Everything you need to know about Congress’ decision to expose your data to internet providers

A joint resolution has just been passed by both houses of Congress and all but signed by the president, reversing the Broadband Privacy Rule, a piece of regulation from the FCC that made some inconvenient changes to the ways internet providers can collect and sell the data they collect on consumers. But what exactly can they do now that they couldn’t last week?

Well, I’ve got good news and bad news. The good news, such as it is, is this: Congressional Republicans (most of them; 15 representatives voted against, it’s worth mentioning) initiated this joint resolution in a great hurry because the privacy rule hadn’t actually taken effect yet. So technically you’re not losing any protections — they’re just preventing you from getting them in the first place. I’ll come back to that, but for now let’s look at the facts around what these protections would have been, had Congress permitted you to enjoy them.

What was the rule, exactly?

The Rule, as I’ll call it (the full name is pretty cumbersome), updated existing requirements for broadband internet providers in a few major areas. Under the Rule:

  • ISPs are required to be transparent about what data they collect, how they use it and with whom they intend to share it.
  • ISPs must get advance permission from consumers (i.e. users must opt in) before using “customer proprietary information.” That’s a category defined by the FCC and encompasses what you would normally expect to be protected — medical data, social security number — and adds information that is not inherently personal but the large-scale tracking of which most people would disapprove of: web browsing history and application usage history. (This is the part that’s gotten the most coverage.)
  • ISPs must take “reasonable measures” in security terms to protect that information, and in the event of a major breach (more than 5,000 accounts affected) must inform various parties, and the affected consumers, within a week.
  • No providing price breaks for lower privacy measures — for instance, lowering monthly charges if a consumer agrees to be tracked.
  • Notice was given (but no actual rule yet proposed) that the practice of forced arbitration, which limits the legal means consumers have for redress to companies’ internal processes, was soon to be reviewed as well.

OK, so now ISPs can do all that stuff?

Kind of. Bear with me for a second.

The primary argument for repealing these rules was that the Federal Trade Commission already does this privacy protection stuff, and has for years. And it’s kind of true! The FTC is in fact on the job when, say, Target’s loyalty card system gets hacked, or if Facebook or Twitter were colluding against its users. And it still is. But in 2015, the FCC exerted authority specifically over internet providers, taking them out of the FTC’s jurisdiction.

The Rule we’re talking about today — based on the FTC’s rules and on the Obama administration’s Consumer Privacy Bill of Rights — was meant to quickly fill that regulatory gap, and augment it a bit with ISP-specific things like browsing history, which the FTC didn’t consider as needing protection.

The repeal of the Rule is, ostensibly, to put it all back in the hands of the FTC. But here’s the thing: Right now, the FTC is legally barred from regulating ISPs! The FCC’s move in 2015 actually made room for the FTC to step in when problems were happening on the business side of the ISP — for example, price-fixing at a national level. But a recent court decision (which really no one likes, for the record) put ISPs solely in the jurisdiction of the FCC.

Get it? Both the FCC and the FTC are now barred from making privacy rules for ISPs. There’s no cop on the beat whatsoever!

Technically the FCC still has some residual authority over telecoms, but the current commission has made it clear they don’t consider ISPs telecoms, so they won’t exert it. In other words, right now, ISPs have a pretty free hand when it comes to their subscribers’ data. They’re not going to go hog-wild, of course — this power vacuum will only last until the FCC gets around to reversing its 2015 decision, putting the FTC back where it was before.

But in the meantime, yes, they can get away with quite a bit:

  • ISPs can record and sell your browsing history, data on which apps and services you use and so on.
  • ISPs don’t have to tell you what they collect or who they sell it to beyond what they volunteer to say in their privacy policy.
  • ISPs may or may not be required to notify you in case of a breach (this differs state by state).
  • ISPs can still force you to resolve complaints or violations in their internal system via forced arbitration.
  • ISPs could give subscribers a discount for agreeing to share personal information — but why bother when they get it for free?

It’s also a great time to experiment with invasive practices like ad injection and supercookies, and questionable ones like zero rating. Why not, right?

They’re not going to do anything that will get them in trouble with the FTC later, but the ISP-specific improvements made by the FCC aren’t coming back any time soon, as we’ll see later. And it’s unlikely that the FTC will adopt similar rules, since that would be like admitting this one was a good idea in the first place.

But don’t Facebook and Google see more anyway?

