There are some age-old questions among Internet users, especially those concerned about privacy. Basically, “Is my ISP watching me?”, and “Is it sharing data about my online activity, such as search and browsing history, with third parties?” And back in the day, the analogous question was “Is the phone company listening?” Indeed, Bell Labs reportedly suppressed the telephone answering machine for 60 years, because it feared that recording technology would frighten away its customers.
Any service that provides Internet access (ISPs, Wi-Fi hotspots, and telecom providers) can obviously see what resources users are accessing. Unless data is encrypted, providers can also see the content. And even with encryption, traffic patterns provide some information about activity. Finally, all bets are off when the NSA, or another similarly resourceful TLA, is interested.
If you’re living in China, especially in such areas of unrest as Tibet or Xinjiang, online privacy is an fantasy. But what about the US and EU, where privacy is supposedly protected?
Well, there’s this funny difference between US and EU attitudes toward privacy. In the US, there’s relatively little concern about commercial use of private data. I mean, consider the information that credit reporting services buy and sell. The massive Equifax Data Breach made that very clear. Also, providers of credit cards sell user data to online advertising firms. Google and Facebook, for example, use such data to link online and meatspace activity.
On the other hand, there is concern about warrantless government access to such data. There’s the Fourth Amendment. By law, Social Security numbers were not to be used as IDs. And there is no national ID card. Since 9/11, there’s been government pressure for explicit access to more and more data. However, legislative efforts have failed, and there is still no mandatory requirement for data retention by Internet and telecom providers. Or by VPN providers, by the way. However, the government can access any data that has been retained, through normal warrants, or non-disclosable National Security Letters (NSLs).
Conversely, in the EU, there is great concern about commercial use of private data. There’s the Right to Be Forgotten. And the General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. It “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” And “[i]t applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” Such personal data includes “name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” Basically, anything “that can be used to directly or indirectly identify the person.” And consent must be unambiguous, not buried in “long illegible terms and conditions full of legalese”.
However, there’s far less concern about government access to such data. The 2006 Data Retention Directive (DRD) “compels all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber’s incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of 6 months to 2 years.” But in 2014, the EU Court of Justice annulled the 2006 DRD.
In response, the UK enacted the Data Retention and Investigatory Powers Act (DRIPA) in 2014. The EU Court of Justice also annulled that in 2016, and the UK proposed amendments. However, in January 2018, the court ruled those amendments insufficient.
It appears that EU members are generally reconciling their data retention laws for consistency with GDPR. However, notwithstanding annulment of the DRD, the EU apparently won’t apply GDPR to law enforcement: “The European Commission hopes to set an international standard with its upcoming proposal to give police easier access to data from tech companies, and has already asked the United States to cooperate.”
So anyway, let’s focus on the US, where data retention by Internet and telecom providers directly exposes users to commercial exploitation, and indirectly exposes them to the government. ISPs have typically retained logs of IP address assignments, to insure that IP addresses can be linked to users.
Back in the day, it’s my impression that traditional ISPs didn’t retain very much data about users' online activity. Maybe it cost too much to store, and there weren’t opportunities to monetize it. Or maybe they were afraid of customer backlash. But over the past decade or so, that has clearly changed. Development of the online advertising industry, which targets ads based on pervasive behavioral tracking, has provided opportunities. And it has changed everyone’s expectations. With the rise of smartphones, cell providers know “where you are, what you’re searching for and what you like”. That is valuable data for advertisers, and Internet providers want to profit.
In late 2016, after many years of lobbying by privacy advocates, the Federal Communications Commission (FCC) agreed to regulate data use by ISPs and telecom providers. Use of such private data as browsing history and app usage would have required prior consent, but IP and MAC addresses would have remained fair game.
But in early April 2017, Congress and President Trump repealed those rules, months before they would have taken effect. Major ISPs and telecom providers supported the repeal, arguing that such firms as Google and Facebook would have remained unregulated. So now everyone can do as they like, subject only to public opinion, and complaints to the FCC.
