Without Internet Privacy Rules, How Can I Protect My Data?


The FCC’s ISP privacy rule, which would have limited how your internet service provider could collect and use your data without your permission, is effectively dead. The good news is, you do have some tools you can use. The bad news is, they’re not perfect.

Preventing Comcast, AT&T, Verizon, Charter, and the rest from knowing (and making a profit from) the fact that you searched for “yak milk,” or that you’re a 37-year-old male living in Saginaw with an interest in medieval agriculture, can itself take some money and technological know-how. Even then, some of your data is still vulnerable.

Here’s what’s true (and what’s bunk) about the privacy rule, and what you can do to shield your behavior from prying eyes.

True: Your ISP Knows A Lot About You

Privacy and consumer advocates supported the FCC rule because your ISP (whether it’s your cable company or your wireless provider) is in a unique position to scoop up a great deal of your data.

Your ISP is like the doorman of your apartment building: He knows when you come and go, who visits and how long they stay, what mail you receive, and what food you order in. Some doormen could make a lot of money selling this information, but good ones don’t.

In more technical terms, if you’re browsing the internet at home, your data travels a chain something like this:

You -> Device (laptop, phone, tablet) -> software (browser, app) -> Home WiFi router -> Cable or fiber modem -> Your ISP’s wires (“last mile”) -> Interconnection through the rest of the internet (the infamous “series of tubes”) -> Destination server

Data you retrieve from the internet — articles you read, files you download, videos you stream, and all the rest — comes back to you through the same path, just reversed.

Making matters worse, while you have a large number of options for devices to get online — and seemingly countless apps and websites to browse — many people have few, if any, real choices when it comes to picking an ISP.

So What Does My ISP Know?

In 2016, when the FCC was still considering the rule, a computer science professor at Princeton explained more precisely what it is your ISP probably does and doesn’t know about you. He concluded that although increasing use of encryption does cut down on what content an ISP can see, the volume and sensitivity of private data available is still extraordinary.

“Based on what we can observe from this traffic,” he wrote at the time, “it should come as no surprise that the data that we gathered—which is the same data an ISP can see—warrants special handling, due to its private nature. University Institutional Review Boards (IRBs) consider this type of work human subjects research because it ‘obtains (1) data through intervention or interaction with the individual; or (2) private, identifiable information’; indeed, we had to get special approval to even perform this study in the first place.”

In particular, he noted, the challenge of connected, data-transmitting devices that aren’t desktop computers — the entire realm of the internet of things, from your TV to your toaster — puts a huge, valuable, unencrypted trove of consumer data out there for your ISP to collect.

False: “I delete my history & use incognito mode, so I’m safe”

Deleting your browsing history won’t do anything to help you when it comes to your ISP, nor will using the private or incognito mode on your browser.

To go back to the doorman analogy, deleting your history is like destroying your Flavor Of Love: Season 2 DVD set after your doorman already saw you walking through the lobby with it. Using an incognito browser is like buying that DVD set in cash; the store doesn’t have any record that you’re a fan of VH1 dating shows, but your doorman still sees you walking to the elevator with your purchase in hand.

The problem here isn’t what information is stored on your computer or other device, which is what your history addresses; it’s all of the data that travels from your device through your modem — either a cable modem at home, or the wireless one built into your phone — to the greater internet.

That chain data travels? Deleting your history and cookies, or using private browsing mode, breaks the chain at the point between “user” and “software,” erasing your footprints after you’ve left them so that it’s slightly harder for another human being to come along and follow them. It’s good for dodging the prying eyes of other folks you may live with, or evading the occasional paywall, but does nothing to hide your tracks from the ISP transmitting your information back and forth.

True: Encryption Can Help.

Your internet provider can’t read everything you do; they’re powerful, but not that powerful. Encryption is your friend here: An ISP can’t “see” inside an encrypted connection, and so that’s the byword to watch for.

This is, for example, why more and more sites are shifting to using “https” connections instead of the older “http.” When your connection is secure, your ISP can see which site’s domain name you’re visiting — Google Mail, your bank, Consumerist.com — but not what you’re doing or looking at once you’re there.

That helps with web browsing, but it’s worth remembering that far more than just your browser sends and receives data. Every other internet-connected program you use does, too.

We go back to that nosy doorman and your apparent predilection for Flavor Flav reality TV shows. Using an https connection is like putting that DVD inside a Best Buy bag instead of carrying it through the lobby uncovered. The doorman doesn’t know exactly what you purchased, but he knows you went to Best Buy. The more precise the name on the shopping bag, the more the doorman knows about you and what you probably purchased.

