Congress signs law killing internet privacy

An employee types on a computer keyboard. (KIRILL KUDRYAVTSEV/AFP/Getty Images)

By Meg Wagner

Next stop: Trump’s desk

The U.S. House of Representatives voted on Tuesday to kill a set of internet privacy rules, paving the way for service providers to share and sell their customers’ sensitive information — including everything from browsing histories and financial records to information on children.

The bill to repeal the Federal Communications Commission (FCC) regulations passed 215-205, with 15 Republicans joining the 190 Democrats who voted against it. It passed in the Senate last week in a straight party-line vote.

The regulation-smashing bill now goes to President Donald Trump, who is expected to sign it.

The FCC passed the privacy rules in October under the Obama administration, and they were due take effect later this year. They would have barred internet service providers — such as Comcast, Verizon, or AT&T — from selling customers’ sensitive information to advertisers without their explicit permission.

Republicans across the board — on the FCC and in Congress — have insisted that the rules unfairly target internet service providers, burdening them with extra regulations that other online companies don’t have to follow.

For example, search engines and social media sites, such as Google and Facebook, are regulated by less stringent Federal Trade Commission regulations, which don’t require companies get users’ permission to collect and sell data. This is why, when on those sites, users frequently sees ads for products for which they’ve previously searched, or for local businesses.

Democrats claim that overturning the regulations is an attack on consumer privacy.

“What the heck are you thinking?” Rep. Michael Capuano (D-Mass.) yelled at his pro-bill colleagues on the House floor ahead of his vote. “Give me one good reason why Comcast should know what my mother’s medical problems are? You know how they’d know? Because when I went to the doctor with her, and they told me what it was, I had no clue what they were talking about. I came home, and I searched it on the ‘net.”

“Just last week I bought underwear on the internet. Why should you know what size I take?” he added.

Meant for protection

When the FCC passed the rules, the organization was composed of three Democrats and two Republicans. At the time, the commission’s chairman, Democrat Tom Wheeler, said that the rules were meant to protect all web users.

“It is the consumer’s information,” he said ahead of October’s vote. “How it is used should be the consumer’s choice, not the choice of some corporate algorithm.”

When Wheeler, an Obama appointee, left the FCC in January ahead of Trump’s inauguration, Republican FCC commissioner Ajit Pai took his seat as chairman — and again began criticizing the privacy rules, just like he did after the October vote.

There are two major parts to the rules Congress voted to overturn. The first provision requires that internet providers tell their customers exactly what information they’re collecting. The second part would have specified that if a company wants to share or sell “sensitive” information, they need explicit consent from their customers to do so. The rules defined eight areas of sensitive information: geolocations, web browsing histories, the contents of emails and other communications, app usage, Social Security numbers, medical information, health information, and information on children.

Under the proposed guidelines, providers could share and sell non-sensitive information — such as users’ names, IP address or anything else not on the sensitive list —  but customers would have been allowed to opt-out.

Currently — and for the foreseeable future — customers must opt-out to stop the sharing of both sensitive and nonsensitive data. But that can be a difficult process, and many providers don’t readily provide information on how to do so.

A lukewarm solution

Congress was able to overturn the FCC rules this week through the Congressional Review Act (CRA), a once little-used maneuver that allows lawmakers to overturn newly implemented federal regulations with a simple majority. Before the Trump administration, it had been used just once before, under former president George W. Bush. This year, congressional Republicans have used to kill at least eight Obama-era regulations.

The act stipulates that federal agencies can’t try to pass new regulations that are too similar to the ones Congress overturned, so it’s unlikely that the now Republican-controlled FCC would be able to pass new privacy regulations, even if it wanted to.

But the CRA doesn’t seem to be stopping Democratic lawmakers from trying to reinstate the regulations. Sen. Ed Markey (D-Mass.) promised on Tuesday to introduce a bill forcing the FCC to write new, “strong broadband rules.” Since Democrats don’t control either chamber of Congress, it’s unlikely such a bill would pass — and questionable if it would even be allowed under the Congressional Review Act.

Privacy experts are encouraging anxious web users to try using a virtual private network (VPN) as a kind of work-around. VPNs route users’ online activity through a secure connection, effectively hiding it from providers.

But VPNs can be expensive, and it’s not a fix-all solution. While they hide browsing histories and other information, they still allow providers to keep track of your location. Plus, some critics have suggested that using a VPN doesn’t guarantee a user’s privacy: Instead of a service provider tracking and selling your information, the VPN could.