That does work, sometimes. For example, MoviePass CEO Mitch Lowe bragged at the 2018 Entertainment Finance Forum that “We watch how you drive from home to the movies. We watch where you go afterwards.” That generated considerable upset among privacy advocates. And shortly thereafter, MoviePass announced that it had removed those capabilities from its iOS app. Similarly, in late 2017, after protests and an FTC complaint from EPIC, Uber stopped tracking its users after rides. But that’s arguably less reliable than regulation. People can choose whether or not to use MoviePass or Uber, but there’s typically little choice about Internet access, outside large cities.
Some major ISPs and telecom providers (AT&T, Comcast and Verizon) quickly reassured the public that they will not sell, and have never sold, users' private data. Of course, as noted above, they will provide it to the government as required by warrants and NSLs. But that’s not why they fought for the right to collect it. Like Google and Facebook, they want to make money in the behaviorally targeted advertising market.
Third Door Media has this chilling prediction for 2018:
In 2018, a growing threat to Google, and to a somewhat lesser extent Facebook, will be the ISPs and wireless providers such as AT&T, Charter, Comcast, Sprint, T-Mobile and Verizon. Verizon, with its ownership of Oath (the combination of AOL’s ad tech and content properties and Yahoo’s remnants), is probably best positioned to take advantage of the new anti-regulatory climate. Net neutrality was an obvious gift late this year. But the gifts started coming this past spring. In March, the Senate voted to reverse FCC privacy rules that would have limited ISP’s ability to sell user data without consent — for ad targeting and other purposes. FCC Chairman (and former Verizon lawyer) Ajit Pai argued consumers would be confused if ISPs were held to different privacy standard than companies like Google and Facebook.
The breadth of data ISPs have on users through their internet and mobile behaviors is wide. It includes geolocation data, browsing data, listening and watching data, app usage data and other non-personally identifiable information (PII) that can be used to inform highly detailed user profiles. It’s a marketer’s dream playground, a privacy-minded consumer’s nightmare.
Also, contrary to assurances, telecom providers are indeed selling “customers' personal information and real-time location to third parties”. The unsecured APIs for data access have been taken down, but the initial report remains a frightening read:
But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data.
Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight. [emphasis added]
And yes, the FCC’s action to end net neutrality in December 2017 was another gift to Internet providers. Indeed, Internet access in the US may change dramatically this year. That’s arguably a distinct issue from privacy, although it may be instrumental in the evolving role of ISPs and telecom providers in the online ad industry. That is, they can now block (or at least, slow) particular Internet traffic, affecting both content and ads. It further strengthens their position vs content providers, including Google etc. And against users.
So what can we do to protect our privacy?
Well, using a VPN service will prevent Internet providers from tracking and monetizing users' online activity. Because all they see is encrypted VPN packets. It will also prevent them from throttling or blocking particular websites or traffic types, except based on traffic volume and patterns. Internet providers could throttle or block VPN traffic, but VPN providers can obfuscate connections in various ways. Some providers use SSH or SSL tunneling. IVPN uses the obfsproxy framework, developed by the Tor Project to penetrate the Great Firewall of China (GFW) and such. It seems unlikely that US Internet providers will go as far as China does to block VPNs.
That’s the good news. But perhaps the focus on throttling and blocking is misguided. There have been instances of that, following on disputes over peering fees and such. And VPNs could obviously protect against that, using obfuscation if necessary. However, it appears that AT&T’s plans focus on preferential treatment of traffic from “data sponsors”. While AT&T claims that it’s “not interested in creating fast lanes and slow lanes on anyone’s internet”, other Internet providers haven’t made such assurances about paid prioritization. It’s hard to imagine how VPNs could help with that. Unless VPN providers paid for prioritization. Or unless VPNs became Internet providers. We can dream, right?
So anyway, by all means, use a VPN. If you really care about your privacy, use nested VPN chains. Plus Whonix for Tor, if it matters a lot. And study OPSEC.
Suggest an edit on GitHub.