Stanford CIS

Why You Shouldn’t Be Comforted by Internet Providers’ Promises to Protect Your Privacy

By Arvind Narayanan on

This week President Trump signed a congressional resolution to repeal protections—scheduled to go into effect in December 2017—that would have prevented internet service providers like Comcast, AT&T, and Verizon from collecting, mining, and selling customer information without permission. Internet providers have sought to assure customers their privacy will still be protected. Comcast, for example, wrote that it has “no plans” to “sell our broadband customers’ individual web browsing history.”

But let’s be clear: Despite such declarations, letting internet providers monetize sensitive web browsing data is bad for consumers.

Let’s leave aside the fact that “no plans” is not the same as “never will,” and that selling a specific individual’s history is—despite stunts trying to buy records for members of Congress—an admittedly unlikely outcome. More worrisome is the possibility that governments order internet providers to turn over their records in certain cases. The Federal Communications Commission rules would not have stopped the government from requesting data from ISPs, of course—but ISPs collect a lot more information precisely because they can monetize it, making it accessible to law enforcement. Though such requests for information might first be justified by national security, it’s not hard to imagine a world in which routine government background checks involve scrutinizing a job applicant’s online behavior. Data breaches carried out by domestic or foreign hackers, or by disgruntled employees, are an even more immediate threat to collecting and storing sensitive web records, exposing users to blackmail and scams.

In the near term, internet providers may monetize web browsing records by selling anonymized user data to advertisers in bulk. It’s unlikely, however, that these companies would be able to fully decouple browsing records from personal details. In a paper to be presented this week, we show—in collaboration with our Stanford colleagues Jessica Su and Ansh Shukla—that “anonymous” web browsing records often contain an indelible mark of one’s identity. We recruited nearly 400 users to send us their web browsing data stripped of any overt personal identifiers. In 70 percent of cases we could identify the individual from their web history alone.

Read the full piece at Slate.