#ICYMI: Politicians don’t care about data consent

November 3, 20175 Minute Read

Are you one of the few people who actually reads their annual data disclosure statements or app permissions in detail? I didn’t think so. So, in case you missed it: Data consent is no longer an issue, at least in the USA.

In late March 2017, American House and Senate politicians voted to allow internet service providers (ISPs) to sell personal data to advertisers without consent. President Trump signed the congressional resolution into law in early April. It’s official—browser history is now up for sale in the USA. Thankfully, Canada has not followed suit.

Way back in October, the Federal Trade Commission implemented a policy that required Comcast, Verizon, and other ISPs to get “opt-in” consent from their customers before their sensitive data could be released. After politicians reversed this policy, the American Civil Liberties Union stated Congress should have resisted “industry pressure to put profits over privacy.”

Don’t bother clearing your history

The laundry list of data your ISPs can now control includes some truly concerning content you shouldn’t want to share with anyone. ISPs now have the right to share private data that includes your:

  • Financial information

  • Medical information

  • Social security numbers

  • Browser history

  • Mobile app usage

  • Email content

  • Chat content

If you’re a little white-knuckled, well, there’s good reason to be. The Globe and Mail wrote that while Comcast and other ISPs have released official statements they don’t plan to sell their customers’ data, consumer data is a big business, and ISPs are in a position to make some serious profit.

Anonymous data doesn’t hide much

While it’s impossible to predict the future, companies may technically uphold their promise to protect your privacy, while scrubbing your data of specifically identifying information and still making money hand over fist.

Your anonymized data is shockingly identifying. Advertising companies may just be buying “insights” on millennial IT professionals in your zip code, but these data sets could contain enough to figure out who you are. Researchers took this a step further and successfully simulated de-anonymizing web browser history. They were correctly able to attribute the web browsing history of 70 percent of study volunteers to the right Twitter profile. As it turns out, your browsing history contains certain idiosyncratic characteristics that resemble how you use your social media accounts.

Why ISPs want your internet rabbit holes

While the general population reacted in horror to the news that their private data was now a commodity, the details of exactly how and what ISPs could profit from their data were initially a little less clear. Chances are, you’re using some device pretty much every minute you’re awake—from the minute you check your Facebook in the morning to your final minutes watching Netflix before you turn into bed at night. ISPs will use these insights to understand people within your demographic groups and sell the information to advertisers accordingly.

If you thought Facebook’s targeted ads were creepy, you’re in for a wild ride. Representative Michael Capuano (D-Mass.) called the bill “terrible” and explained to the media that one ISP has a patent application in a cable box with a thermal camera to understand how and when you’re engaged with your flat-screen TV. Your “Netflix and chill” session could result in being shown advertisements for romantic content, because the camera may have the ability to detect when you’re cuddling with your partner (or, you know, “beyond”).

Literally being watched when you unwind after a really long work week and being shown targeted ad content accordingly is creepy enough, but the possibilities behind the ISPs new right to collect and disseminate your personal data is even scarier. While they may not sell your name and social security number to aggressive adtech professionals, what if their information security practices aren’t bulletproof, and their internal storage mechanisms don’t keep your personal identifying information (PII) obscured?

In the wake of some recent data leaks, it’s easy to see how this information can fall into the wrong hands. Targeted advertising may feel invasive—but when you think about what your identity and web browser history could mean for cybercriminals, it’s a lot worse.

Steps to protect your anonymity

There is some good news: Any website you visit with a HTTPS isn’t necessarily going to be part of your ISP’s dataset. But there’s enough contextual information around it that even if they can’t see your banking login information, a shrewd advertiser may be able to discern from your Mayo Clinic searches that you’ve experienced a strange rash in the last few weeks. Luckily, organizations are increasingly moving towards HTTPS encryption to protect their users’ data consent. One recent report indicated that more websites are encrypted than not-encrypted.

Users should assume that no method of information security protection is perfect. However, there are a few other tactics you can use. One such idea is adopting virtual private network (VPN) technology when working from your home. Web tools designed to support online anonymity, such as the web browser Tor and the search engine DuckDuckGo, may also allow you some means of protection.

Unfortunately, your sleepless nights spent reading up on the latest conspiracy theories on Reddit may not be as anonymous as you think. For most heavy internet users, they can even be linked to your online social media content. Unless you’re prepared to go completely off the grid, adopting basic means of protection, like a VPN and privacy-conscious browsing and search tools, is your next best bet.

Gary Hilson October 31, 2018 4 Minute Read

5 ways to prepare for PIPEDA’s updates

PIPEDA's getting an update, and it looks a whole lot like GDPR. Here are five best practices that will help you stay compliant.

Stephanie Vozza October 29, 2018 4 Minute Read

Brush up on these 4 fundamentals for Cybersecurity Awareness Month

From employee training to shoring up endpoints and passwords, get primed for Cybersecurity Awareness Month with these four security and privacy tips.

Graham Templeton September 26, 2018 4 Minute Read

Prepare for PIPEDA with better device security and data privacy

Complying with PIPEDA's new privacy amendments requires diligence in everything from internal processes to device security.