Congress shot down the FCC’s internet privacy rules this week, and in doing so, created a world of confusion over what Americans should expect when it comes to online privacy. The gutted rules would have explicitly prohibited internet providers like Comcast, Verizon, and AT&T from sharing your web browsing history with other companies, and they would have put firm restrictions around how your data could be used. But this week’s joint resolution effectively turned back the clock to before the rules were proposed, opening the door for far more aggressive data-sharing.

With the protections gone, no one’s quite sure what to expect — some suspect their browsing habits are going up for sale, while others see no changes coming whatsoever. That uncertainty and confusion is justified: the rules Congress shot down were meant to clarify an existing set of already vague and confusing policies.

On some level, it’s being left up to internet service providers, or ISPs, to decide what the rules do and don’t allow them to do. And while none of them are very clear about their intentions, there’s plenty we can suss out based on what we already know. So to cut through the haze, we pulled together everything you need to know about the current state of online privacy rules.

What does the new resolution actually change?

This is a trickier question than you might think! Let’s take a step back: telecom regulation isn’t like criminal law, where the word of the law draws a clear line between what’s legal and illegal. Most of what the FCC does is interpreting the same law — the Telecom Act of 1934 — to apply to modern technologies like wireless internet and broadband.

Privacy rules are less like a law than a promise of enforcement

The Telecom Act says a lot about what companies can do with customer data in general — but because it was written with copper telephone networks in mind, it’s genuinely unclear how to apply those principles to data like browsing history and IP logs. That’s where the FCC comes in, interpreting the Telecom Act to say which kinds of data fall under which provisions of the law.

The privacy rules set by previous FCC chairman Tom Wheeler — the ones that just got repealed — were our first indication of how that customer data could be treated now that broadband and wireless service were classified under Title II, the big net neutrality decision made back in 2015. In many ways, the rules are less like a law than a promise of enforcement. Basically, this is what the FCC thinks the Telecom Act means, and if they think you’re violating the Telecom Act, they’ll sue you for millions of dollars. As a result, it’s very much in companies’ interest to follow the rules.

We don’t know how Chairman Pai will interpret the law

Things get more complicated when the FCC changes its mind. Under Obama, Wheeler took an aggressive approach to protecting consumers through regulation — but under Trump, FCC chairman Ajit Pai is taking a very different approach. The FCC still has to keep its promises (that is, rules set under previous regimes) but they seem a lot less threatening when the commission itself is less eager to enforce them.

That brings us to the privacy rules. Through a rarely invoked law, Congress was able to take back the privacy rules set by Wheeler, effectively undoing his interpretation of what the Telecom Act says about customer data. That leaves a gap: we don’t know how Chairman Pai will interpret the law, or what rules he’ll set. He might replace them with looser rules that take after the FTC or wait to roll back the Title II interpretation overall. But until he acts, we can’t say for sure what carriers will be allowed to do.

At the same time, the absence of firm rules could be the whole point. Pai is a free-market conservative, and believes that companies will typically find the optimal solution without government interference. Holding off on setting new rules could be right in line with that philosophy, leaving companies to make their own judgments on customer data without fear that they’ll be punished for overstepping FCC guidelines. Unfortunately for privacy-minded consumers, that would leave few legal protections for private data shared with carriers.

What information can internet providers see?

The most immediate thing affected by the FCC ruling is what regulators call Consumer Proprietary Network Information, or CPNI. That’s the information your service provider needs to connect you to the internet. Verizon can’t connect you to the internet if it doesn’t know your name and where you live. It can’t maintain your connection if it doesn’t know your IP address. It’s all information providers already have. The question is just what else they’re allowed to do with it — and without the Wheeler rules, it’s much more likely that companies will use it for marketing.

Verizon needs to know I’m playing Overwatch at 3am

That information is more detailed than you might think. Maintaining an optimal network also means collecting a lot of potentially sensitive data about internet traffic. Whether you’re watching Netflix or playing an online game, the path between you and the server is constantly shifting, and network operators are continuously monitoring where and how you’re connecting. Part of providing good service means finding the shortest path between you and the destination server. But if Verizon is going to find the shortest path between my house in Brooklyn and an Overwatch server in Vancouver, it needs to know that I (or at least an IP address linked to my name) am playing Overwatch at 3AM on a Thursday night. To me, that’s sensitive information; but to the network, it’s just an optimization problem waiting to be solved.

