Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Congressional Republicans Kill FCC ISP Privacy Rules

The Republican majorities in the United States House and Senate have voted to roll back Obama-era privacy rules for ISPs. The legislation is now headed to President Trump, who has indicated that he will sign it.

The rules set down by the Federal Communications Commission would have restricted your Internet service provider from collecting and selling your Internet browsing history to support advertising networks.

However, contrary to what many outlets are reporting, this rule rollback changes little, because the rules were never fully implemented in the first place. The FCC first approved them in October 2016, and they were set to go live later in 2017, but new FCC Commissioner Ajit Pai quickly halted implementation. However, this new legislation may embolden ISPs to expand existing data collection programs.

ISPs disliked the rules, arguing that they put them at a competitive disadvantage with online services like Facebook and Google. Bob Quinn, a senior vice president of external and legislative affairs for AT&T, said in a blog post, “If the government believes that location data is sensitive and requires more explicit consumer disclosures and permissions, then those protections should apply to all players that have access to location data, whether an ISP or edge player or search engine.” In a statement, the American Cable Association said, “ACA strongly supported Congress’ intervention to reverse the harms associated with the FCC’s unwarranted and burdensome broadband privacy regulations that singled out ISPs while exempting giant Internet edge providers, who have as much, if not more, access to similar consumer data.”

Ajit Pai isn’t entirely against Internet privacy regulation. He has consistently stated that all online service providers, including ISPs, should be subject to equal rules enacted by the Federal Trade Commission. However, as Jeff Dunn of Tech Insider explains, the fact that ISPs are now considered to be “common carriers” complicates that, since the FTC has limited power over such companies. Even if Republicans were to roll back the 2015 Open Internet Order that classifies ISPs as common carriers, firms that also offer phone services, such as AT&T and Verizon, will still fall under common carrier status.

There is one small hope left for the FCC rules: petitioning President Trump directly. Many of his fiercest supporters on Reddit are angry about the legislation, leaving open the possibility that Trump may veto it. But don’t hold your breath.

There’s also the possibility that states will enact their own privacy rules — Minnesota is considering its own measures. If enough states pass such regulations, they may act as de facto national policy.

Regardless of whether or not the rule rollback will actually change anything, what can you do to protect your privacy online? As longtime Internet activist John Perry Barlow once wrote, “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”

The best option, if it’s available to you, is to use an ISP with a strong privacy policy. In the United States, Sonic and XMission are widely celebrated for their dedication to user privacy. Unfortunately, the U.S. broadband market isn’t very competitive, so you may not even have a choice of ISP. If you do, small local ISPs are likely to see a focus on privacy as a competitive advantage, and most probably don’t have enough customers to make that data valuable anyway.

Another easy thing you can do is use encrypted HTTPS connections to Web sites when possible. When you’re browsing with HTTPS, your ISP can see which sites you visit, but not what you see or do on them. The Electronic Frontier Foundation offers a browser extension called HTTPS Everywhere for Chrome, Firefox, and Opera that forces an HTTPS connection whenever it’s available.

(The Take Control Web site defaults to HTTPS, as Adam wrote about in “Why Take Control Was Briefly Labeled “Not Secure”” (23 March 2017). You can use the TidBITS site via HTTPS by merely changing the URL, but we don’t currently set HTTPS as the default. That’s because it causes a few problems, such as with displaying images in the print view. We’re looking into fixing that.)

Another option is a virtual private network (VPN), which tunnels all your Internet browsing through a secure connection. Your VPN provider could snoop on your browsing just like an ISP could, so it’s up to you to decide if you trust them or not.

If you’d like to try a free VPN that’s trivially easy to set up, the Opera Web browser now features a built-in VPN. Quincy Larson wrote a Medium post explaining how to enable it and other privacy features in Opera. I’ve been experimenting with Opera and have been pleasantly surprised by its speed and features. Note that using Opera’s built-in VPN protects only your Web browsing, not any other Internet traffic.

The Internet anonymizing service Tor is more trustworthy than a typical VPN, but it’s slow, will likely draw the attention of intelligence agencies like the NSA, and can bring with it other unintended consequences (see “Why I Was Banned from WATCH ABC and Hulu,” 13 March 2014).

For more information, Joe Kissell’s “Take Control of Your Online Privacy” will tell you all you need to know about defending your Internet privacy. Joe is currently working on the third edition, which will have up-to-date recommendations for VPN services, and anyone who buys the second edition now will get a free upgrade to the third edition when that comes out in a few weeks.


