On Wednesday March 29th the 115th Congress approved S.J.Resolution 34, which among other things allows your Internet Service Provider (ISP) to sell your Browsing History without asking for your permission or even telling you. Since I live at Vanderbilt, my ISP is Vanderbilt University, which in turn is purchasing the service from Comcast, which is the only provider in our area of Davidson County. This means companies like Comcast can sell the record of every website you’ve ever visited, every link you’ve ever clicked on, to whatever company wants to buy it. The companies buying this can then make a profile of who you are and what you want in order to market to you in the most effective, targeted way possible, and I’m going to tell you what to do about it.
To figure out just what kind of information Comcast expects to sell, I downloaded Firefox, installed the NoScript and HTTPS Everywhere add-ons, and went online with an empty browser history. I wanted to know how the companies that will be buying my browsing history will use it, so I went to cosmopolitan.com, a website I expect exists purely to market to me, from a company that I expect to become a loyal customer of Comcast under the new S.J.Res. 34.
Before anyone can use my browsing history, I have to create some, so I picked an article on cosmopolitan.com to read. The information that is relevant to them is what link I click on next, and these are the 3 links they put at the bottom of the page: (You don’t get to know which article I read until you paint my nails.)
—This 28-Year-Old Guy’s Dating Diary Breaks Down What He Really Thinks About His East Coast Tinder Hookups
“I don’t really like sleeping with people I don’t know well.”
—How a 25-Year-Old Guy on the West Coast Uses Instagram to Find Hookups
“I’m mostly into a sense of humor, which is why I meet a lot of people on the internet.”
—This 31-Year-Old Guy in the Midwest Uses a $5,000/Year Dating Service
“Women say they are open to interracial relationships, but after a few dates, that changes.”
Right, so my age, location, and income are my marketing baseball card—the three most important things about me to corporate interests. cosmopolitan.com already feels like a bad date, and now S.J.Res. 34 is letting it buy my browser history.
When Facebook initially went public, arguably the only assets it had were the advertising revenue it was already making and the public personas and profile data of all of its users. Assuming that those assets were effectively being evaluated based on their ability to determine the same three facts that Cosmopolitan wants, Facebook’s value as a company could be used to estimate the value of our marketing baseball cards. It opened at $38.23/share on May 12th of 2012 and immediately dropped, hitting a low of 18.06 on August 31st of that year and not recovering back to its initial value until the start of the August of the next year. This is what access to your Facebook account is worth.
For many of us, we first became aware of online privacy when we originally made Facebook accounts. The first time I remember seeing a specific piece of legislation that affected my behavior online was the Stop Online Piracy Act in 2011. For those of you that didn’t follow or don’t remember, SOPA attempted to give the federal government more effective means to protect content creators intellectual property and combat the sale of counterfeit medication. The powers granted however extended much further than necessary, and would have effectively allowed the government to take down any website accused of allowing illicit downloads, forcing them to prove that they weren’t before hopefully being allowed to go back up. This was censorship in a guilty-until-proven-innocent system.
SOPA would have allowed the government to limit our access to content, which we successfully blocked. This was the result of a coordinated effort from some of the most visited websites on the internet. Wikipedia, reddit, imgur, Google’s main page and many others had a “blackout day”, where they replaced their normal landing pages with a mock taken-down announcement that explained what SOPA was allowing the government to do. There was a boycott of GoDaddy, then a SOPA-supporting company. There were live protests in Seattle, San Francisco and New York. Congresspeople were called. There were memes.
So what happened on Wednesday? Fake news sites will claim that it was nothing special–S.J.Res. 34 technically just rolls back a measure that former President Barack Obama put into place. This sounds pretty innocuous, but since it is available on congress.gov and short let’s take a look at what is actually written
“This joint resolution nullifies the rule submitted by the Federal Communications Commission entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” The rule published on December 2, 2016: (1) applies the customer privacy requirements of the Communications Act of 1934 to broadband Internet access service and other telecommunications services, (2) requires telecommunications carriers to inform customers about rights to opt in or opt out of the use or the sharing of their confidential information, (3) adopts data security and breach notification requirements, (4) prohibits broadband service offerings that are contingent on surrendering privacy rights, and (5) requires disclosures and affirmative consent when a broadband provider offers customers financial incentives in exchange for the provider’s right to use a customer’s confidential information.”
—S.J.Res. 34, 115th Congress (emphasis added for clarity.)
We’ve all got different comfort levels with our online personas. Some of us use social media as a platform for branching out into casual acquaintances, some use it as a way to keep up with close friends and some use it as a personal journaling system. Some of us love that the advertisements we see are more and more effectively targeted towards what we want to buy. If this is you, I’ve got good news—some of the largest companies in existence are working on providing that service as effectively and quickly as possible. For anyone who would rather limit third party access to their web traffic, it’s going to take some setup.
