How repeal of Internet privacy rules harms cybersecurity

Last Thursday, the House voted to repeal Internet privacy rules that had been passed back in 2016. And while there are arguments on both sides of the aisle here, there’s no denying that where privacy goes, cybersecurity follows.

It’s broken down like this: Privacy is controlling who gets access to something – data in this case. Security is how that access is controlled. The more people who are allowed access, the more risk that’s assumed. Since security is all about measured risk, it’s easy to follow why the House and Senate repealing these protections is causing a great deal of alarm within the cybersecurity field.

The previous rules controlled what Internet Service Providers (ISPs) could do with data they collected, and how they collected that data in the first place. Since the new administration kicked in, FCC Chairman Ajit Pai has been campaigning to get the rules made by the FCC under the old administration repealed. He supports removing the rule because he feels the previous one was archaic in its design, holding ISPs to rules made in the 30s.

Still doesn’t mean people are happy about it.

Beyond using proxies or VPNs, there’s little consumers can do now to keep their data private. But attempts to protect data should still be made. Here’s why:

ISPs have just made themselves the #1 target for hackers. In order to build up a marketable amount of data on their users, ISPs are going to have to collect data – and we mean a lot of data. Having such a large database of information, such as browsing habits, allows ISPs to extract trends using big data analysis. But that puts them right in the targeting path for malicious agents. This would be all well and good, if ISPs didn’t have a track record of being negligent with this sort of data.

Take Comcast for example. Back in 2015, a simple error on the company’s behalf exposed the private phone numbers of domestic violence victims and law enforcement personnel, people who had explicitly paid Comcast to keep those numbers safe. Comcast paid $33 million in damages to those users, but it just underscores a weakness in an already shaky argument. Especially when one considers that ISPs may not be held responsible in the future, like Comcast was.

That’s right. If a breach goes down or another mistake happens, Pai has proposed that ISPs not be held accountable for it if they have security measures in place. But breaches will happen. It’s just a matter of when, not if, especially when an already lucrative target just made itself irresistible to attackers.

ISPs can move forward with a rule that removes encryption. With the old regulation out of the way, ISPs can lobby for what they really want: Total access to encrypted data. The method is called Explicit Trusted Proxies, and it allows ISPs to take in encrypted data, decrypt it in order to read it, then encrypt it once more when they send it off to buyers. That opens up the ability for data that should be encrypted to be intercepted. It’s also worth noting that data that’s been re-encrypted ends up with weaker encryption 54% of the time.

Not to mention this removes many protections users utilize to protect themselves from ISPs spying on them.

Auto-inserting ads into webpage content breaks security measures embedded in the page. ISPs want data to direct ads to users. It’s an effective – if not a bit creepy – strategy. Too bad it breaks webpages. Code that’s inserted automatically into webpages may interfere with code that exists on the webpage already. The likelihood of this happening increases when you consider there are two opposing forces that aren’t communicating with each other: ISP developers and the webpage’s developers.

So when an ad gets placed on a page that already has ads, it opens up holes and vulnerabilities that hackers can then use to bypass protections.
