The way I understand it is that ISPs can sell anonymized data from groups of users. Like: people who visit news.ycombinator.com generally also visit stackoverflow. I also don't know how an ISP would get your actual internet history if the website uses HTTPS.
Yes, I am a strong supporter of NN and I was appalled when the EU diluted it, but this reply is directed at your 'ISPs who are allowed to sell users' browsing history' part.
The regulations being overturned here are ones that have only recently taken effect, and non-anonymized, non-aggregate selling of ISP data is still outlawed by the Cable Communications Act of 1984, which protects subscriber privacy in 47 USC § 551.
Put simply, neither the most recent executive order, nor a reversal on Net Neutrality overturns that law on the federal register.
Of course, if Congress were to draft a bill that does so, the current fears would be well justified.
Legally, I can't think of a case where it's been tested that didn't lean the government's way, so who knows?
Repealing the Obama rule does mean that you can't opt out of data collection or sale. It does not mean that your individual browsing records are available to anyone with enough cash. Moreover, many of the rules Trump's executive order overturns had either very recently taken effect, or not yet taken effect.
There may be much theoretical damage from overturning the regulations, but the practical effect here will be minimal, and limited because of the other laws that already exist to prevent exactly the doomsday scenario many are predicting.
I'm not saying that Trump isn't after your privacy rights, but the surest test of that will be whether or not he goes after or seeks to circumvent the 1984 protections I referenced earlier.
I think it is truly insane.
I do agree. There are some things you can do to mitigate things. But at some point you have to be you (e.g., FB, etc.) and as small and minor as such digital breadcrumbs might seem, they add up.
I don't know anyone who would fault me for not being on Facebook (yes I know this has a strong selection bias). Only time was at a convenience store, looking a bit puzzled I had to scan my ID-card in some device (to buy cigarettes), the guy explained this was announced on Facebook, I (completely neutral, matter-of-factly, already having complied with the ID-device thing) replied I don't have an account on Facebook which he took as a cue to start some anti-privacy diatribe at me. My guess he was probably having a bad day, possibly from other people giving him a much harder time about the ID thing. I finished the transaction, excused myself because I (really) had to catch a bus, and wished him a very nice day.
My point is, when I look around, it seems like Facebook is going the way of the cigarettes. The majority of people (that I know) know of at least one or two scandalous things that are deeply wrong about the way Facebook treats privacy and manipulates its users. Of those people, a good chunk hate it, really want to quit, but feel they can't due to social pressure or addiction. Just like cigarettes. Others make excuses about convenience, little vices, relaxing. Just like cigarettes.
I don't know how many of you are old enough to remember that you could smoke in trains, bars, in restaurants while people were still eating 2 metres next to you. As late as the early 90s. And only after those bans people started to dare to ask if you could maybe smoke outside, in home situations, even if they're the guests and it's your home (I was younger and inconsiderater).
If you don't remember you maybe also don't remember how thoroughly ingrained the social act of smoking was in society. Only a few decades ago, nobody could imagine where we are today. Smoking was just so normal, even if you didn't really, you would occasionally, your friends would offer, people just liked it too much, were addicted too much.
The almost-entirely-non-smoking-everywhere society we have today was seen as an impossibility. We could never get there, we couldn't change or impose, people wanted it too much. And it was a hard transition before it got momentum, but it did in the end. I personally, as a smoker, welcomed these bans, because I figured it would make it easier for me to quit (hint: if you're addicted, you still have to quit by yourself. those bans maybe helped me the first 5% of quitting).
The point is, it may seem impossible to imagine a way out of this anti-privacy swamp. But it's not too late. Just remember the cigarettes and how far we got. DON'T let anyone tell you it's useless to refrain from using surveillance tech X just because "you're going to be tracked any way because P, Q and R" (being your phone, CCTV and the NSA). The fight is NOT lost, not at all. It's just getting started, now that people are slowly realizing they don't actually really want this, they are mostly made to want this, and more and more people want it to stop, and it would help if only everybody else would stop shoving it in their face.
