Privacy-free zone

How ISPs can sell your Web history—and how to stop them

How the Senate's vote to kill privacy rules affects you.

It's up to ISPs to interpret law

If ISPs could only use your browsing history when you make a conscious choice to opt in to tracking programs, they might not get very many Internet subscribers on board. But if there are no rules, or if browsing history is subject only to an opt-out system, ISPs could share the data of most or all of their customers.

ISPs may still be subject to the underlying requirements of Section 222, but it isn’t clear how that affects broadband providers. Section 222 limits how carriers can use “customer proprietary network information” but doesn’t define what that means in a Web browsing context. Harris says that 222 requires ISPs to give customers a chance to opt out of sharing information.

“It’s just not clear what information they’re going to require an opt-in for and what information they’re going to require an opt-out for,” she said. “That will all be up to the ISP to determine what they feel they need to get opt-in for as opposed to opt-out.”

Public Knowledge believes that opt-in systems are necessary to put customers in control of sensitive information, "and we think Web browsing history and app usage history is squarely under that sensitive category,” she said.

But CTIA, which represents the biggest wireless carriers, argues that Section 222 does not cover “personal” information and can’t be applied to broadband service. Absent specific rules, attempts to enforce Section 222 on broadband providers could get the FCC sued—and FCC Chairman Ajit Pai opposes the privacy rules anyway.

Is there anything holding ISPs back?

In January, all the major ISP lobby groups signed on to a voluntary set of privacy principles based partly on the FTC framework. They specifically pledged to follow FTC guidance for opt-in consent before sharing sensitive information and to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” Browsing history would be subject to an opt-out system.

Harris encourages Internet users to go to their ISP’s website or call the ISP to figure out exactly how they can opt out of tracking. It’s not convenient, but the option should be there.

This week at the US Senate, ISPs received a victory.
Chip Somodevilla/Getty Images

VPNs, Tor, and HTTPS: Preserving your privacy

To protect your browsing history from your ISP, you need to encrypt your Internet traffic, and there are three primary methods of accomplishing that: VPN services, Tor, and HTTPS.

"That’s basically it," Electronic Frontier Foundation Senior Staff Technologist Jeremy Gillula told Ars. "Those are the three ways you can encrypt [your browsing] so that the ISP can’t see it."

Your ISP can see that you're using a VPN or Tor, "but that's all they'll see," Gillula said.

With a VPN, you're paying a company to encrypt all of your Web traffic and prevent others from tracing your Web browsing back to your IP address. You're trusting that the VPN company will not keep logs of your activities and that it will generally be more respectful of your privacy than your ISP.

Readers have been asking us for a definitive list of the best VPN services. But as we covered last year, this is really an impossible task. You can find out whether a VPN provider promises not to keep logs of your Internet activities, but there's no way to verify whether the VPN provider actually keeps logs, Gillula said.

A VPN provider would see exactly what your ISP would see, but "in some cases, that may be better than trusting your ISP, because your ISP may just straight out say, 'we’re going to be snooping through your browsing history,'" Gillula said.

For guidelines on what to expect and what not to expect from VPN services, read our feature from last year. We also discussed VPNs and other technologies in this beginner’s guide to boosting your privacy and security online.

While each VPN is operated by a single provider, Tor is a distributed network that tries to preserve anonymity by routing traffic through a series of relays.

"When you use the Tor software, your IP address remains hidden and it appears that your connection is coming from the IP address of a Tor exit relay, which can be anywhere in the world," the EFF explains.

Tor is not without vulnerabilities. But generally speaking, while operators of Tor exit nodes "can see traffic going back and forth, they wouldn't be able to trace it back to you," Gillula said. They'd know that someone is going to the websites you're visiting, but they "wouldn’t know that it originated from your home IP address." Tor is thus "a little more privacy preserving than the VPN," he said.

VPNs have an advantage over Tor in ease of use if you want to configure your router to tunnel all of your traffic through the VPN, Gillula said.

"You can do that with Tor, but that takes a little more tech savvy than firing up the Tor browser bundle," which only encrypts traffic in and out of the browser, rather than throughout your home, he said. But there are Tor-enabled routers, which we have reviewed in the past.

Finally, there is HTTPS, which if present in your URL bar indicates that your connection to a particular website is encrypted. As we discussed earlier, your ISP can't see what you do on an HTTPS-enabled website. For example, the ISP knows when you visit https://arstechnica.com, but it doesn't see which articles you're reading.

The HTTPS Everywhere browser extension offered by EFF and The Tor Project provides greater protection on websites that offer only limited support for encryption via HTTPS. However, "it only upgrades your connection if the website supports [HTTPS], and then only if it's in our list of websites that support HTTPS," Gillula said. If the website doesn't support HTTPS at all, you're out of luck.

Turning on your Web browser's private or incognito mode will not prevent ISPs from seeing your Internet activity. Google, for example, says that Chrome's incognito mode prevents the Chrome browser itself from saving the sites that you visit, but does not stop ISPs and websites from seeing which websites you've visited.

Not too late to call your rep in Congress

While the situation looks dire for the FCC's privacy rules, consumer advocates aren't giving up. The Senate's resolution to eliminate the rules still has to pass the House of Representatives.

The House is also controlled by Republicans, but "we think we've got a shot at killing it off," Gillula said. The House is expected to vote on the measure next week, but there's still time to contact your legislator before a vote.

"If we kill it [in the House], we don’t have to worry about any of this creepy tracking," Gillula said.
