The simple answer to the question: not much.
In October 2016, the FCC passed a set of rules (here is a copy of the press release and the full text) specifically forbidding Internet Service Providers (ISPs) from using and sharing what was deemed as "sensitive customer information," unless the customer gave explicit, affirmative consent. This included things like location, social security number, browsing history, app usage history and the contents of messages.
Something that was not often reported from the FCC rules is that the "notice and choice" portion of the rules (the part dealing with the opt-in sharing of consumer information), was to take effect 12 months after the ruling. That means consumers would not be afforded protection until October 2017.
Last week, Congress voted to repeal these rules. Assuming the President signs it into law, then in reality, nothing has changed (except for the minor fact that the new law would prevent the FCC from creating similar rules in the future).
Now that we're back in the Wild West where our personal information can be sold to the highest bidder (as if Facebook and Google didn't already do that), how does that affect your privacy when it comes to your ever-growing collection of Internet of Things (IoT) devices?
To start, if you don't care that your ISP can collect, use and sell your personal data, you have nothing to worry about. However, if you have some concern about ad agencies getting your social security number, then you might want to think about how you are using your IoT devices.
Some of the more robust and popular devices, like the Amazon Echo (relying on the Alexa Voice Service) and the Nest, ensure that user data is encrypted and sent over SSL. This means that, in theory, ISPs would not be privy to the details of messages sent to and from their respective servers. However, there is enough metadata in these messages that a potential purveyor of user information could figure out:
This can be powerful information to marketers who want to know individuals' habits to create better targeted advertising.
What about smaller devices, like the ones you might be creating with an ESP8266-based board? The bad news is that many of these low-power devices do not support or have a difficult time supporting SSL/TLS communication, which means you're probably stuck sending data in the clear, open for ISPs to collect, analyze, use and sell. The good news is that unless your living room temperature data messages become a widely used protocol, ISPs and other marketing firms likely won't care enough to interpret that data. But I wouldn't rely too much on security through obscurity.
The lesson here: Use SSL/TLS/HTTPS to avoid having the internals of your internet communications sniffed. But you knew that already, right?
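To make the cleartext-versus-metadata distinction above concrete, here is an added example (not code from the original post) that replays a constructed flow log past a passive on-path observer: the plaintext ESP8266-style sensor upload gives up its fields outright, while the TLS flows to the assistant and thermostat give up only endpoint, size and time of day, which is still enough to sketch when the household is active. All hostnames, timestamps and payloads are constructed sample data.

```python
"""What a passive observer on the path (an ISP, say) learns from home IoT traffic.
Cleartext uploads expose content; TLS traffic exposes only endpoint, size and
timing metadata, which still reveals daily activity. All data is constructed."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed flow log: (UTC timestamp, destination, bytes sent, payload).
# payload is None where the device used TLS: the observer sees ciphertext only.
FLOWS = [
    ("2017-04-03T07:05:00", "sensors.example.net", 92, b"temp=21.5&room=living"),
    ("2017-04-03T07:06:00", "avs.example.com", 4096, None),   # voice assistant
    ("2017-04-03T12:05:00", "sensors.example.net", 92, b"temp=23.0&room=living"),
    ("2017-04-03T18:40:00", "avs.example.com", 8192, None),
    ("2017-04-03T19:15:00", "thermostat.example.org", 512, None),
]

def observer_view(flows):
    """Per flow: what the observer can read. Cleartext is parsed like the server would."""
    view = []
    for ts, host, size, payload in flows:
        record = {"time": ts, "host": host, "bytes": size}
        if payload is None:
            record["content"] = "ciphertext"
        else:
            record["content"] = {k: v[0] for k, v in parse_qs(payload.decode()).items()}
        view.append(record)
    return view

def cleartext_fields(flows):
    """Distinct field names exposed across all cleartext flows."""
    fields = set()
    for rec in observer_view(flows):
        if rec["content"] != "ciphertext":
            fields.update(rec["content"])
    return sorted(fields)

def activity_profile(flows):
    """Per destination: hours of day with traffic and total bytes, from metadata alone."""
    hours, volume = defaultdict(set), defaultdict(int)
    for ts, host, size, _ in flows:
        hours[host].add(datetime.fromisoformat(ts).hour)
        volume[host] += size
    return {h: {"hours": sorted(hours[h]), "bytes": volume[h]} for h in hours}

def active_hours(flows):
    """Hours with any device traffic: a coarse 'someone is home' signal, TLS or not."""
    return sorted({datetime.fromisoformat(ts).hour for ts, *_ in flows})
```

Note that the sensor flows alone are periodic and say little, while the bursty assistant traffic at 07:00 and 18:00 is what profiles the household; switching the sensor to TLS hides the temperature but not that pattern.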
What other tips can you offer to keep your traffic out of reach of ISPs? Have you had luck using Tor and VPNs to encrypt your traffic further?
As it's been said, "Remember that the S in IoT stands for security."
No matter what you do for encrypting all your traffic, you're still stuck with trusting the provider and their ISP. I personally use SSH tunnels (with autossh) as SOCKS5 proxies, which can be a bit more configurable and dependable on these devices, and easier than implementing SSL. Additionally, for DNS, I use DNSSEC, which tunnels your DNS requests over a secure channel to a remote provider. The challenge then becomes having a server to route the SOCKS5 connections and to act as DNS cache. Having a proxy and cache setup on your LAN with the free tier on AWS can help with all of this, and it's not likely that AWS is looking to sell information on "surfing" type traffic.
Even for IoT devices that have no SSL/TLS support, you can add a level of privacy by having them connect through a VPN gateway. Since it also forces DNS queries over the VPN, or at least to a public DNS system like Google's DNS or FreeDNS, it can solve the issue of Alexa telling advertisers where you're home. It's pretty easy to set up a Raspberry Pi to force all your internet traffic over a VPN:
https://github.com/ShVerni/Raspberry-Pi-VPN-Gateway
This, of course, does nothing to increase the security of the devices themselves, but it does make your living room temperature data private from your ISP :-)
Good to know, thanks! I may have to play with that RPi VPN.
As has been reported everywhere, but is usually buried deep in the comments: This ruling had nothing to do with privacy to begin with. Late in the Obama administration, the FCC decided to extend its power saying it could legislate over this area. Congress has disagreed, saying that this is the domain of the FTC. There's some legal wrangling on the edges, but that's the gist of it.
Here's another way of putting it: Imagine if you turned on the TV, and there was wall-to-wall coverage on CNN of how Congress just passed a bill to take money from schoolchildren in Iraq. Everyone posts about how it's terrible that schoolchildren in Iraq won't get an education, or maybe we weren't doing a good job to begin with. But the real story is that Congress repealed the authorization for force and declared that we will no longer be fighting in Iraq. Programs designed to "win over the hearts and minds" of the Iraqi people are going to go away as part of this force reduction, but really, the ruling has NOTHING TO DO with defunding Iraqi schools except in passing. Same here. There may be a conversation worth having about the privacy fallout of this ruling, but that has NOTHING TO DO with the actual ruling.
We're so deep into fake news that neither side is even close to talking about the actual issues. Both sides just decide what they want to talk about.
I'm afraid you're wrong that the FTC has any authority over ISPs. The FTC cannot regulate common carriers:
"The legal changes all stem from the FCC's decision in February 2015 to reclassify home and mobile ISPs as common carriers. The reclassification had numerous effects: it allowed the FCC to impose net neutrality rules, but it also stripped the Federal Trade Commission of its authority over ISPs because the FTC's charter from Congress prohibits the agency from regulating common carriers."
And even if ISPs weren't common carriers, the FTC still probably wouldn't have jurisdiction over them:
"Theoretically, Congress and the FCC could return jurisdiction to the FTC by eliminating the privacy rules and eliminating the ISPs' common carrier classification. But even that might not work, because a federal appeals court ruling in August 2016 said that any company with a common carrier business cannot be regulated by the FTC at all, even when they're offering non-common carrier services. The common carrier designation is also used for landline phone and mobile voice service; that means ISPs like AT&T, Verizon, T-Mobile, and Sprint could be entirely exempt from FTC oversight."
Source: https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/
So this is absolutely not about overreach by the FCC to replace the FTC, this is about the FCC creating privacy rules where the FTC has no authority.
Not to mention this from the eff.org: https://www.eff.org/deeplinks/2017/04/trump-signs-bill-roll-back-privacy-rules-law
wherein you will find this paragraph:
That measure not only repeals the rules, it also prevents the FCC from writing similar rules in the future, throwing into question how much the FCC can do to police ISPs looking to trade off their customers’ privacy for higher profits. Because of the current legal landscape, the FTC can’t police ISPs either, leaving customers without a federal agency that can clearly protect them in this space.
So, yeah, I'll go with the eff.org version over your twisted fever dreams... referring here to the original post by #831693
The main sticking point is that under the Obama administration there were serious proposals to police the internet and in particular, ban sites like Drudge and Britebart(?) and various commentators they found to have a negative effect on achieving their goals for societal change (Hope and Change). The method of control was to be the FCC, which has a much different charter than the FTC. Thus the reversing of the rules and moves to make sure the FCC is not the internet police.
The media outcry was rapid, very large, and avoided the main issues, including that it was about rules that never took effect and that your ISP has been selling your info all along. Many who would be in favor of the move were outraged due to getting it all wrong. It was very well done by whoever orchestrated the social media blitz.
I noticed that your article implies that ISPs can sell sensitive information like Social Security numbers. I think that there are already laws against this; like selling credit card numbers or banking information, this information is used to commit identity theft and fraud, so companies can't just sell it. Otherwise, any company could sell their employees' addresses, phone numbers, SSNs, etc. (which they all have) and create chaos.
True, I meant it as more of a "level of paranoia." Do you have any information on those laws? I'm curious to know what they can and can't collect/sell.
The ISP's privacy policy (customer, not website) should detail what they do collect, and how they use it. Here's Comcast's, for example:
https://www.xfinity.com/Corporate/Customers/Policies/CustomerPrivacy.html
Comcast's policy cites the Communications Act of 1934 (as amended) and the Cable Communications Policy Act of 1984, plus a few others. Comcast's policy explicitly states they will use your PII and usage history to provide you an 'enhanced advertising experience' but allows you to opt out, noting you will still be served advertising.
Wikipedia has a useful (if depressing) article on privacy laws in the US: https://en.wikipedia.org/wiki/Privacy_laws_of_the_United_States
It seems that most target or benefit a specific group, e.g. Privacy Act regulates Gov't use of PII, FERPA, COPPA protect student educational and personal info, HIPAA protects health information, Gramm-Leach targets financial institutions, Sarbanes-Oxley -> financials of publicly held companies (indirectly affecting consumer privacy), etc. Then the States may or may not supplement with their own laws.
If I were the paranoid type though, I'd worry less about privacy laws and legal protections extended to classes of persons and more about individual and arbitration clauses in click-wrap agreements, and what I term the "NSA defense" (record everything, use when 'necessary').
It varies from state to state, and there are some federal laws that mostly apply to government use/misuse. Also, I think a lot of it depends on who or why or what it is being sold for (like id theft). But, I'm no expert.
Anyway, great article, and thought provoking - thanks! Yet, I'm still having trouble figuring out how to be actually worried about any IoT privacy issues. Probably because I don't yet have many (any?) IoT devices around me.
Good to know, thanks! I'm not too concerned about IoT devices yet, either, as most of mine are silly projects that I've made that won't tell marketers much of anything. It does become a little more concerning when popular devices like Nest, Echo, and even Teslas start connecting to my network. What kind of information are they transmitting? Could it be used to paint a picture of my lifestyle and habits?
HIPAA would apply to those sort of records. Even ISPs don't like being fined anywhere from $500 to $15,000 per instance of a data breach like that.
I must differ with the notion of "selling to the highest bidder": this information will be sold to EVERYONE who offers money for it, not just the "highest bidder". As for protecting communication from devices incapable of effective SSL, it is easy enough to dedicate a computer on your local network to proxy SSL connections out over the internet.
Security, not just privacy, is a huge potential issue in the "Internet of Things". IPv6 has better solutions but we are still at IPv4 with no available IPv6 IoT products. I'm using the Arduino MKR1000, which does come with a software implementation of SSL using TLS but I find that certificates (and the need for frequent renewals) are a huge kludge, and there's no support for anything better. Does anyone else care about this?
I'm with you on this: I'd love to see some proper PKI support on embedded architectures, but I think we're still a generation or two away from seeing it really be supported natively. Perhaps the next iteration of the ESP line will have something for us. :-)
There is always the protected-subnet-with-a-gateway/proxy setup. Don't allow any embedded/IoT product/project to talk directly with the Internet, but instead require them to use some local service to either encrypt all their traffic or to even be the final destination. (Why not just run your controller locally? Much faster response times, and no dependence on Internet connectivity for your fun toys to work. Then again not everybody runs a hypervisor on a server in a basement closet...)
ISPs aren't (at least shouldn't be) a big concern for privacy. Anyone can avoid them collecting private info by using encryption (HTTPS, e.g.) and/or VPNs. The much bigger concern are the large internet companies like Google and Facebook. (Notice that Google no longer uses the motto "Don't be evil".)
ISPs can still collect data on you to help ad agencies paint a picture of your habits (e.g. when you are home and use the Internet), even if they're not sniffing the internal contents of your traffic. But you are correct, Google and Facebook get lots more insight into your surfing habits. Something like ixquick.com is a good alternative search engine if you're concerned about privacy.
So should I just always use an SSH tunnel to my home RPi VPN box? That will give my home connection uptime whenever I'm active, which should be a sufficiently entropic dataset that there's no real information to be gleaned from it, or at least so I think.
Good point! I never thought about ISPs knowing when you are home (or not). That's a little freaky. I suppose if one were really paranoid, one could write some code to frequently ping the internet to make it look like someone is at home.
The flip side is if you have enough fun projects at home that use the Internet to upload status/measurements or even just to check for updates it may look like you are always home. (Plus there are firewall setups like pfSense that will ping your next hop every minute or so for latency and availability tracking.)