Elizabeth Weise

USATODAY

SAN FRANCISCO — Protecting your Internet activities from collection and sale by marketers is easier said than done, especially after Tuesday’s vote to overturn pending FCC privacy rules for Internet Service Providers.

The move by Congress dismantled rules created by the Federal Communications Commission just six months ago, rules that weren’t slated to go into effect until later this year. President Trump is expected to sign the bill into law soon.


The decision, decried by consumer groups and Democrats and lauded by Republicans and telecom companies, sent those worried looking for a fallback plan. One possibility? Wider use of VPNs, which provide private end-to-end Internet connections and are typically used to keep out snoops when using public Wi-Fi.

"Time to start using a VPN at home," Vijaya Gadde, general counsel at Twitter, tweeted after the decision.

But such protection is limited. While VPNs keep broadband providers from seeing the sites users visit, that masking only goes so far — once logged into a website, an operator like Amazon tracks users' activities so it can suggest tailored products.

"All that a VPN does is hide what takes place to get from point A to point B. Once you're on the other side, if you have credentials there — think Netflix — it knows who you are," said Matt Stamper, director of security and risk management programs at the consulting company Gartner.

Congress' decision essentially reverts to the status quo. The FCC argued that ISPs like Comcast and AT&T should not face more stringent privacy rules than online companies such as Facebook and Google, which also collect information about users. Opponents countered that ISPs are different because they have access to users' full web browsing habits and physical addresses.

With the repeal, Internet providers won't be required to notify the customers they collect data about, or ask their permission, before collecting, sharing and selling data about what those customers do online, beyond the initial Terms of Service agreement. Information collected could include websites visited, apps used and physical location.

“Your entire clickstream, basically your life online, has the potential to become one giant profile,” said Stamper.

That information can then be used to craft highly targeted ads. This is part of the fundamental business model of many online companies, from e-commerce juggernaut Amazon to search giant Google to social network Facebook. They follow users’ online movements and actions, then use the information to better market to them. Increasingly, broadband providers are also getting into the content and advertising business. For instance, that's a key reason Verizon is buying Yahoo.

While web companies' profiles aren't person-specific, they allow their own products and those of advertisers to minutely target a type of customer, say a 30-year-old woman in the Southwest who likes rock climbing. While individual companies' privacy policies vary and sometimes allow for opt-outs of information sharing, in general websites can sell or share this de-personalized information with partners.

Side-stepping that constant surveillance while trying to use the web in our daily lives is almost unachievable, said Stamper.

“Realistically, unless somebody is extraordinarily well-versed in technology, has a really good understanding of what different sites are doing and how they do it, it’s almost impossible for the average consumer to keep their details private,” he said.

One option is for customers to find the privacy policy of their ISP and specifically opt out of data collection, said Robert Cattanach, a privacy lawyer with the firm of Dorsey & Whitney.

That's easier said than done, said ACLU lawyer Neema Singh Guliani.

"You'll need to go through what in some cases is going to be a long, arduous and frustrating process in understanding what you can do to control the information they gather about you," she said.

Overall, the best course of action for those concerned about what's collected about them is to practice ‘digital privacy hygiene’ by giving as little information as possible when doing things online, to minimize the digital footprint available to companies, said Nuala O’Connor, president and CEO of the Center for Democracy & Technology, a non-profit digital rights group.

“I was asked for my phone number when buying towels recently at a home store. They don’t need my phone number! Just sell me the towels! Companies need to do a better job about minimizing the data they’re collecting, but in the meantime we can all be stingier about what we give out,” she said.

Long term, the situation could create incentives for companies to offer privacy-for-pay, “tiered pricing models that would effectively make privacy a privilege for those who could afford to pay more for these services every month,” said Fatemeh Khatibloo, a privacy analyst with Forrester.