Data Privacy Dead After FCC Reversal Legalizes ISP Data Mining

April 19, 2017 Security and Compliance, MOVEit

The repeal of the FCC rule on ISP data mining has serious implications, not only for individual data privacy, but for businesses as well. 

Disclaimer: When I state that this is my fourth draft, you can appreciate that earlier ones were not family-friendly, being more reminiscent of George Carlin, whose fans are universally disappointed that he wasn’t here to witness the changes in 2017. Ditto, Robin Williams. Opinions are my own.

Nice headline, huh? Of course, it doesn’t reflect reality in the slightest. As any security expert will tell you (Mr. Snowden, Assange and others), we never had online privacy and before the Internet, our faxes, telexes, semaphore and voice calls were monitored. AND everything is still being monitored. 

“If you really want to see how much you are being tracked, download a browser plugin such as Ghostery and watch all the tracking data appear on your screen,” said Charles Henson, managing partner at Nashville Computer Inc., a Tennessee-based provider of managed IT services.

However, this latest release from those wonderful people at the White House makes it perfectly legal for American ISPs to sell your data to marketers. This data can include the personal details needed to ensure a broadband connection, browsing habits and more. What is most annoying about the whole thing (from a non-US perspective) is that ISPs can legally store all data but are not liable if a security breach occurs.

Annoyed? Sure I Am.

Along with allegations of payoffs and vested interests by those who voted for it, this travesty became law on April 3, 2017, missing the due date by just two days.

Security experts in and outside the U.S. are not impressed with the change.

“It is a sad state of affairs when we are getting data mined without permission. It will eventually backfire on all these who only take but don't give back. Even Facebook, which pillages your personal life, is, on the surface, providing some value in the form of a free social platform,” said Vaclav Vincalek, president of Pacific Coast Information Systems Ltd., a Vancouver, BC-based provider of strategic IT consulting services.

“What annoys me the most [is] the ISP can legally ‘listen in’ to all conversations that happen over the Internet connection, fishing for information and keywords to sell advertising and paid ads to their clients,” said Henson.

Who Are Affected by the Internet Privacy Bill?

Prior to April 3, ISPs had to obtain permission from users to monetize their data. Now, they are free to do so without specific permission. The larger ISPs were quick to announce that they would still give users a choice but many are skeptical, especially when you consider that the same companies are investing in web networks and ad delivery tech. It seems it is no longer enough that users pay for a desired service and additional profit is leveraged by any means possible. If this trend spreads to other industries, a toilet installation becomes far more complicated, as water and sanitation departments get in on the act.

You Will Be Assimilated, But Resistance is Not Futile.

With my inner geek comparing the rise in data mining to the Borg in Star Trek, no one is safe. Are marketers really interested when I search for “my hovercraft is full of eels” in Simplified Chinese? Apparently so.

However, some users are not overly concerned with being targeted, claiming “I’ve nothing to hide.”

“I’ve nothing to hide in my bathroom or shower but both have doors… If I want to go off grid and browse the web in anonymous mode, then why not?” asked Henson.

Vincalek agreed, adding that “People using this argument don't deserve any privacy protection.”

Technically-savvy users, especially in business circles, are more reactive, using a variety of tools to encrypt or block access to their data.

Henson has already mentioned Ghostery. VPNs are another option but careful selection is necessary.

“The deciding factors should include who owns the VPN software and if they too are trying to gain access to your data or simply providing a service,” said Henson.

Tangible Business Threats

All users, whether domestic or commercial, require a broadband connection and therefore an ISP to provide one. For business users, there are several considerations, including but not limited to:

Data Privacy

Whether personally identifiable information (PII) is used or not, Henson said that, “The ISP is the backbone connection for all communication on the web. If I am running a business on a cloud computing platform, who’s to say that my proprietary data isn’t being downloaded, recorded and saved for future data mining?”

Compliance

An important consideration. Given that all industries are likely to use the same ISPs and they are not liable for security breaches, there is nothing forcing them to comply with additional data and privacy standards. “If ISPs can take any information they want as it crosses over the wire, will anyone in the US be able to fulfil compliance requirements for their industry and jurisdiction, i.e. FINRA, HIPAA, PCI-DSS, Sarbanes-Oxley and others?” asked Henson.

Speed

With all this data mining, will broadband speeds suffer?

Storage

Data is stored for analysis. Won’t these huge data repositories make an attractive target for cybercriminals?

America First?

The Internet is global. Will U.S. business suffer as their non-U.S. contacts become aware that all communications are mined by American ISPs for resale or even for government review? Those without a secure FTP or a managed file transfer solution, for example, are easy targets.

The GDPR

Lastly, consider how ISPs can inadvertently put themselves and businesses that store and move EU citizen private data at risk. Under the new General Data Protection Regulation (GDPR), which will be enacted in May 2018, mining private data without an EU citizen's consent can mean lofty fines in the millions of dollars.

The Cost Could Be ISP Abuse of Power

In conclusion, as Henson points out, users have become the commodity and are the new product for sale by big data companies throughout the world.

“No one is safe unless they live off grid and out of view of surveillance cameras,” added Henson, citing the facial recognition features used by Google Picasa and Facebook, where a child’s birthday photo is stored into a repository the minute someone posts a future picture of him or her.

Giving ISPs the power to monetize user data may well prove to be a costly mistake. The ISP argument that it levels the playing field with global giants such as Google, Microsoft and Facebook does not hold weight as they offer many free services and can justify monetizing to some extent. ISPs are paid for their service, with no exceptions. What gives them the right to invade our privacy more than is needed to provide that service?

My advice is to do as I do, avoid free services, use anonymous browsing, adblockers, VPNs and the Tor Network. It won’t stop state surveillance but will certainly hamper marketing efforts. I also find it worthwhile to capitalize ‘is’ as much as possible. Here ends my two (let’s say cents and not fingers) to the establishment that condones this level of monetization.

 

Michael O'Dwyer

An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.
