Trump’s Data Privacy Repeal & Credit Unions: Part 1

March 31, 2017 Marketing GrafWebCUSO

Experts weigh in on the House of Representatives and Senate votes to repeal the regulation preventing internet service providers from selling customers’ web browsing and app usage data without consent.

President Trump indicated his intention to sign the bill, S.J. Res. 34. The data privacy regulations, enacted late last year at the Federal Communications Commission but not yet in effect, would have required ISPs to obtain clear opt-in customer consent.

Information privacy, security and compliance consultant Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said this repeal of privacy and security protections under the law contains far-ranging consequences. “This change allows all ISPs, who provide broadband internet access services, to now be able to share and sell data about anything a consumer does with any computerized devices attached to networks to which ISPs provide the connectivity.”

Herold pointed out that the broadband internet access service (BIAS) provider can access all connected devices in a home. “Whenever we use a wearable connected device (fitness tracker, health tracker, etc.), smart device (thermostats, door locks, smart TVs), tablet, smart watch, laptop, smartphones, our activities are all logged by the BIAS. So not only does the BIAS know/log the websites we’ve visited, it also knows the devices we’ve used, as well as our locations, dates and times of our activities, files we’ve uploaded and downloaded, videos and photos we’ve viewed…pretty much everything (not purposefully encrypted) that has been transmitted.”

This rollback means ISPs can sell data on the online activities of credit union members to anyone willing to pay for it. “Who will be interested?” Herold asked. “Marketers, researchers, government agencies, investigators, law enforcement, any type of business that is looking for customers/clients to target, and those criminal organizations posing as legitimate businesses (yes, many do this).” Employers checking out the off-the-clock lives of their workers might also be interested.

Herold noted that such entities could see how many members are visiting the credit union's servers and sites, along with the associated times, dates, locations, and types of activity, such as uploads and downloads.

“There are a wide range of security and privacy risks this law mitigated, which is why it was enacted in the first place,” Herold said. Such information could also reveal exploitable vulnerabilities – and good targets for phishing, ransomware and other types of malware – to cybercriminals.

In part two, we’ll find out what kind of pressure this will place on credit unions’ security policies and compliance issues.