241 comments

[ 4.4 ms ] story [ 201 ms ] thread
Is there anything the average user can do to protect their data/privacy from their ISP?
Run everything over an encrypted channel.
VPN is a solution but requires trust in VPN provider. OpenVPN on a VPS can help. Also, consider DNS traffic can leak information, but I've not read of a fool proof way to fully protect DNS queries.
Good VPNs have DNS leak protection now, and frankly, I recommend avoiding one that doesn't.
(comment deleted)
I use a VPN, but I have to turn it on for each device. Is there a good way to set up my router to automatically push all traffic through a VPN? I'd probably need to make exceptions for stuff like video traffic.
You can install Tomato (http://www.polarcloud.com/tomato) on a compatible router. It has a bunch of options for routing all/some/groups of devices through various VPN's. This might be a feature in newer stock router firmware too.
Encrypted VPN that doesn't keep records (I like NordVPN, but have had good experiences with others like IPV and PIA), uMatrix, uBlock Origin, and don't forget to turn on your user agent spoofing options.
I'm afraid that the problem is bigger than that, most people have a number of devices that connect to the internet, not all of which work with VPN.
That's where a decent router that can support your VPN comes in. Look, I grant you this is not perfect, and there is no perfect enduser solution, but if you want to stop the bleeding, that's how.
I second NordVPN, plus their interface is adorable.
Yes VPN is a good answer here, but another idea to make the data they collect and sell less useful would be something like https://github.com/WhiteBeachStudios/cyberflare to hide your real usage habits among a bunch of artificially generated traffic.
CyberFlare looks interesting, thank you for sharing. If anyone knows of similar tools or a guide on using CyberFlare I would greatly appreciate the information.
How would one use cyberflare? Any easier tools?
Start with not using their DNS servers (OpenDNS https://www.opendns.com)

Install HTTPS Everywhere (https://www.eff.org/https-everywhere)

Install uBlock Origin (Chrome - https://chrome.google.com/.../ublock-origin / Firefox https://addons.mozilla.org/addon/ublock-origin/)

Concur with your recommendations. Would throw some caution on the OpenDNS recommendation, though. They're U.S. based and owned by Cisco. Depending on your threat model, this may or may not be desirable.
I debated about the recommendation, but went with the simplest one to start.
Just because you're not using their DNS servers doesn't mean they still don't see the DNS requests as its sent through their pipes and log them.
The article's main argument is that the ISPs are selling something that doesn't belong to them, but to the consumer.

I don't like the idea of my personal information being sold, but how could you state this as fact? Shouldn't it be up to the consumer to choose to do business with a company that sells your personal info vs a company that does not?

Via precedent set by protecting phone calls:

"For decades, in both Republican and Democratic administrations, federal rules have protected the privacy of the information in a telephone call. In 2016, the F.C.C., which I led as chairman under President Barack Obama, extended those same protections to the internet."

That would be great, but privacy policies are unreadable and ISPs tend to be total or partial geographic monopolies anyway.

This is a classic case for regulation.

You say that as if everyone had the ability to changes ISPs freely. Consumer choice is irrelevant if there's nothing to choose from.
I have a single altenative ISP that offers over 15 mbs, there is no fiber in my area. I live in New York. not the city, and I do not live 'upstate'.

as the above pointed out to your comment, it is very difficult to chane ISP's I am not happy with mine and I do not have an alternative. my unhappiness came way before this bill.

Regional monopolies are tolerated and the companies benefit tremendously from legislation and regulations that make it near impossible for meaningful competition to exist. Ideologically, the "harmful regulation" rhetoric is incredibly hypocritical.

Which is to say: most consumers have no choice among providers. That fact is a result of government action. If companies would tolerate legislation that would encourage increased competition in exchange for the right to sell consumer information, then you would be right. Of course, that isn't what happened here.

It's the same obvious policy applied to phone calls previously and mail previously previously.
Don't downvote people who ask questions. Answer them if you disagree.
Should a company you pay to make phone calls over sell the data of who you call?

Should a company you pay to mail packages/letters inspect your mail and sell the data of what mail and subscriptions you are getting?

> Shouldn't it be up to the consumer to choose to do business with a company that sells your personal info vs a company that does not?

Ideally, yes. But there's a lack of competition in the ISP industry, due to either government-granted monopolies or plain old high fixed costs, which create a barrier to entry.

Though, the historically low interest rate environment should minimize this "barrier to entry" issue.

Are there notable startups in the ISP space?

Ideally, that may be true (though whether people realize the value of their online data is unclear) - however the market for internet service is far from perfect. Over half of Americans only have one choice in broadband providers (at 25Mpbs), and just under 15% have more than two to chose from (at any speed)[1]. The cost of entering the broadband market and laying last mile cables is simply too high for there to be meaningful competition in much of the US. Hopefully, a policy like dig once[2] will eventually create real competition in ISP market, but until then the largely monopolistic ISP industry cannot go unchecked.

[1]: https://cdn.arstechnica.net/wp-content/uploads/2014/09/fcc-b...

[2]: https://www.washingtonpost.com/news/the-switch/wp/2015/09/22...

This is like FedEx or a privatized USPS being able to open your packages and read your mail without telling you.

I pay you to carry my damn packets, keep your filthy hands off my data.

A better analogy would be FedEx selling your incoming and outgoing addresses and package weights to third parties, not necessarily the contents of your packages.
Why not the contents? What happens when most content is not over a secure connection such e.g. Over HTTP? Could they not inspect the content?

It sure seems like they could. For most people most of the internet is still insecure.

I know for me personally I already assume anything over a non-HTTPS or non-secured protocol will be received and possibly read by anyone and everyone.
You forgot "and changed". Injected ads, injected JavaScript, replaced ads... This has been occurring, and without protections against it, it will continue to occur.
Yeah, the closer analogy would be FedEx selling information about content of your packages unless they are shipped in some kind of locked strong box.
Why not HTTPS? There are ways to do MITM proxing that re-encrypt traffic. As a customer, you just need to install their CA certificate.

