Mitnick In The News
Abuse, theft, exposure: What’s in store for your web history
Apr 4, 2017 - InfoWorld, by Roger A. Grimes
We've lost more than personal privacy now that ISPs can now collect and sell our browsing data
“If you’re being watched, you change your behavior, and that means you have less freedom. I don’t think you can have freedom without privacy.” —Kevin Mitnick, quoted in my new book, "Hacking the Hacker."
The United States has a long history of protecting at least some individual privacy rights with respect to common carriers. Much of the current protection was gained with the passage of the Communications Act of 1934 and further amended by the Telecommunications Act of 1996. The 1934 act put radio and telephone companies under the control of the FCC, and the 1996 act added ISPs and cable companies.
Although both laws have inherent flaws, companies that provide your telephone, cellphone, radio, satellite, what have you service have long been prevented from reselling your personally identifiable information to others without your consent. Legally, it’s not much of a burden. All they have to do is proactively notify you of their intent, and if you don’t stop it, they can collect it and sell it.
Unfortunately, laws regarding telecommunications were not clear regarding the ISPs’ obligation to obtain consumer consent about collecting information on their private internet behavior. So on Dec. 2, 2016, the Obama administration passed FCC 81 Fed. Reg. 87274, titled “Protecting the Privacy of Customers of Broadband and Other Telecommunication Services.” It not only required notification of what data is collected, but also opt-in consent.
Last week, Congress passed S.J. Res. 34 to roll back the new FCC rule, and President Trump has signed it. The White House’s press statement even acknowledges that ISPs will be able to “share certain information, including app usage and web browsing history. It also allows ISPs to use and share other information, including email addresses and service tier information, unless a customer ‘opts out’” (emphasis mine).
Understand that for a moment: Cellphone companies and ISPs can share your web browsing history, physical location, application use, and email address with anyone without notifying you or asking for your permission. It may shock you that they were legally able to do that both before the Obama rules and now once again—and some have done so. But most ISPs have not shared this information (although they may have been collecting it for future use) because the law was previously unclear.
The Obama administration created a new rule against it, providing clarity but in a way the ISPs didn’t like. The removal of the Obama rule by the new administration essentially clears the path for abuse. The sky’s the limit.
Some people argue that other privacy laws prevent your personal information from being shared with third parties in a way that specifically identifies you, including preventing your email address spreading for such purposes. Yet browser security experts have long known that anyone can be specifically identified when visiting almost any website.
That’s a big part of the reason the FCC privacy rule was created. It specifically made selling email addresses, for example, illegal, unless the vendor had prior consent. The rollback undoes this obligation. Not a single independent privacy expert thinks rolling back the new FCC rule is a good development.
Why the FCC rule should stand
What the Obama FCC’s rule required is not new, unduly burdensome, or excessive.
Stipulating that people must opt in to have their personal information collected is part of the European’s Union’s 2016 General Data Protection Regulation, requiring consent for all personal data used. The GDPR already applies to more than 20 percent of all global business, including American companies doing business with EU member states.
Asking for opt-in consent is not a huge business hurdle. Any ISP could easily offer cheaper services to consumers in exchange for free use of their personal information. They could add a single paragraph among all the other complex paragraphs you are supposedly required to read while signing up or renewing an existing contract. It’s already how most personal information is collected.
I’m not sure how many people would understand the nature of the opt-in language in an agreement. But I do know that when you explain to people that their privacy rights are about to be taken away, nobody likes the idea. Perhaps that’s what the ISPs are worried about.
No, Google isn’t already doing It
Some proponents of the rollback counter that Google and others are already collecting your information in personally identifiable ways. What does it matter if a few ISPs get the same privileges?
Although it’s true that Google (and others) collect your browsing history (and even personal information, if you send it using Gmail), Google does not track everything. For example, it does not collect data on your use of non-Google applications. Plus, Google has always promised not to provide personally identifiable information.
Even if Google did it, you could use other search engines that specifically promise not to collect your personal information, such as DuckDuckGo or Ixquick. With this new rollback now passed, you cannot avoid your ISP trying its best to collect and sell your personally identifiable history, whether individually or in aggregate form.
Although I have more than a dozen browsers and many dozen search engines to choose from, I have at most a few ISP candidates. Some areas have no options at all. And you can bet that now the law is rolled back, no ISP will exclude itself from collecting more of your data. They would be stupid, financially, not to.
Your data will get out—that’s a given
There isn’t a company on the planet that will completely ensure that your data is secured against malicious hacking or unauthorized disclosure. There isn’t a security expert who doesn’t think that every company with any valuable data hasn’t already been thoroughly compromised or can’t easily be thoroughly compromised at will in the future. That’s the state of computer security today.
On top of that, there are often untrustworthy third parties with legal access to the data that will supply your private info for a price. This already occurs with the myriad of shady online “detective research” sites that not only collate public data records but can return very private information. This will certainly extend to your personal internet browsing history. Anyone with any interest in you at all—your friends, your neighbors, that creepy old guy down the street—will be able to see your most intimate moments.
The only reason this isn’t already happening today is that most companies didn’t have our private internet browsing information to start with. It can’t be stolen because it didn’t exist in their databases.
Of course, our financial information is all over the internet and is stolen all the time. But one difference is that when our financial information is stolen and reused, we can get new credit cards and have the money put back in our bank accounts. We can be made legally “whole” again.
But if someone learns something precious or private about you, you might never know that information was learned by someone else or being used against you. If your very private information is used by others, whether you’re aware of it, the genie cannot be put back into the bottle. It’s out there forever. Simply legally allowing databases to retain your internet browsing history is guaranteeing it will be abused, stolen, and revealed.
Now that your ISP is legally allowed to harvest your internet browser history and sell it, you can bet it will. After all, ISPs in the past have even intercepted search engine requests and results and redirected them to other paid advertisers. This time, they will have even more legal backing and likely use more personally identifiable information. For example, if you check on our herpes lab test on your doctor’s website, what’s to stop pharmacies from trying to sell you the “right” medicine? That test result could leak into the public realm forever.
The new law prohibit future laws respecting your privacy
It’s common for federal laws to prevent related laws of lower municipalities (state, regional, city) from applying, in what is called preemption. But the rollback includes a clause that prevents future similar FCC laws that might try to implement even much needed and agreed-upon privacy protections.
For example, suppose you find that the new law accidentally (or purposely) allows your children’s privacy to be invaded or allows your neighbor to buy your personally identifiable data. That new law prevents Congress from fixing such a specific flaw without repealing the entire law (which is much harder to do).
We need a world where more of our privacy is protected by default. Is it too much to ask of the people who supposedly serve us that we get notified by our ISPs and be required to opt in? I don’t think so.
This seriously cool article, and may more be found at the source.