Americans' online privacy will soon be in the hands of internet service providers after Congress officially voted to repeal Obama-era protections that prevented ISPs from selling customers' browsing history and data.
If signed into law, the repealed protections — which would have taken effect later this year — will now give ISPs free reign to exploit for profit everything their customers do online, all without disclosing it to users themselves.
Using consumers' internet histories for advertising purposes is already done by companies like Facebook and Google, as evidenced by targeted ads users receive while using these services.
But there's a big difference in what information these companies see. In an article for the Verge, Gigi Sohn, former counselor to FCC Chairman Tom Wheeler, wrote that "edge companies" such as Facebook and Google can "only see a small portion of any given consumer's internet traffic."
Internet service providers, on the other hand, "hold a unique position in the internet ecosystem: they have access to everything you do online," Sohn wrote. "They know every website you visit, how long and during what hours of the day you visit websites, your location, and what device you are using."
So what, exactly, do ISPs see when you're online? Here's what you need to know.
The most detailed information ISPs pick up about users comes from visits to unencrypted websites, which use the unencrypted Hypertext Transfer Protocol (HTTP) instead of Hypertext Transfer Protocol Secure (HTTPS). HTTPS combines HTTP with the Secure Sockets Layer to encrypt data, making a website more secure.
According to a 2016 report compiled by technology and policy organization Upturn, visiting unencrypted websites means your ISP can see the full URL you visit, along with the full content of "any webpage requested by the user."
More than 85% of the top 50 health, news and shopping websites are unencrypted, Upturn reported, including WebMD, Target.com, the Huffington Post and more. Don't want your ISP knowing what Black Friday deals you're buying or the diseases of which you might be showing symptoms? Too bad.
Getting unencrypted sites to change to HTTPS is often a challenge — according to Upturn, all third-party partners on the site, including advertisers, analytics and embedded videos, must support HTTPS.
And this unencrypted browsing doesn't just apply to the sites users visit. A lack of encryption is an issue for at least some of the information sent and received by "Internet of Things" devices such as voice-command devices, Nest thermometers and PixStar photo frames, Upturn explained.
Mobile ISP providers, too, could go beyond HTTP websites to gather unencrypted information about users. The Electronic Frontier Foundation reported that mobile providers have used several methods in the past to gain information. Android phones sold by AT&T, Sprint and T-Mobile, for instance, were once sold with pre-installed software that tracked users' app use and browsing history — including information-secure sites. Verizon, too, inserted undetectable "supercookies" into mobile users' unsecured browsing, which allowed anyone to track a user as he or she browsed the web.
To combat how easy it is for ISPs to gain information through unencrypted browsing, half of all websites have now encrypted their web pages through HTTPS. Users can tell they're on an encrypted site when the URL begins with "https://" — or if there's a marker next to the URL with a lock symbol or the word "Secure."
When users visit an encrypted site, the ISP doesn't receive the full URL nor the page's content.
But there's still a way for ISPs to learn something about the encrypted pages users are visiting. Even when a page is encrypted, ISPs can see what domains users are on — Mic.com, for example, versus the URL for a specific article, like this one.
ISPs can determine this information, Upturn explained, through requests to the Domain Name System, a public directory that converts a domain name into an IP address. The default DNS servers a computer uses are, as it happens, owned by the user's ISP.
Upturn noted these DNS servers play an essential role in helping to detect compromised sites or malicious software. But they also allow ISPs to gather more user information than customers realize.
"You don't need to see the contents of every communication" to track users' habits for advertisers, Dallas Harris, an attorney specializing in broadband privacy, told Ars Technica. "The fact that you're looking at a website can reveal when you're home, when you're not home."
Domain names can also provide information about users. For example, visiting children's sites can indicate when a child might be using the device, Harris said, while Upturn noted that a list of domains can reveal what smart devices a user has at home.
"The level of information that they can figure out is beyond what even most customers expect," Harris said.
The Upturn report also highlighted ways in which ISPs can further analyze encrypted data as HTTPS sites become more widespread. "Website fingerprinting," for instance, uses what little information an encrypted website shares — such as the domain name, the amount of content and any third-party resources that loaded — to identify the specific webpage a user is visiting.
In other studies cited by Upturn, researchers have gained access to annual family income, medical conditions and other sensitive information on encrypted websites — all without decrypting any of the "secure" information.
What can users do?
So, how can users ensure their ISP won't gain access to their information? There are a few steps customers can take to protect their privacy, though none are completely foolproof.
First of all, incognito browsing is one thing that won't help. Some browsers offer the option to browse privately, without the sites showing up in search histories or being saved by the browser itself. However, Ars Technica noted, this will not hide users' browsing from their ISP, so it's not an effective way to secure your browser history.
Users can also download an extension, such as the EFF's HTTPS Everywhere extension for Google Chrome, which will automatically switch many sites from HTTP to HTTPS. This is not a perfect option, though. According to Ars Technica, the Chrome extension only applies to websites that are already on its list as supporting HTTPS. If the website doesn't support HTTPS, there's nothing the extension can do to help.
For more comprehensive security, users can opt for a VPN service, which encrypts web traffic and prevents browsing from being tracked to a user's IP address — or Tor, which protects anonymity by making it appear as though a user's internet connection is coming from a Tor exit relay, which could be located anywhere in the world.
Though easy to use, VPNs have several downsides, Upturn noted. Many VPNs require an additional subscription cost to use them, which may be financially unfeasible for many users; further, the strength of the security depends largely on the specific VPN service. Such a service sees the same information an ISP would see, according to Ars Technica, which means users have to trust the VPN won't do the same kind of tracking they're trying to avoid.
Tor is "a little more privacy-preserving than the VPN," EFF senior staff technologist Jeremy Gillula told Ars Technica, though the software is still subject to its own downsides. Vulnerabilities have popped up in the past for Tor, leaving users exposed and allowing the FBI to hack suspects who use it. For users truly worried about their privacy, however, it may be the best place to turn.