ISP selling data: why you should actually care

Unbeknownst to you, there’s a good possibility that your Internet Service Provider (ISP) regularly sells your data to boost their profits.

Since the US Congress voted to roll back the FCC protections against the practice, American ISPs now have the opportunity to record, store, and sell the data that passes through their servers.

This might sound abstract at first. However, just think about the implications of your ISP selling your data. ISPs are actually recording everything you do online – the websites you visit, the brands you love, how long you spend on streaming services – and converting all that into cold hard cash.

Should you really care about your ISP selling data?

On the face of it, you might just shrug and accept ISPs selling data as one of the natural costs of having cheap internet access. But there are actually some serious privacy issues at hand when you let an ISP sell your web history, and the implications should alarm anyone with any interest in digital rights.

For starters, most people are unaware of exactly how much data they give away during everyday internet use. But think about what ISPs and advertisers can discover about you just from the websites you visit frequently. By selling your browsing history data, third parties can learn about your personal health, your romantic life and friendships, as well as professional connections. In the wrong hands, that kind of data can be used for nefarious activities – from identity theft to extortion.

Then there's the business case. You might want to argue that since your data is created by your browsing history, it belongs to you. When ISPs harvest and sell it without your knowledge, they’re effectively stealing from their own customers for their own gain. So, the argument goes, why not give ordinary web users a cut from the digital windfall?

Finally, if governments can access personal data from ISPs, they can use that information to increase their powers beyond their current scope. For instance, it could lead to an overly strict interpretation of restrictions on pornography or torrenting, while police departments might buy up information on the buyers of drones or knives.

What’s the legal situation with your ISP selling browsing history?

Laws governing ISPs selling data vary across the planet, and there are significant differences even among the developed democracies. Here's a quick snapshot from some important jurisdictions.

• USA – In 2016, the FCC mandated that ISPs would have to obtain consent for information harvesting, but officials from the Trump administration rescinded these regulations back in 2017, before Congress rejected them, and Trump signed his ISP Privacy Bill into law in April 2017. This made harvesting information absolutely legal. So users in the US have very few protections unless they use a VPN.
• UK – The situation is different in the United Kingdom, where citizens can now ask ISPs to remove their personal data under a version of the "right to be forgotten." However, at the same time, the Investigatory Powers Act 2016 forced ISPs to retain certain data for security reasons. It looks like "best practice" guidelines discourage selling this data, but the UK's protections are far weaker than the EU.
• EU – The European Union introduced the landmark General Data Protection Regulation back in 2017, which made it very difficult for ISPs to capitalize on user data. Everything they do regarding data now has to be subject to informed consent, with huge fines for breaching these regulations.
• China – Chinese data laws aren't as transparent as those in the USA or Europe, but we do know that there have been cases of data reaching the open market – such as insurers accessing detailed information of when car insurance policies are up for renewal. China's digital environment is like the Wild West in terms of data at the moment, making VPN use highly recommended.

Nobody is safe from the shadow data market

Wherever there are internet users, there’s data. And where there’s data, there will be clients keen to analyze and monetize that data to serve their interests. And given the connected nature of the global web, even European users can't be sure their data is secure.

Recent events have shown that selling information is rife among the major digital companies. Perhaps the most famous instance was Facebook, where users found ways to harvest personal data via games, surveys, and promotions. This data was sold to companies like Cambridge Analytica for political purposes.

With that in mind, Facebook are far from alone. The same actors worked with Twitter to harvest information, and there have been cases of big American ISPs selling data as well. AT&T, Verizon, T-Mobile, and Sprint have all admitted to selling mobile users’ location data, allowing people to be located in seconds. So it's a growing practice. But it's also one that users can do something about.

VPNs: the solution to ISPs selling browsing history data?

If you're worried about ISPs selling your data, using a VPN may well be a viable option. Thankfully, it's a remedy that almost anyone can implement on the cheap.

VPNs work by encrypting your data as soon as it leaves your computer, and then re-routing it through secure servers that could be thousands of miles away. This makes users almost entirely anonymous and renders their data almost useless.

High-quality VPNs create a wall that ISPs selling data can't penetrate, so in that sense it doesn't matter what the ISP privacy bill allows.

However, a word of caution: some unscrupulous VPNs keep logs and monetize data just like an ISP sell internet history. So always choose a VPN that doesn't keep logs, and hasn't been flagged as a data-seller.