For years a quiet battle has been raging, largely outside the public awareness. On one side are the telecom companies that provide your home & mobile internet service. On the other side, a loose coalition of privacy rights activists, government regulators, and regular citizens.
What’s at stake in this battle? A fundamental principle of the internet (and indeed all communications): does the information you transmit on a network belong to you, or the company who owns the network?
For a minute, it looked like we the people had won this skirmish. Congress recently reversed course. Here’s what it means for you.
What Happened?
It’s complicated. In essence:
Congress voted to overturn rules created by the Federal Communications Commission in October that required broadband providers to get your permission before collecting private data on your online activities and offering it for sale to advertisers.
For such a simple paragraph, there’s a lot of unknowns here unless you’ve been following this debate closely. What “rules” are they talking about? What does “private data” and “online activities” mean? And why should you care?
Politics Killed the Internet Rules
This is perhaps the most tricky thing to wrap your head around: Under President Obama, the Federal Communications Commission (which is made up of political appointees) voted to require broadband companies, also known as internet service providers (or ISPs) to get explicit permission from consumers before selling your demographic and browsing data.
Why was this a big deal? Because up until last October when the rule was approved, ISPs could do pretty much whatever they wanted with your data. This is one aspect of the story under-represented by the media – Congress didn't gut existing, decades-old regulation. They killed new rules before they could take effect.
Then and now, some limits exist. Your ISP needs your opt-in permission before selling your social security number, medical records, or location.
The new rule under Obama’s FCC made it so that your internet company would now need your opt-in to store and sell everything else as well: browsing history & habits.
But there’s a new sheriff in town. President Trump’s pick for the FCC favors big business over consumer rights, and Trump will almost certainly sign Congress’s new rule killing Obama’s rule.
This is a step telecoms have been lobbying hard for, arguing they need to be on equal footing with companies like Google and Facebook – an argument which, in my opinion, doesn’t hold up unless broadband services are cheap-to-free (see below). Other commentators have argued the merits of the ISPs case, too.
Congress just voted to kill rules that would – had they taken effect – made the collecting and selling of your data your choice. Now, they’re gone, possibly forever: the new rules prohibit the creation of new ones.
Why You Should Care
Can Your Phone Company Listen to your Calls?
Think of it like this: years ago, the FCC created privacy rules that prohibited phone companies from listening to your calls for marketing purposes. This is a good thing.
Say you called a friend to talk about renting an apartment. Without privacy rules your phone company could eavesdrop, then sell that tidbit to brokers, real estate websites, banks, even IKEA, who would then call you.
The rules created to protect your phone conversations established a principle: When you pay a company to rent space on their network, the data you transmit on that network is yours. Why shouldn’t the same principle apply to the internet?
But Google & Facebook Already Collect Your Data, Right?
Yes. 100%. But here’s the difference between your ISP and Google:
Google is free. In exchange for their powerful search and cloud-based products and services, they build a detailed profile of you as a consumer which they sell to support their products and services. So, yeah, Google is “free.”
Sites like Google & Facebook also give you the option to opt-out of some of their marketing activities. Most people don’t, but at least you have the choice.
In contrast: You pay good money to your ISP for their service. Except with the current (and now, much more permanent) rules, you pay once and your ISP gets paid twice: once when you fork over $40 – $160 bucks a month for internet (and maybe cable), and once when they sell the same kind of data Google collects to the same kind of marketing and data analytics companies. And you have no option to opt-out.
Which begs a question:
What “Private Data” Do Companies Collect?
So much data is continuously collected about you, by so many different entities, that the idea of privacy online – without countermeasures – is functionally meaningless. There are probably at least 100 companies sifting through data sets that include your information right now.
What kind of data? Everything.
Anything you browse on the web, including time of day, duration, and location is captured, stored, and sold. Shopping, news, banking, dating, your contacts lists, the content of your photos… everything. This is what comprises your “browsing data.”
Google, Facebook, Amazon, and others know a lot about your browsing data, and have devised ways to know more. Why do you think they’re trying to get you to use them for banking, document management, and even offering a cheap AI personal assistant (i.e., open microphone) to tell you the weather and order more dish detergent?
Your ISP is no different, and is possibly even more complete in their knowledge of your browsing history.
Relax, Data Collected by your ISP is Anonymized
Everything mentioned above – your browsing history – is attached to you in the form of an anonymized tag that scrubs out your name and other personally identifying information, like your address.