What Is End-To-End Encryption?

On the mobile side, the practice of end-to-end encryption is getting more popular by the day, particularly for messaging apps. Messaging platforms like WhatsApp and Signal block the content of your texts from everyone but the recipient — including the app-makers themselves.

This is like putting your DVD set in a brown box with no markings to indicate what may be inside. The doorman only knows that you carried something through the lobby.

The best way to make your entire usage history secret from your ISP, then, is to encrypt the whole thing. And for most home users, the best tool for that will be a virtual private network, or VPN.

A VPN doesn’t exactly make your tracks disappear; you’re still meandering the internet and leaving a digital trail. Instead, it shifts who can see it and where it can be seen.

But since a VPN’s entire business model is “protecting our users’ privacy,” most of them guard it jealously — to the point where one VPN company, Private Internet Access, took out a full page ad in the New York Times calling out the 50 Senators who voted to reverse the FCC’s rule.

In terms of usability, VPNs, like basically any other software or service, can fall anywhere on the spectrum from user-friendly to completely opaque. There are a lot of variations in both how VPNs look and what they do.

Some VPNs include ad-blocking; others don’t, meaning you may want to look into using an ad-block service on top of a VPN. A few have free versions available for consumers to use or try; most charge somewhere in the range of $3 to $10 per month, depending on the billing plan you sign up for.

So how do you choose a VPN?

Ars Technica offered an overview of the state of VPNs in 2016 that provides a good list of features to think about. Lifehacker and Gizmodo have also both written guides to help you think about how to get started.

And if you decide you’re ready to start shopping for a new VPN, PC Mag and TechRadar have both recently compiled “top 10” lists of their recommended VPN services.

It’s also important to consider that your mobile provider is also an ISP. The loss of this rule doesn’t just let Comcast, Charter, and the rest of the fixed broadband providers have their way with your data; it applies (or rather, doesn’t) to AT&T Mobility, Verizon Wireless, Sprint, T-Mobile, and every other mobile phone company, too.

Digital Trends has best-of lists for Android and iOS compatible VPN services, and PCMag has an Android ranking in addition to its overall list (many of which offer Android or iOS compatible versions as well).

False: A VPN is all you need to remain private

While using a VPN will help stymie efforts by your ISP to screen and capture the bulk of your internet use, the reality is that it won’t protect you entirely if someone’s really out to have a look at what you’re up to.

Security researchers have demonstrated that the mere pattern of internet traffic volume — when you send data and how much, without any regard as to where — can still give external viewers a pretty big glimpse into what you’re probably doing.

Other studies have also found that the amounts of data that travel, and the patterns in which they move, can tell a savvy watcher a fair amount about what you’re doing online.

Even if you protect the content of your communications, then, you’re still pushing enough bits and bytes through your ISP that if it wants to develop the tools to figure out what you’re up to, it can — and now no law or rule exists preventing it from using that data in whatever way it chooses.

What Is This Tor Thing?

The truly privacy-minded folks out there use advanced internet tools to stay another step ahead.

Tor is the tool of choice for users worldwide — everyone from whistleblowers, to dissenters in repressive regimes, to outright criminals — who have a deep need to conceal their identities and tracks.

Using the Tor browser sends your data over a “random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it’s going.”

Revisiting our imaginary apartment building lobby one last time, Tor is like having that DVD set delivered to your apartment by a delivery driver who has no idea where the package originally came from or what it contains.

Layering advanced security settings with VPNs and anonymizing services like Tor will keep the data of pretty much anyone who isn’t under some serious federal investigation under wraps — but it’s also a heavy ask for the majority of users.

The easiest way to protect the vast bulk of regular everyday internet users from having their data used against them by carriers was the effectively defunct rule the FCC put in place (as of this writing, the resolution awaited only President Trump’s signature).

True: You’ll have to stay vigilant.

Keeping up with what internet companies are doing with your privacy can be practically a full time job by itself. You need to keep up to date with changes to the terms of service of every app, site, and platform you use — and now, you can add your ISP to that list.

It’s not like everything changed on a dime with the loss of this rule. Most of its terms weren’t going to take full effect until the end of 2017, so it’s not like we’re suddenly seeing a reversal in everything your ISP can do. Rather, the future is now very, very open to ISPs using your data, and some of them will be more sneaky than others.

When you next get a notice about a terms of service or privacy policy change from your home or wireless broadband provider, give it a good look. There may be changes in there to the terms about what data they collect, what they do with it, how they store it, and who they share it with and why. The terms may also sometimes include a way to opt out of having your data used, but odds are opting out will have a time limitation, and may not be easy to find.
