The U.S. House of Representatives voted Tuesday to overturn rules scheduled to go into effect later this year that would have banned internet service providers such as Comcast, Time Warner Cable and Verizon from tracking users’ online activities and reselling the data without consumers first opting in.
Legislation designed to kill the privacy rules now heads to the White House where it’s expected President Donald Trump will sign the privacy rollback.
Businesses and privacy activists say the defeat is a blow to the Federal Communications Commission’s strong privacy provisions that prevent ISPs from collecting and selling web browsing history, app usage history, and other private information to advertisers and other companies.
Experts say dismantling online privacy protections created by the FCC’s 2016 Broadband Privacy Order by way of the Congressional Review Act doesn’t just hurt consumers, but also impacts businesses. They say businesses face uncharted territory where unproven privacy rules could impact data privacy and security of digital records of their business activities online.
“Data security and privacy comes up in every discussion we have with our customers,” said Allen Falcon, CEO of solution provider Cumulus Global. “There are typically business privacy and security assurances built into every contract a business has with an ISP. But we just don’t know the extent of how ISPs might evolve their tracking capabilities on businesses or consumers as they enter this new regulatory landscape.”
For weeks, broadband companies had been lobbying to nullify the enforcement of consumer privacy protections scheduled to take effect in December. The Congressional Review Act doesn’t just terminate the FCC’s privacy rules, but also prevents the agency from creating similar privacy protections in the future.
According to a study of 320 IT professionals by Spiceworks, 61 percent said they believed the rollback of ISP privacy provisions makes it more challenging for them to protect business data.
Privacy advocates at Fight for the Future see the weakening of privacy rules as having a domino effect, putting net neutrality into the legislative crosshairs of Republicans who see the FCC’s regulatory oversight of ISPs as too broad. With the rollback, ISP privacy enforcement moves from the FCC to the FTC.
“The FTC has historically had no enforcement authority. It’s been defanged to the point where enforcement of these privacy rules will come from a very weak regulatory position,” said Evan Greer, campaign director for Fight for the Future.
He said the same Republicans who want to roll back broadband privacy protections are now gunning for net neutrality.
To that end, Republicans say they want the FCC and FTC to work jointly to come up with new rules governing ISP privacy. Civil liberties groups fear that could lead to the repeal of rules prohibiting the FTC from regulating common carriers or ISPs. The common carrier classification of ISPs was used to impose net neutrality rules imposed by the FTC.
“In the absence of net neutrality rules, we essentially have a race by internet companies to a monopoly. In no way is that good for businesses,” Greer said.
Still others say the impact on businesses will be negligible.
“ISPs have always had the power and the option to (track businesses and consumers)… All ISPs can do this and switching ISP providers is no easy task. I don’t believe there will be any impact to businesses since this information is already being collected and sold,” said Ryan O’Leary, vice president at WhiteHat Security.
That said, Peter Eckersley, chief computer scientist at the Electronic Frontier Foundation, told Threatpost that while ISPs had been free to collect and sell private information, those efforts have been nominal so far. “ISPs have been modest in their data collection for fear of public backlash and regulatory scrutiny by the FCC ahead of what was to be new privacy rules.”
He pointed to pressure on Verizon to allow customers to opt out of UIDH so-called supercookies in 2015 and the controversy around the use of Carrier IQ’s software in 2011. “Once the privacy rules are nullified, ISPs will be unshackled to collect whatever type of data they want,” Eckersley said.
As with consumers, businesses run the same risk when more of their data is collected, stored and resold. That boosts the odds that a third-party repository of their businesses’ online activities could be breached, Falcon said. “We remind our customers the internet is insecure by design. Encrypted email and VPN services, when deployed correctly within a business, are the only antidote for data leakage,” he said.
Falcon said businesses already use VPN services for mission-critical applications. But, he said, businesses might think twice about company work-from-home rules as the debate over ISP snooping grows louder. “Business data, from email, application usage and cloud service information would be a treasure-trove for resale to those selling complementary and competitive services to businesses,” Falcon said.
Spiceworks found in its study that most businesses are not encrypting their data at rest. “Many IT pros believe that if these changes are put in place, data encryption will be even more important in business,” Spiceworks said.
“Consumers will now have to pay a privacy tax by relying on VPNs to safeguard their information,” wrote Ernesto Falcon, legislative counsel at the EFF.
For a small business of 300 employees with two locations, that tax could run as high as $10,000 a year for hardware, licensing and support for VPN services to protect communications from prying eyes. For consumers, prices run the gamut, but one leading consumer VPN service charges just under $100 a year to add VPN capabilities to six devices.
According to ecommerce pricing engine Comparitech, in just under 24 hours after the House of Representatives passed the resolution to repeal broadband privacy rules, VPN subscriptions in the US have already surged by 239 percent.