Monday, June 19, 2017

The Rapidly Fading Illusion of Internet Privacy in America

With the media focusing on the failure of Donald Trump's signature changes to American health care coverage, immigration and the ongoing McCarthy-like anti-Russia hearings, a relatively little-noticed joint resolution passed the Senate in March of 2017.

Senate Joint Resolution 34 (S.J.Res.34), also known as "A joint resolution providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Federal Communications Commission relating to 'Protecting the Privacy of Customers of Broadband and Other Telecommunications Services'", was sponsored by Republican Senator Jeff Flake (R-AZ) and introduced to the Senate in March 2017.

Here is the text of the Joint Resolution:

That's the way all legislation should look - nice and short.

Let's look at some background.  On October 27th, 2016, the Federal Communications Commission, better known as the FCC, imposed new privacy rules on internet service providers (ISPs) which required ISPs to get opt-in consent from their customers prior to sharing Web browsing data and other private information with third parties, including advertisers.  Here is a link to the FCC's Broadband Consumer Privacy Rules and here are some of the highlights:

“The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs. To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

1.) Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

2.) Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

3.) Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship. 

In addition, the rules include:

a.) Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

b.) A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

c.) Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.”

Basically, the new rules prevented America's internet service providers like Comcast, AT&T, Verizon and Time Warner Cable from recording your browsing history so that they could build a behavioural advertising profile, insert undetectable tracking headers into your web traffic or sell your browsing information to marketing companies unless they got your permission first.  

According to the Electronic Frontier Foundation (EFF), as it stands now, ISPs can only spy on internet traffic that is not encrypted (i.e. the address doesn't begin with https, as it does for banking websites, for example); with encrypted sites, they can see which website you are on but they cannot see the content of what you are browsing (i.e. what is on the webpage).  ISPs want to be able to see everything that you do, including the content on encrypted pages and, as such, have proposed a standard called Explicit Trusted Proxies which would allow them to remove the encryption from the page, read the data on the page and then encrypt it again and send it on to their customers.  Many experts believe that this re-encryption weakens the security of the encryption, exposing users to the risk of cyberattack.  This could mean that everything that users do on the internet, including banking and investing, is less secure.  Internet service providers, Verizon in particular, also have a history of inserting unique tracking tags into every unencrypted connection that browsers make with a website.  This means that when an ISP sends these tracking tags (aka "supercookies") to every website that you visit, every website that you visit in future can track you as you surf the internet; these "supercookies" persist even if you delete your browser history or surf in private mode.
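
A check for the tracking tags described above, as an added example that is not part of the original post: it compares the headers a client sent with the headers an echo server reports receiving, and flags anything added in transit that stays constant across sites for one subscriber but differs between subscribers. The observations, the subscriber labels and the header name X-Tracking-Id are constructed for illustration.

```python
from collections import defaultdict

def injected_headers(sent, received):
    """Headers the echo server received that the client never sent."""
    sent_names = {name.lower() for name in sent}
    return {n.lower(): v for n, v in received.items() if n.lower() not in sent_names}

def find_tracking_tags(observations):
    """observations: (subscriber, site, scheme, sent_headers, received_headers).
    A header is reported as a tracking tag when it is injected in transit,
    keeps one value across two or more sites for a subscriber, and that value
    differs between subscribers (so it identifies the line, unlike "Via").
    """
    values = defaultdict(lambda: defaultdict(set))  # name -> subscriber -> values
    sites = defaultdict(lambda: defaultdict(set))   # name -> subscriber -> sites
    for subscriber, site, scheme, sent, received in observations:
        for name, value in injected_headers(sent, received).items():
            values[name][subscriber].add(value)
            sites[name][subscriber].add((scheme, site))
    tags = {}
    for name, per_sub in values.items():
        stable = {s: next(iter(v)) for s, v in per_sub.items()
                  if len(v) == 1 and len(sites[name][s]) >= 2}
        if len(stable) >= 2 and len(set(stable.values())) == len(stable):
            tags[name] = stable
    return tags

SENT = {"User-Agent": "test-client", "Accept": "*/*"}

def echo(extra=None):
    """Constructed echo-server response: the headers it says it received."""
    return {**SENT, **(extra or {})}

# Constructed observations; "X-Tracking-Id" is a hypothetical header name.
OBSERVATIONS = [
    ("line-A", "news.example", "http", SENT, echo({"X-Tracking-Id": "a91f", "Via": "1.1 proxy"})),
    ("line-A", "shop.example", "http", SENT, echo({"X-Tracking-Id": "a91f", "Via": "1.1 proxy"})),
    ("line-A", "bank.example", "https", SENT, echo()),  # encrypted: nothing added
    ("line-B", "news.example", "http", SENT, echo({"X-Tracking-Id": "7c02", "Via": "1.1 proxy"})),
    ("line-B", "shop.example", "http", SENT, echo({"X-Tracking-Id": "7c02", "Via": "1.1 proxy"})),
]

def sites_exposed(observations):
    """Sites where at least one header was added in transit."""
    return sorted({site for _, site, _, sent, recv in observations
                   if injected_headers(sent, recv)})

if __name__ == "__main__":
    print(find_tracking_tags(OBSERVATIONS), sites_exposed(OBSERVATIONS))
```

The shared "Via" value is injected too but is not reported, because it is the same for both subscribers and so does not single out either line.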

With that background, let's look at the subject of this posting, Senate Joint Resolution 34.  When the FCC introduced its new rules, the Republicans balked because they believed that it represented yet another example of government overreach.  As such, here's how the vote turned out:

Not surprisingly given the partisan nature of Congress, the 50 to 48 vote in favour of Senate Joint Resolution 34 was split along party lines, with Republicans voting in favour of the resolution (excluding two who did not vote) and Democrats and Independents voting against it.  House Joint Resolution 86 was introduced on March 8, 2017 and has been referred to the House Committee on Energy and Commerce and the Subcommittee on Communications and Technology, and we already pretty much know the outcome given what happened in the Senate.  Here is a look at the co-sponsors of H.J.Res. 86, all Republicans:

After it passes the House, it's off to the office of the President for a quick pencil-whipping.  

Those of us who spend time on the internet are already inundated with advertising, most of which we completely ignore.  We should also realize that most of the internet is free, largely because of that very advertising that we ignore.  That said, the fact that internet service providers can further reduce what little remains of our online privacy in even a small way can now be laid at the feet of Congress.  I hate to tell the Republicans but, sometimes, government does have to step in when Corporate America has only its own best interests at heart.

1 comment:

  1. The Internet has never been private - it's quite an illusion to have. But since the world is shaking with cyber attacks, we must follow security protocols and implement strong customer authentication methods -