Or slightly worse, they could get browser vendors to include their CA (or pass legislation to force this).

What prevents this from happening?

In mobile, where the carrier controls everything (the network, the OS) it's not unlikely this is already happening.

They can and do. I recall instances where some ISPs even went so far as to inject advertising HTML directly into pages sent over HTTP.
More like your landlord selling the keys to your apartment, but you still have the key to a series of safes inside. Everyone can get a lot of your stuff and probably watch you poop, but hopefully those safes are built well enough to keep everyone out of your valuables.
Only if every package and letter I sent was securely sealed so they couldn't get in.
In case people don't know, the author, Tom Wheeler was the previous chairman of the Federal Communications Commission.

With the administration changed he no longer is in government.

also formerly a lobyist for the cable and wireless industry, which gives him some insight into the industry.

https://en.wikipedia.org/wiki/Tom_Wheeler

At least consumers still have https going for them I suppose? Or maybe ISPs are now more motivated to man-in-the-middle those connections to get to the data, under the guise of security or something?
Yea that was my main question during this. What can we do. I thought https made this near impossible unless they MITM it, which would be difficult no? Or is it easy?

This is all the more reason we need to start encrypting all communication. All my hand built services (home bots, etc) need to start using tls for everything.

Three problems here. First being that the ISP is a permanent MITM. Second is that TLS will not protect the hostnames, which are sent in the clear so that servers can identify the correct certificate for a given connection. Likewise, DNS is not encrypted (though companies like OpenDNS do provide alternatives here).
Regarding the MITM, more specifically i meant able to compromise HTTPS. If i sit between you and your https site, can i read all of your traffic?

I know very little about the nitty gritty of HTTPS, so forgive my ignorance, but i thought the most i could do was try to pass off a custom key (ie, spoof the key authority), but then the signing done from the https site (say, https://google.com) wouldn't be valid based on my bad key.

How common is it to read full https data if you're a MITM?

It's not likely that they would attempt active attacks to decrypt your TLS web traffic. I'd assume they won't be able to read the full contents of those sessions.

STARTTLS on mail is a slightly different story, though I'm going to assume that most of the established compaines are smart enough fo avoid email snooping.

You might, however, be surprised at how much you give away via the metadata associated with your web browsing.

You don't need to compromise HTTPS. You need to get your cert onto the trusted list on the device. "As part of the setup for Comcast-Super-PlanTM please run this script" is enough to let your ISP terminate the SSL connection and restart it so they can read content. In the worst case, they can pay a company like Lenovo to stick their certs on devices on day 1.
They can still correlate traffic going to specific IPs, DNS requests, and SNI information (since it's not encrypted, because the remote server needs to know what certificate to use). There's plenty of data to choose from.
I don't believe SSL alone would protect you since ISPs would still have access to the DNS lookups, the fully qualified domain name of the server (which is sent in cleartext for SNI), and IP addresses for the person browsing, so there's still plenty of "meta-data" for them to sell.

Maybe if you use a third party DNS service, but then you need to trust them.

Is there TLS connections to DNS servers available for the major operating systems?

edit: You're still broadcasting the IP you're connecting to, but it's still nice to close up this DNS lookup leak.

I feel like this isn't going to go anywhere but I'm still tempted to contribute: https://www.gofundme.com/BuyCongressData
(comment deleted)
im conflicted about this. hate to hand over millions to ISP's just to prove a point. I'd rather put the money towards starting a competing anonymized ISP.
Why on Earth would this be set at $500M, and why on Earth would people trust a random person on the internet with that?
good thing this will create jobs jobs jobs! aka just ordinary bull shit.
if i dare to say that the republicans fucked us over i'll be banned for "partisan bickering", so:

we just need to develop technological workarounds to the politicians. vpns are an okay start.

It's actually interesting, now i feel like VPNs are going to get a huge spike in customers.

On that note though, if all ISPs are doing this, what VPN choice do you have?

> In 2016, the F.C.C., which I led as chairman under President Barack Obama, extended those same protections to the internet.

Oh how nice of Tom Wheeler to play the good-guy now. It took a lot of public outcry for him to change his tune about Net Neutrality.

He came around, and then was a reasonably good champion. Let's live in a world where people aren't permanently branded with temporary positions.
I suppose you're right. But I will still remain suspicious of a former lobbyist turned head of FCC turned NN champion.
(comment deleted)
We need to laud people who change their positions for the better, not continue to becry them. It's harder for people to admit they are wrong than be right in the first place.
> Oh how nice of Tom Wheeler to play the good-guy now. It took a lot of public outcry for him to change his tune about Net Neutrality.

That's wrong. He was for net neutrality from day one at the FCC.

You are probably thinking of the first net neutrality rule he proposed, which would have allowed for paid fast lanes, and interpreting that as somehow not being for net neutrality.

When he proposed that rule that was about the strongest net neutrality rule possible without reclassifying ISPs as common carriers. Reclassification was a very risky approach, with probably at least an order of magnitude more chance of not surviving. He did state that he was open to that approach, if the comments on the first proposal indicated that there was enough support for reclassification.

> You are probably thinking of the first net neutrality rule he proposed, which would have allowed for paid fast lanes

That was the second; the first he got passed did not, but it was struck down by the courts for exceeding the power the FCC had without Title II reclassification. The draft of the replacement might have allowed paid prioritization (it was clearly not intended to, but it was limited because it attempted to stay within the boundaries of what would pass muster without Title II reclassification.) The final replacement order opted for Title reclassification, and was not only stronger than the draft, but stronger in many ways that the 2010 order it replaced.

Wheeler was always on the side of net neutrality, and in fact his actions in favor of it are one of the main reasons the issue became well known.