Specifically, that information usually has to do with domains. Web encryption like HTTPS will hide what you do once you’ve connected to a domain — they can see a user connected to NYTimes.com, but not which articles they read or which comments they left — but it’s hard to disguise the connection itself.

Got a tip for us? Use SecureDrop or Signal to securely send messages and files to The Verge without revealing your identity.

There are plenty of other things ISPs still can’t see. Information like medical records and banking details are always served over HTTPS, and it’s unlikely that carriers would be able to collect them from the network. Similarly, carriers won’t have insight into anything you do offline. There’s concern that service providers might buy other information from data brokers, like loan history and credit card purchases. That would let them target ads even more accurately, and it’s a tactic Facebook already uses. But all of that information was already available through other channels, and it isn’t meaningfully affected by the new FCC rules. Carriers also won’t be allowed to sell information on specific people or groups because of the laws on individually identifiable data — so all those efforts to buy congresspeople’s browsing history are doomed.

There are ways to evade carrier data collection by using VPNs or Tor, but it’s hard to ask carriers not to collect this information at all, since it’s genuinely important for maintaining the network. That’s left the FCC to set rules about how that information can be used, mandating that it can only be shared outside of network essential functions under specific circumstances. Unfortunately for privacy advocates, the rollback means those rules will be a lot weaker, and that information will probably be shared much more widely.

What can internet providers do with your data?

Internet providers are able to put this information to work in a number of ways, most of which involve trying to sell you stuff through ads.

Many ISPs already admit to this in their privacy policies: T-Mobile says it uses and shares "a de-identified profile of your web-browsing or application use activity"; AT&T says "we also learn about the pages you visit" and make use of that information for advertising; Sprint says it stores "web sites you have visited, applications purchased, [and] applications downloaded or used" for advertising; and Verizon has a program that customizes ads based on "your visits over time to different non-Verizon websites."

The modern ad industry is "about the buying and selling of individuals"

The question becomes how anonymized your data is, where it's ending up, and whether you have any say in the matter. And on those questions, internet providers are rarely willing to give clear answers.

Internet providers tend to say they use or share information in aggregate — that is, they combine your information with information of people with similar interests or demographic information to get a bigger picture. But it's possible their ads will become increasingly personalized. The modern ad industry is "about the buying and selling of individuals," says Jeff Chester, executive director at the Center for Digital Democracy. "All the investments is aggressively pushing toward much more granular personalized targeting."

For the most part, critics of Wheeler’s privacy rules are right to say that all of this has been happening already: these policies are live and in use, and these ad businesses are being built out. But without clarifying the rules in place, the only thing clear is that ISPs will have more leeway in what they do with customers’ data. That likely means more information for them, and less say for consumers.

And the gates are open for ads to become more and more personalized, as internet providers augment their data with data they purchase from others. “For the foreseeable future,” Chester says, “we're going to be living in a commercial surveillance state."

Can I opt out?

Internet providers don’t need to ask first before using info about you for ad targeting — they’re free to assume you’ve consented, because you signed up for their overall service. That allows them to do things like share your information anonymously.

But Dallas Harris, a policy fellow at Public Knowledge, suspects ISPs could also use identifiable information on a "mostly opt-out basis" if they wanted to. "It's really up to the internet service provider if they want to provide you an opt-in option,” she says. “They can just assume they have your consent."

“They can just assume they have your consent."

So why aren't they? Harris says it doesn't make sense for their businesses. "Why would your internet service provider sell your particular web browsing history to some big company?" she asks. "They have the capability internally … to analyze that data to offer some targeting advertising aspect.”

Internet providers actually do tend to offer the ability to opt out of their targeted advertising, though you'll often have to dig quite a bit to get there. We were able to find opt-out options for Comcast, Charter, AT&T, and T-Mobile (though you first need to see a targeted T-Mobile ad before opting out), while both Verizon and Sprint actually require customers to opt in to targeting advertising.

Sprint confirmed this policy in an email, while T-Mobile directed us to a website explaining its opt-out policy. Comcast said, “We offer several opt-outs,” and “We do not sell our broadband customer’s individual web browsing history.” Representatives for Charter, AT&T, and Verizon did not respond to requests for comment.

Still, it's not clear that opting out will prevent ISPs from putting your data to use — you're opting out of seeing ads, but not out of providing data. Internet providers may not be targeting you, but they can still keep your information. And with carriers like Verizon and Comcast buying up web networks and ad-serving technology, there’s little doubt they’ll be able to use that information to make a profit.