The good news: Your Internet provider can’t tell you’re reading this story.
The
bad news: It still has other ways to track what you’re interested in.
And — given the history of Internet providers tracking their users’
travels around the Web and then selling that information to advertisers —
it wouldn’t be surprising if your ISP wanted to figure out more ways to follow you online.
These concerns have become higher-profile issues since the Federal Communications Commission gave itself the authority to make Internet providers obey some of the same privacy rules that already restrain telephone and pay-TV services.
Why you shouldn’t worry
The FCC can do that because of last year’s reclassification — in the name of Net neutrality — of Internet providers.
That shift subjected them not only to “common carrier” rules that
govern phone companies but also to the privacy obligations that stop
your phone carrier from, say, selling your calling history to a
marketing agency.
So far, the commission has mainly looked for — in the words of a May 2015 notice — “reasonable, good-faith steps” by ISPs to follow those rules. (The Federal Trade Commission already
exercises roughly that level of oversight, taking action when it thinks
Internet providers are being deceptive or unfair.)
But the FCC is now getting ready to debate more detailed regulations.
Beyond their customary response — relentless litigation —
to overthrow the Net-neutrality regime, major Internet providers have
recently offered another reason not to adopt such regulations: They say
they can’t see that much of what you do, anyway.
A paper released last Monday by Georgia Tech’s Institute for Information Security & Privacy (and partly funded by the industry group Broadband for America)
makes that argument by pointing out how much Internet traffic is now
encrypted and how much of it travels over mobile and Wi-Fi networks
instead of via residential broadband.
The amount of time we spend on those other networks isn’t news. But some numbers about encryption cited in the 125-page paper did catch my eye.
Authors Peter Swire
(a longstanding privacy professional and veteran of the Clinton and
Obama administrations), Justin Hemings, and Alana Kirkland say that the
data — from the network-analysis firm Sandvine and the Center for Applied Internet Data Analysis (CAIDA),
a public/private research organization — suggest that Internet
providers are blind to half or more of the traffic they carry because
that traffic is encrypted.
Sandvine, for example, forecast last month that 70 percent of global Internet traffic will be encrypted this year. (But
the same report found that in North America in February, only 38
percent of wired-broadband traffic was encrypted.) CAIDA’s research,
meanwhile, shows the share of encrypted traffic rising from 13 percent
in April 2014 to 49 percent in February 2016.
The
paper’s conclusion: “There clearly can be no ‘comprehensive’ ISP
visibility into user activity when ISPs are blocked from a growing
majority of user activity.”
Image from CADIA site
Why you should worry
But
even when you visit encrypted sites, your Internet provider can still
see their domain names (unless you also employ a virtual-private-network
connection). As New America’s Open Technology Institute pointed out in a January paper,
your mere presence at the domains of Planned Parenthood, cash-advance
services, or the National Rifle Association can reveal volumes about
you, regardless of whether or not the specific pages they send you are
encrypted.
And if even a limited view of somebody’s Web activity is so worthless, why haven’t Internet providers stopped trying to monetize their users’ online habits?
A decade ago, many sought to use “deep packet inspection” of their users’ traffic to help sell ads. Today, AT&T’s GigaPower gigabit fiber-optic service’s default offering is a “Premier Offer,” in which you consent to have your Web traffic scanned for marketing purposes.
(A no-scanning option is available but hidden behind a smaller-type
link.) AT&T’s deal does save you money — or, if you prefer to put it
another way, the ISP will charge you $29 and up for your privacy.
Verizon Wireless’s radically curtailed “supercookie” tracking didn’t lower your bill, but it did make it easy for every other site to follow you around the Web. On Monday, the FCC announced a settlement
in which VzW agreed to pay a $1.35 million fine, obtain its customers’
permission before sharing their data with third parties, and only
perform this tracking “using methods that comply with reasonable and
accepted security standards.”
Internet providers have also been among the last tech firms to start issuing “transparency reports” inventorying government queries about their customers. That doesn’t make them easier to trust.
Don’t trust anyone too much
Swire,
Hemings, and Kirkland are right that search engines, social networks,
app developers, and ad networks can gather far more data about you than
your ISP and then leverage that information to follow you wherever you go on whatever device you use.
(Remember that in the debate about how much data police investigators can obtain from a single locked phone.)
If
you skip to page 102 of their paper, you’ll see a graphic outlining how
many parts of today’s “online ecosystem” 10 companies participate in
(see above). None have a lock on all 10 core functions (from Internet
access to online video), and the Internet providers listed look
relatively weak.
Companies
that don’t want any more regulation like to throw around data like that
to argue that, hey, it’s the other guys that need more rules. But
there’s a simpler way to read them: as a reminder that one of the better
ways to protect your privacy is to spread your business around. It
might be easier to let one company serve all of your online needs, but
that also gives that one company a much bigger magnifying glass to hold
over your online activities.
