Since Congress voted to prevent the implementation of new ISP privacy protections there has been a committed and sometimes loud call for new rules. The fear is, without adequate safeguards in place, ISPs will be free to build detailed customer profiles that include names, addresses and online activities. That data can then be sold to, or used by, an advertiser without the user’s consent.
Those fears have been belied somewhat by new legislative efforts. Twenty-two states have drafted their own ISP privacy rules, and in March, Rep. Marsha Blackburn (R-Tenn.) proposed mandates on the federal side. But, in the wake of an unclear privacy road ahead, consumers are increasingly taking privacy protections into their own hands and turning to VPN services. According to companies offering VPN services, the once sleepy consumer VPN market is on fire.
“By any means necessary, consumers are voicing their opposition to the repeal of ISP privacy protection,” said Ernesto Falcon, legislative counsel for the Electronic Frontier Foundation.
Consumers Speaking Out
The ruckus began earlier this year when the Senate voted to pass a joint resolution dismantling the Federal Communications Commission’s broadband privacy rules set to go into effect later this year. In April, President Trump signed legislation that repealed the FCC’s rules. FCC Chairman Ajit Pai argued that privacy rules for ISPs aren’t necessary because the broadband market is as competitive as the search engine market. He argued, that ISPs shouldn’t have a stricter set of privacy rules to abide by compared to Google or Facebook.
Privacy advocates countered Pai by arguing that many consumers can’t reasonably pick their ISP as they can a search engine. Additionally, they said unlike search engines, ISPs can track every packet a user requests online. Google and Facebook don’t have access to that type of data.
“Companies like Cox, Comcast, Time Warner, ATT and Verizon have a lot of information on their customers because they carry all of their online traffic–so they have addresses, phone numbers, browsing history, websites they frequent, social media posts and much more,” Falcon argued.
In an interview with Threatpost, Falcon notes that most consumers when asked thought ISP privacy protections were a good idea. He points to a number of heated exchanges in town hall meetings held by Senator Jeff Flake (R-AZ) and Rep. Leonard Lance (R-NJ) where constituents have expressed concern over their ISP’s ability to track and collect data based on their internet usage.
“I think a lot of Republicans voted to support the repeal of the ISP privacy rules because they perceived it another part of a larger Trump initiative to rollback Obama-era legislation and policies,” he said. The Senate vote on the resolution dismantling protections passed by party lines (50-48).
Faced with a constituent angst, Blackburn (R-Tenn.), last month introduced a bill called the Browser Act of 2017 (H.R.2520). The bill would:
“…require providers of broadband internet access service and edge services to clearly and conspicuously notify users of the privacy policies of such providers, to give users opt-in or opt-out approval rights with respect to the use of, disclosure of, and access to user information collected by such providers based on the level of sensitivity of such information, and for other purposes.”
The bill, if passed in its current form, would prevent states from imposing laws stricter than the proposed federal standards.
States Stepping Up
Privacy advocates don’t have high hopes for the bill, calling it a charade meant to appease angry Blackburn constituents. More hopeful, privacy advocates said, are the 22 state-level privacy laws being proposed by lawmakers.
Alaska, California, Montana and South Carolina have each proposed laws that would prohibit ISPs from collecting personal data without consent.
“This amendment is about standing up and saying that our online privacy rights are critically important,” said Senator Ron Latz (D-MN) of his state’s proposed ISP anti-snooping bill. “The amendment states that Minnesotans shall not have their personal information from their use of Internet or telecommunications services collected by providers without their express written approval. It won’t circumvent the federal government, but it will give Minnesotans a legal recourse to protect their privacy.”
In Massachusetts, six Republican lawmakers are breaking ranks with GOP counterparts who voted to overturn federal ISP privacy protections. They are backing a bill that would ban ISPs from collecting user data without user consent. The measure goes further and prevents ISPs doing business in Massachusetts from charging extra for customers who refused to share personal data.
Lance Cottrell, chief scientist at Ntrepid and founder of Anonymizer.com, has long argued that ISPs have had the ability to spy on their customers. And that it’s only been the recent debates around ISP privacy that consumers have begun to get outraged.
Privacy advocates and entrepreneurs such as Cottrell say the only way to keep your ISP from snooping on you is to encrypt all of your traffic, using either a VPN or Tor.
Boom Times for VPN Services
When it comes to consumer VPN services, over the past several months, nearly all say they have benefited from media coverage detailing a loss of privacy. It should be noted consumer VPN services represent a tiny sliver of the overall VPN market dominated by enterprise players.
“Growth and interest is certainly on the rise. Really, since Edward Snowden detailed how little privacy consumers have we have seen an uptick. With the U.S. abandoning ISP privacy protections, we have certainly seen another big jolt to our user base. It’s something the entire VPN market has benefited from,” said Ruby Gonzalez, head of communications of NordVPN.
In the days following the Senate resolution to repeal broadband privacy rules, the number of new VPN subscriptions in the U.S. surged, growing 239 percent, based on data culled by Comparitech.
“In the U.S. (VPN) interest has died down from the peak. But it is still significantly higher than pre-Trump and before the broadband privacy rules were repealed,” said Richard Patterson, founder of Comparitech.
At NordVPN, of the more than 1 million customers who pay a monthly fee for VPN protection, Gonzalez said that about 10 to 20 percent were added since the ISP privacy rule was struck down.
For consumers, the sudden rise of so many new VPN services can be daunting. “There is a VPN boom right now. There is price competition and more services to choose from. All this noise doesn’t make it easy for consumers to understand who to trust and what makes a good versus a bad VPN service,” Gonzalez said.
She said for many entrepreneurs, they see the erosion of privacy protection strictly as a new market opportunity. The problem, she said, is the barrier to entry for wannabe VPN kingpins is low. All you need to get started selling VPN services is a server running VPN software to route traffic through. And that, Gonzalez said, is why so many VPN services are shoddy and will ultimately go out of business.
Despite privacy concerns, most VPN services today aren’t built with privacy in mind, warn VPN experts. Instead they are used to hide geolocation data allowing consumers who want to defy regional restrictions and stream, for example, European content in the U.S.
But as ISPs face few privacy obstacles and governments crack down on what their citizens can view online, VPN providers see it as a huge market opportunity. “Eventually, VPN services will be as ubiquitous and common as antivirus solutions,” Gonzalez said.