If you're reading the news, you've probably seen hoards of tech journalists up in arms about S.J. Resolution 34. In a nutshell, this is an agreement by Congress to overturn a rule passed late last year by the FCC. The rule itself prohibited Internet service providers (ISPs) from collecting and sharing data about their customers without said customers' consent.

The Congressional resolution nullifies that rule.

What happened

Last October, the FCC published a rule aimed at protecting consumer privacy. It dictated specifically that ISPs were required to:

  • notify customers about the data being collected
  • explain for which purposes that data will be used and shared
  • identify the parties with which that data will be shared

The rule identified ISPs as, effectively, telecommunications services. This means that ISPs would fall under the same laws that require other communications agencies to protect their customers' data. It requires that customers "opt-in" for the sharing of data and further blocked ISPs from refusing service to those who refused to share their information.

The rule was passed in October, published in December, and became effective in early January.

Congress - specifically Republicans in Congress - felt this rule went too far. They elected to void the rule using their power of "Congressional disapproval" as granted through the Congressional Review Act:

The [Congressional Review Act] empowers Congress to review, by means of an expedited legislative process, new federal regulations issued by government agencies and, by passage of a joint resolution, to overrule a regulation. Once a rule is thus repealed, the CRA also prohibits the reissuing of the rule in substantially the same form or the issuing of a new rule that is substantially the same[.]

As soon as President Trump signs the joint resolution into law, the FCC's rule will no longer exist.

OK ... So what now?

The media outcry about the new resolution is a bit misleading. Though the FCC's rule took effect in January, it hasn't actually changed anything yet. The new FCC chairman, appointed in the early days of President Trump's administration, has never been a proponent of this or any other FCC rule enforcing net neutrality.

Though the rule exists and has been "effective" most of this year, it hasn't been used to change anything about our ISPs behavior. It was still so new, no one had used it for anything yet.

The Congressional resolution rolling things back effectively just said a rule that wasn't being used cannot be used. In other words, nothing is substantially different today than it was at the end of last year.

Wait, the sky isn't falling?

Media coverage of the issue has, thus far, neglected to highlight much of the above. The FCC rule is regarded as a long-standing law that protected consumer privacy; unfortunately, this isn't true. The rule would have protected our privacy, but is being culled from our way of life before it had a chance to effect any change on the way ISPs do business.

Again, nothing is different today from the way things were three months ago.

And that should terrify you.

Happening right now

Rescinding the FCC rule means that ISPs are legally allowed to collect your data without your knowledge or consent. This includes:

  • IP addresses from which you access the Internet (potentially translatable to physical addresses)
  • A list of websites you visit
  • The pages and content on insecure (non-HTTPS) websites you visit
  • The content of forms you submit over non-HTTPS connections
  • And potentially much more

They are also legally allowed to use this data for advertising or even sell it to third parties, again without your knowledge or consent.

Even more chilling, they were already allowed to do this and might have been doing so all along. The FCC rule tried to protect us by preventing this behavior; S.J. Resolution 34 has highlighted the fact that this behavior was already the way of the world and will remain so for the foreseeable future.

What can you do about it?

As always, call your representatives and explain to them why they should care about protecting your privacy. Also, take what steps you can independently to ensure you're protected even if they do nothing.

  • Use tools like ad blockers and Privacy Badger to block tracking scripts on the sites you visit
  • Always ensure you're visiting sites over secure, HTTPS connections - your ISP can see the name of the server you're visiting, but not the individual pages or the content thereof
  • Find a reputable VPN provider and browse the web over an encrypted Internet connection

If you're a web developer, do everything you can to make sure the websites you build and maintain serve content over HTTPS. You are the first line of defense for your customers, your neighbors, and even yourself. SSL certificates are free, and many hosts will even set them up for you.

No one is more responsible for your privacy than you. No one will fight more for your privacy than you. Not Congress. Not your ISP. You owe it to yourself to understand the world around you, the data being collected about you, and how to proactively protect the privacy of that information.