Future Tense

Why You Shouldn’t Be Comforted by Internet Providers’ Promises to Protect Your Privacy

Your web browsing patterns say a lot about you.

This week President Trump signed a congressional resolution to repeal protections—scheduled to go into effect in December 2017—that would have prevented internet service providers like Comcast, AT&T, and Verizon from collecting, mining, and selling customer information without permission. Internet providers have sought to assure customers their privacy will still be protected. Comcast, for example, wrote that it has “no plans” to “sell our broadband customers’ individual web browsing history.”

But let’s be clear: Despite such declarations, letting internet providers monetize sensitive web browsing data is bad for consumers.

Let’s leave aside the fact that “no plans” is not the same as “never will,” and that selling a specific individual’s history is—despite stunts trying to buy records for members of Congress—an admittedly unlikely outcome. More worrisome is the possibility that governments order internet providers to turn over their records in certain cases. The Federal Communications Commission rules would not have stopped the government from requesting data from ISPs, of course—but ISPs collect a lot more information precisely because they can monetize it, making it accessible to law enforcement. Though such requests for information might first be justified by national security, it’s not hard to imagine a world in which routine government background checks involve scrutinizing a job applicant’s online behavior. Data breaches carried out by domestic or foreign hackers, or by disgruntled employees, are an even more immediate threat that comes with collecting and storing sensitive web records, exposing users to blackmail and scams.

In the near term, internet providers may monetize web browsing records by selling anonymized user data to advertisers in bulk. It’s unlikely, however, that these companies would be able to fully decouple browsing records from personal details. In a paper to be presented this week, we show—in collaboration with our Stanford colleagues Jessica Su and Ansh Shukla—that “anonymous” web browsing records often contain an indelible mark of one’s identity. We recruited nearly 400 users to send us their web browsing data stripped of any overt personal identifiers. In 70 percent of cases we could identify the individual from their web history alone.

Proponents of deregulation argue that companies like Google and Facebook, which are not internet providers, were never barred from collecting and selling user data. FCC Chairman Ajit Pai decried this inconsistency as improper government intrusion in “picking winners and losers.” But Pai’s sentiment is misguided. Leveling the playing field by dismantling online privacy is a convoluted way to help consumers. It would be better to hold all companies to a higher standard, limiting the scale and scope of the data they can collect, store, and sell—protections that are already mandated in the European Union.

Internet providers also hold a unique position in the web ecosystem: They are the gateway to online activity, and there are few practical steps consumers can take to prevent surveillance. For example, using a virtual private network, or VPN, simply shifts privacy concerns from internet to VPN providers. In contrast, we found that consumers can employ ad blockers and other browser tools to prevent companies like Google and Facebook from tracking their online behavior.

Further, one-third of Americans have no choice in internet provider. When given a choice in online services, many do opt for privacy: The nontracking search engine DuckDuckGo has millions of users, and privacy worries likely contributed to the meteoric rise of social networks such as Snapchat and messaging apps like Signal. When competition is limited and the market doesn’t address consumer needs, government regulation is a natural solution.

Some insist that stricter regulation of internet companies would break the web. They claim that without detailed data on individuals, online advertising would be less effective, and less effective ads would mean less revenue for website operators, forcing sites out of business and ultimately hurting consumers. The reality, though, is complicated. In another recent study—with Ceren Budak, Justin Rao, and Giorgos Zervas—we show that highly targeted banner ads are not as big a source of revenue as one might expect. Many online news sites indeed recognize the limits of targeted advertising and have started charging readers for premium access. (Slate, for instance, has a membership program called Slate Plus.) Reasonable privacy policies won’t fundamentally alter the economics of the web.

One bright spot in the impending repeal is that website operators may be catalyzed to take simple and long overdue steps to improve user privacy and security. For example, adult sites have already started to encrypt traffic to their domains, masking information from internet providers and other snoopers. A free and easy-to-use tool called HTTPS Everywhere ensures browsers use encryption when possible, even when sites don’t enable it by default. Though a welcome change, encryption is a partial solution: Internet providers can still record visits to sites; they just can’t monitor what users view there.

Online privacy regulation is unlikely to improve in the current political climate. Absent government intervention, the burden is on consumers to demand internet providers and websites respect their privacy.