Here’s what we need to do if we want to protect our information from this newly passed legislation. If you’re going to be using Facebook, Gmail, Netflix, the mainstream web services, you realistically can’t stop your web traffic from being logged, tied to your browser and distributed on some level. You can limit access to personally identifiable information that would tie your specific traffic to your name, and you can limit how much of your data is able to be logged. The best bet for this purpose as of now is to install and use Firefox with the settings configured to deny as much as you can accommodate. If you don’t want to use Firefox (why?) then you can do all of this to a lesser extent with Chrome. Some extensions may not be available, and Google, which is a corporation just like Cosmopolitan, will be tracking you regardless. Do not use Safari unless you want everyone to know everything.
Once you’ve downloaded Firefox, you’re going to want to take advantage of all the great privacy setting and add-ons you now have access to. For example, apply Do Not Track, don’t save history, don’t accept cookies, and don’t load pages over a non-https connection. “Do Not Track” is literally just a setting in your browser that tells websites to not track you (some will ignore this). Not saving your history is an option in Firefox that will do exactly what it says. Cookies are files that websites attach to your web browser to save information about you. HTTPS connections are encrypted, which prevents 3rd parties from reading what you are sending to the websites you visit. You can also use browser add-on extensions (like the previously mentioned NoScript and HTTPS Everywhere) to block scripts and advertisements themselves, and set DuckDuckGo as your default search engine, because unlike Google it doesn’t save your search history. It is important to note that Firefox and DuckDuckGo are open-source projects supported by nonprofit organizations, and frequently updated by volunteers.
All of this will help dissociate you from your data in that your baseball card will be less detailed, or prevent it from having your name written on it. Depending on how far you go with the settings and extensions, you will also be preventing the websites you visit from comparing notes—Netflix and Amazon won’t be updating each other’s cards. It will not protect you in the slightest from an entity that is specifically targeting your traffic in the wiretap sense. For context, “the wiretap sense” is exactly what your relationship with Vanderbilt looks like. All of your web traffic goes through Vanderbilt University, whether it’s going from you to Comcast or from Comcast to you. To make your communications completely private in their content, at minimum you are going to need to figure out PGP encryption (Google–Or DuckDuckGo “PGP Encryption”), and an email client that you trust. I use Thunderbird because it has add-ons that make opening, closing, sending and signing encrypted emails one-button operations. You are only as secure as your host though, so getting your @vanderbilt.edu email forwarded to a Thunderbird inbox will not stop Vanderbilt IT from viewing all the letters, even if they can’t understand the words. To be clear, Vanderbilt IT’s system is set up in a way that they not only do monitor your web traffic–they can’t not do it. This is how the Vandy network blocks certain websites and tries to stop illicit uses of the network. What PGP encryption effectively does is scramble the letters in your emails. They will still have to go through Comcast, which can save it all and can now sell it, and Vanderbilt, which can also save it all and now sell it.
If you want to make your web traffic anonymous, meaning scrub your name and address off the front of your letters, you should start by figuring out how to setup and use a Virtual Private Network, download the Tor web browser, and consider using the Tails operating system. You cannot become fully anonymous online. Even using a VPN you are vulnerable to your VPN provider. If you are trying to hide from a sufficiently motivated governmental power, you need to know that you can’t—this is why Edward Snowden is in Russia. What you can do is make it so that your data from any one session is encrypted (scrambled), and comes from a source that isn’t you and changes every time you log on. What you’re trying to do at this point is blend in. Your traffic is still being saved, but it is impossible to tell who in the crowd yelled because the voice comes from a different place every time, and they were speaking a language that cannot be translated.
Our right to privacy is Constitutional. Because the internet created a new form of communication that somehow needs its own legislation (I thought the Communications act of 1934, which created the FCC worked fine) we will have to keep fighting for privacy against the corporations that can profit from having access to it. Part of this is personal responsibility and public knowledge. Show your friends how to install NoScript, HTTPS Everywhere, and AdBlock. When they tell you you’re a nerd tell them that they’re not screaming into the void—they’re screaming into the microphone.
The other part of this is coercing your congressmen. Where SOPA was a success for the public that wanted to defend its own safety, S.J.Res. 34 is a failure. We are all less able to control what information Cosmopolitan has about us now. When we visit websites we leave a little trail of our characteristics. Our ages, locations, and incomes are just a few examples of things Cosmopolitan wants to know about us. We can’t stop Cosmopolitan from trying to figure this out based on what links we click on their website, but now Cosmopolitan can purchase from Comcast every link that we have ever clicked on any website. I am registered to vote in Washington State, and you had better believe that Dan Newhouse is having his secretary delete my memes from his inbox. I urge you to to force your congressional office to do the same.
Douglas McKinley is a senior in the School of Engineering. He can be reached at firstname.lastname@example.org.