To find out, I spoke to a number of privacy and security experts who have been following these issues closely in the public and the private sectors.
Catch me up real quick. What did Congress vote on?
Congress voted to keep a set of Internet privacy protections approved in October from taking effect later this year. The rules would have banned Internet providers from collecting, storing, sharing and selling certain types of personal information — such as browsing histories, app usage data, location information and more — without your consent. Trump must still sign the legislation, but he is widely expected to do so. For more, read our full story here.
Without these rules, could I really go to an Internet provider and buy a person's browsing history?
The short answer is “in theory, but probably not in reality.”
That said, if the providers relax their privacy policies or if the FCC chooses not to take action, ISPs could conceivably share detailed information about a person's Web usage that could be used to discover his or her identity.
“You may recall Verizon's supercookie program where they were tracking quite a bit,” LeBlanc said. “And there were allegations they could share unique data sets. It may not have said 'Travis LeBlanc,' but it would have been substantial data points about me.”
Based on how companies use and share data today, it's still relatively unlikely that an ISP would simply hand over data for cash, particularly about an individual, said Chris Calabrese, policy vice president at the Center for Democracy and Technology.
What generally happens in this industry is that a marketer will ask a company such as Facebook to advertise with a certain demographic — say, men between the ages of 45 and 55. The two companies will settle on a deal, and the marketer's ads will be displayed on Facebook to that group, but the marketing company will never see specific information about those people, which will continue to be held by the data company (or in this case, the ISP).
“That's the most likely way you'll have your Web surfing history sold,” said Calabrese — which means getting the raw data on, say, President Trump could be harder than you think. For that matter, other legal analysts said, it's not clear why Internet providers would comply with consumer requests for data on the politicians that helped ease industry regulations in the first place.
A spokesman for the cable industry said that many Internet providers have committed to a voluntary set of privacy principles that already limit the industry's ability to share or sell the data of individuals.
"ISPs haven’t done this to date and don’t plan to because they respect the privacy of their customers," said Brian Dietz, a spokesman for NCTA — The Internet & Television Association. "Regardless of the legal status of the FCC’s broadband privacy rules, we remain committed to protecting our customers’ privacy and safeguarding their information because we value their trust."
How can I protect myself now?
If you're looking for ways to enhance your privacy in an era of loosened regulation, security experts generally recommend several steps.
First, use a virtual private network, or VPN. For a little bit of money, the best VPNs can hide your true location so that it looks like you're surfing the Web as somebody else, and encrypt your Internet traffic so that nobody outside of the VPN can tell what you're looking at. Other tools, such as Tor, mask your identity by sending your Internet traffic bouncing through a whole bunch of other intermediary servers before arriving at its destination. Think of it as the online equivalent of losing a tail in a spy movie. These services are not cure-alls: They may cause your browsing speeds to drop, and some websites block VPNs altogether. That includes Netflix, which does this to defeat people who want to watch videos illegally. Finally, they don't thwart any snooping software that an Internet provider may have installed on your own device, logging your activity locally.
Second, make sure that the websites you use take advantage of HTTPS. You can think of HTTPS as a more secure version of the normal websites you visit; your overall experience won't change, and Internet providers will still be able to see that you're on a particular site, but they will see less about what you're doing there. Try forcing your browser to use the HTTPS version of a site if there is one. Chrome users, for example, can do this by installing this extension from the Electronic Frontier Foundation.
What does the legislation mean for the government's ability to spy on me?
The measure doesn't give the government any more powers to gather information on people than it already had, although with ISPs getting into the data-mining business, LeBlanc said, that's another place government officials could theoretically go to find information about people of interest.
“I don't see any prohibitions on government as a market actor bidding for your personal data,” he said. LeBlanc added that even foreign governments could conceivably buy data from ISPs to find out about people they're interested in.
There is some precedent for this. In fact, in 2013 the New York Times reported that the CIA had paid AT&T for records relating to its customers' phone calls.
But gathering information this way may be less efficient than certain tried-and-true methods, Calabrese said.
“If the FBI wants information from AT&T, they're going to get it the way they always have,” he said, “which is to send them a subpoena or a warrant.”
That's not to say law enforcement officials don't or won't find consumers' Internet data useful. What's likely to happen, Calabrese added, is that the new information ISPs collect on their users may find their way into databases that government officials are already mining. And that's how the government could indirectly gain even more information about you.