With looming changes to U.S. broadband privacy, police can bypass warrants entirely and just BUY your browser history from your ISP

Posted on Mar 26, 2017 by Rick Falkvinge

The bill passed the U.S. Senate: it looks like your ISP will be allowed to just sell your browsing history. While the bill still needs to pass the House (the lower legislature in the U.S.) and the President’s signature, it seems increasingly likely to unfortunately do so. This doesn’t just mean that your privacy is commercialized – it also means that search-and-seizure is: the Police will be able to just buy your browsing history from your ISP, bypassing any privacy protections completely.

In the beginning of telephony, the telco switchboard operators – human operators who connected phone calls – had the ability to listen in to anything and everything. At the time, telcos took privacy seriously. To qualify as a switchboard operator at a serious telco, you had to swear a formal oath to respect the privacy of the customers – and advertising seeking customer trust indeed spoke of “our oathsworn operators”.

That was a century ago.

Today, telcos are tripling over to milk the sheep – that’s you – for as much dough as they can get away with. All thoughts about earning the end users’ trust in delivering value are long gone, almost like it wasn’t modern management to run a good business in the telco world.

A century ago, telcos advertised to seek customer trust by telling the public how their employees were oathsworn to respect and protect privacy.

But this bill is about ISPs, and in the US, there aren’t a lot of dedicated Internet Service Providers – almost all of them are telcos or cable companies, which means we also need to include cable companies – Comcast and the like – in this bunch of customer-condescending business practices. (You’ll remember that Comcast has been repeatedly voted the most hated company in America.)

When you’re on the web on a regular insecure page, your ISPs sees everything: not just what page you visit, but also what that page looks like to you, and what data you send to it (except passwords, which are almost always encrypted). This includes any private messages you send or receive that are displayed on that web page, any forum posts, any images, et cetera.

When you’re on a secure HTTPS page, which are quickly becoming the norm, your ISP is not supposed to see anything. But your ISP will still know what website you asked for – it won’t know that you’re on a page with the address www.datingnow.com/gay/singles, or what you see on that page, but your ISP will be aware that you’re probably on the server www.datingnow.com, which can be bad enough for many server names. It knows this since your ISP handles what’s called a name lookup – translating the server name to an IP address for you – and your ISP can remember what server name you asked for and how long time you spent on that server.

With the new bill, police won’t need a warrant or subpoena to get your browsing history, but can just buy it from your ISP like it were yesterday’s bread at a shady bakery. This includes much of your HTTPS browsing, even if in less detail.

The one defense against this remains an honest ISP with oathsworn operators (good luck with that) or using a no-log VPN service, a VPN which also performs the name lookups for you so your ISP won’t see them. (Disclosure: Private Internet Access is such a VPN service.) Only then are you rightfully concealing your private activity from an ISP which may, can, and will sell you out to the highest bidder – including the police.

As a final punch in the gut, the Police won’t just buy your browsing history, they’ll be doing so with your money – with taxpayer money.

Hat tip to Phil A. Buster on Twitter.

Privacy remains your own responsibility.

VPN Service

Comments are closed.


  1. CitizenX911

    Background Investigation services would buy your browsing info to paint a personality profile. They do this already with Social media and other resources. They do this as contracting work for major corporations for job pre-screening, insurance investigations, security clearances, and police investigations. This is an outrage since we pay for ISP so that information is ours. Unless they want to give us free service in exchange but that is our decision to make and not theirs.

    4 years ago
  2. Trolfor Truth

    You forgot about SNI. Even when you change DNS servers, such as to Google or OpenDNS, the ISP can get the domain of any SSL domain via either reverse IP lookup or the SNI handshake.

    4 years ago
  3. Sarah

    Or just store your webpages in an iframe.

    4 years ago
    1. Jeffery Standinson

      what do you think that would accomplish?

      4 years ago