Legalized sale of browser histories should worry journalists

April 12, 2017
Photo via Wikimedia Commons

The blowback has been intense to President Trump’s decision last week to back a congressional rollback of recently adopted FCC privacy rules—rules designed to protect web users from the reuse or sale of their online traffic histories without their explicit consent. Yet while the revision has made news for being extremely unpopular and inspiring crowdfunded campaigns to buy Congressional browsing records, the changes have implications for media companies far beyond the current news cycle.

In the face of overwhelming negative public response to the change, Internet Service Providers like Comcast have been quick to assert that they have no intention of selling individual browsing histories. The key word in such statements, however is individual, which should not be confused with the real cause for concern: the selling of aggregate browsing information that nonetheless remains importantly identifiable.

On its face, the Telecommunications Act—which governs the ISPs—clearly prohibits usage, disclosure, or access to “individually identifiable” customer information, except in the provision of telecommunications services. Yet what constitutes “individually identifiable” has changed dramatically in recent years. As privacy researchers Arvind Narayanan and Vitaly Shmatikov have argued in a paper on the topic, making distinctions between identifying and nonidentifying information “is increasingly meaningless as the amount and variety of publicly available information about individuals grows exponentially.”

Even if ISPs only sell or trade aggregate information about users’ browsing histories, the plethora of information about individuals available from other sources makes “re-identification” of an individual within that aggregate possible.

For most users—including journalists and media organizations—the ISPs’ arguments that web histories alone do not constitute “sensitive” information amount to meaningless hair-splitting, as do the assertions of companies like Cox, who helpfully affirm that they will “not disclose Personally Identifiable Information to persons outside of Cox, other than our affiliates, vendors and business partners.” And while activists have vowed to make the privacy changes an issue in the 2018 elections, media organizations and journalists need to take steps to protect the competitiveness and confidentiality of their reporting—and their readers.

The first step is for journalists and media organizations to privilege the use of HTTPS websites and services as much as possible: While your ISP can still see which domains you’re connecting to (such as duckduckgo.com), they cannot generally see which individual pages you’ve visited. Similarly, news organizations should protect their readers by implementing HTTPS on their own sites.

Sign up for CJR's daily email

Other technical options—such as the use of a Virtual Private Network or anonymizing services like Tor—can also protect your research and reporting topics from the prying eyes of ISPs. But routing all of your web traffic through another network will come with a price—either in dollars (reputable VPNs will charge for their service) or in delays (Tor routes your traffic all over the world, and can be correspondingly slow). Note, however, that in the case of a commercial VPN, you may be hiding your web history from your ISP, but will be sharing it with your VPN provider instead.

For large media companies, negotiating special contracts with service providers may be another way to gain some protection, though doing so will no doubt be both difficult and contentious. Until further action is taken on the legal front, however, it may well be news organizations’ best bet.

Susan McGregor is Assistant Director of the Tow Center for Digital Journalism and Assistant Professor at Columbia School of Journalism.