US Internet users everywhere won a great victory when the Federal Communications Commission (FCC) passed some rules that barred internet providers from invading the privacy of their users.
These rules would have kept internet providers like Comcast and the like from selling your personal information to marketers, inserting undetectable tracking headers into your traffic or recording your browser history in order to curate an behavioral advertising profile. Providers would be forbidden from these actions unless they had the express permission of the user.
However, as of last Thursday, Republicans in the Senate voted to repeal those rules. So if the House of Representatives vote toward the same path and more rules are repealed, it’s fairly obvious that the results will be rather horrendous for the cyber security of internet users in the USA.
Privacy and cyber security go hand-in-hand. We’ve listed a few ways your cyber security will suffer if the FCC rules are repealed.
Spyware
When internet providers are allowed access to your private information, this goes without saying that spyware will be pre-installed in your devices. This goes particularly true for mobile phones and other mobile gadgets that most users purchase directly from providers.
There were already records of internet providers who tried to install spyware like Carrier IQ on phones. They claimed it was only to “improve wireless network and service performance”. After this became public knowledge and the fallout was enormous, several providers stopped using Carrier IQ.
Should the FCC rules be repealed, it wouldn’t be a far away occurrence for providers to start using Carrier IQ which is capable of recording browsing history, keystroke logs, and search results.
The issue is that Carrier IQ (despite already being pretty bad) can be configured to record sensitive information into the system logs of any user’s phone. What people don’t realize is that some apps transmit system logs off of phones as part of their standard debugging procedure. They’re running on the assumption that nothing sensitive is recorded in the system logs. However, if there are, it’s fairly easy to intercept for hackers.
This means that hackers may be able to see your username and password without having to do any real hacking.
Erasing Encryption
As of now, your provider can only view the portion of your traffic that isn’t encrypted. When you visit a site that starts with https your internet provider will not be able to see the contents of what you’re browsing. They’ll be able to see the domain but not the specific page or what’s on that page.
Since it would be to their benefit to be able to see what you’re browsing, in order to efficiently build your advertising profile, the providers are cooking up something new. The internet providers have proposed a standard they call “Explicit Trusted Proxies” which will allow them to intercept your data, remove the encryption, read the data, modify it when needed, and encrypt it once more.
While at first it doesn’t sound so bad, recent studies have found that 54% of connections that were intercepted (decrypted and re-encrypted) ended up with a weaker encryption. This means that many of the systems designed to decrypt and then re-encrypt data end up weakening the security of the encryption–this can and will expose users to increased risk of cyber attacks.
If internet providers are aiming to profit from looking at users’ encrypted data and start deploying these systems widely, users can no longer trust the security of their web browsing.
The cyber security implications of repealing the FCC’s privacy rules are dire. If the privacy rules are repealed, internet providers will resume and accelerate the dangerous practices with the aim of monetizing their customers’ browsing history and app usage. To do that successfully, providers will need to record and store even more sensitive data on their users which will become a prime target for hackers.