The one that got struck down was passed before Wheeler was on the FCC.
Yeah, I was somehow projecting his chairmanship back to beginning of the 3/5 partisan pro/anti-neutrality split.
> Oh how nice of Tom Wheeler to play the good-guy now. It took a lot of public outcry for him to change his tune about Net Neutrality.

Tom Wheeler was the driving force behind all of the FCC net neutrality efforts, including early case-by-case actions, the 2010 Open Internet Order and the 2015 Open Internet Order. The idea that he was somehow an opponent of net neutrality mostly comes from ab unfair set of hit pieces in popular outlets (including, notably, Jon Oliver's Last Week Tonight) based around some groups (legitimate) concerns that the first public draft of the 2015 order (written to address the court decision striking down the 2010 order) was an insufficiently strong instrument.

So the only thing I don't understand as far as the fuss about this is concerned -- everything I've read indicates that this is undoing a protection put in place late last year. So essentially we've gone back in time six months ago or so. If ISPs weren't selling our info then when they could have, why does it logically follow that we're now in some uncharted territory of ISPs selling personal info? Or is this simply blowing the situation out of proportion because Republicans did it?
Because why the push to undo something if they weren't planning to do it, or weren't already? I know Verizon has an opt in program for it where they gave you deals and free data.
Can't argue with that, but again, the status quo for many, many years was that your ISP could have done this, but didn't. And the next time there's a changing of the guard the protections will be put back in place, so I can't see how ISPs are going to bet on selling this information as a viable long-term business strategy.
"We shouldn't blame the Republican's for repealing this protection pointlessly, because the Democrats will put it back when they get in power."

Seriously? Free pass to do bad stuff because "it won't last". Come on.

I'm not giving them a free pass, I'd prefer the protections to be in place. But I'm just putting the situation in perspective. My observation is just that I'm perplexed about the amount of "sky is falling" reactions here when you couldn't find a peep about "which VPN do I use to keep my ISP from selling my data" on HN say, a year ago.
I would argue that the full impact of what is possible wasn't very visible until certain companies got caught doing MITM advertising injections and other questionable tactics (eg Verizon; Googling suggests HN started noticing them and others circa 2014 or so).

As far as "simply blowing the situation out of proportion because Republicans did it", it has been pretty obvious that Republicans have been aligned with the telco / big cable companies (as opposed to content companies) for a while. Maybe some are surprised and shocked, but personally I have no problem with this action highlighting that there are differences between current political parties beyond the usual social politics and political memes.

> And the next time there's a changing of the guard the protections will be put back in place, so I can't see how ISPs are going to bet on selling this information as a viable long-term business strategy.

Nope:

> The bill not only gives cable companies and wireless providers free rein to do what they like with your browsing history, shopping habits, your location and other information gleaned from your online activity, but it would also prevent the Federal Communications Commission from ever again establishing similar consumer privacy protections.

Also, a lot of things are broken. Voices are raised when something bad is actively done, not when something good isn't actively being done.

Do you get the difference? I am dismayed that the healthcare system is currently bad and has been bad for generations. Is it smarter to kick up a fuzz randomly out of nowhere, or to do it when there's legislation being made on it, in either direction?

> And the next time there's a changing of the guard the protections will be put back in place, so I can't see how ISPs are going to bet on selling this information as a viable long-term business strategy.

I wouldn't bet on it. All the discussion about politics and policy leave out the fact that the GOP now controls 33 state assemblies. 1 more power grab, they will be able it invoke it. They won't have the 38 needed to ram through changes without opposition, but there's a good chance they will attempt to put in legal guards against the Democrats from undoing their policies.

Things have changed, though. Many ISPs are also cable TV providers. Netflix is now at 98m paid subscribers (worldwide), with cable footprint at 94 million (US). Somewhat apples to oranges numbers there, but also:

"The thirteen largest pay-TV providers in the US, representing about 95% of the market, lost about 385,000 net video subscribers in 2015." http://www.broadbandtvnews.com/2016/03/11/us-pay-tv-continue...

The ISPs have been complaining about being reduced to a dumb pipe for a while now. They are very motivated to increase data revenue...

All I ever wanted to buy from my ISP was a dumb pipe. It frustrates me that I can't buy that, without the surveillance.
There were some ISPs which were selling people's data prior to this order (Verizon was one, IIRC, and a few others were actively injecting ads and JS into non-TLS traffic), and many more were considering it.

Yes, we've "essentially" just gone back in time, but it's not a positive regression.

> Yes, we've "essentially" just gone back in time, but it's not a positive regression.

I agree, but with the way this thing has been reported you'd think we've gone back to the dark ages rather than where we were just prior to the election. I don't recall a lot of discussion on HN about which proxy to use because "OMG my ISP is going to sell my browsing history!!!" back then.

That's all I'm getting at. Wondering why the reaction to going back to the status quo of not long ago at all is seen as some assault on civil liberties.

Your wondering why was just answered succinctly in the comment you posted your reply to:

> There were some ISPs which were selling people's data prior to this order (Verizon was one, IIRC, and a few others were actively injecting ads and JS into non-TLS traffic), and many more were considering it.

edit: spelling

Because it is an assault on civil liberties?

The status quo was wrong, which is why we passed the law in the first place.

The difference, of course, is:

* [thing isn't thought about, so isn't made illegal - making it implicitly legal] * Hey, this thing they're doing is bad - now that we know about it, we should make it illegal. * Repeal: Hey, let them do this thing.

No law was passed in the first place.
> I don't recall a lot of discussion on HN about which proxy to use

When the articles about ISPs came up (as Verizon did, fairly frequently; though it was also as frequently buried), there was discussion about using VPNs. We're primarily technology users and creators; our first instincts are to find technological solutions to such problems.

Give this a week, and it will fade from the front pages as well. That doesn't mean it's not still important, or that we accept the new status quo as being right or correct.

> Wondering why the reaction to going back to the status quo

Because, IMO, that "status quo" was not a good place to be, and was getting worse. And is now likely to continue to get worse since we've regressed back to it.

