Can ISPs Sell Your Data?

The age old question is explored in depth, can ISPs sell your data? The answer, surprisingly, is yes.

Can ISPs Sell My Data? Inquiring Minds Want To Know

The questions, can ISPs sell your browsing history and is my ISP watching me, are easy to answer but the answers may not please you. In some cases yes and in others no, it just depends on where you live. In the US, after a landmark reversal of policy, ISPs may now collect and sell data that is deemed non-identifying. The rules, put in place by the Obama administration, would have required ISPs to get your permission before collecting your data. AT&T, Comcast and Verizon have all stated they will not sell data to third parties, they didn’t say they wouldn’t collect and use the data, or distribute it within their own umbrella of businesses.

The privacy rules were first put in place by FCC Chairman Tom Wheeler under the authority of the FCC. He claimed jurisdiction by reclassifying them as a common carrier and lumping them into the same category as the phone company. If you’re confused by this don’t worry, it is confusing because many if not all of the “old” phone companies are also offering broadband services over the same networks. In some cases regulation comes down to how the Internet connection made as in the case of cable. Cable internet is classified as an information service and largely free of regulation while DSL was once considered a phone service.

Prior to the reclassification broadband carriers were regulated by the FTC. Unfortunately for the FTC a Federal Court ruling says they have no jurisdiction over broadband anymore because the net neutrality rules passed in 2015 classifying it as a common carrier. Common carriers are regulated by the FCC, now any business offering common carrier services is exempt from FTC oversight.

But They Have To Collect Data

ISPs not only have access to all the data being generated on the Internet, they have an obligation to track and monitor it. They have to do it on the DNS end of things to make sure the network is running properly and not being abused, they have to do it on the security end as well to make sure they can protect against attacks. The issue at hand is really a matter of what they are allowed to collect, how they store it and what they do with it. The difference between the ISPs and the websites that collect your data is this. When you go to a website like Facebook or Google you are willingly and knowingly, more or less, allowing them to track you in exchange for their service. You have no choice when it comes to your ISP. You have to use them to get to the net, and you’ve already paid for the service.

Can ISPs sell Internet History?

Congress invoked its Congressional Review clause in order to make the repeal. The clause allows congress to review and revoke regulations put in place by federal agencies if they so choose. One of the outcomes of the review is a stay on any new rules of the same type without similar congressional approval. This means no new FCC chairman can enact privacy rules on his or her own authority and broadband providers can’t be labeled common carriers unless approved by majority vote.

What many don’t realize is that Congress act to repeal Internet privacy rules did little to affect the way the Internet worked. The rules weren’t scheduled to go in place until December of 2017; no one was following them anyway. There were no significant impediments to an ISP collecting data and then using the knowledge to profit, and there are none now.

The FCC has retained the right to take action against broadband providers if they engage in unjust or unfair practices. The new rules set a level of expected conduct with after-the-fact enforcement for those breaching the guidelines. Proponents of the new rules say it’s all moot because it’s in an ISP’s favor to handle your data properly or face financial loss.

The real problem is that more and more ISPs are offering services across the net and operate platforms where advertising can be displayed. Unlike a website that can track when you log on, where you log on from and what you do while you’re there an ISP can track everything you do and build a detailed profile of you, your family and your habits and then sell ads space or databases on a targeted basis. Internet based companies like Google and Facebook are opposed to ISPs collecting and selling data because it puts them at a severe disadvantage as they have limited access to information that ISPs have maximum access too.

The HTTPS protocol helps alleviate some concerns but does not alleviate all concerns. HTTPS is an improvement on the old HTTP which is the protocol for how we name and address websites. The S stands for secure and means the connection is secured by some form of encryption. This means that an ISP can’t see what you are doing when you are on a website but it can still see which websites you go to. A visit to a medical website, a social services website and a ride-share application could easily add up to highly sensitive personal information. Add to this information on where you bank, your political views, sexual orientation and other proclivities the risk of your ISP harming your security only grows.

Because no new rules can be put in place without Congressional approval it will literally take an act of Congress to do anything to control an ISPs’ collection of data. Of course, with today’s advanced data mining techniques and widespread availability of legal and illegally obtained databases it doesn’t take much for any business to do that. Social engineering, the use of data to control and manipulate situations or people, is growing problem and made easier by the detailed amounts of data ISPs are able to collect.

Internet Privacy Has Been A Problem Since Day 1

Do ISPs sell data? Not as often as you might think but they do engage in the practice of monitoring your traffic. It is in fact in their favor to behave properly, no one wants to use an ISP known to sell your secrets to anonymous third parties, which is why they try to keep the data anonymous. This doesn’t mean that no one is collecting because they are. Most websites you visit will collect some form of data, sites like Facebook and Google are in business to collect your data. They use it to build vast databases of information they use to sell targeted audiences to advertisers and organizations with a message to spread.

The problem of Internet privacy, data collection and who can collect data had been slowly simmering for some time, staring with the Madison River Investigation. This was the first case of the FCC trying to enforce net neutrality rules on broadband providers but did not result in long lasting legislation. Madison River Communications was suspected of blocking voice over IP VOIP (Skype) traffic but the case was dropped before any facts were ascertained. The company agreed to quit blocking traffic and pay a small fine if the FCC would drop the investigation.

Comcast brought the problem to a boil when it was caught throttling Internet traffic. The broadband provide monitored traffic to target users and websites that put undue strain on their network. They used the information to slow traffic to and from users and businesses in order to free bandwidth for other users. These applications included streaming media and file sharing services like TOR. A few users discovered the throttling in 2007 and brought the matter to court. Comcast was censured by the FCC and ordered to cease the practice but that decision was later overturned but the FCC lacked sufficient authority. The decision later led to the reclassification as a common carrier.