“Wait a minute,” you might be saying: “By law, my data is anonymized. So everything’s fine, right?”
Anonymized Data Can Be Reverse-Engineered
It’s actually pretty simple for someone with the right tools and expertise to un-anonymize your data.
In one experiment, researchers took open a massive trove of anonymized ride data from the New York City cab system and quickly uncovered driver’s identities & addresses.
In addition, ISPs aren’t very good at securing your data in the first place. In 2015, AT&T was fined $25 million for failing to do just that.
But You Don’t Have Anything to Hide, Right?
A lot of people feel this way. I feel this way, especially when it comes to matters of public security. I’d argue it’s why the Snowden revelations didn’t lead to rioting in the streets. Most people hear about aggressive data-gathering and shrug – why worry if you don’t have anything to hide?
Just because you don’t have anything to hide doesn’t mean you don’t have a right to privacy.
Imagine this: in the not-too-distant future you contract an embarassing but treatable disease. You google it to find out more information, log in to your doctor’s website to schedule appointments and email or chat about it with your best friend. Your ISP knows all this, sells your info, and suddenly Valtrex ads are everywhere on your browser.
Once you start to consider just how invasive it is to have your total internet behavior out there, for sale to the highest bidder, the importance of protecting your internet privacy comes into focus.
What You Can Do About It
Everything comes down to your IP address: it’s a unique identifying number attached to your computer that is used to track your online behavior. If you can conceal your IP address, it’s a lot easier to disappear from the prying eyes of your ISP and Google & Co.
Enter: VPNs.
VPNs, or Virtual Private Networks, essentially create a little walled-off garden in which you can frolic on the internet unseen by ISPs, search companies, and the like. PC Mag describes VPNs like this:
In the simplest terms, it creates a secure, encrypted connection, which can be thought of as a tunnel, between your computer and a server operated by the VPN service. In a professional setting, this tunnel makes you part of the company's network as if you were physically sitting in the office, hence the name. While connected to the VPN, all your network traffic passes through this protected tunnel, and no one in between can see what you are up to. A consumer VPN service does the same thing, but for the purposes of protecting data and identity.
The VPN provider knows your IP address, but the virtual network they provide conceals it from everyone else. This is something to keep in mind when selecting a VPN service – do they do anything with your data? Many have strong commitments not to, but be sure to read their FAQs or fine print carefully. At it’s best, a VPN should be a tight-lipped partner in keeping your data private.
Sounds great, right? So why haven’t VPNs caught on big time?
For one, they have a bit of an image problem. Another way to browse the internet securely and anonymously is via the encrypted onion-routing program Tor, originally created by the NAVY and DARPA. Tor has become associated with the Dark Web and other nefarious activities, and VPNs have suffered by association.
The real reason, however, is that VPNs tend to be a bit slower and less convenient than just hopping on your web browser. But as I’ve outlined, convenience comes at a steep cost.
VPN Services You Should Consider
Running a VPN on your laptop/desktop and phone will set you back some cash, with most services coming in between $4 – $12/mo.
1. Tunnel Bear
Tunnel Bear comes personally recommended, and is well reviewed. I found it to be a comparatively inexpensive ($4.17/mo, billed as $50 a year), simple way to get started with a VPN. After a quick signup & email verification I got 500 MB of free data to try it out.
Browsing on an Acer Chromebook and my Android phone’s web browser, pages loaded quickly and smoothly – I didn’t notice a slowdown in speed. And it’s really, really nice knowing my experience of being on the internet (I’m just some anonymous entity) matches the data-driven reality.
Another feature of Tunnel Bear is their beefy privacy policy. Yeah, it's leap of faith. But consider: if it were to leak that Tunnel Bear (and VPNs with a similar commitment to privacy) were logging your data to sell or hold in case they're hit with a subpoena, their customer base would revolt.
2. IP Vanish
Highly reviewed, this VPN has some features and Tunnel Bear doesn’t – namely, it allows you to use torrenting programs. For shame.
3. Free VPNs
There are ad-supported VPNs out there. If you don’t feel like putting down a few bucks a month, they’re certainly an option, but they come with drawbacks. For one, they serve you ads (kinda antithetical to what we’re trying to do here…), and most throttle browsing speeds or limit the bandwidth you can consume each month.
Another thing to watch out for – do they have a bulletproof privacy policy? It would be an ironic, privacy negating VPN if they sold your data to support your privacy.