Facebook, Google, Amazon, Netflix and a hundred other services online also track you as closely as they can, it’s true. That’s the other big argument against this rule: Why enact these more stringent regulations for ISPs while edge providers (as they’re called) get away scot-free?

Well, the answer is threefold.

First, they’re not getting away with anything. Most edge providers are still under the FTC’s jurisdiction, since they’re not broadband providers. A big exception is Alphabet/Google, which gets to play the ISP card because of its Fiber service. But as we noted before, that court decision doesn’t make anyone happy and probably doesn’t have long to live.

If people were really worried about the privacy threat of edge providers, well, the FCC is the wrong tree to bark up. They’ve got nothing to do with each other.

Chris Ratcliffe/Bloomberg via Getty Images
Second, ISPs may not have the same window as Facebook on your activity, but they have a unique and broad one. They can’t see what you do on Google (generally, queries and content are encrypted), but they can see that you went from Google to the WebMD page for a certain affliction, spent 15 minutes there, then to your healthcare provider, then the page of a local clinic, then your credit union. What information would you draw from that? Now imagine you have a few million more data points and a big team of machine learning experts ready to help.

The metadata you produce from ordinary activity on your home internet connection can paint a disturbingly accurate picture of your life, from your shopping preferences to your medical woes. And, of course, the things you carefully keep hidden in incognito mode are still visible to your ISP.

Data collected by ISPs is different from what’s collected by edge providers, but as a piece of the puzzle that is your online habits and persona, it’s very valuable nonetheless.

Third, users of services like Facebook and Gmail have other options. People make conscious decisions to limit what they post online, or to use an email service that doesn’t harvest data for ads. They’re aware, in using these services, that they are trading a bit of privacy for a free service. That isn’t the case with ISPs.

Not only are users unable to control what traffic the ISP sees, but frequently they have no alternative; no Protonmail, no DuckDuckGo, no Signal. Much of the population gets to choose between two or three providers if they have any choice at all. This lack of choice puts ISPs in a different category from edge providers.

So while privacy threats do come from many directions, ISPs are no exception, and, in fact, constitute a special case that, arguably, deserves special rules.

What can I do to protect myself?

Not a lot, honestly.

HTTPS Everywhere is a good start — that makes sure that when you connect to a website, you use a secure connection that, apart from the base URL, the ISP can’t snoop on. Other anti-tracking software (Adblock, Disconnect, etc.) will primarily affect what edge providers know.

VPNs are often suggested as a way to disguise your traffic, and they work, but you have to pay for them (I can’t recommend any free ones, at least).

Log into your account at your ISP and look through the options — you might be able to opt out of certain practices. You can try calling too, to see what you can get out of them on the phone. But keep in mind their hands aren’t really tied and their privacy policies are largely voluntary.

Are we all just up the creek forever, then?

It’s hard to say for certain, but things are going to get worse before they get better.

See, the FCC’s rule was debated and tweaked for much of last year but only passed just before the election, with the various requirements it contained scheduled to enter effect over the next year. (Some considered this to be politically motivated, but the alternative seems to be that the FCC just does nothing during election years in case there’s a reversal of power, which is ridiculous.)

Congress had a little help here from the new FCC chairman, who gamely rescinded the parts of the rule due to come into effect in early March. Had he not done that, you would be losing some protections. But he did, so you never got them. And the bad news is you probably never will.

But because of the timing, the repeal was performed under the Congressional Review Act, which is a balance-of-power thing that lets Congress revisit recent legislation from the latter days of the previous administration and reverse it. It’s sort of so a party in power doesn’t just pack its final days with all kinds of mad bills that remain law even if power changes hands.

Using the CRA has the additional effect of preventing similar legislation or rules from being proposed again — it’ll take another act of Congress to make it legal to do that again.

Before that happens, you can expect the FCC and Congress to roll back the order that established the former’s authority over ISPs and enacted net neutrality rules. So not only will it be a few years, but we’ll have that to deal with, as well.

Why would they do this?

It’s an easy play for Republicans in Congress (this didn’t have to be a partisan issue, but it ended up being one) to both stay in the good graces of the truly enormous ISP and telecoms lobbies, while simultaneously saying they’re standing against bloated bureaucracy and the Obama administration. Big internet providers are the undisputed winners here, with conservative members of Congress coming a close second. They sold you out, plain and simple.