President Trump, as part of his plan to roll back regulations put in place by President Obama, just signed legislation that eliminates the prohibition against internet service providers selling customer data without their written consent. Although the original restriction had not yet taken effect, its elimination ignited a firestorm of controversy among privacy organizations, including the Electronic Privacy Information Center and the American Civil Liberties Union (which tried to no avail to get Trump to veto the legislation at the last minute).
Having done a good bit of privacy consulting in the healthcare world, I have become somewhat of a privacy fanatic myself. For example, I pay higher medical insurance rates because I don't care to share medical information with my employer.
Despite this, the change in regulations is not keeping me up at night, and I think it poses only a limited privacy risk for the enterprise.
As you probably recognize, since ISPs route our requests to the appropriate sites and relay the response back to us, they have access to a good bit of information about us. Among this data is the sites we visit, and the frequency of those visits. On the surface, this may be troubling. If you examine in more detail exactly what they can see, however, it is a good bit less troubling -- for a variety of reasons.
First, most web traffic is now Secure Socket Layer (SSL) encrypted. Google reported recently that as of March 2017, 85% of traffic crossing its servers was encrypted. This encryption forms a secure tunnel between your browser and the destination website.
An ISP is not able to decrypt this traffic, or to see significant details about the destination. It does know the address to which the request gets routed, but little else. When it amasses the destinations, however, it does have some information about its customers' browsing habits.
I suspect that many people would prefer that their browsing habits remainÂ private.
Second, in the enterprise, your data is aggregated with browsing information from all other users. The typical network uses network address translation (NAT), which means that while each PC has a unique address internally, all requests appear on the public network as coming from a single address. Because of this, an ISP only sees a bunch of website requests, with no idea which individual made them.
In a larger company, it is likely that a wide variety of sites are accessed, so this information would be of limited value to advertisers (the likely primary customers for such data). As an example, the ISP might know that someone from a large company went to the website for a particular vendor, but it won't know who specifically viewed the site, or exactly what they looked at.
Finally, Reuters recently reported that many major ISPs -- including Comcast, AT&T and Verizon -- said they would not sell data. Given the limited value of the data they have, and the downside risk of incurring the wrath of their customers, I find it likely that they will live up to this commitment.
I do find it amusing that so many in the industry are focused on ISPs and the sale of customer data, while ignoring the more serious privacy risks we face from search engines and social networks.
An article written by Leo Notenboom in 2013 detailed how a search engine -- having obtained significant information from the browser, and after examining the details of searches -- can do some degree of user identification. He recounted a study using anonymized data that was still able to identify some users based on the search phrases used.
In a process known as fingerprinting, the search engines "learn" about search users from their addresses, items searched for, cookies and other details, and can then match those traits with an individual in many cases. Google used these techniques to implement its one-click "reCaptcha" process to confirm a user is not a robot. Once you understand these techniques, you will likely worry less about ISPs selling your data.
It seems that more people are becoming aware of privacy exposure from browser and social media use. In a recent poll conducted by Politico, respondents said they trusted their ISP a bit more than Google or social networks, by a margin as large as 22%.
If you want to ensue the best available privacy for your browsing, or that of your employees, consider the following:
1. Use good browser privacy settings
It is possible to limit some information available to others about your browser experience by changing a variety of settings on your browser, as described by Heimdal Security in its comprehensive guide on that subject.
2. Use a browser specifically designed for privacy
3. Use a VPN tunnel
A virtual private network is a secure, encrypted tunnel from your network to another destination. By using a VPN tunnel with an appropriate service, you can eliminate almost all of your ISP's visibility into your web traffic. You must ensure, however, that your VPN provider protects your information, rather than selling it to third parties.
4. Use an alternate DNS service
The domain name system (DNS) translates human-readable site names to IP addresses, which are what routers need to get your traffic to its destination. Much of what your ISP can tell about your traffic comes from the fact that their servers usually handle the DNS name resolution for you. You can prevent them from seeing some of that data by using an alternate DNS service.
Cisco's OpenDNS, for example, which is free for individual use and available as a subscription product for businesses, can send your DNS queries across an encrypted tunnel, thus protecting some of that information from your IPS.
Scott McNealy, the former CEO of Sun Microsystems, is somewhat famous for having said: " You have zero privacy anyway. Get over it."
While there is some truth to his statement, there is much you can do to maximize the privacy of your Internet activity, with or in spite of regulatory decisions by a government.