We pride ourselves as Americans as being progressive - trying to make things more fair for everyone. Everyone should have a vote. Everyone should be able to express their thoughts without fear of censorship. Everyone should have the ability to rise above their station. Everyone should have a right to privacy. When our elected government take steps away from these ideals, people (rightly, IMO) complain that we're moving in the wrong direction.

I don't get your point, even if no one does do it, why repeal the protection? It's effort and time wasted just to create a potential for something bad to happen.

Even if you think this will never be abused, I don't see how it's being blown out of proportion, this is still bad.

> I don't see how it's being blown out of proportion

Really? Where was all the hyperventilating about the status quo on HN prior to when the protection was put in place? That's all I'm getting at, the reaction to being back in the dark ages of late 2016 seems a bit overblown in my opinion.

The ftc was the protection prior to the fcc. Now there is no protection. This is a regression.
FTC can still regulate ISP's after this bill passes, if I understand it correctly.

Edit: Nope, apparently this just nullifies the FCC rule, it's not an actual bill to change authority away from FCC. D'oh.

The FTC was preventing them, until it was decided that it was outside their purview. The FCC took over, but that's just been reversed. Now no one is preventing it.
(comment deleted)
> So the only thing I don't understand as far as the fuss about this is concerned -- everything I've read indicates that this is undoing a protection put in place late last year. So essentially we've gone back in time six months ago or so.

Sort of, but you've missed a key aspect. Yes, six months ago (or whenever) there was (possibly) no protection. However, that was a fairly recent development. Earlier, ISPs had been regulated by the FTC when it came to privacy.

As part of the implementation of its net neutrality order, the FCC changed its classification of ISPs from information services to common carriers. Last year a court ruled that the FTC did not have the authority to regulate common carriers.

The FCC's privacy rule was meant to step into the void left by the FTC losing jurisdiction.

Here is a less editorialized summary of the bill:

https://www.govtrack.us/congress/votes/115-2017/h202

It repealed 73 pages [1] of regulation on ISPs.

Personally, I'd like to see more competition in the ISP space. This bill may help by reducing barrier to entry, but the central problem remains that national carriers have lobbied the state to prevent competition at the municipal level.

Furthermore, this bill seems like a minor nuisance compared to the data collected by Facebook, Google, and the NSA.

So yes, I'd say this is being blown out of proportion. The Republicans aren't being evil, but they have much more to do before I'd consider them being good.

[1] https://www.gpo.gov/fdsys/pkg/FR-2016-12-02/pdf/2016-28006.p...

You think that regulation is the relevant barrier to entry to being an ISP? Not the cost of running lines or anti-competitive practices by rivals?

Please, this just means no protection for an environment where, right now, we have no competition to move to when our ISP decides to do something shitty.

I've had an ISP willing to put 2km of copper wire to get my 15$ / month fee. (Not in the US.) I don't think the cost of wires is significant anywhere in the US either.
You may live in a country where the government subsidizes the laying of communications infrastructure. Laying fiber or even just coaxial cable is extremely expensive.
No, the whole reason we have great internet is that it took the government a long time to find out about it. The company had two 20-somethings spread the wire on existing poles :)
> Furthermore, this bill seems like a minor nuisance compared to the data collected by Facebook, Google, and the NSA.

This is the bullshit argument Republicans/ISPs are pushing that anyone technical should immediately realize as such. It's conflating two separate issues.

I can choose whether or not to use Google and Facebook, and indeed willingly "agree" to their TOS when I log on. But to even get to those providers, I need to go through an ISP. As someone in rural America, I don't have a choice in ISPs, and even in a lot of cities where you have "choice," they all share the same privacy-invading practices. That's the point of the rules passed by the FCC: protecting us, the consumers who are subject to the whims of anti-competitive corporations that have access to large swaths of our personal data.

Agree with you on Facebook and Google. There's a choice, and at least there is no law preventing competition/disruption. Not the case with the NSA, but that's a tangent.

The root issue is the national providers lobbying the state to prevent competition at the municipal level. Granting more power to the FCC does not solve that problem. Rather, it would only serve to lock in the existing monopolies and further centralize control with the state/corporate nexus.

The state preventing the market from functioning is not a valid reason to introduce more state intervention. In my view, competition will protect the consumer better than regulation in the long run.

Absolutely, competition will protect the consumer best. But we need that competition first :)

In the meantime, it seems logical to take some steps to limit the damage that our currently monopolistic telcos can do and give someone power to enforce a rule that: "(1) applies the customer privacy requirements of the Communications Act of 1934 to broadband Internet access service and other telecommunications services, (2) requires telecommunications carriers to inform customers about rights to opt in or opt out of the use or the sharing of their confidential information, (3) adopts data security and breach notification requirements, (4) prohibits broadband service offerings that are contingent on surrendering privacy rights, and (5) requires disclosures and affirmative consent when a broadband provider offers customers financial incentives in exchange for the provider's right to use a customer's confidential information." [0]

I mean seriously, considering the current landscape, does that seem like unreasonable overreach? Is anyone going to go out of business with rules like that?

[0]: https://www.congress.gov/bill/115th-congress/senate-joint-re...

The summary does sound reasonable on the surface. But read the whole whopping 73 pages. The regulations hurt small ISPs much more than national carriers.

For example, there's a Mom & Pop cellular-based ISP that serves my small mountain community. They could certainly be put out of business by this type of regulation after they pay for lawyers, IT services, training staff on new operations, etc. -- and heaven forbid they get audited by the FCC.

Maybe if the regulations only applied to national carriers, then you could argue this wouldn't hamper competition. That'd be something I could support.

The actual regulations are about 3 pages, 2 if you respect your customers' privacy. The previous 70 pages include historical context, rationale, explanation of related regulations, even an overview of the OSI model.

The FCC gave small providers a one-year extension and other concessions. And, as they pointed out, small providers generally collect less customer information and use it more narrowly.

