Sunday, April 2, 2017

Privacy Is Dead. Long Live Privacy.

There seems to be a lot of confusion about what happened on March 28, 2017, when the United States Congress affirmed the Senate's vote of the previous week to block the Obama-era rules safeguarding the privacy of online activity. I want to try to clear that up.

First, let's get the legal mumbo jumbo out of the way. In October 2016, the FCC amended its interpretation of the Communications Act of 1934, Section 222. Prior to this amendment, Internet Service Providers ("ISPs") were required to protect their customers' online habits and personal information, although the method of protection isn't defined. What is defined are the exceptions:
- in order to bill their customers for data usage
- in response to a subpoena or warrant
- on suspicion of harm to the ISP's own or partnering infrastructure
- to provide location data in the interest of public safety
- and if customers gave their permission to be served ads based on their personal information and/or usage.

These exceptions meant that ISPs were able to examine all customer data and traffic in order to satisfy the criteria.

Let me repeat that - ISPs have had the legal right and means to collect, analyze and sell customer data all along.

Popular wisdom is that, although they legally *could,* few ISPs actually *did* sell customer data, because Section 222 required that selling your information be done on an opt-in basis (it didn't forbid the sale itself). People are under the impression that unless they gave consent, it didn't happen. However, the language for opting in may be buried in the terms of service in your contract as a condition of usage. You may have agreed to opt in unless you explicitly opt out. For example, Comcast/XFINITY contracts contain this perfectly legal twist of language.

The October 2016 amendment enforced a higher standard of care in protecting personal information and banned the sale of customer data without explicit permission by the user him/herself by removing the "not opting out is opting in" loophole. The law was scheduled to go into full force and effect in December 2017. What the current Congress and Senate voted on was halting this amendment, effectively preserving the status quo of selling user data and removing the stronger privacy/protection standards for personal information and online activity.

In the aftermath of the March 28 vote, pundits are saying that nothing changed and that, until POTUS signs the new bill, it's not "law."

True? Not exactly.

Let's take the second point first because that's easier to explain. Yes, it's true that bills don't become laws until the sitting president signs them. In this case, though, the bill is a negative: it takes prioritizing privacy in ISPs' data handling standards, with penalties for non-compliance, off the table. More simply stated, the ISP practice of collecting, analyzing and selling user data remains legal.

Now let's get into the trickier part and where there are even more misunderstandings. I drew the above gross oversimplification to explain this to someone and I'm finding it handy so I thought it worth sharing here.

In the "Before March 28, 2017" drawing you see the typical Internet traffic flow. We access Internet-based resources from our homes, offices, coffee shops, hotels, schools, mobile devices, etc. by way of routers and broadband lines leased to us by our ISPs. When accessing sites considered sensitive, like banks, shopping sites, and email, the session takes place using SSL or TLS hosted on those websites. SSL/TLS creates encrypted wrappers for the flow of data back and forth between your device and the destination, making it difficult for ISPs (or anyone else) to eavesdrop. They can't see or collect the information, they just see gobbledygook. The "Profit" box in the drawing means ISPs make their money directly from their consumers who pay for Internet and carrier services. They also make money by serving us ads based on the use they see that's not protected by SSL/TLS. When we see the ad, people get paid. These are called "ad impressions." If we click on the ad, people get paid more because ISPs, websites and advertisers make commissions on the number of clicks. Some ads are random and some are based on our online activity. Websites learn about us by incorporating user tracking like cookies or hidden pixels in images on the sites we visit. While not strictly illegal, nor technically infeasible, before March 28 it was considered unethical for ISPs to decrypt SSL/TLS sessions in transit for the purpose of serving ads or to sell to third parties.

That's the crux of the ISPs' complaint against the October 2016 amendment. Google, Facebook, banks, shopping sites, etc. all get our decrypted data because they're the ones presenting your machine the site's certificate, and they hold the matching private key that opens the SSL/TLS tunnel on their end of the conversation. This is how they're able to provide you the service you expect. It's also how they show you ads you're more likely to click on ("targeted ads"), because they get to see what you do while you're on their sites. ISPs want to be able to use the data they collect from you to do the same.

Wait a minute, I hear you saying. ISPs decrypting SSL? Is that possible?

It's not only possible, the capability has been commercially available for a decade. Bad guys use SSL/TLS, too, in order to slip past defenses. The good guys needed a way to fight back. Corporate gateway inspection, intrusion detection/prevention systems, firewalls and proxies sold by companies like Blue Coat, Palo Alto Networks and Microsoft all rely on SSL interception to decrypt and analyze SSL/TLS-encrypted traffic to identify and respond to encrypted malicious activity. Of course, government spies have been doing it much longer. And ISPs had the right to decrypt traffic in order to meet the exceptions noted above.
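One practical way to notice when your own TLS session is being terminated and re-signed by such a middlebox is to compare the certificate you actually receive with the one the site presented from a network you trust. The script below is an added example, not code from the original post; the hostname, CA name and fingerprint in it are constructed placeholders, and it assumes you have previously recorded a trusted fingerprint or issuer name yourself.

```python
# Added example, not code from the original post. Detects TLS interception
# by comparing the certificate a site presents now against a fingerprint or
# issuer recorded from a network you trust. All hostnames, CA names and
# fingerprints below are constructed placeholders (assumption: you recorded
# the real ones yourself on a trusted network).
import hashlib
import socket
import ssl


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_common_name(cert: dict) -> str:
    """Extract the issuer CN from the nested tuples ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify(cert: dict, der_bytes: bytes, expected_fingerprint: str,
             known_public_issuers: set) -> str:
    """Return 'match', 'reissued-by-known-ca' or 'interception-suspected'.

    The OS trust store cannot make this call for you: an interception proxy
    whose root CA has been installed on the device passes default validation.
    The issuer test is a heuristic: a renewed certificate from the same
    public CA is routine, while an unfamiliar private issuer is the usual
    signature of a middlebox re-signing the session.
    """
    if fingerprint(der_bytes) == expected_fingerprint.upper():
        return "match"
    if issuer_common_name(cert) in known_public_issuers:
        return "reissued-by-known-ca"
    return "interception-suspected"


def fetch_peer_cert(host: str, port: int = 443) -> tuple:
    """Open a TLS connection and return (parsed cert dict, DER bytes). Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
SAMPLE_DER = b"constructed-der-placeholder-not-a-real-certificate"
KNOWN_PUBLIC_ISSUERS = {"Example Public CA R1"}

if __name__ == "__main__":
    # Offline demonstration with the constructed sample: the pin was "recorded"
    # from the same bytes, so the verdict is "match".
    pin = fingerprint(SAMPLE_DER)
    print(classify(SAMPLE_CERT, SAMPLE_DER, pin, KNOWN_PUBLIC_ISSUERS))
    # Live use against a hypothetical host, once a pin has been recorded:
    # cert, der = fetch_peer_cert("bank.example")
    # print(classify(cert, der, pin, KNOWN_PUBLIC_ISSUERS))
```

Record the pin with `fetch_peer_cert` on a connection you trust, then re-run the check from the network you are suspicious of; a verdict of `interception-suspected` means the certificate chain you are seeing was not issued by the CA the site normally uses, which is exactly what happens when a gateway decrypts and re-encrypts the session in transit.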

Why is this important? Because, contrary to popular belief, the Communications Act, Section 222 doesn't prevent ISPs from employing this same tactic in order to compete for advertising dollars. Public opinion has been the only deterrent. The October 2016 amendment aimed to rectify that. Which brings us to the "After March 28, 2017" picture.

In the lower drawing, we see the Internet as it exists today with a couple of hypotheticals in the current climate. Remember when I said the justification for killing off the October 2016 amendment was to allow ISPs to compete with website owners for higher ad revenue? They don't have to wait for something to *not* happen (increased restriction and oversight). Thus you see the data siphon flow, representing the ISPs' desire to create a database of their customers and their online behaviors. In some states it's illegal to store this data in plain text (unencrypted) but the point is that ISPs are free to use data they already collect on customers by searching through their data stores with tailored queries suited to advertisers' whims. They are free to serve highly targeted ads and redirect us from where we wanted to go to sites that pay them in order to maximize the ISPs' commissions. Theoretically, this data is also available to anyone willing to pay for it, including local, state and federal agencies, without notifying users should ISPs continue and even expand their definition of "not opting out is opting in." Remember, ISPs are only restricted by the broad language of Section 222 as it existed before March 28. That's why I used "warrantless searches" as one theoretical example.

So what can we do about this? Not a heck of a lot.

Deleting your browsing history on your own device has no effect whatsoever. Zero. Nada. The data collection we're talking about is your activity as it traverses your ISP's network, not your own computer or mobile device. Deleting cookies and history is a good practice against certain types of malware, but it's no help here.

Privacy fans who are willing to put up with a slower Internet experience can run I2P and Tor to make a best effort at protecting their anonymity. If you go this route, use both. I2P acts as an underlying layer that complements Tor to increase the effectiveness of the privacy Tor provides. Just be aware that eventually your Internet traffic pops out of the private channel to reach its destination, and those exit points can be monitored. Sometimes it's good guys, sometimes it's bad guys, sometimes it's both sitting and watching on the same exit node. Another downside is that Tor is blocked by many popular websites, like banking, shopping, and streaming entertainment sites, because anonymity is popular with bad guys, too. The same goes for other forms of free virtual private networks ("VPNs").

Speaking of VPNs, if your employer allows you to work remotely, chances are pretty good that you log into your office on a corporate VPN. Using your company's VPN may be an option to keep your ISP's eyes off your activity. The downside is your employer is probably watching and you will definitely be restricted by the employer's acceptable use policies.

Another alternative is to simply accept and assume that everything you do online is public.

The best thing we can all do is to keep the pressure on and support the folks on the front lines fighting for our privacy. The Electronic Frontier Foundation and the ACLU are leaders in this pack. Keep calling, writing, emailing, faxing, and showing up to let your elected officials know how you feel about your privacy, and volunteer and/or donate to EFF and ACLU.

Update: POTUS signed the bill on April 3. The bill rolling back privacy protections is now law.