On Sunday, two days before the Tuesday vote in the House to kill the FCC’s browsing privacy rules, Peter Eckersley, the Chief Computer Scientist for the Electronic Frontier Foundation, and Jeremy Gillula, EFF’s Senior Staff Technologist, posted the following notes on the EFF’s Deeplinks Blog:
Five ways cybersecurity will suffer if Congress repeals the FCC privacy rules
Back in October of 2016, the Federal Communications Commission passed some pretty awesome rules that would bar your Internet provider from invading your privacy. The rules would keep Internet providers like Comcast and Time Warner Cable from doing things like selling your personal information to marketers, inserting undetectable tracking headers into your traffic, or recording your browsing history to build up a behavioral advertising profile on you—unless they got your permission first. The rules were a huge victory for U.S. Internet users who value their privacy.
But last Thursday [23 March], Republicans in the Senate voted to repeal those rules. If the House of Representatives votes the same way [which the House did, on 28 March] and the rules are repealed, it’s pretty obvious that the results for Americans’ privacy will be disastrous.
But what many people don’t realize is that Americans’ cybersecurity is also at risk. That’s because privacy and security are two sides of the same coin: privacy is about controlling who has access to information about you, and security is how you maintain that control. You usually can’t break one without breaking the other, and that’s especially true in this context. To show how, here are five ways repealing the FCC’s privacy rules will weaken Americans’ cybersecurity.
Risk #1: Snooping on traffic (and creating new targets for hackers)
In order for Internet providers to make money off your browsing history, they first have to collect that information—what sort of websites you’re browsing, metadata about whom you’re talking to, and maybe even what search terms you’re using. Internet providers will also need to store that information somewhere, in order to build up a targeted advertising profile of you. So where’s the cybersecurity risk?
The first risk is that Internet providers haven’t exactly been bastions of security when it comes to keeping information about their customers safe. Back in 2015, Comcast had to pay $33 million for unintentionally releasing information about customers who had paid Comcast to keep their phone numbers unlisted. “These customers ranged from domestic violence victims to law enforcement personnel,” many of whom had paid for their numbers to be unlisted to protect their safety. But Comcast screwed up, and their phone numbers were published anyway.
And that was just a mistake on Comcast’s part, with a simple piece of data like phone numbers. Imagine what could happen if hackers decided to target the treasure trove of personal information Internet providers start collecting. People’s personal browsing history and records of their location could easily become the target of foreign hackers who want to embarrass or blackmail politicians or celebrities. To make matters worse, FCC Chairman (and former Verizon lawyer) Ajit Pai recently halted the enforcement of a rule that would require Internet providers to “take reasonable measures to protect customer [personal information] from unauthorized use, disclosure, or access”—so Internet providers won’t be on the hook if their lax security exposes your data.
This would just be the fallout from passive data collection—where your Internet provider simply spies on your data as it goes by. An even scarier risk is that Internet providers want to be able to do much more than that.
Risk #2: Erasing encryption (and making it easier for hackers to spy on you)
Right now, your Internet provider can only spy on the portion of your traffic that isn’t encrypted—in other words, whenever you visit a site that starts with https (instead of just http), your Internet provider can’t see the contents of what you’re browsing. They can still see what domain you’re visiting, but they can’t see what specific page, or what’s on that page. That frustrates a lot of Internet providers, because they want to be able to build advertising profiles on the contents of your encrypted data as well.
In order to accomplish that, Internet providers have proposed a standard (called Explicit Trusted Proxies) that would allow them to intercept your data, remove the encryption, read the data (and maybe even modify it), and then encrypt it again and send it on its way. At first blush this doesn’t sound so bad. After all, the data is only decrypted within the Internet provider’s servers, so hackers listening in on the outside still wouldn’t be able to read it, right?
Unfortunately not. According to a recent alert by US–CERT, an organization dedicated to computer security within the Department of Homeland Security:
“Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM [Man-in-The-Middle] attack. Furthermore, certificate-chain verification errors are infrequently forwarded to the client, leading a client to believe that operations were performed as intended with the correct server.”
Translating from engineer-speak, that means many of the systems designed to decrypt and then re-encrypt data actually end up weakening the security of the encryption, which exposes users to increased risk of cyberattack. Simply put, if Internet providers think they can profit from looking at your encrypted data and start deploying these systems widely, we’ll no longer be able to trust the security of our web browsing—and that could end up exposing everything from your email to your banking information to hackers.
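The two failures in the US-CERT quote can be checked for in code. The following is an added example, not part of the EFF post or of any inspection product: it puts a proxy's upstream TLS settings with verification switched off beside the verified form, audits both, and shows a relay step that fails closed and reports the verification error to the client. The function names and the 502 response are assumptions made for illustration.

```python
import ssl

def weak_upstream_context():
    """The failure US-CERT describes: the proxy accepts any origin certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_upstream_context():
    """Chain and hostname verification against the system trust store."""
    return ssl.create_default_context()

def audit_upstream_context(ctx):
    """List the verification steps this context skips toward the origin server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("origin certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("origin hostname is not checked")
    return findings

def relay_decision(handshake):
    """Run the upstream handshake (a callable); on a verification error,
    stop and tell the client why instead of re-encrypting and forwarding."""
    try:
        handshake()
    except ssl.SSLCertVerificationError as exc:
        return (502, "upstream certificate rejected: %s" % exc)
    return (200, "relay")
```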
Risk #3: Inserting ads into your browsing (and opening holes in your browsing security)
One of the major threats to cybersecurity if the FCC’s privacy rules are repealed comes from Internet providers inserting ads into your web browsing. Here we’re talking about your Internet provider placing additional ads in the webpages you view (beyond the ones that already exist). Why is this dangerous? Because inserting new code into a webpage in an automated fashion could break the security of the existing code in that page. As security expert Dan Kaminsky put it, inserting ads could break “all sorts of stuff, in that you no longer know as a website developer precisely what code is running in browsers out there. You didn’t send it, but your customers received it.”
In other words, security features in sites and apps you use could be broken and hackers could take advantage of that—causing you to do anything from sending your username and password to them (while thinking it was going to the genuine website) to installing malware on your computer.
Risk #4: Zombie supercookies (allowing hackers to track you wherever you go)
Internet providers haven’t been content with just inserting ads into our traffic—they’ve also tried inserting unique tracking tags as well (the way Verizon did two years ago). For Internet providers, the motivation is to make you trackable, by inserting a unique ID number into every unencrypted connection your browser makes with a website. Then, a website that wants to know more about you (so they can decide what price to charge you for a product) can pay your Internet provider a little money and tell them what ID number they want to know about, and your Internet provider will share the desired info associated with that ID number.
At first you might be tempted to file this one away as purely a privacy problem. But this is a great example of how privacy and security really are two sides of the same coin. If your Internet provider is sending these tracking tags to every website you visit (as Verizon did originally), then every website you visit, and every third party embedded in websites you visit, can track you—even if you’ve deleted your browser’s cookies or enabled Incognito mode.
This means that more people will be able to track you as you surf the Web, you’ll see more creepy and disconcerting ads based on things you’ve done in the past, and many of the tools you might use to protect yourself won’t work because the tracking is being added after the data leaves your machine.
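Because the tag is added after the request leaves the device, it only becomes visible by comparing what the browser sent with what a server received. The following is an added example, not from the EFF post: it assumes you control an echo endpoint on several sites that reports the headers it received over plain HTTP, and it flags any header that appeared in transit with the same value on every site. The header names and sample exchanges are constructed.

```python
from collections import defaultdict

# Constructed sample: (site, headers the client sent, headers the echo server saw).
SAMPLE_EXCHANGES = [
    ("a.example", {"Host": "a.example", "User-Agent": "test/1.0"},
     {"Host": "a.example", "User-Agent": "test/1.0",
      "X-Example-Subscriber-Id": "Zm9vYmFyMTIz", "X-Request-Id": "r-1001"}),
    ("b.example", {"Host": "b.example", "User-Agent": "test/1.0"},
     {"Host": "b.example", "User-Agent": "test/1.0",
      "X-Example-Subscriber-Id": "Zm9vYmFyMTIz", "X-Request-Id": "r-2002"}),
    ("c.example", {"Host": "c.example", "User-Agent": "test/1.0"},
     {"Host": "c.example", "User-Agent": "test/1.0",
      "X-Example-Subscriber-Id": "Zm9vYmFyMTIz", "X-Request-Id": "r-3003"}),
]

def find_injected_identifiers(exchanges, min_requests=3):
    """Return {header name: sites} for headers that were added in transit and
    carried one constant value across several sites (a persistent identifier).
    Headers whose value changes per request, such as a request id added by the
    receiving server, are not reported."""
    seen = defaultdict(lambda: {"values": set(), "sites": set(), "count": 0})
    for site, sent, received in exchanges:
        sent_names = {name.lower() for name in sent}
        for name, value in received.items():
            key = name.lower()          # header names are case-insensitive
            if key in sent_names:
                continue                # the client sent it, so it was not injected
            record = seen[key]
            record["values"].add(value)
            record["sites"].add(site)
            record["count"] += 1
    return {
        name: sorted(record["sites"])
        for name, record in seen.items()
        if record["count"] >= min_requests
        and len(record["values"]) == 1
        and len(record["sites"]) > 1
    }
```

Repeating the same comparison over HTTPS should return nothing, since the page describes the tag as inserted into unencrypted connections.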
Risk #5: Spyware (which opens the door for malware)
The last risk comes from Internet providers pre-installing spyware on our devices—particularly on mobile phones, which most of us purchase directly from the company that provides our cell service, i.e. our Internet provider. In the past, Internet providers have installed spyware like Carrier IQ on phones, claiming it was only to “improve wireless network and service performance.” After a huge blowback, many Internet providers backed down on using Carrier IQ. But given that software like Carrier IQ could record what websites you visit and what search terms you enter, it would be pretty tempting for Internet providers to resurrect that spyware and use it for advertising purposes. So where’s the cybersecurity risk?
As we’ve explained before, part of the problem with Carrier IQ was that it could be configured to record sensitive information into your phone’s system logs. But some apps transmit those logs off of your phone as part of standard debugging procedures, assuming there’s nothing sensitive in them. As a result, “keystrokes, text message content and other very sensitive information [was] in fact being transmitted from some phones on which Carrier IQ is installed to third parties.” Depending on how that information was transmitted, eavesdroppers could also intercept it—meaning hackers might be able to see your username or password, without having to do any real hacking.
But the even bigger concern is that for spyware like Carrier IQ to function effectively, it has to have fairly low-level access to your phone’s systems—which is engineer-speak for saying it needs to be able to see and access all the parts of your phone’s operating system that would usually be secure. Thus, if hackers can find a vulnerability in the spyware, then they can use it as a sort of tunnel to get access to almost anything in your phone.
In the end, the cybersecurity implications of repealing the FCC’s privacy rules come from simple logic. If the privacy rules are repealed, Internet providers will resume and accelerate these dangerous practices with the aim of monetizing their customers’ browsing history and app usage. But in order to do that, Internet providers will need to record and store even more sensitive data on their customers, which will become a target for hackers. Internet providers will also be incentivized to break their customers’ security, so they can see all the valuable encrypted data their customers send. And when Internet providers break their customers’ security, you can be sure malicious hackers will be right on their heels.
The net result is simple: repealing the FCC’s privacy rules won’t just be a disaster for Americans’ privacy. It will be a disaster for America’s cybersecurity, too.