Just because it seems impossible now doesn't mean we should roll over, curl up and stop voicing your dissent, ever.
Then maybe our kids (or other people's kids--who didn't ask for this either) can grow up in a society where they're not quite as pervasively tracked and surveilled as our generation.
If it helps maybe to imagine the next impossible thing, imagine everybody securely wiping the exabytes of private data they've collected on us so far. I really can't see that happening either and it kind of gives me hope in a weird "wishing on a star" kind of way, because other important things used to seem just as impossible.
 I've quit since. It's hard. Very hard. Unfathomably harder for some people than others. I will never judge an addict in my life.
47 U.S. Code § 551 (c)(1)
Except as provided in paragraph (2), a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned
So this section of the law, though another might, does not support your statement that "that they could sell that (which is false)".
Your statement is too strong. It's not outlawed. There is a relatively easy avenue for ISPs to sell this type of data, and it's written into the law, and not some sort of weird loophole. It is voluntary that they have not pursued it on their part.
What the bill stripping Broadband Privacy rules does is make it nearly impossible for the law to set a precedent for what should be considered illegal to sell when it comes to users' data. What may have happened if broadband privacy rules were enacted as intended here[https://www.nytimes.com/2016/10/28/technology/fcc-tightens-p...]
... someday somebody who didn't "opt out" would have discovered their [medical, financial, insert whatever] data had been sold to their detriment. Lawsuit. Legal scrutiny. Precedent == Baseline for what is acceptable and what is not for people who don't opt out.
Now, with no consumer privacy rights by default on broadband, and no neutral delivery system (net neutrality), and with provisions the GOP inserted into the Broadband Privacy rollback explicitly to make it harder to sue entities who sell your data, the default situation is already stacked badly against the average person.
Your ISP can (and likely does) monitor your DNS queries, which (as far as I know) are not encrypted.
Personally I think the net neutrality stuff is a tad overblown. I'd vote for maintaining it, but I've never been particularly convinced by the whole "surveillance state/beyond-orwellian/ISP censoring your speech" arguments that get thrown around on HN, among other places.
I think the problems with ISPs are more practical: they overcharge, provide shitty service, have no incentive to upgrade their infrastructure, and clearly collude with one another. Therefore they need to be regulated.
Agreed. Though I would prefer that we do whatever we can to identify and implement mechanisms to increase competition. I want new ISP options, and several of them, rather than just marginally better behavior from the one or two ISPs I have in my neighborhood. I'd prefer regulation that increases competition (even if that hurts the incumbents) rather than regulation that assumes the incumbents are fixed and therefore just manages how they conduct their business. The prior is designed to create new ISP options, the latter tends to serve to decrease the incidence rate of new options.
I've always been a voracious Internet consumer. For all of its faults, I really enjoyed the regulatory framework of the Communications Act of 1996 that allowed competitive ISPs to lease physical wires.
> Your ISP can (and likely does) monitor your DNS queries, which (as far as I know) are not encrypted.
HTTPS does expose the domain name in plain-text through SNI. Yes, DNS is not encrypted.
Until the world switches to DNSCrypt, DNS-over-HTTPS, or DNS-over-TLS and while most Internet users are using ISP provided DNS resolvers, recent research shows it is possible to narrow down what pages the user browsed based on their DNS queries.
Like say I run hackernews — couldn't I just cross-reference my own logs with that "anonymized" data and get a pretty good idea of what a specific user's traffic was?
Based on some of the tools Uber has used to pinpoint specific users, like government officials, it doesn't seem too far beyond the realm of possibility.
The ISP could monitor your DNS requests or the SNI in the TLS handshake.
Why shouldn't there be similar provisions to protect my browsing history?
Charge users extra fees for "premium service" unless they agree to let the ISP their traffic.
If they want to determine your political leanings your browsing history is enough.
With a fee, this requirement could then be waived.
Dystopian but technically possible.
Gogo didn't require installing a root cert, but they DID issue forged certificates to MitM connections to *.google.com (and others).