Backblaze is unlimited, unthrottled backup for Macs at $5/month.
Web access to files means your data is always available. Restore
by Mail allows you to recover files via a hard drive or USB.
Start your 15-day trial today! <>

Comments about Congressional Republicans Kill FCC ISP Privacy Rules
(Comments are closed.)

A-10 Pilot  2017-04-03 16:12
Kudos for writing the first fairly balanced article on this topic...a refreshing change from the pearl-clutching-followed-by-a-case-of-the-vapors you usually get from both sides.
Josh Centers  An apple icon for a TidBITS Staffer 2017-04-03 17:25
Thanks for noticing! I put a lot of thought into making sure it was accurate and fair.
gastropod  2017-04-03 17:11
Nice balanced article.

Also canceled are the pending rules that ISP would be required to take steps to prevent customer info from theft and other data breaches, and to notify customers when info is stolen.

Opera is now Chinese, which might concern some users. TunnelBear gives you 500 MB free per month, and it protects all net traffic not just the browser. I've had it eat battery on the iPad if some Background updates are turned on (e.g. Signal), but that's a chatty iOS problem, not a VPN problem.

Krebs has a good article on VPNs. He doesn't say which he uses, but gives a hint to narrow it down to about 5, none of of which I've seen on 'X Best VPNs!!!' lists. If you sort the comparison list he links to by 'Technical Serv Conf' it's easier to eliminate the chaff. (But then you have to trust that data!)
Josh Centers  An apple icon for a TidBITS Staffer 2017-04-03 17:27
Yeah, I was leery of Opera for a while due to Chinese ownership, but I've been pleased with its privacy features so far. With Safari combined with other adblockers, I still see those creepy targeted Amazon ads, but I haven't seen any with Opera. A lot of the most trusted VPNs are based in Hong Kong, which falls under Chinese jurisdiction anyway. Sadly, every solution has drawbacks.
gastropod  2017-04-03 20:43
I'm cautious of China mostly because of their track record on food safety. If their companies have been willing to poison even their own population for profit, how good is the handling of mere privacy going to be? But it's probably more of a problem for people who have ties of some sort to China.

I've only started checking the many entries on That One Privacy Site, but so far two with good rankings are in Sweden. EU has some good data privacy laws, and some even get enforced. If we're primarily foiling ISP bad behavior, jurisdiction is probably less important than the ethics and technical competence of the VPN, but sadly, ethics are hard to determine unless they get caught. At least there's lots of competition, so unlike an ISP it's easy to switch. Good Ars Technica article from last year:
JohnB (SciFiOne)   2017-04-04 15:37
Unfortunately, Xmarks does not support Opera.
Angusmacg  2017-04-04 18:05
I'm glad you wrote this piece. A lot of fear mongering and blaming Trump going on (some of which is fair but not in this case IMO). You provided a fair view of the before and after so it's refreshing to see someone do actually reporting without the sensationalism
tom powers  2017-04-05 17:37
I don't know whether you want to go to the basis of this whole problem, but here goes: Why ISN'T an ISP a 'common carrier?'
Since ISPs are so rarely in a competitive situation, why aren't they treated as regulatable monopolies?
I try to avoid Google, and absolutely avoid Facebook. I cannot avoid my ISP, Verizon (who apparently wants to segment their corporate structure to not let the curse of 'telephone' draw their 'immune' businesses under regulation).
The FTC couild regulate ISPs, but on what grounds? The FFC could have on very firm grounds: get the content out of the carriers like they did in the telephone days.
Curtis Wilcox  An apple icon for a Friend of TidBITS 2017-04-06 07:41
ISPs ARE classified as common carriers, as this article states. It's a relatively recent change made by previous FCC head Tom Wheeler, primarily so the FCC could implement pre-net neutrality regulations but it also resulted in the FCC being responsible for privacy regulation of them instead of the FTC.

I agree that mega-corps that own much of the content and the broadband means of distribution are very concerning but I don't think customer privacy is a main issue there.
tom powers  2017-04-06 10:52
Okay, perhaps I overstated. Perhaps the question is "why aren't the ISPs being treated as if they were 'common carriers,' if that's what they are. With repeal of net neutrality rules pending, the literal categorization is becoming moot.
Josh Centers  An apple icon for a TidBITS Staffer 2017-04-06 11:13
They are common carriers, at least under current rules. Geoff Duncan has been writing about this for us for years.

Here's Geoff on the Open Internet Order (I should have referenced this in the article):

It was a huge shock when the FCC actually did it. Here's discussion of why the FCC was hesitant to do it.