The measure, which passed by 215 votes to 205, means every company that provides internet access in the US will be able to sell everything they know about users to third parties without their consent or even knowledge.
ISPs already know quite a lot about their customers — names, addresses, ages, and a host of other personally identifiable information (perhaps as much as social security numbers). They also know which websites users visit, when, and how often.
ACTION: Call yr Congressman— Rama Dey-Rao (@ramadeyrao) March 27, 2017
Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.To understand n use: pic.twitter.com/taSMccWtm3
Such information can be used to build a yet more detailed picture of who a user is — their political and sexual leanings, medical conditions, when they are at home, whether they have kids, etc. In short, a cornucopia of separate data points — all of which can be traded without individuals even knowing about it — that amount to highly precise user profiles that can be built and exploited.
It's calculated this information is worth at least US$60 per month if a customer gets internet access through their cable provider — with around 100 million households online in the US, Congress has effectively handed ISPs an annual bonanza of perhaps US$70 billion, as strong an incentive as any for these firms to collect as much user data as digitally possible.
The law even potentially places ISPs in a better position than Facebook or Google to track and sell user activity — by definition, unlike those services, users needn't log or opt in to anything. If an individual logs out of Gmail and uses a search engine other than Google, the search giant is effectively blinded — likewise, if one logs out of Facebook (and any sites they've used Facebook to log into) and delete all the cookies it has installed on their system, the world's biggest social media platform is confounded.
An internet user theoretically has no way of hiding any of their online activity from their ISP — and an ISP can theoretically see the content of at least some of a user's online interactions, emails and search results.
On the plus side, ISPs can only track such data if it is conducted through websites unsecured with HTTPS (encryption). A majority of websites, including most of the world's most popular, use HTTPS. Moreover, it is second, it is perhaps more trouble than it's worth for ISPs to attempt to mine this enormous glut of data in an attempt to monetize aspects of it
What To Do?
Still, many, whether they are highly privacy sensitive or simply concerned, casual web users, will undoubtedly be extremely troubled by the implications of the law. The obvious question is — what one can do about it.
1. Use Tor
If a user connects to the Tor anonymizing system, or use the Tos browser, an ISP will only know that they have connected to Tor — from there, it loses the data trail.
However, Tor is a notoriously slow browser — and while is has been repeatedly endorsed by Edward Snowden, and one of the browser's primary developers has fled the US to escape FBI harassment, some critics have raised concerns over its origins. It was developed in the mid-90s by United States Naval Research Laboratory employees, and is still funded by the US government intelligence complex.
2. Log Out
Why not log out of websites when done with them? Doing so would also reduce distractions, meaning a user isn't constantly visiting Facebook to see whether a recent photo or post has received more likes when they should be working.
3. Rely Heavily on HTTPS
As previously noted, if a website has HTTPS, an ISP can see when a user visits it, and how long they've spent there, but nothing beyond that, including particular pages visited or searches or other data typed in.
However, the HTTPS Everywhere browser plugin applies a similar degree of effective encryption to all websites without the extra security.
4. Use Different Search Engines
Google may be fastest search engine, but it's also the most "stalky" — why not use a different one? Services such as DuckDuckGo pride themselves on not tracking or storing user information.
5. Try and Opt Out
A user could attempt to contact their ISP directly and ask to opt out of any tracking they currently conduct or plan to. This may not be successful on an individual basis, but a suitable groundswell of opposition to the law could compel companies to amend their practices.