US Senate bill to allow ISPs to sell user data

author Maximilian Holm, about Online Privacy

On March 27, the U.S Congress voted to pass S.J.Res.34. This resolution aims to nullify the rule Protecting the Privacy of Customers of Broadband and Other Telecommunications Services that passed on the 2nd of December. In effect, this gives way for Internet Service Providers to freely sell your information to the highest bidder.

ISPs to sell user data

The intent of the rule that was passed in December was to create a new set of regulations for ISPs, whose increasing attempts to overstep their customers' right to privacy, left a bad taste in everyone's mouth. For example, back in 2014, Verizon was caught injecting trackers — often referred to as zombie cookies or super cookies — into their customers' web traffic. This tracker was almost impossible to detect, and even harder to remove, as it was performed on the server-side. This tracker then allowed third-party advertisers and websites to get a personal and permanent profile of their visitors.

The rule that this resolution nullifies was passed in December 2nd of 2016. Before then, this rule did not exist, and regulations were handled by the Federal Trade Commission (FTC). This is how ISP:s were legally allowed to inject so-called zombie cookies into their customers' data, as the FTC:s has much less stringent rules about privacy. This resolution is just the latest in the in the tug-o'-war between the democrats and the republicans about net neutrality, and is a lash-back from the ruling back in 2015 where ISP:s were re-classified as common carriers, and were instead moved to fall under the jurisdiction of the FCC. A move that gave them stricter regulations and prevented them from prioritizing or throttling traffic to certain services. This latest resolution, therefore, aim to shift power back to the FTC, freeing the shackles of ISP:s, once again allowing them to slowly gain back the ground they lost in the war against net neutrality.

What's frightening about this resolution is not that it nullifies a newly created rule that had not yet gained traction. What's frightening is rather that the resolution prevents the Federal Communications Commission (FCC) to pass new regulations in the future, and shifts the winds of net neutrality back in the wrong direction. What's even more frightening is that it sets a new precedence. It sends the message that the US government does not care about consumer privacy and that they completely support the ISP:s effort to gather whatever information they can about their consumers to sell to the highest bidder. This allows Internet Service Providers to once again take up the fight against net neutrality with renewed vigor, and unfortunately, it is a battle they very well may win in the four-to-eight years to come, with the support of a government that has openly proclaimed their hatred against net neutrality.

As a matter of fact, not even a week after the joint resolution passed, Verizon revealed their new app that will come pre-installed on all Android phones for Verizon customers, called AppFlash. AppFlash will, according to Verizons privacy policy:

Collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device. With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.

[...]AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services and devices.

Essentially, the app gives access to everything Verizon customers may use their phone for in order to build an extensive profile about them. This information can then be shared with anyone, as per their own privacy policy.

While this resolution — in theory — does not change any laws, it is the wet dream of every ISP in the USA who wish to make more money fast. Various Telecommunication companies have been lobbying for less regulations for years, and the reason is simple: There is a lot of money to be made in selling your information to advertisers and marketing companies. In fact, targeted advertisement is how both Google and Facebook makes their money so, why would Internet Service Providers not want a part of that cake?

Any company that advertises as being free to use has to make their money somehow. They are, after all, a business, with very real expenses. The difference is that ISP providers are not free — you pay them to use the Internet. By then turning around to sell their customer data, they are essentially double-dipping. Not only are you paying them to provide you with Internet access, you're also paying them to sell information about your health, your financial situation, your family, relationships, children, sexual preferences, kinks, and more. Information that by all measures should belong to you, and you alone. It should not be freely shared with, nor sold to, third-parties you did not approve of.

While you can make Google and Facebook blind by simply not using them, it is a lot harder to simply "not use" the Internet. Additionally, not everyone has the luxury of being able to simply switch to an ISP provider that does not sell your information. A lot of people may only have one or two choices, and if both of them freely sell your information, you have to choose between either accepting that they can and will sell your information, or be left without the Internet.

What this resolution does, is the same thing as telling your phone carrier that it is OK to screen phone calls for keywords, and insert an advertisement in the middle of a phone conversation between you and your significant other. Something even the most hard-lined anti-privacy advocate would find invasive.

Maximilian Holm