Does anyone have a good VPN that they would recommend? This bill is totally fucked.
I use PIA (https://www.privateinternetaccess.com/) and don't have any complaints. They have apps for every OS, servers all over the place, and don't log anything. If you search around you can find a deal for 2 years for $60.
I am using PureVPN (https://www.purevpn.com/) for quite a long time. There is no issue so far. The live chat support is commendable which can guide you about setup on various devices.
Tom Wheeler, former FCC chairman and cable/wireless lobbyist, fails to charitably address why his opponents did what they did. To Republicans and opponents of his FCC chairmanship, this was about regulatory authority, not "selling your data to ISPs". They believe the FTC, not the FCC, should be the main privacy regulator as it has in the past. They also contend that ISPs are already disallowed from scooping and selling data without consent, and that the FCC already has authority to prosecute, via sections 201, 202 and 222 of the Communications Act.
> They believe the FTC, not the FCC, should be the main privacy regulator as it has in the past.

If they believed that, they would pass legislation to correct the law on which the court relied striking down FTC regulatory authority in this area and allow the FTC to actually do that; not doing that when reversing the FCC rules which mirrored the FTC rules which were struck down demonstrates that that is a pretext, not a genuine motivation.

> they would pass legislation to correct the law on which the court relied striking down FTC regulatory authority in this area

The FCC rule is being struck down using the Congressional Review Act [1]. CRA provides "an expedited legislative process" [2]. Giving the FTC authority in this area would require passing a real law. (That said, I agree with you regrind the explanation of motive.)

[1] https://en.wikipedia.org/wiki/Congressional_Review_Act

[2] https://web.archive.org/web/20150402230759/http://assets.ope...

> The FCC rule is being struck down using the Congressional Review Act [1]. CRA provides "an expedited legislative process" [2]. Giving the FTC authority in this area would require passing a real law.

Right. But if the real basis of reversing the FCC action is not that the substance is wrong but the regulator is wrong, then you'd expect the fix to the law to allow the FTC to regulate to, at a minimum, be introduced first and highlighted in the debate over reversing the FCC action. (And, in fact, regular laws can be expedited as well, as was demonstrated procedurally with the AHCA, even if the votes were never there to follow through on the expedited process that was set up.)

It's not clear to me how the CRA actually makes anything faster in this case. The "real law" approach would only need a simple law, which surely could be drafted quickly. Both a "real law" and a CRA action require the same simple majority in the House and Senate, which they have.
CRA actions can't be filibustered, regular legislation can. OTOH, while Democrats might filibuster repeal of the FCC action if they could, I can't imagine a clear positive grant of regulatory mandate to the FTC on this issue would be opposed by Democrats, so if that were really the majority's concern, I don't see how the procedural distinction between CRA action and regular legislation would be a real issue.
How difficult would be to create a DuckDuckGo of the ISPs? Both at national or local levels.
This and the move to dismantle the Clean Power Plan. Sad.
Internet Provisers -- that's Google and Facebook, right?

On a more serious note, people need to understand that every domain you visit, every query you search, every digital conversation you have, every number you call, every movie you watch or book you read, everything you buy, unless you take active measures to mask your identity that record is being retained by as many different people that can get their hands on it as possible.

Let's be clear about what this bill is potentially changing -- not who is collecting the data but who can monetize it.

Frankly, a bill that allows monetization of data already collected is not about privacy it's about deregulation. As long as the data is retained, privacy is already lost.

I actually really like this bill because it exposes, well, how exposed we all are online. The more people understand how much tracking is going on, the more likely we can garner the will, the market, the demand for technological solutions which actually protect privacy rather than regulating monetization.

More likely people will, without ever understanding any of this, become agitated and then over time... nothing they recognize will happen, nothing they can see will change. It will be even harder to get their attention next time...
> ...is being retained by as many different people that can get their hands on it as possible.

Which isn't a big deal as long as the data is only being used for internal use (e.g. UX purposes) to make the product better.

Sounds like it's time for an "AdNauseam" for browser history obfuscation. Does anyone know if such a tool already exists?
I want a privacy first router. Does such a product exist?

Key features:

  - I pay a subscription for maintenance (so I'm not the product) say $10/mo

  - Automatically routes all traffic over a VPN.

  - Smart VPN bypass for performance-sensitive traffic like streaming video and gaming

  - Provides non-logging DNS service

  - Automatic advertisement blocking
For VPN, DNS, and adblock I want the option to use servers & block lists maintained by the paid service, augment them with my own, or use my own exclusively. Bonus points for rotating requests between providers.

Does such a product exist? I think I could hack together something similar using DD-WRT[1], but I'm confident the maintenance hassle will eventually outweigh my desire for privacy. #shutupandtakemymoney

[1] http://www.dd-wrt.com/site/index

> I'm confident the maintenance hassle will eventually outweigh my desire for privacy.

Nothing should outweigh your right for privacy.

Sure, but there's a cost to exercise that right. Right now, the cost of protecting myself from my ISP is quite high. I need to maintain DNS and VPN settings for every device in my home... many of which are personal devices of other family members with little patience for such techno-babble.

I want a product that reduces the cost of exercising my right to privacy, and allows me to pay that cost with money instead of time.

There are commercially-available routers which support running all traffic through a VPN. That should handle all the devices in your house.
A VPN doesn't actually provide more privacy, it just changes who can snoop on your data.
Privacy isn't an either/or. That's like saying closing your window curtains doesn't give you more privacy, because your phone might be wiretapped.
I don't agree with that analogy. The VPN takes away the ISP's snooping abilities, but gives snooping abilities to another company that wouldn't otherwise have it.
You're right, of course, but a VPN at least lets you make sure that the service that can snoop on your data doesn't want to snoop on your data, because they know you'll just leave them for another, more privacy conscious, provider if they do.

VPN providers have incentive to compete with each other and commitment to user privacy is an important selling point. ISPs have zero commitment to privacy and almost no reason to compete since users have no choice.

