A Quick Primer on the recent FCC Ruling Clusterfuck

Posted on Updated on

Disclaimer: while I am a software engineer variably-employed in computer security, I am not a lawyer. Please take any legal opinions posted here with a grain of salt. Avoid anything legally hazardous without speaking with a lawyer. This document also represents my own personal views, instead of those of my employer, et cetera.

Note, especially for non-US citizens: the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) are separate US federal agencies. These are not used interchangeably.

Yesterday, our 45th president approved Senate Joint Resolution 34, repealing last year’s FCC order for consumer privacy for broadband and other telecommunications services that themselves followed this 2015 ruling. These documents are a lot to take in, and there is an incredible amount of misinformation about their impact, so let’s break down what this means.

The 2016 FCC order, which would not have been in effect until later this year, would have resolved an open legal question in common carrier law. Specifically, when the FCC began treating broadband and other Internet service providers as “more like telephone networks [that] could be regulated as ‘common carriers'”, it created a situation in which the FTC no longer had jurisdiction to govern the companies that now received this designation. As FTC lawyers would later state, this problem is “especially severe in the area of consumer data privacy”, as this created a vacuum within which previous rules around privacy did not apply.

In other words, by getting common carrier designation, service providers such as AT&T, Xfinity, Spectrum, and Verizon were suddenly able to work around FTC laws previously governing their sharing of private consumer information. The now-rejected 2016 order would have explicitly covered by late 2017:

  • Financial information
  • Health information
  • Social Security numbers
  • Precise geo-location information
  • Information pertaining to children
  • Content of communications
  • Web browsing history
  • Application usage history, and the functional equivalents of web browsing history or application usage history
  • VoIP and other voice service call data

Needless to say, this is a big deal. Not just because these service providers will now lack explicit guidance and regulation in an area of legal ambiguity, but also because they can share subsets of this information for marketing and profit motivation today. The removal of this 2016 order also shelves any attempts companies would have made for compliance before the deadline, and in some cases, may actively encourage these providers to become worse.

The main problems with having these data available for paid sharing and marketing purposes — even if you believe you have “nothing to hide” — are twofold. First, these data are being collected in ways that may be sensitive to attack or breach across a very large attack surface (and thus, subject to breach from a large number of service providers). Second, many of these data can be used for identity theft, real-world stalking behavior, or as we are learning with a growing body of evidence, used to help swing a presidential election through propaganda tailored to individual consumer biases. And these are just top-of-mind scenarios of potential abuse.

If you especially care about any of these outcomes, here are a few things you can do about it:

  1. At a minimum, follow this guide by Matt Kiser. Setting up two-factor, using separate passwords per service, always using HTTPS (or just plain TLS), and blocking third party content and ads solves most of the problem of background collection of your information. As noted in the guide, you can do much more. Tune as necessary.
  2. Request your own records. While it is unclear how ISPs will implement their own data sharing procedures in the FTC vacuum, you can request these records from many other businesses today to get an idea of what they might look like. (Note: this is a 2010 article containing dead links, so you may need to search for the correct ones).
  3. Set up a credit freeze to preemptively protect yourself from identity theft.
    • The positive: this makes it substantially more difficult to turn leaked personally identifying information into a credit disaster.
    • The downside: secondary verification to obtain credit is a pain, often requiring paying a small fee and a pin to have the freeze temporarily lifted.

Note that in addition to the big three (Experian, Equifax, and TransUnion), Innovis is a fourth bureau also worth freezing. While you’re at it, you may want to also opt out of prescreened credit to save yourself on junk mail.

Many people have proposed that this change means you must also set up a VPN if you live in the United States. This is flatly untrue, and in many cases can cause more harm than good if the VPN service you choose has worse data hygiene or sharing policies than your home ISP. However, having these options available in the event they are needed is exceptionally handy, especially if you are concerned about passive collection of DNS traffic or if things get worse than they are today.

Should you opt to set up a VPN for general use or in case of emergencies, I strongly recommend first reading this short primer by the EFF. With the possible exception of Tor, steer clear of free providers: as they say, when the service is free, the product is typically you.

I’ve chosen NordVPN for the time being, based on their low cost, generally favorable reviews, large server presence, strong privacy, use of OpenVPN, excellent configuration guides (including router guides), and ability to accept Bitcoin. But as always (and especially as this guide ages), make your own decisions based upon your own needs.

Typically, VPN providers will give you a client that runs from your desktop computer, laptop, or phone automatically. This is handy if you have a very small number of devices that you wish to connect, and is in many cases the easiest option to start using a new provider on a personal machine.

However, for connecting a large number of devices or providing the connection to an entire household, I recommend buying a cheap wireless router that supports DD-WRT (FTP containing most recent builds from 2017). Doing so allows you to connect devices to the VPN “on the fly”, while performing configuration only once.

In my case, I set this up in a few hours using a WRT54G v2.0 that I bought from a thrift store for $5. For most, a similar setup is viable as a weekend project with very little financial investment.

If you do opt to go this route, make sure to carefully read the installation guides and make sure that your router has enough available storage space for DD-WRT’s VPN build, which will come with OpenVPN preinstalled. Setup is typically GUI-driven, and once you have DD-WRT set up, setting up a VPN tunnel can be as easy as following a guide depending on your provider.

Comments are disabled, but please let me know on Twitter if this guide helped you or if you have any questions or comments.