ISP selling my data

bergertime used Ask the Experts™
Ok, so the new law in the process of being passed.  What does it do.  From what I understand, it repeals a law Obama signed in Oct. of last year that's not even in effect till the end of 2017, so nothing really changes right now.  ??  Does this mean I can simply go up to my ISP and ask to buy my neighbors browsing history to see where all they have been going?  Or can I buy a report on an application for work to see if they have any weird browsing history?  It seems the internet is just full of "the other side are a bunch of assholes!".  I just want to know what changes currently and in the near term if the law passes and if it fails.  Thanks
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Scott CSenior Engineer

I'm not sure about all of your questions, but what I do to protect myself at home is I use a VPN.  The one I use is Private Internet Access.

I send all of my data through the Netherlands.  I know this works because one kind of cool thing that happens is when I watch our church service from home they announce where people are watching from and I always chuckle when they say "and we even have someone in the Netherlands".  Also ping tests and Google let me know where my traffic is being filtered through.

And when torrenting (legitimate of course), I use the Socks 5 proxy included with my subscription so that my ISP can see traffic on the torrent port, but it is all encrypted.

I know this doesn't answer your specific question, but it does tell you how to keep others (including ISPs) from nosing into your business.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

I think privacy laws are still in effect, and for sure such laws are in place here (north of you).

so nothing really changes right now   <-- I doubt very much you could ask your ISP for your neighbour's browsing history. The FBI or Secret Service might be able to do this with a court order. But otherwise this is not likely to compromise you.
This development is very troubling, along with the fact is there is no assurance ISPs are not disclosing your email address and browsing habits To third parties.

Look up the definition of quiet enjoyment in leases between tenants and landlords at:

 I suggest two things:
1. Everyone start sending requests to their ISPs, email providers, and social media services that they want: (a) a quiet enjoyment provision in their agreement. The quiet enjoyment provision would assure that email addresses, interests, affiliations and browsing habits of those email addresses  and their owners are not to be used by the ISP for anything other than providing Internet service; and,
(b) The ISPs, email providers and social media services each warrant warrant and represent that  they will not provide the email address and browsing habits of their subscribers to any third parties.

2. As already mentioned above, use a VPN. I use TunnelBear and TOR browser for those purposes.

Don't forget, you get what you pay for. If you're paying for a service you should have a right to these additional protections, Because the service fee should eliminate the need for the ISP provider to make money off of selling your email address and associated browsing habits

I'd gladly pay a small fee per month to an ISP that will assure quiet enjoyment to me.

Anyone want to crowd source local nonprofit  ISPs to do this?


Sent from my iPhone
OWASP: Forgery and Phishing

Learn the techniques to avoid forgery and phishing attacks and the types of attacks an application or network may face.


WS, that was very good and thought out and for the most part agree.  But from what I have read and I could be way off base, is that it currently doesn't change anything.  It simply rolls back a law Obama signed at the end of OCT 16, which takes effect at the end of 2017.  Is that correct?  I'd also like to add in that I agree that you get what you pay for, wouldn't it be nice to have a free ISP service that was supported by targeted ad's?  You could also pay a higher price for not having ad's?  Kind of like the games on an iPhone.  Free, you get ad's, pay a couple of bucks you get it ad free.  I saw a link to an AT&T ad saying for an extra 30 bucks a month your data would be off limits.  I don't know....I like options.
Good question, worded with an interesting twist. Technically, essentially all of your scenarios are possible even if unlikely. It does indeed appear that you could buy whatever browsing history of your neighbor's that the neighbor's ISP collected for example. Potentially a lot of additional detail could also be bought.

Now, whether or not any ISP would ever do such small business is a very different question, completely separate from legality. The same data might be sold/traded many times (in absence of some contracted exclusions).

And technically, yes, the FCC rules that covered this were in process, not yet reaching deadlines for full implementation. In that sense, the law that just passed through Congress doesn't quite make things any different from what they were a year ago. The new law only stopped the implementation of those protections and technically prevented the FCC from making the same privacy rules in the future.

You can read an authoritative summary of the FCC rules that were blocked. The new law blocked the implementation. I haven't specifically looked to see if (so-called)President Trump has signed it yet, though I seem to remember it happening and his administration has clearly issued statements of support for it.

BTW, they were FCC regulations issued under President Obama's policies and were not "law".
I prepared a response for someone who recently posted an EE question because he/she was writing an article about the change to ISP regulations. Perhaps someone here remembers that question. I can't find the thread so I'll give my response here, because it seems to fit well.

[and BTW,  I agree with Burgertime that I would gladly pay an email or social media provider for the protections I want.]