You're right, of course, but a VPN at least lets you make sure that the service that can snoop on your data doesn't want to snoop on your data, because they know you'll just leave them for another, more privacy conscious, provider if they do.

Only if you can tell that they're doing so. If they create two companies with no apparent connections, how would you know that VPN company A was selling your data through Marketing company B?

We are now getting pretty far down the rabbit hole.

Is this possible in theory, if your packets go in all directions (IPs) encrypted, not sure how you reassemble, but in theory, would the information then be whitewashed? I guess I'm asking, is it possible in principle, can you leak no information (including metadata) from IPv4?

Netflix for example does not work over vpn so the router would have to have a way to manage exceptions.
I would set up a tor endpoint on the home connection (to make the collected data as useless as possible).

Combining this with a regular VPN should be enough effective, with a minimum maintenance burden.

Privacy is weighed against public safety all the time. The question is at which point does it become unreasonable. Warrantless searches of American individuals just so happens to be where we, as Americans, draw the line.

On the other hand, don't mistake my assault on the technical validity of your sentence for disagreement with its intent. We should be outraged.

Shame on us for having allowed this to happen, and for the dangerous precendent it sets for local monopolies to sell your information.

Someone posted on a similar thread yesterday or the day about something that would fit the bill for you. I'll see if I can find it.

Off the top of my head, I think they sold a router, mostly pre-configured with ddwrt, that you plugged in your info for PrivateInternetAccess and used them as the VPN. Could be wrong though.

Edit: Here's what I was talking about: https://easyvpnrouter.com/. May or may not meet your needs

That's great! Good find, thanks.

The website mentions an interesting solution to the streaming media problem: "Keep your existing router and run both networks simultaneously. Connect to your Easy VPN Router when you need safety"

So basically I could have the performance-sensitive devices hook up to the existing router, then use Easy VPN as the main access point for everything else. That's probably a lot more maintainable than trying to choose what goes over the VPN dynamically.

A router only helps you at home. We need a service that protects you anywhere.
An app that enables you to use your home router as a gateway could solve this problem.

I had an idea called 'Home Gateway' awhile back, but i do not have the business acumen and lack part of the technical know-how to complete such a task.

> - Smart VPN bypass for performance-sensitive traffic like streaming video and gaming

It is highly error-prone to maintain (or expect a company to maintain) essentially a large filter list. In the end you'll end up with a product that gives you neither privacy nor performance. For a real world example, try using a smart dns. They suck at dns on its own. And they have to keep up with the cat and mouse of content sellers blocking them. You'll end up with pretty much the same situation with your smart vpn solution. You'll never know reliably what's going over which route (unless you are making the list), debugging will be a nightmare, and you'll have leaks all over.

For the nerds among us this shouldn't be too hard. A Virtual Private Server can be rented for a few dollars a month. I have seen examples that charge less than $4 for unlimited bandwidth.

Install VPN software on the server and become your own VPN provider. On your home router you can setup a point-to-point VPN connection and you're done - all traffic encrypted and bypassing your local telco.

I assume that network-providers are not included in this legislation though...

Mind divulging on some VPS providers? The one I've been looking at closely is https://www.vultr.com/

Their $2.50/month plan fits me well as my monthly traffic across all my devices (and home) is roughly 100GB. Pair that with https://github.com/trailofbits/algo and it's a reasonable setup.

I'm a fan of RamNode. I've been using them since they launched a few years ago without a hiccup.
There is one issue that your traffic is typically flagged as originating from a VPS provider and you might end up getting denied or have to do annoying challenges.

Still worth it but it's something to consider.

what's a good vpn software to install on a server?
> VPN

This is a political problem. Technology like a VPN or alternative DNS is little more than a placebo. With the ISP as a permanent MitM, modern deep-packet inspection, etc, you are probably still leaking a lot of information.

Worse, you're only moving the problem to a different location. Even if you were able to hide your traffic from your local ISP, your VPN host or DNS service becomes your ISP de facto. Also, if any of your online accounts can be tied back to you on their own, you might not get a choice in the matter; the server's ISP can also sell information. What about TLS? Unfortunately far too many websites are only encrypted to CloudFlare.

However, the real reason that VPNs/etc are not a solution is that privacy shouldn't be limited to people with a technical background. Those of us that do understand the technology have a duty to help the people without that knowledge and experience.

Tell people to use the Opera browser. It has VPN built-in.
So you trust the company involved in the WoSign debacle with your data?
The question isn't about absolute trust.

It's about who you trust more with your privacy.

So yeah, I think I'd trust almost anyone more than my ISP now because they have an incentive to profit off my lack of privacy.

> Worse, you're only moving the problem to a different location

I agree that's true from a technical perspective. However, the VPN provider has an economic incentive to compete on privacy. I would much rather just trust my local ISP, but at least I have a choice in VPN providers.

> privacy shouldn't be limited to people with a technical background

Absolutely. That's why I want this as a product that Just Works instead of my own hacked-up implementation.

Not just that, but being able to choose your VPN+ISP is better than being able to "choose" your ISP.
Excellent point. In the US you likely only have a small number of ISPs you can choose from, but there are huge number of VPN/PaaS/HaaS providers out there that you can route your traffic through. Surely some will compete on privacy.
> Those of us that do understand the technology have a duty to help the people without that knowledge and experience.

No, we don't. The fact that the "common people" don't value privacy enough led to this whole situation. Those that do value privacy, can pay for it with their money (or their time to learn).

I agree with this! I think, should people value their privacy and want to use VPNs then we can teach them about such matters but merely us trying to convince them should not be our problem.
I think the problem is not that most people don't value privacy, it's that most are unaware of the privacy issues that affect them, or have been misled to believe that the cost of having the websites and services that they rely on (facebook, gmail, etc.) is necessarily tied to giving up privacy.
This isn't a new problem. We "know" the common people don't care because all attempts at scandalizing this in the media, for years, have not found much resonance.
If people didn't care about privacy, companies wouldn't be so opposed to regulations requiring them to get consent before selling personal information. Advertisers wouldn't disguise targeting to avoid creeping people out. Uber wouldn't have deleted a blog post mapping one-night stands. Republicans wouldn't have had any reason to spin this bill as being about which agency should have authority.