Also, remember "Superfish"? Their root cert was pre-installed by Lenovo.
"On October 27, 2016, the Federal Communications Commission (FCC) issued a proposed rule that seeks to expand its regulatory jurisdiction, create a two-tiered privacy regime for different types of Internet companies, and impose data restrictions on Internet service providers. These types of regulations have traditionally been under the jurisdiction of the Federal Trade Commission (FTC), which already has in place a regulatory regime to protect consumers. Full implementation of this proposed rule would have, among other things, given consumers a false sense of protection and privacy. As a bipartisan group of representatives stated in a 2016 letter to the FCC in response to its notice of proposed rulemaking:
-We had hoped the FCC would focus on those protections that have traditionally guarded consumers from unfair or deceptive data practices by ISPs and the other companies in the Internet services market. But, based on the [FCC’s] Notice of Proposed Rulemaking, we remain increasingly concerned that the Commission intends to go well beyond such a framework and ill-serve consumers who seek and expect consistency in how their personal data is protected. If different rules apply to the online practices of only selected entities, consumers may wrongly assume that the new rules apply to all of their activities in the Internet. But when they discover otherwise, the inconsistent treatment of consumer data could actually undermine consumers’ confidence in their use of the Internet due to uncertainty regarding the protections that apply to their online activities.-
In response to these actions, the House and Senate introduced legislation in March to disapprove of this proposed FCC rule. The House version of this legislation, H.J.Res.86, was introduced by Rep. Marsha Blackburn (R – TN) on March 8, 2017. The measure seeks to block the proposed FCC rule. On March 28, 2017, the House passed the Senate version, S.J.Res.34, with my support, and the measure now heads to the president’s desk for signature. Again, it must be noted that recent actions in Congress have not changed the status quo in terms of privacy-protection standards for consumers."
That's what they attest. And the Washington Post had a good editorial (which I'm currently at pains to find) explaining how, under Commissioner Wheeler, the FCC pushed for broadband privacy rules, but ran roughshod over the FTC in the process. While it was a win in the sense that a legal gap was closed (more on that in a minute), it wasn't good in that it weakened the definitions between the FTC and FCC, which both have governance roles to play. While it might sound like needless bureaucracy, firm and clear rules are the underpinnings of strong court rulings, which are essential to good governance.
Except, now that gap still exists. While it's claimed that the FTC will now fill in the gap, the problem is that it couldn't effectively in the first place. WP explains:
"Can't the FTC go after Internet providers with its rules?
At the moment, not really. The reason has to do with the FCC's rules on net neutrality. When the FCC passed those rules, it branded all Internet providers as “common carriers,” essentially a fancy legal term to describe traditional phone companies.
The problem is that the FTC is bound by something called the “common carrier exemption.” The agency isn't allowed to take action against companies that have been labeled common carriers by the FCC. (The idea behind the exemption is to prevent both agencies from going after the same companies twice for the same infraction.)
So if the House vote succeeds and Trump signs the measure, that releases Internet providers from the FCC's privacy regulation but does not do anything to apply the FTC's own privacy guidelines to the industry. The FCC can still sue companies after they have allegedly violated consumer privacy, industry groups say. So can state attorneys general. But the FCC will be unable to write regulations that preemptively bar privacy violations, meaning that Internet providers will be subject to less oversight as a result of the congressional measure."
So, with regards to selling data. Is it anonymized? Probably. To an extent. People get assigned an advertising ID, which is a random number in place of your legal name, and your profile is built under that. But you and I both know that it's not really anonymous, and it's trivial to then do a correlation between your, say, name and address, and then your advertising ID and address, and suddenly you have a full profile on someone. That's an issue when other businesses and services begin to take advantage of your health, interests, associations, etc, to charge you more or deny service based on these indicators. ISPs feel they've been at a disadvantage compared to online services like Facebook. Remember, that they do not want to be "just a bit provider". There's a very powerful profit factor if they can use their lock-in to be your content provider as well.
Anyways, hope that helps!