These days, I can't imagine shopping for most things in physical brick-and-mortar stores. In just the past two weeks, I've ordered Nia Mya Reese's How to Deal with and Care for Your Annoying Little Brother (impossible to find in stores), a Braun Series 5 51S Foil & Cutter Replacement Head, school uniforms, vitamins, and cup lids . . . all online and all without leaving my sofa. I've mapped directions to my new doctor's office, signed up for cooking classes, and had a face-to-face meeting with a colleague in Europe. The internet provides an amazing range of opportunities to us all, and we can take advantage of many of them while sitting at home in our pajamas.
Recently, the public has learned that all of this convenience comes at a price. A huge price that we mostly pay with our data. When we browse, email, purchase, and post, we are creating tons of data about ourselves and others. Data that describes where we're physically located, what kinds of information we like to read and watch, what our health and medical statuses may be, the identity of our significant others and kids, and any number of other things.
Check out how much data we were creating every minute of 2016:
Companies who want to sell stuff to us really, really want access to our data. With it, they can figure out how to get deeper and deeper into our private lives and ultimately our pockets. As such, many of them are constantly looking for new ways to collect this information, and what better way to do that than with using your internet activities? I talked about why this information is so valuable on WHO-TV/NBC Channel 13 in Des Moines this week:
From where you are, to how long you're spending on specific websites, to the ages and birthdays of your children, this information helps companies figure out what to show and hopefully sell to you.
Recognizing how intrusive this could be to many people's private lives, the Federal Communications Commission passed rules last year that focused on how internet service providers like Verizon, Comcast, Charter and AT&T collect their customers' data. As of this week (the week of March 27, 2017), these rules hadn't gone into effect yet - and after this week they probably never will.
These rules, which won't ever see the light of day, would have done two important things:
- Required internet service providers to tell customers exactly what information they were collecting, and
- Required explicit consent from customers to collect "sensitive information," defined to include geographical location, internet browsing history, email content and other communication, app usage, Social Security numbers, medical information, health information, and information about children.
Over the past two weeks, Congress took some pretty significant steps to kill these rules.
Using the rare Congressional Review Act ("CRA"), which allows lawmakers to take steps to eliminate newly-created federal regulations with a simple majority vote, both the House and the Senate voted (mostly) along party lines to kill the rules. House Republicans won the vote by a margin of 215-205, while Senate Republicans won by a margin of 50-48. Before the Trump administration, the CRA had only ever been used once (under George W. Bush). Just this year, Republicans have used it 8 times to kill Obama-administration regulations.
At any rate, the White House has indicated that President Trump will sign the bill into law, ultimately eliminating the FCC rules designed to protect consumers.
What changes now that we won't have these rules?
Given that the FCC rules hadn't gone into effect yet, not much will change in the short term. Federal laws do currently say that internet service providers have a duty to protect the confidentiality of customers' data. The law also says some data can't be collected without approval. BUT, the law neither explains how companies have to go about getting this approval nor how companies have to protect your data. In addition, the law doesn't explain how (or whether) internet service providers have to tell you if they've been hacked (which means you may not even find out if hackers have your information).
In the long run, the elimination of these rules means that internet service providers will have significant reign to collect data related to their customers' internet usage and use that data to sell increasingly personal advertisements. They'll also be able to sell that data to third parties. All without the customers' permission. Also, because of the way the CRA was drafted, the FCC is likely prohibited from creating similar rules in the future.
What can you do to protect your online privacy?
In my opinion, there isn't a perfect solution to this issue for internet users. Users can, in some cases, opt out of data collection, but internet service providers don't make it easy for users to figure out how to do this appropriately.
Users can also use something called a "virtual private network," (VPN) which sends a person's browsing history and internet usage through a secure connection that providers can't see (though VPNs don't protect data related to one's geographical location). The really good VPNs, however, can be expensive and hard to set up. In addition, a person has to figure out if they really trust the VPN, because it, too, could sell their data.
The longer term, solution, of course, is to make sure representatives know how people feel about these issues and hold them accountable for the decisions they make on the Hill about online privacy. If you're curious about how your own reps voted, the below chart shows how individual members of Congress casted their ballots.
These issues will not be going away anytime soon. Internet users will have to decide how comfortable they are with providing personal data to companies who don't have to share what they're doing with, or how they are profiting from, that data. Frankly, we already share this kind of data with Google, Facebook, and others (they aren't subject to the same FCC rules/regulations). But, it may be time to take a closer look at the impact of such activities.
Our current and future privacy depends on it.