People do more to protect their privacy when they know it's being violated, understand the impact, and believe they can do something about it.

Some people care about privacy. Most probably may even care about it to some degree, but not to the degree where they sacrifice their convenience for it.

Again, the media has done its best to scandalize the very real privacy concerns with companies like Google and Facebook. Did it hurt their success with the unwashed masses?

If privacy was really such a big deal, why would Uber write that blog post in the first place? Sure, enough people complained online to get it pulled, but that's not representative.

To wake people up, we'd need a real "story" here, like somebody getting fired over googling something relatively innocent.

Finally, if advertisers really try to disguise targeting, they're doing a terrible job at it. Just try turning adblock off for a moment to see for yourself. Yes, even the common folk thinks targeting is creepy, but at the end of the day they don't care that much.

I disagree that the media has done anywhere near its best to bring privacy issues to people's attention. At the same time, many stories that do get published offer lots of vague scares and no practical suggestions, which fuels people's sense that there's nothing they can do.

I don't know many people who have stopped using Facebook. I do know a lot of people who don't post things they would've 5 years ago.

Uber miscalculated, simple as that.

For targeting, I'm talking more about direct advertising. I think most people know by now that the sites they visit don't directly control the ads they see. Seeing the same ads everywhere is annoying but doesn't prove anything. A company you've never given your email address sending you offers for only items you looked at is creepy.

You should try a the NetAidKit. We use them a lot for high risk human rights defenders travelling to various places. It works with VPN and Tor. Has wifi bridging, is portable etc.

https://netaidkit.net

I use a service called Cloak[1], and I'm super happy with it. I'm getting 75MB/s down over my Wifi while VPNd through their service. I often forget that it is on because it _just works_. I have no affiliation with them, I just think they make a good product.

[1](https://www.getcloak.com/)

I seriously doubt you're getting 75 MEGABYTES down over Wifi. Did you mean 75 Megabits (Mb)? There is a major difference between Mb and MB. 75 MB would be equal to 600 Mb per second.
Why not? 5 Ghz connections are capable of delivering > 1 Gbit over the... air.
:eyeroll: Sure, and MIT managed to transmit data wirelessly at 1 Tb/s one time. But we're talking about the real world and regular consumer hardware here.
TP-Link Archer C7 can do up to 1300 Mbps over 802.11ac, and costs about $85.

No university research equipment required.

I was mulling over a service like this. Was thinking I'd set it up roughly like so:

1. Create Terraform / Ansible scripting to boot up fresh DigitalOcean droplets with OpenVPN and encrypted DNS / pi-hole to strip out ads.

2. Bulk purchase cheap dynamic DNS domains (or just generate sub domains on command and hit some kind of load balancer).

3. Create scripting to shuffle the various VPN boxes every x time (each night, week, whatever).

I'm not an expert, so I might be missing things here. But I'd pay for that, and I think all you'd have to do as a client is put OpenVPN client on your router and point it to whatever static domain you're assigned by the service.

EDIT: I also figured I'd donate some % of proceeds to OpenVPN / Pi-Hole.

The fact that this law has passed raises an interesting question: can a private citizen request and receive any and all information from a government entity about the users of that government's various assets? For instance:

1. Detailed data on the number, character, weight, etc. of every car that passes on a government road. (cameras record license plates, traffic videos exist, weigh stations are sometimes required for trucks, etc.)

2. Power companies bill the owning address for every power meter connected to the grid - therefore it should be possible to compile detailed historical data on power use. (watt-hours used, at least in monthly time-slices, possibly with geo-locating data, etc.)

3. Same as above for water use.

It seems to me that if the government is going to make it legal for a provider of services that run on government owned property (telephone/internet lines, which if not in all cases outright owned by the federal government, ARE deeply regulated by it), then why not all the databases concerning all gov. property?

(comment deleted)
This is basically like having your mailman/postoffice sell the list of your to/from addresses.

Isn't it possible to challenge this on constitutional grounds?

I really doubt it. First, the Constitution places limits on the government; not so much on contractual agreements between private parties. What you and Comcast agree to just has to avoid depriving you of basic human rights (i.e., you can't sell yourself into slavery).

Even ignoring that, you give up most constitutional privacy claims if you start disclosing the information to third parties. The ISP is a permanent and necessary third party here. If you tell your ISP that you want to go to ihaveherpes.com or whatever (by asking them to route your traffic there), then I'm not sure you have any claim to privacy as it pertains to a conversation between you and the herpes people. You willingly gave the ISP the information.

That's why we need legal protections like the prior FCC rules. Because by necessity, you need something above any bare constitutional protection.

(comment deleted)
Time to roll up our sleeves and get to work. I've watched the tech community battle back many times: PGP, SCO Unix vs Linux, WebStandards.org, etc.

How do we fight this using software? Remember that many of the innovations came from single individuals. Is there a way to have a fully private, fast communication between two computers when we know everything we do is being saved and analyzed? Because that's all the Internet really is, whether one of those computers is a web server and the other a browser or any other infinite combination.

(comment deleted)
One idea that I have been running through my head for awhile is a Tor like onion router that could be funded by a special cryptocurrency. This would mean each relay would get some amount of money for passing a packet on to the next relay. Ultimately this would solve two problems with Tor: speed (as it is paid there would likely be more relays with faster connection) and issues with spam (DOS over the network would cost a lot more.) Obviously it would suffer from some anonymity issues that would need to be solved as you are paying and it could be traced. I don't know if this idea would solve the issue in this case but I figured I would mention it.
It's a repeal of the regulation put in place by the FCC last year October prohibiting ISPs (such as Verizon, AT&T) to sell their customers' data. This shows how strong the lobbyist groups are if this very recent item was taken on this quickly -- which makes sense if you think about that it's a $156+ billion industry in the US alone.