 1. What are your thoughts on this change?
     It was extremely disappointing that the government would intentionally allow something like this.  But, there is something more concerning; the fact that individuals and businesses are ignoring the implications of privacy policies they agree to – policies that allow what the government is now allowing. Just look at the privacy policies of the big websites we go to, as well as those of the major email providers. Show me a privacy policy from one of those and I'll show you the concerns we all should have.

 So, this Is not just about individual persons as consumers, but also about corporations and tax-exempt organizations. They have lot to gain by something that helps ensure they have adequate privacy protections that should also be available to customers as well as businesses. Consider the fact that a quality assurance (QA) program can be developed fairly easily so as to be equally beneficial to businesses and individual persons. Didn't the Supreme Court rule that corporations are people!

2. Do you think these changes to privacy will make your job harder?
     No, I will be more effective. The right QA service will make it easier for both businesses and individuals to be assured of their privacy protections under an agreement with a reputable third party. This QA service will help ensure the quality of privacy protections for both consumers and businesses their third parties.
      The implementation of such a program would provide an easier method to review and understand the privacy protections that individuals and businesses expect from third parties; and give them certain rights to audit and verify compliance of third parties' privacy policies.

 3. How will these changes affect business security?
      It will make it easier for them to do what they should've been doing all along, with respect to protecting their own privacy.

 4. How can consumers [and businesses] keep their data private?
     Other than not disclosing it, the short answer is to know and understand the implications of the privacy policies they agree to with a supplier of goods or services – whether or not the Internet is involved.  
     In answer to the larger question, there needs to be a widely accepted quality assurance standard for privacy policies. I believe I have an idea that most reputable companies would subscribe to.  For the moment the exact details of this idea are presently proprietary to me and my brother. However, I don't mind sharing with you some of the concepts that will make it work. Reviewing, drafting and negotiating confidentiality agreements (or, call them privacy agreements) was an ongoing responsibility of mine during the last 20 years of my professional career in the insurance/banking industry.  Almost all of that also applies to my brother.
"Negotiating" privacy agreements can be difficult. In much of the U.S.A. geographic area, there is only a single ISP possible. I'm approx 25 miles (40 km) from Seattle, WA, and maybe only <5 mi. from Tacoma. Yet there is only a single ISP available unless I choose to try a satellite service with the connectivity risks that go with that (or use a dial-up, of course; but seriously...).

Most population is in what might be called "metropolitan" areas, but a significant fraction is rural and even close to wilderness. It's perhaps ironic that those who choose to live a more private life will be the ones least able to "negotiate".

Regardless, the fundamental "business" case for killing the FCC rules is supposedly to help ensure equality for different businesses. Some businesses, such as Facebook and Google, have access to the traffic that hits their sites and therefore to certain aspects of associated 'private' data. Because those businesses have opportunities to make potentially profitable use of such data, Congress decided that ISPs should have the same opportunities.

Because Facebook/Google/etc. have business models and customer agreements that already cover privacy and because there are (more or less) competitors in similar business spaces, I haven't quite figured how this roll-back of rules makes sense. I can't see how it means that normal tel-cos for example shouldn't be just as free to track/sell all of our phone call history nor how Fed-Ex et al. couldn't sell our shipping history, ad nauseum. I just don't see why I can't go around offering privacy agreements to whomever I find to ensure that I won't track there movements and offer my database for sale. ISPs simply aren't in the same business space as Facebook/Google, so I can't accept whatever the reasoning is.
BTW, I do not believe that the "business opportunity" argument truly is the reason; it's just the main publicly stated reason from sponsors of the resolution that rolled back the FCC rules. IMPO, the darker hidden reason is simply that those sponsors wanted to encourage many new repositories of 'private' data in order to make potential governmental access easier. Google has a far easier time standing up to federal requests for search history that are not backed by FISA warrants than, say, "Tiny ISP of Littleroot Montana Co." and all of the many similar small operators.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
The "authorities" argument is a little more difficult, but requests have to be backed up and warrants issued.

I do not think there is much chance of ISPs selling data. They would probably land in court. Not worth it.
@John Hurst: Requests that are the result of a FISA warrant generally can't legally be denied, but that in no way stops forceful requests without warrant being made. Many requests have been made without warrant. The larger companies have successfully refused even some (usually non-FISA) warrant-backed requests, but it's harder to know how many smaller organizations might have acceded. (Link is for U.S.A. requests only. Other countries' requests are tallied on other pages.) The simple fact of court/lawyer costs can make or break a stance.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

I understand what you are saying, but that is quite different than wantonly selling user data which (a) is what was asked and (b) what I was saying in the second part of my post above.
And I understand what you are saying, but the selling of private data by ISPs was widely and aggressively lobbied for, which (a) indicates a strong interest in doing so and (b) may or may not be congruent with governmental interests in the same process that I mentioned only as a secondary 'conspiracy theory' opinion.

