ISPs and Internet Privacy

Jake Chanenson

On April 3, 2017 S.J. Res. 34 was signed into law. This resolution provided congressional disapproval of the FCC privacy rules implemented in late 2016. This joint resolution not only overturned the rule, but it now prevents the FCC from making make similar rules in the future. Many people are wondering what this means and how it will affect the general populace.

The overturned ruling in question is a dense 81,485 word document. There is a data security component to the rule, but this article is only focusing on the privacy aspect. S.J. Res. 34 enables internet service providers to bypass consumers’ opt-in consent before selling or sharing their web browsing history, app usage history, geo-location data, financial information, children’s information, social security numbers, health information, MAC addresses, IP addresses, domain name information, traffic statistics, port information, and much more. These privacy protections would not have gone into effect until late 2017.

It’s important to note that telephone operators have similar requirements. Under title 47 section 222 of US Code, phone companies have “a duty to protect the confidentiality of proprietary information of…customers.” For the most part, the FCC guidelines were after the same goal–in fact, the rules were an application of the Communications Act of 1934–except there is a lot more information to protect than just who a customer calls and when, so-called “metadata.”

 

Quick primer on how internet infrastructure works

To understand why the privacy rollback is an issue one needs to understand how internet infrastructure works. An Internet Service Provider (ISP) provides access to the Internet. It is the gateway; one cannot get on the Internet without it. From a device, the data travels to the home router/modem/switch combo which is connected to the Internet service provider. Next, the data is sent to an Internet exchange point and then onto the server that hosts the content the user requested. Once there, the server sends back the requested information the same way but in reverse (Internet exchange, ISP, your device). Obviously, this is a vast oversimplification. Data also passes through a DNS server, many more routers, possibly multiple Internet exchange points, and the route back to the device may be different.

Screen Shot 2017-05-11 at 4.56.57 PM.png

Screen Shot 2017-05-11 at 4.57.09 PM.pngTo reach www.google.com it took 11 hops

 

How bad is it?

Pretty bad. Since an Internet Service Provider is the gateway to the internet, it has the best position to build a complete profile of one’s interests, beliefs, and affiliations based off where they go on the internet.

ISPs can see all of one’s unencrypted traffic. Encrypting one’s traffic offers a little more protection. Even if one encrypts their data by using HTTPS–which isn’t available on all sites–ISPs can still paint a pretty clear picture of what you are doing from an analysis of one’s DNS query information.

Allow me to illustrate, below is a sample DNS query:

  • [2017/04/02 12:34:36] phostreet.com
  • [2017/04/02 12:45:07] maps.google.com
  • [2017/04/02 12:47:52] trycaviar.com

Not a big deal, this hypothetical person is ordering takeout from Pho Street, but try a more sensitive example courtesy of the Upturn Team:

  • [2015/03/09 18:34:44] abortionfacts.com
  • [2015/03/09 18:35:23] plannedparenthood.org
  • [2015/03/09 18:42:29] dcabortionfund.org
  • [2015/03/09 19:02:12] maps.google.com

Additionally, encryption is only so effective. One can make a pretty good guess about what the content is like looking at what port it’s going into (25 is email and 4070 is Spotify), the timing, destination, and the size of the packet.

However, the biggest issue is the regulatory gap on ISPs. Congress claims that the Federal Trade Commission should regulate ISPs. However, ISPs were reclassified as a common carrier back in 2015 meaning that the FTC has no authority over them. It is repeal without the replace! Which is good for the ISPs because it lays the groundwork to repeal net neutrality.

 

Why is this an issue? Isn’t Congress leveling the playing field for ISPs so they can compete with Google and Facebook?

Yes, and you are already tracked extensively while browsing the web. (see the gif below). However, it is an issue of choice. Google and Facebook only see the traffic you direct to them. One doesn’t have to use either service. In addition, there are free extensions like Privacy Badger (https://www.eff.org/privacybadger) that stop third party trackers from secretly tracking a person’s web activity. That option does not exist with ISPs. As per an earlier section, one cannot simply decide not to use an internet service provider. A VPN–more on that later–is the only line of defense.  

Screen Shot 2017-05-16 at 10.48.24 AM.pngI visited 17 sites in the initial research for this article. In doing so, I was connected to 325 third party sites. The lines that turn purple are the third party sites that were tracking me.

 

Why you should care

In doing my research for this article, I was surprised at the techno-illiteracy of the Radnor High School student body. Many were unaware that of the extent to which they were being tracked, and the strategies one can employ to thwart the tracking.  A common question asked while interviewing students was “why should I care if I am tracked?” Or from my staunch the-right-can-do-no-wrong brother, “If you’re not doing anything wrong, what do you have to hide?”

As Bruce Schneier–a fellow at Harvard’s Berkman Center–put it: “privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.” Clearly, the founders understood this when they created the 4th amendment.

 

What can you do about it?

You, dear reader, will do nothing. I asked 137 Radnor students “do you do anything to protect your data online,” 96% said no. That is for simple stuff, like installing an extension for your browser. I myself am guilty of this. To go the whole nine yards, one would have to eschew many mainstream services–like Google products or Dropbox–and find privacy conscious alternatives. Most options end up as do-it-yourself, such as setting up your own email server and cloud storage or using a service that cares about privacy. These services usually require one to pay a fee because the access isn’t being subsidized by the sale of one’s data. In the words of one online commentator, “if it’s free you are the product.”

I digress, if you are interested in taking steps to preserve your privacy, you can buy a VPN. There are free ones, but many have drawbacks such as data caps, slower speeds, minimal to no support, and they can be less secure. In essence, you pay for what you get. Regardless of which option you choose, VPNs have drawbacks. For example, Netflix doesn’t allow users to use a VPN with its service. In addition, you can use a different DNS from the one your ISP provides. Google’s Public DNS (https://developers.google.com/speed/public-dns/ ) is a good alternative.