The regulation from last October required to ask for expressive consent to sell the following:

- Precise geo-location - Children’s information - Health Information - Financial Information - Social Security Numbers (wait, they actually sold those?!) - Web Browsing History - App Usage History - The content of communication

With the new regulation, passing all of these information on is fair game again. Which is absolute fucking shocking!

Btw, for anyone interested, I wrote a blog post about the implications of the new regulation for ISPs when it was first passed -- just make sure to read it as the opposite of what I wrote: https://blog.datawallet.io/broad-band-providers-take-a-hit-b...

Just because you call it a right, doesn't make it a right. For instance: I have a right to only be upvoted! Should I call the ACLU on everyone who downvotes this?

Recognizing the costs of providing internet service, and then making a suggestion to pay a higher premium for additional service (i.e. privacy) is the logical way to resolve this.

Well, I was going to respond to this, but it's an account that less than an hour old. Seems the trolls are picking up on tactics from Reddit.
What part of saying privacy/security comes at cost is trolling? It does. Whether you pay money directly or for lost access to features like persistent geolocation, using closed source internet-connect applications, etc, etc.

Unless I'm missing something bad the OP said.

The Supreme Court recognized on multiple occasions that we have a right to privacy. In this specific instance, protecting privacy comes at no cost to an ISP, as they simply do not collect or sell your data. They literally have to do nothing, as setting up the systems to collect and opening the channels to sell takes work. This nothnig more than money grab.
> The Supreme Court recognized on multiple occasions that we have a right to privacy.

The right to privacy... from the government, not private businesses.

There are privacy regulations which affect private business such as HIPAA. But these are not 'rights'.

And just because they are regulated doesn't mean they are effective at the intended or worth the significant costs of implementation - which is the critique here. So unlike government where the risks are a certainty (because we give the state a monopoly on violence and other powers), the risks of private companies selling data are not nearly in the same league, regardless if you believe regulations are the way to go.

I personally would like to be able to invest money so we don't have to worry about ISPs selling data. TLS/VPNs are a solved problem. Same with the opportunity to use adblockers... ad companies collect as much data and that is entirely unregulated. No one seems to care. We just say 'use an ad-blocker'... a private solution. 'Do not track' regulations were a total failure.

The first part you're correct about, so no argument there.

The second part sounds like a "private, free market" solution, which has had, at best, limited results. What's to prevent an ISP from simply prohibiting customers from using a VPN? If Netflix and Hulu can do this, why not Spectrum or Comcast? Your claims about ad-blocking can be used against you since there are companies that will prohibit you from using an ad blocker.

This is exacerbated by the fact that in many areas, there is only one ISP available, so there is no free market. Additionally, these companies will use any means to slow down or stop competition, so that's not an option. In this case, the government is the only organization that can effectively regulate these companies.

There is no right to online privacy. Full stop. If you'd like for an ISP to provide you with an additional benefit, there is nothing stopping you from writing them and asking to pay a premium for them to not track/sell your information.

They have a right to offer you a price, and you have a right to accept or deny their offer. You also have a right to cancel their service and switch to a provider who satisfies you as a consumer.

It's amazing how quickly the left dismisses logic and reason. Stay in your bubble.
Clearly, government ordained rights is the only way to stop data from being sold to evil marketing companies! To believe other viable options exist is crazy, you must be a troll! /s

That's how partisan worldviews work, my ideology is good, to believe otherwise is unfathomable / malicious / the agenda of a conspiratorial paid shill. There's some great literature on this subject, the left is particularly susceptible as their worldview tends to start from a smug all-knowing-esque position. But the right is hardly immune to this either.

45% of the top websites online have TLS by default and growing. Most home internet is shared among various people and most valuable data (ie, identifying data) is almost always encrypted these days. I can't imagine it's very valuable as it is and clearly the value is diminishing as privacy activists like myself push for TLS adoption and better OS defaults.

Yet despite previous ISP privacy laws, there's still a massive billion dollar marketing data industry collected from ads, rewards cards, credit card usage, etc, etc. This is like creating a huge fuss about a fly while a jumbo jet gets let through.

> Clearly, government ordained rights is the only way to stop data from being sold to evil marketing companies! To believe other viable options exist is crazy, you must be a troll

You're from Canada, so your government has implemented strong privacy laws. What you may miss out on is that the usual response to this involves either individual responsibility or a free market solution.

The problem with both of these is that ISPs in the United States are powerful, and in many cases, hold either monopolies or non-competing duopolies is a region. There is no "free market" solution. Claims there are ignore the reality that ISPs will use any means necessary to slow of halt competition. Google Fiber is an example of that. Individual responsibility would require everyone to set up VPNS. For some people, that is beyond their means or their capability. It also is, as I said, an arms race. An organization can detect if you're using a VPN and either throttle or ban you from their service. If you live in one of those areas with a monopoly, you're of luck.

I have yet to see either logic or reason in your posts. However, using a fresh account with a username clearly meant to incite is not exactly a subtle tactic.
We've banned this account for trolling. Please don't create new accounts to violate the guidelines with—we ban the main account too if that continues.
Yeah, you're right, we should make list of people who think their "rights" are important. Let's start with gun owners.
Please point me to the amendment that guarantees a right to internet privacy.

Gun owner's actually have a right: https://constitutioncenter.org/interactive-constitution/amen...

Perhaps you should try to better understand the system of rule of law we have here in the United States before participating in discussion.

If you're so convicted about your beliefs, perhaps you shouldn't be too chickenshit to post from your main account. Drop the troll tactics.
Unfortunately, this does not answer my original question. Please provide me the constitutional amendment that grants individuals the right to privacy while using the internet.
What's the point of trying to have meaningful discourse with an obvious troll account? Grow a pair.