Back in 2014, 3.7 million Americans submitted comments to the Federal Communications Commision (FCC), stating loudly and clearly: We don’t want Internet service providers (ISPs) like Verizon, Comcast, or AT&T spying on or controlling how we use the Internet. Their voices convinced the FCC to update privacy rules that would prevent ISPs from spying on Americans or selling their data. Simply put, these rules were a huge win for Americans’ privacy online and continued the decades-long tradition that your communications provider must have your permission before using your data.
But last week, at the behest of the cable and telephone industry, Senate Republicans voted along party lines to abolish those rules. If the House votes the same way the Senate did this Tuesday, the consequences for Americans’ privacy online will be disastrous. ISPs will be able to spy on web browsing, install spyware on phones, and sell data to advertisers—all without customers’ permission. Here are just a few of the potential consequences for Americans if they don’t stop Congress now:
ISPs could sell your data to marketers
It’s no secret that many ISPs think they’re sitting on a gold mine of user data that they want to sell to marketers. What some people don’t realize is that some are already doing it while the law is unclear on the legality of the practice. However, they’ll be forced to stop if the Obama-era FCC consumer protections go into effect.
According to Ad Age, SAP sells a service called Consumer Insights 365, which “ingests regularly updated data representing as many as 300 cellphone events per day for each of the 20 million to 25 million mobile subscribers” whose data is fed into SAP’s service. Who is selling SAP their customers’ data? Ad Age says “SAP won’t disclose the carriers providing this data.”
In other words, mobile broadband providers are too afraid to tell you, their customers, that they’re selling data about your location, demographics, and browsing history. Maybe that’s because it’s an incredibly creepy thing to do, and these ISPs don’t want to get caught red-handed.
You could pay more for privacy
Back in 2013, AT&T introduced a plan called “Internet Preferences” for its GigaPower fiber Internet service. As part of the plan, customers could either agree to allow AT&T to snoop on their traffic, or pay from $30 to nearly $100 extra a month to opt out and preserve their privacy.
AT&T did this despite having a legal duty to protect your confidential information under Section 222(a) of the Telecommunications Act. The company only discontinued the program last September, shortly before the FCC passed its privacy rules. If the House succeeds in repealing the FCC’s rules, you can be sure that pay-for-privacy plans like this will start popping up all over.
ISPs can snoop through your traffic
ISPs have every incentive to snoop through your traffic, record what you’re browsing, and then inject ads based on your browsing history. Plenty of ISPs have done it before—AT&T did it on some of their paid WiFi hotspots; Charter did it with its broadband customers; and a smaller ISP called CMA did the same.
Remember, these companies carry all of your Internet traffic and can examine each packet in detail to build up a profile on you, which they can then use to inject even more ads into your browsing experience.
Recording software could be installed on your phone
When you buy a new Android phone, you probably expect it to come with some bloatware—apps installed by the manufacturer or carrier that you’re never going to use. You don’t expect it to come preinstalled with software that logs which apps you use and websites you visit, and sends that data back to your ISP. But that’s exactly what was uncovered when security researcher and EFF client Trevor Eckhart did some digging into Carrier IQ, an application that came preinstalled on phones sold by AT&T, Sprint, and T-Mobile.
Simply put, preinstalled software like Carrier IQ gives your ISP a window into everything you do on your phone. While mobile ISPs may have backed down on using Carrier IQ in the past (and the situation led to a class action lawsuit), you can bet that if the FCC’s privacy rules are rolled back, there’ll be ISPs be eager to try something similar.
All of your web browsing could be tracked
In 2014, Verizon Wireless decided that it was a good idea to insert unique tracking tags into all of its mobile customers’ traffic, and didn’t bother to explicitly tell their customers ahead of time. In other words, Verizon was adding tracking cookies into peoples browsing, so that they could be monitored even more easily.
But it gets worse. Initially, there was no way for customers to turn this “feature” off. It didn’t matter if you were browsing in Incognito mode, using a tracker-blocker, or had enabled the browser’s “Do Not Track” feature: Verizon ignored all this and inserted their tracking tags anyway. As a result, anyone—not just advertisers—could track you as you browsed the web. Even if you cleared your cookies, advertisers could use Verizon’s tracking tag to resurrect them, which led to something called “zombie cookies.” If that doesn’t sound creepy, we don’t know what does.
The good news is that Americans can keep all of these practices from coming back from the grave. They just need to raise their voices and tell Congress that they value their legal right to privacy—and that they won’t sit idly by while Comcast, AT&T, Verizon, and others try to erase a monumental victory for consumers’ online privacy rights.
Jeremy Gillula is senior staff technologist and Ernesto Falcon is legislative counsel at Electronic Frontier Foundation.