Your Internet service provider has intimate knowledge about your intimates, and a bill headed to President Donald Trump’s desk allows them to sell that information, says Internet privacy advocacy group Fight for the Future.

Voting along party lines, Republicans in Congress recently passed a joint resolution that reverses a landmark Federal Communications Commission rule requiring Internet service providers (ISPs), like Comcast or Verizon, to ask customers for their explicit permission before handing user data over to advertisers and other third parties. President Donald Trump is expected to sign it into law.

"215 members of Congress just voted to let your ISP spy on what type of underwear you buy and sell that data to advertisers," Fight for the Future tweeted March 28, after the bill passed the House.

215 members of Congress just voted to let your ISP spy on what type of underwear you buy and sell that data to advertisers #BroadbandPrivacy pic.twitter.com/m1HkVptuNt — Fight for the Future (@fightfortheftr) March 28, 2017

Fight for the Future has the vote count right; 215 members of the House of Representatives voted for the measure. We decided to dig into whether the group is right about what the bill means for online shopping.

ISPs and the bill

Fight for the Future’s tweet might give the misleading impression that ISPs can’t already see their customers’ online purchases and sell that information. They can. Congress’ action just makes this explicitly legal.

An ISP’s function is to connect its users to websites or online apps, and so it can see nearly everything its users do on the Internet, including what kind of underwear they buy. An advertiser might be interested in purchasing that information from an ISP because then it can predict whether a given user is more likely to respond to an ad for boxers, briefs or tighty-whities.

Beyond shopping habits, ISPs and advertisers can glean more significant personal information about their customers from Internet browsing patterns — like that a spouse is contemplating divorce because he looked up "best divorce lawyers in my area," or that a person has a chronic medical condition because she spent a long time reading certain pages on WebMD.

In October 2016, the FCC established rules intended to give consumers more control over how ISPs used their data. The rules required ISPs to obtain explicit information from their customers before using and sharing their web browsing history, which would include underwear purchases.

The rule also required the ISPs to get consent before sharing other "sensitive information," like Social Security numbers, precise geolocation data and financial or health information. Many Internet companies and trade associations had already committed to requiring consumers to opt-in before they can share that sort of information, per guidance from the Federal Trade Commission.

But these opt-in rules never went into effect; Congress killed them in March 2017, months before the December 2017 start date. So ISPs can see and use customers’ web browsing data as they always have.

"Practically speaking, I expect consumers will see no change in how their data is collected and marketed," said Brent Skorup, a technology policy research fellow at George Mason University’s Mercatus Center.

Fight for the Future Campaign Director Evan Greer said Congress’ vote was significant because it gives ISP companies explicit permission to engage in practices that some privacy advocates consider "abusive," and it gives ISPs an incentive to invest in systems to further these practices.

ISPs have been expanding the scope of their operations, merging with other varieties of service providers, such as Verizon purchasing AOL, or AT&T’s planned deal to purchase Time Warner, Inc. This, combined with Congress’ reversal of the FCC rules, might encourage ISPs to expand their role in online advertising, said Peter Swire, a professor at Georgia Tech and the chief counselor for privacy during President Bill Clinton’s administration.

"There’s a lot of online advertising today," Swire said. "Now the big broadband companies will play more actively in that space."

Those who supported gutting the FCC rules argue that the regulations put ISPs at a disadvantage compared to other Internet companies, like search engines or social media sites, that already sell users’ data without first getting permission. They also say the rules stifle technology innovation.

Privacy advocates, however, say that ISPs have an especially large window into its users Internet habits, and this rule could have opened up the possibility of beginning to enact privacy regulations on other web-based companies.

"This is troublesome because of the larger question: Is privacy opt in or opt out?" said Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative. "Can your browser behaviors be bought and sold?"

Privacy protections

Though they can see a lot, there are limitations to what ISPs can see.

Some websites use encryption, so the ISP can see the domain name but not the exact page on that website the user is browsing. A website is encrypted if the address starts with "https" not "http." For example, if a web user visit the Macy’s website, which is encrypted, their ISP will know they’re browsing the Macy’s website, but it won’t know if they’re shopping for underwear, a prom dress or bedding. (The article you’re currently reading is not encrypted.)

However, if someone visits MeUndies.com right after visiting VictoriasSecret.com — both encrypted — an advertiser can probably make an educated guess that the person is in the market for some underwear. There are many more sophisticated ways an ISP or third party can glean information about a user even when the data is encrypted.

Regardless, most ecommerce sites remain unencrypted, Swire said.

An Internet user who really does not want an ISP tracking any of their data can use a Virtual Private Network, which, put simply, is a way to scramble all Internet traffic so the ISP and potential hackers can’t get at it. But this might not completely eliminate privacy concerns because some VPNs themselves don’t fully protect users’ data.

"If you don’t want any of your information out there, you’d have to do all sorts of things," Winterton said. "It’s a lot to ask of people."

Our ruling

Fight for the Future said, "215 members of Congress just voted to let your ISP spy on what type of underwear you buy and sell that data to advertisers."

ISPs can see most of the websites their customers visit. Congress, with 215 votes from the House, sent a bill to Trump’s desk that codified ISPs’ ability to sell their customers' web browsing data, including any online underwear purchases that aren’t encrypted.

Regulations enacted in 2016 would have required ISPs to ask customers for explicit permission to share this data with advertisers or other third parties. But Congress acted before the regulations went into effect.

Fight for the Future’s phrasing — and use of the loaded term "spy" — might lead people to think that Congress’ action gave ISPs new freedoms, but they could always view and sell users’ web browsing information. Now they have Congress’ stamp of approval to do so without getting users’ permission first.

That context is important, so we rate Fight for the Future’s claim Mostly True.