President Trump signed a law on Monday that repeals FCC protections requiring internet service providers (ISPs) to get permission from customers before collecting and sharing their browsing data.

While the repeal was put in place to make ISPs more competitive with internet giants like Google and Facebook, some say the new law exists simply to allow the ISPs to profit off the data they collect from customers.

“The real reason [for the law] is the ISPs simply want to be able to market the data that they gather from their customers. This is why we saw so many lobbyists push to have this signed into law,” said Dodi Glenn, vice president of cybersecurity for PC Pitstop.

What happens now

The law doesn’t change how ISPs have been currently operating, but only how they were going to be operating in the future. As previously reported by TechRepublic’s Hope Reese, the repealed FCC privacy regulations had not yet gone into effect. The Obama administration had approved the new protections in October 2016, and they were set to go into effect on December 4, 2017. The regulations would have required ISPs to obtain permission from customers before their personal web history could be shared.

Nathan Wenzler, chief security strategist at AsTech, said, “Since the original regulations had not yet taken effect, there is little that will change immediately, but the intended purpose was to prevent ISPs from collecting and selling the browsing history and patterns of their users. Many websites do this already when a user is on their site, and leverage that browsing history to deliver targeted advertising to the consumer. But they can only do this for what a user does on their own site. An ISP, being the means to connect directly to the internet for a user, would be able to gather every single bit of usage data for a user, including every site ever visited. ISPs have argued they need this data in order to be competitive with websites like Facebook and Google for delivering valuable browsing data to advertising networks.”

Wenzler said he considers this an apples-to-oranges argument because ISPs are meant to provide people the ability to connect to the internet at large, while sites like Facebook and Google deliver content that rides on top of it all.

Glenn said, “The difference is that a person can refuse to use Google or Facebook, and not risk their privacy. In the case of an ISP gathering the data, there is no choice other than don’t use the internet.”

Spying for profit could become the new norm among ISPs

Lawrence Pingree, vice president and security analyst for Gartner, said, “For the ISPs that choose to spy on their users, the data could be used to build profiles of users and their interests by categorizing the URLs they go to. It can also allow ISPs to sell this data as a fee to advertisers, political parties, and other organizations to do real time behavioral profiling. It also can be used to give law enforcement a new data source they can subpoena.”

AT&T, Verizon, T-Mobile, and Sprint, all ISPs, have been in favor of eliminating the restrictions and had filed a petition with the FCC. The ISPs say that web browsing history is not considered sensitive data, unlike individual Social Security numbers, financial information, and health information.

The argument from many of those in favor of the repeal is that eliminating the FCC restrictions would be good for business, both to allow the ISPs to profit from the data and for marketers to better target their ads to consumers.

SEE: Your internet history is now for sale. Here’s how you can protect it (TechRepublic)

How the data can be used

There are a variety of ways that ISPs could use the data they collect.

“They [ISPs] could use the data to behaviorally profile users and categorize their behaviors into interaction types, age estimations, sex determination, and a variety of other demographics to profile the user(s). One problem is that if they are collecting URLs. Some URLs that are not secure will contain things like passwords and secret values that expose the security of some websites,” Pingree said.

There is potential for an ISP to stand out among competitors by not selling customer data, and several providers, including Comcast, Verizon, and AT&T have already said they will not breach customer privacy.

However, Glenn said he thinks it’s unlikely that any ISP provider will voluntarily opt out of selling customer data in the long term. “One can hope so, but the promises of being able to capitalize off of customers’ telemetry data will likely make that not happen.” The data collected from customers could be valued in the billions, but no set amount has been determined since the market has not been established. An ISP not selling its data could be viewed as a “dumb pipe” to transfer information.

Impact on online browsing habits

As for how individuals might change their own browsing habits, Pingree said, “I think for the bulk of the internet users their usage will not likely change since most people are fairly innocent online. However, I will say that it is likely to have a chilling effect on some interactions and topics that would otherwise be considered taboo, controversial, or less desirable such as pornography, fetish, special interest groups, political interactions websites, etc.”

Glenn said a business professional could be impacted if their personal browsing history was revealed, and seeking outlets for more privacy will become the norm: “I believe the usage of Virtual Private Networks (VPNs) will increase exponentially, due to this legislation. These servers will be used by consumers and business professionals to route their traffic to offshore locations, where their privacy is maintained at much higher standards. By using a VPN, the ISP can only see that their customer connected to another server, but not the websites they have visited.”

Jonathan Hill, dean of the Seidenberg School of Computer Science and Information Systems at Pace University in New York, said, “With a green light to collect this information, this law puts business users at greater risk of having their search histories sold or made public in embarrassing or potentially litigious ways.”

Three takeaways for TechRepublic readers:

  1. President Trump signed a law on Monday that repeals FCC protections requiring ISPs to get permission from customers before collecting and sharing their browsing data.
  2. Nothing changes from how ISPs are currently operating, only in the protection rules that were set to be enforced beginning in December 2017.
  3. Some say the real reason for the law is to allow ISPs to be able to make more money off of customer data.

Also see