Privacy invasion —

Senate votes to let ISPs sell your Web browsing history to advertisers

ISP now stands for "invading subscriber privacy," Democratic senator says.

Senate votes to let ISPs sell your Web browsing history to advertisers
Getty Images | KrulUA

The US Senate today voted to eliminate broadband privacy rules that would have required ISPs to get consumers' explicit consent before selling or sharing Web browsing data and other private information with advertisers and other companies.

The rules were approved in October 2016 by the Federal Communications Commission's then-Democratic leadership, but are opposed by the FCC's new Republican majority and Republicans in Congress. The Senate today used its power under the Congressional Review Act to ensure that the FCC rulemaking "shall have no force or effect" and to prevent the FCC from issuing similar regulations in the future.

The House, also controlled by Republicans, would need to vote on the measure before the privacy rules are officially eliminated. President Trump could also preserve the privacy rules by issuing a veto. If the House and Trump agree with the Senate's action, ISPs won't have to seek customer approval before sharing their browsing histories and other private information with advertisers.

The Senate vote was 50-48, with lawmakers voting entirely along party lines.

“President Trump may be outraged by fake violations of his own privacy, but every American should be alarmed by the very real violation of privacy that will result [from] the Republican roll-back of broadband privacy protections," Sen. Ed Markey (D-Mass.) said after the vote.

The Senate measure was introduced two weeks ago by Sen. Jeff Flake (R-Ariz.) and 23 Republican co-sponsors. Flake said at the time that he is trying to "protect consumers from overreaching Internet regulation." FCC Chairman Ajit Pai argues that consumers would be confused if there are different privacy rules for ISPs than for online companies like Google and Facebook. "American consumers should not have to be lawyers or engineers to figure out if their information is protected," Pai recently told Democratic lawmakers.

Sen. John Cornyn (R-Texas) argued today that the privacy rules "hurt job creators and stifle economic growth." Cornyn also said the FCC's privacy rulemaking involves the "government picking winners and losers," and was among the "harmful rules and regulations put forward by the Obama administration at the last moment."

Update on March 24: We have a new story explaining the impact of the Senate vote, titled, "How ISPs can sell your Web history—and how to stop them."

ISPs: “Information sold for profit”

Democrats and consumer advocates are furious. The acronym "ISP" now stands for "information sold for profit," and "invading subscriber privacy," rather than "Internet service providers," Markey said during floor debate today.

The Senate action "would allow Comcast, Verizon, Charter, AT&T, and other broadband providers to take control away from consumers and relentlessly collect and sell their sensitive information without the consent of that family," Markey said. That sensitive information includes health and financial information, and information about children, he said. ISPs want to "draw a map" of where families shop and go to school, and sell it to data brokers "or anyone else who wants to make a profit off you," Markey said.

"Your home broadband provider can know when you wake up each day—either by knowing the time each morning that you log on to the Internet to check the weather/news of the morning, or through a connected device in your home," Sen. Bill Nelson (D-Fla.) said during Senate floor debate yesterday. "And that provider may know immediately if you are not feeling well—assuming you decide to peruse the Internet like most of us to get a quick check on your symptoms. In fact, your broadband provider may know more about your health—and your reaction to illness—than you are willing to share with your doctor."

Home Internet providers can also "build a profile about your listening and viewing habits," while mobile broadband providers "know how you move about your day through information about your geolocation and Internet activity through your mobile device," he said.

"This is a gold mine of data—the holy grail so to speak," Nelson said. "It is no wonder that broadband providers want to be able to sell this information to the highest bidder without consumers’ knowledge or consent. And they want to collect and use this information without providing transparency or being held accountable."

Few consumers have any choice of Internet provider, said Sen. Ron Wyden (D-Ore.). Thus, their only choice may be between "giving up their browsing history for an Internet provider to sell to the highest bidder or having no Internet at all," he said.

Wyden also said that the FCC rules don't prevent ISPs from monetizing customer data—the rules simply require ISPs to inform consumers about how their data is used and get customer consent before selling the most sensitive data, he said.

Advocacy groups including Free Press, Demand Progress, and the ACLU went to Congress to deliver nearly 90,000 petitions to "save broadband privacy" yesterday.

ISPs and advertising lobby groups had urged senators to kill the privacy rules. Cable lobby group NCTA—The Internet & Television Association said, "we appreciate today’s Senate action to repeal unwarranted FCC rules that deny consumers consistent privacy protection online and violate competitive neutrality." The group said that the cable industry "remains committed to offering services that protect the privacy and security of the personal information of our customers."

What the privacy rules require

The FCC's privacy rules would require ISPs to get opt-in consent from consumers before selling or sharing personal information including geo-location data, financial and health information, children’s information, Social Security numbers, Web browsing history, app usage history, and the content of communications. Opt-out requirements would have applied to less sensitive data such as e-mail addresses and service tier information.

The opt-in and opt-out provisions would have taken effect as early as December 4, 2017. The rules would also force ISPs to clearly notify customers about the types of information they collect, specify how they use and share the information, and identify the types of entities they share the information with. 

The FCC's privacy rules also had a data security component that would have required ISPs to take "reasonable" steps to protect customers' information from theft and data breaches. This was supposed to take effect on March 2, but the FCC's Republican majority halted the rule's implementation. Another set of requirements related to data breach notifications is scheduled to take effect on June 2.

The Senate vote would prevent all of these rules from taking effect, unless the House or President Trump decide otherwise.

Republicans say that the Federal Trade Commission should have authority over ISPs' privacy practices, instead of the FCC. That would require further action by the FCC or Congress because ISPs and phone companies are common carriers that cannot be regulated by the FTC.

Channel Ars Technica