Last Updated on by SCARS Editorial Team

The U.S. Govt. just wiped out your online privacy…

…and here’s what you can do to protect yourself

Congress and President Trump just approved a bill lifting restrictions imposed on Internet Service Providers (ISPs) concerning what they could do with information such as your browsing habits, location data, and Social Security number. That’s right, your online privacy is now for sale.

So what happens when this massive store of aggregated, location-specific customer data is up for grabs? We’re about to find out, but the prognosis isn’t good. See what you can do to cover your data.

Your ISP, browsing history, and what to do about it

RePosted from Malwarebytes Labs: April 4, 2017 by William Tsing

In late March 2017, the United States Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports on the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad Targeting

Ad Retargeting:

We all might be familiar with this; when we buy a product online and then see ads for it relentlessly for a couple weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scamTech Support Scam Phone scammers may masquerade as tech support employees for a major company in order to take your money or install a virus on your computer. They may call from what seem to be legitimate company numbers using caller ID spoofing. companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates to those of low income or unemployed people, my ads would fill with work from home scamsScams A Scam is a confidence trick - a crime -  is an attempt to defraud a person or group after first gaining their trust through deception. Scams or confidence tricks exploit victims using their credulity, naïveté, compassion, vanity, irresponsibility, or greed and exploiting that. Researchers have defined confidence tricks as "a distinctive species of fraudulent conduct ... intending to further voluntary exchanges that are not mutually beneficial", as they "benefit con operators ('con men' - criminals) at the expense of their victims (the 'marks')". A scam is a crime even if no money was lost.. Or low literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There are a cornucopia of ways to target the weak and vulnerable via metadata and it’s both legal and profitable.

Online Stalker

Cyber Stalking:

As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking appsApps Applications or Apps An application (software), commonly referred to as an ‘app’ is a program on a computer, tablet, mobile phone or device. Apps are designed for specific tasks, including checking the weather, accessing the internet, looking at photos, playing media, mobile banking, etc. Many apps can access the internet if needed and can be downloaded (used) either for a price or for free. Apps are a major point of vulnerability on all devices. Some are designed to be malicious, such as logging keystrokes or activity, and others can even transport malware. Always be careful about any app you are thinking about installing.’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with new homes and new identities, a victim would have to live with the fear of their search patterns combined with IP addressGeolocation Geolocation is the utilization of a device IP address, along with other device signals, to determine geographical location. An Internet Protocol address (IP address) is a numerical label such as 192.0.2.1 that is connected to a computer network that uses the Internet Protocol for communication. An IP address serves two main functions: host or network interface identification and location addressing. An IP Address can be used to locate a physical computer's location. identifying them, permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.

Browser History Ransom

Web Browser History RansomRansom A ransom is an amount of money or other assets of value that is paid for blackmail, extortion, or under other threats or coercion. The ransom is usually paid in cash or now in cryptocurrency. Online blackmail, sextortion, and ransomware all demand ransoms to avoid negative outcomes.:

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomwareRansomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies that are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan virus disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction. and tech support scamsTech Support Scams Phone scammers may masquerade as tech support employees for a major company in order to take your money or install a virus on your computer. They may call from what seem to be legitimate company numbers using caller ID spoofing., when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.

Time to Breach

Time to Breach:

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark webDark Web This is a sub-level of the internet that normal search engines and everyday browsers cannot access. It’s an encrypted network that contains websites – both legal and illegal – that remain hidden from plain sight.. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive or fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPNVPN A VPN (also known as a proxy) is an app or connection method that keeps your internet connection private, whether you're connecting to unsafe public Wi-Fi or your network at home. Having a layer of security that blocks people from watching you browse helps keep you safe online, no matter where you connect from. Virtual private networks protect you by creating an encrypted "tunnel" that all of your device's data travels through on its way to the internet via a proxy server or service. Encryption turns words and data, like text files, into a secret code. If someone tries to read encrypted data without the password, they'll see random gibberish. providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

Do they keep logs of your activity?

How much identifiable data do they keep on you?
Do they have physical control over their own VPN servers?
What countries are their servers located in?
Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Freedom Foundation. It forces websites to use a more secure HTTPS connection when the website supports it. Encrypting traffic in this way does not protect the specific websites you visit from your ISP, but it does obfuscate specific content that you’re accessing on that page. And as a browser extension, it’s fairly easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?