President Trump has signed the executive order finalizing the repeal of the FCC’s Internet privacy rules that would have stopped intrusive practices of ISPs.
Internet Service Providers are now free to collect and share their subscribers’ private data, including precise geolocation, financial information, health information, children’s information and web browsing history. While ISPs claim they won’t sell customer data, there is a lot of skepticism surrounding this claim now that they are legally allowed to do so.
According to the rights group Electronic Frontier Foundation, “privacy and security are two sides of the same coin: privacy is about controlling who has access to information about you, and security is how you maintain that control.”
Here are the main ways ISPs could affect online security, given their new rights:
° Storing large amounts of data could attract hackers. The storage security argument always reappears when mandatory ISP data retention programs are discussed. Security experts and human rights groups usually agree that collecting citizens’ data must be balanced with increased data protection. To make matters worse, FCC Chairman Ajit Pai has recently halted the enforcement of another ISP regulation. It would have required providers to take measures to protect users’ private data from security breaches. As a result, even if users’ data gets hacked because of lax security, broadband providers will bear no responsibility.
° ISPs could use enhanced tracking techniques. According to a 2015 study, at least nine ISPs, including AT&T, Verizon and Vodafone, were found to have been using “supercookies.” When supercookies are installed, every website a user visits, and every third party embedded in those websites, can track that user. Even if a user deletes their browser’s cookies or uses Incognito mode, supercookies persist. Also, the effectiveness of some privacy tools may be weakened because the tracking could be added after the data leaves a device.
To prevent trackers from being added at the network level, users would have to use a combination of tools to fully secure their Internet traffic, such as a tracker blocker and a VPN for encryption. Thanks to an FCC investigation, ISPs (such as Verizon) were fined and have since agreed to notify users about cookies and give them an option to opt in before their data can be tracked. However, if FCC regulations keep getting struck down, ISPs might revert to using, or invent, other enhanced tracking methods.
° ISP tactics might weaken web encryption. At the moment, ISPs can only track the portion of user traffic that is not encrypted. Although VPN service encryption is recommended, some people choose to rely on the web page encryption offered by the HTTPS protocol. Tracking is limited on HTTPS websites secured with SSL (Secure Sockets Layer). On such websites, any data sent between a user’s browser and the server is encrypted. As such, SSL certificates pose a major problem for ISPs, since their goal is to build advertising profiles based on their subscribers’ data.
There have been talks of ISPs implementing a standard called Explicit Trusted Proxy, which would potentially allow ISPs to intercept encrypted HTTPS web-page data, decode it, process it, re-encrypt it, and then finally pass the re-encrypted data along to its original destination. Recent studies have shown that many tools used for inspecting HTTPS traffic end up weakening the encryption and potentially exposing it to various security breaches. If Internet providers get their way and obtain access to HTTPS data, they will reduce the security of the entire web.
A VPN (Virtual Private Network) secures and encrypts Internet traffic, helping protect users’ identity and data by hiding their IP address. It scrambles a user’s online data, so an ISP cannot decode and use it for building an advertising profile. It also reroutes Internet traffic through an encrypted tunnel, preventing any third parties (including ISPs) from monitoring the user’s Internet traffic. To find out more about NordVPN, please visit www.nordvpn.com.