The lobbying that preceded the roll-back of those specific regulations certainly weren't intended to ease regulatory burdens. There is no burden in not doing the extra work of collecting, storing, securing, maintaining, sanitizing, aggregating, marketing and distributing data. A roll-back only allows additional effort by way of some business activity. If that doesn't directly imply some hoped for profit by ISPs, then an alternative motive would be welcomed for understanding.

What's your thought on the purpose if not for sale? The lobbying indicates a 'pot of gold' somewhere.

Also, the OP's question wasn't so much about ISPs themselves as it was about later implications. If the data existence is maintained, then how may it later be (legally) used? What's to stop any imagined use once constraints are removed? What (legal) basis gives courts reason to uphold any suits?
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Governments in North America do not support sale of public data and Consumers do not support.

I am saying the if an ISP tried to sell customer data to any Tom, Dick or Harry (and that was the subject here), I think they would find themselves in hot water and public displeasure that would show up negatively on their bottom line.

I recently started a hobby, looking for better solutions to the privacy problems we all have. I found the last few postings resonate with some of the ideas I would like to be discussing - in a different thread.

I like the level of your thoughtful understanding of the privacy issue, and you sure have a nice way of communicating it.

What I'm thinking about is:  A theoretical market solution for personal and corporate privacy issues. One idea is as follows: Monetize privacy and level of intrusion permitted by individuals and businesses.  That way the folks who can afford it will get the privacy and quiet enjoyment they desire. Conversely, those that cannot afford it (and anyone else) may license rights to certain aspects of their privacy for a fee and for a defined time period.

A person or company who wants to consider monetizing an aspect or aspects of its privacy (the initiating party) would contact a secure broker for the purpose of setting a license fee between themselves and a third party based on compatibility between their respective Demographics and Privacy Concerns/Protections (collectively, the "DPCPs"). The broker would solicit a potential connection between a third-party licensee and licensor with matching DPCPs. No identification of the participating parties would be exchanged by the broker, until or unless  the licensing deal was approved by both parties. Incidentally, the Bid and Ask market price for licensing the privacy rights naturally varies with comparable DPCP market prices.  In short everyone gets the going market price for DPCPs they are willing to buy or sell.

So, please keep a lookout for a Politics thread that I might post, and I'll try to keep an eye out for any new Politics threads regarding privacy.
@John Hurst,

"I am saying the if an ISP tried to sell customer data to any Tom, Dick or Harry (and that was the subject here), I think they would find themselves in hot water and public displeasure that would show up negatively on their bottom line."

However, if you will check their privacy policies, I don't think you will find in anything that prevents them from:
Compiling information about you regarding your affiliations with organizations, suppliers of goods and services, websites and type visited, the frequency of those visits, and keywords from subject lines in emails between you and third parties; and then tying that information together with your contact information and trends of your internet activities, for sale to other third parties.  

Additionally, I don't think you'll find anything in those privacy policies that prevents an ISP from selling your profile and contact information to other third parties who can assemble a larger profile In connection with your contact information. In short, nearly all privacy policies, whether or not from an ISP, can initiate an infinite for-sale chain of information for building a complex contact profile on you and me. Each link in the chain adds its own profile information, which in turn produces a higher market value for selling your enhanced Internet profile linked to your contact information.  

As for me, I don't want to be personally identified by my Internet interests, visits associations, activities, statistics, trends, etc. to the extent that I can be personally identified by name or contacted by email, mailing address, telephone number.



Wow, all good points, wish I could give all of you the 500 points.  But instead, I'll keep your info private by telling no one of your answers.  :)
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

You are very welcome and I was pleased to help you.
Thank you, bergertime.

WaterStreet's reference to 'privacy policies' is good because they're really the only protection that exists for the data (that would have been) covered by the gutted regulations. AFAIK, there are no laws that restrict the dissemination of this class of data by ISPs except where such dissemination involves unfair or deceptive practices. Of course, none of this data is covered by financial or medical privacy regulations or laws at all, so that whole body of laws is irrelevant. If @John Hurst can provide a reference that cites a law that says otherwise, I'd be very interested. As it is, I'd be surprised if any federal court would even accept a case involving this thread's scenario since there is no basis in law.

The issue of public outrage, though, might someday rise to a level that eventually makes a legislative difference. But it's hard to imagine that happening until Congressional makeup changes back in the other direction again.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial