The latest Virtualization and Cloud Security Podcast featured a conversation about the recent Congressional repeal of FCC regulations governing privacy. Internet Service Providers (ISPs) could collect, mine, and sell your search and browser history without your knowledge. This bill has not been signed into law yet. Some would see it as opening the doors on competitiveness with Google. Others would see it as making it easier to get your data. Outside of law enforcement, which already has its means, could others buy this data from your ISP? What is the impact on a business? More importantly, what can you do about it? We were joined by fellow Tech Field Day delegate Jody Lemoine, an independent network engineer who happens to live in Canada, to shed some light from a viewpoint outside the United States.
As of this writing, this bill has not yet been signed into law. All the bill does is repeal the requirement for your ISP to provide opt-in for data collection. On the surface, this is to provide your ISP the same capability as companies like Twitter, Facebook, and Google, among others. The data that an ISP can gather about you is vast. It includes, but is not limited to, the following:
- Any sites you visit (but not always the data sent to those sites; if you use HTTPS sites such as for your bank, they just know you went to your bank).
- Quite a bit of email sent directly from your equipment that does not travel encrypted.
- Items you download.
- Items you upload.
The monkey wrench in all this is that while this data is vast, if you only go to encrypted sites via HTTPS, the data you send is encrypted, but the site and URL are not. So, encryption helps, but only if it is in use. You need more than just encrypted web traffic: you need encrypted name resolution. When you type a name into your URL, it resolves to a number that represents its address on the internet. That metadata is invaluable as well. The real issue is that this data could be used for malicious purposes. If there is no opt-in or requirement for privacy, there is no real requirement for this data to be protected.
If the data is not protected, the ISP becomes an even bigger target than it is now. If certain data, such as site history, leaked out about key people at inopportune times, the court of public opinion could shift radically. This is a real danger. It is not about becoming more of a surveillance state than we already are. It is about selling data that seems innocuous but could end up ruining companies or even individual lives. Think about it this way: would you want your family’s search history to be available to anyone who wanted it? At the moment, a wealth of information is available about individuals and organizations. This information—such as information on house purchases, phone numbers, and the like—is in the public record. It is trivially easy to get history on anyone. If you pay even just a little money, it is possible to get more information about an individual than you’d ever expect. Would you want your hourly or daily search history to be made available in such a fashion? Next comes the question, “How can you tell the activity was actually that of an adult, not that of a child, or of someone hacking into your WiFi? The court of public opinion will exclaim with horror that you allowed access to a given malevolent site.
This is the real worry, once that data is made available for a fee. How will the ISP know how that data is used? There is no proviso or anything to protect your or your organization. This means that you need to do something about this. The bill only repeals the need for ISPs to protect your data. It does not require them to not protect your data. So, you can do several things:
- Talk to your ISP about privacy. Will it keep your data private and not sell it? This includes your browser history, places you access, etc. If your ISP won’t keep your data private, you might want to switch to one that will. Some ISPs may take it upon themselves to offer this as a service.
- Write to your representatives at state and local levels. If the Federal government does not ensure privacy, State or County government might mandate it. This could even be a reason for businesses to move between states.
- Be vigilant. There are many bits of technology that can protect your privacy, but you have to be vigilant yourself. If you do not trust your ISP, and it is the only game in town, then you will need to employ technology to solve this problem.
What technology you can use will depend on the data you want to protect. Some simple things are:
- Employ an HTTPS everywhere you plug in to your browser. This means that your URL and the data you send is encrypted, but the ISP still knows where you go, as you still need to do a name lookup.
- Employ DNScrypt to ensure name lookups are protected. Note, however, that if you employ DNScrypt and then go to a non-SSL encrypted website or service, that can be picked up by an ISP.
- Use a VPN service for encryption everywhere. Note that this may mean the new endpoint now has your data.
For all of these, some level of trust is required. Where will you put your trust? Even so, there is no replacement for personal vigilance.