Three Ways Repealing the FCC Privacy Rules Damages Cybersecurity
On March 28, the US House of Representatives voted to repeal the Internet privacy rules approved by the Federal Communications Commission (FCC) in October 2016. The repeal resolution had already passed the Senate the week before, leaving the final decision in the hands of President Trump. The White House, however, has already said the president supports the repeal, meaning that it will soon be signed into law.
Ever since the vote was announced, the Internet has been buzzing with resentment at the prioritizing of Internet Service Providers’ (ISP) profits and anxiety about the implications for citizens’ privacy. However, the debate has not yet shifted to another important question: What does the weakening of online privacy mean for cybersecurity?
According to the rights group Electronic Frontier Foundation, “privacy and security are two sides of the same coin: privacy is about controlling who has access to information about you, and security is how you maintain that control.” Here, we review the main ways the new ruling will affect Americans’ security.
#1 Storing Large Amounts of Data Attracts Hackers
This mind-blowing visualization shows all the major data breaches and leaks over the last 13 years, illustrating the huge growth in both the number and the scope of breaches. From Yahoo and eBay to the US military and Hillary Clinton’s election campaign – any system can be vulnerable to security risks.
The storage security argument always reappears when mandatory ISP data retention programs are discussed in various countries. Politicians, security experts and human rights groups usually agree that collecting citizens’ data for national security purposes must be balanced with increased data protection. However, in this US case, the data collection and storage have nothing to do with national security – they are purely a measure to increase ISP profits at the expense of subscribers who already pay significantly higher fees than Europeans.
To make matters worse, the FCC Chairman (and former Verizon lawyer) Ajit Pai has recently halted the enforcement of another ISP regulation. It would have required providers to take measures to protect users’ private data from security breaches. As a result, even if your data does get exposed because of lax security, broadband providers will bear no responsibility.
#2 Supercookies Allow Hackers to Track You
A 2015 study has shown that at least nine telecommunications providers, including AT&T, Verizon and Vodafone, have been using a tougher version of the common website cookie. On the surface, these “supercookies” do the same thing as regular cookies: track user preferences and browsing histories.
However, in contrast with regular cookies, this type of tracker is difficult to detect and remove. These cookies collect user data in secret, beyond the limitations of common industry practices, and therefore raise serious privacy concerns.
They also raise extremely serious security concerns. If your Internet provider sends these trackers to every website you visit (as Verizon did originally), then every website you visit, and every third party embedded in these websites, can track you. Even if you delete your browser’s cookies or use the Incognito mode, supercookies persist. Also, many of the tools you use to protect yourself may not work because the tracking is added after the data leaves your device.
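Because the tracker is added after the request leaves the device, the way to see it is to compare what the client sent with what the server received. The following is an added example, not part of the original article: it assumes you can send a plain-HTTP request over the provider's network to an echo endpoint you control that reports the headers it received. The tracking header names are publicly reported ones assumed for illustration, and all sample data is constructed.

```python
# Added example: spot identifiers injected into HTTP requests in transit by
# comparing what the client sent with what a header-echo server received.

# Header names publicly reported for carrier tracking IDs. This list is an
# assumption of the example, not taken from the article.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr", "x-vf-acr", "x-msisdn", "x-up-subno"}

def normalize(headers):
    """Header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value.strip() for name, value in headers.items()}

def diff_headers(sent, received):
    """Return (kind, name, value) for every header changed in transit."""
    sent_n, recv_n = normalize(sent), normalize(received)
    findings = []
    for name, value in sorted(recv_n.items()):
        if name not in sent_n:
            kind = "tracking-id" if name in KNOWN_TRACKING_HEADERS else "added"
            findings.append((kind, name, value))
        elif sent_n[name] != value:
            findings.append(("modified", name, value))
    for name in sorted(set(sent_n) - set(recv_n)):
        findings.append(("stripped", name, sent_n[name]))
    return findings

def stable_injected_ids(sent, sessions):
    """Injected header names whose value is identical in every session.

    Each session is captured from a fresh browser profile, so a value that
    survives cannot come from the browser's own cookie storage.
    """
    injected = [{n: v for kind, n, v in diff_headers(sent, recv)
                 if kind in ("added", "tracking-id")} for recv in sessions]
    if not injected:
        return []
    common = set.intersection(*(set(d) for d in injected))
    return sorted(n for n in common if len({d[n] for d in injected}) == 1)

# Constructed sample data (not captured traffic).
SENT = {"Host": "echo.example", "User-Agent": "probe/1.0", "Accept": "*/*"}
SESSION_A = {"host": "echo.example", "user-agent": "probe/1.0", "accept": "*/*",
             "Via": "1.1 proxy-a.example", "X-UIDH": "CONSTRUCTED-TOKEN-0001"}
SESSION_B = {"host": "echo.example", "user-agent": "probe/1.0", "accept": "*/*",
             "Via": "1.1 proxy-b.example", "X-UIDH": "CONSTRUCTED-TOKEN-0001"}

if __name__ == "__main__":
    for finding in diff_headers(SENT, SESSION_A):
        print(finding)
    print("stable:", stable_injected_ids(SENT, [SESSION_A, SESSION_B]))
```

The same probe sent over HTTPS should show no injected headers, since the provider cannot modify an encrypted request.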
#3 ISPs Have Incentives to Weaken Web Encryption
At the moment, Internet providers can only track the portion of user traffic that is not encrypted. Tracking doesn’t work on HTTPS websites secured with SSL (Secure Sockets Layer), which are becoming increasingly popular and are encouraged by major tech companies. On such websites, any data sent between your browser and the server is encrypted. This helps protect users’ private information from any prying eyes, including their ISP.
Naturally, the spreading use of SSL certificates poses a major problem for the ever-curious Internet providers. They want to be able to build advertising profiles on the contents of all subscriber data, encrypted or not. Result: a suggested standard called Explicit Trusted Proxy that would allow ISPs to intercept your encrypted data, decode it, process it in some manner, re-encrypt it, and then finally pass the re-encrypted data along to its original destination.
Even those who are not particularly worried about their ISPs being able to access their data should take note. Recent studies have shown that many tools used for inspecting HTTPS traffic end up weakening the encryption and potentially exposing it to various security breaches. If Internet providers get their way and obtain access to our encrypted data, they will reduce the security of the entire web.
With all these risks in mind, there are a few steps you can take to protect your privacy, such as using a VPN. A VPN (Virtual Private Network) secures and encrypts Internet traffic, helping to protect your identity and data by hiding your IP address. It scrambles your online data, so your ISP cannot decode and use it for building an advertising profile.