AT&T is admittedly guilty of monitoring traffic and using their position as broadband provider to extort higher prices. The company began a policy in 2013 that required an extra $29 fee for fiber optic connection unless customers opted into a program that allowed their habits to be tracked for the purpose of targeted ad placement. The program was terminated in 2016 shortly before the FCC had finalized its new privacy rules, the rules Congress just threw out the window. Charter, a cable company and ISP, had plans for a similar system in 2008 but scrapped it before implementation due to heavy criticism.

Also in 2013, a company called CMS Communication, a rural TV and broadband provider servicing Texas and Louisiana, was caught slipping ads on top of their subscribers’ content. One such Internet user, a computer scientist, said he first thought Apple.com had entered into a bad cross-marketing campaign, and then that he had somehow downloaded a virus. Both thoughts paled to the horror he felt when the realization struck his ISP was watching what he was doing and serving unsanctioned ads. After doing some in depth analysis he determined that the ISP was acting as a sort of man in the middle, using a single line of code to hijack web connections and route them through an ad server. The server belongs to a company calling itself R66T, pronounced Root 66, a business partnering with ISPs to serve targeted ads.

Verizon Wireless customers browsing is tracked by an online clearinghouse for the purposes of serving up targeted advertising. Customers can opt out of the system if they want, or opt-in to specialty plans the allow them to earn rewards for viewing ads. The service is part of the AOL Advertising Network and will share you identifying information with their partners and affiliates. From the web page:

“We do not share information that identifies you personally as part of these programs other than with vendors and partners who do work for us. We require that these vendors and partners protect the information and use it only for the services they are providing us.”

At least they make their vendors and partners promise to use your information the right way.

T-Mobile’s website terms of use and privacy policy is scary, it’s more of a non-privacy policy. They clearly state that they do collect data about you. This data includes personal information such as name and date of birth, contact information like emails and addresses, credit and financial information including social security numbers and account numbers and your network and device information including the machines you use, the websites you visit and applications you use. They use the data for a lot of truly respectable things like verifying your accounts and billing but they also use it for targeted advertising and in either case your privacy and security have been compromised.

These abuses are not limited to US providers. In 2011 the Tunisian government was found to have infected a password grabbing bit of code targeting Facebook accounts. It would steal passwords whenever Facebook was accessed from within the country in order for monitoring of subversive elements within the population. Facebook got wise to the scheme and made the site available over HTTPS and preventing further abuses.

A Solution No One Talks About

You can enhance your data security with VPN. VPN is Virtual private network and a solution for Internet privacy and security that no one talks about. It is a means of securing connections for sensitive data transfers and comes with many side benefits. A few of these include masking your IP address, evading geodetection / georestriction, encrypted transmissions and anonymity on the net. In the case of your ISP and its collection of your data, VPNs make it highly unlikely they will be able to collect anything more than that some user, somewhere has made a connection through their gateway and it goes to some place on the Internet.

Imagine a huge water pipe, that’s the flow of Internet traffic through your ISP’s gateway. If you want to use it you have to connect to it, when you connect to it they are able to monitor everything you do (not saying they do necessarily but you never know). Now imagine inserting a hose through the pipe. The hose has no markings, no identifying features and is not traceable to its origins. The hose is camouflaged to look like all the other water flowing through the pipe but is able to bypass monitoring stations and connect to its end point without interference. This is what a VPN does for you.

The VPN was created during a period spanning the late 70’s into the early 80’s in response to growing widespread use of the Internet. Before that time most computer networks were local networks and only accessible by direct access. When the Internet Protocol came along it allowed remote users to access local networks over the public phone lines. This was a great advancement as it allowed users to access and share data with the home network from anywhere a phone connection could be established. The only problem was security. Public phone lines and sensitive information were a recipe for disaster and led to the rise of rampant Internet crime as we know it today.

To combat this problem teams at DARPA and within the private sector developed a number of different technologies. One allowed for direct / secured connection to dedicated servers, another masked IP addresses and yet another included encryption. None of them quite managed to solve all the problems faced by governments, military and businesses who relied on the net. The solution turned out to be a combination of these technologies that have now become known as VPN.c

In the early days of VPN it took advanced knowledge of the Internet and the resources to set up and operate a VPN network. Today VPN is commercially available with subscription and sometimes even for free. The caveat though is free VPN really isn’t free. Sure, it may protect you from outside influences but that’s only so they can monitor and log your data without competition. A paid VPN service dedicated to preserving the principles of a free, unrestricted, safe and open Internet is a much better choice and often very inexpensive.

Simple VPNs allow for safe and anonymous surfing of the net. The only people who will know you’re surfing are the sites you visit and only if you log on to them. Even then they won’t know where you are, not really, because your computer will display a different IP address assigned by the VPN server. More advanced VPNs add additional layers of security with encryption and packet verification to ensure information goes to the right place and can only be used by the right websites.

Le VPN is a leading provider of VPN services for home and office. With servers in 100+ locations, their network has the coverage to meet the needs of virtually all Internet users. The service can be used with PC or Mac, iOS or Android, Desktop, laptop, mobile and can even be installed on a router for whole-home protection. If you’re worried about your ISP collecting and selling your data you need a VPN. You know they’re out there right now tracking you read this blog post… don’t let them do that anymore, get Le VPN.

*Article Updated On January 16th, 2019.*