Recon By Fire in Technology and Business

Business Impact of the Broadband S.J.Res.34.

On March 28th, 2017, Congress passed S.J.Res.34. In case you are not familiar with this piece of legislation, let me fill you in. Back in October 2016 the FCC released rules designed to protect the privacy of customers using broadband and other telecommunication services. This rule basically said that your Internet service provider must implement reasonable security controls in order to keep its customers' data secure. Additionally, it required the ISPs to give you the opportunity to opt out of them selling your data to third parties. It also set notification rules that the ISPs would have to follow if they suffered a breach and your data had been compromised. Those rules were to go into place starting this year. In March 2017 the FCC, under tremendous pressure from Internet Service Providers, decided that the rules were too cumbersome and that the FCC somehow no longer had the authority to implement such rules.

Now that you’ve been brought up to speed, let’s look at S.J.Res.34, which Congress just passed. This bill, if signed into law (the White House has assured us that it will be), would basically reinforce the FCC’s determination from March and free the ISPs from any requirements having to do with the security, sale, or breach notification pertaining to any of your private data. From the ISPs’ perspective they are no longer required to secure your data, they can sell it to whomever they want, and they’re not required to notify you should your data be compromised in a security breach resulting from the fact that they are no longer securing your data.

So what data are we talking about? Well, your name, address, phone number, IP address, email, any financial information, your geolocation, health information, your child’s information, Social Security numbers, your web browsing history, your application usage history, and the contents of any communications that traverse the Internet (like voice over IP).

That’s a lot of stuff, and we could go line by line and talk about the bad things that could transpire if each one of these items is compromised. But I would like to focus here not so much on the personal aspects of this bill (there has been a lot of privacy uproar already); I would like to focus on the negative effects that this bill will have on business and our economy. It’s pretty clear that your unprotected data may result in your identity being stolen. It’s also pretty clear that some of this information could be used to embarrass you personally should some of your browsing history become public.

What people are not generally talking about is the chilling effect that this may have on business. Let’s face it, we all live in a very connected world, and as business owners and stakeholders we have come to rely on our Internet service providers to keep some things private, for example your company’s browsing history. Imagine all of the information that I could derive from just the browsing history of one of my competitors. I may be able to figure out expansion plans based on employee traffic to travel sites. Compound that information with the fact that I will be able to purchase the geolocation of those employees should they have Internet access on things such as, oh, I don’t know, their cell phone? And what hacker would not want to know about your application usage?

That brings me to another point. Let’s say you’re in the executive security industry. How hard is it going to be to keep the location of key executives on the down low when someone with ill intentions will be able to buy that geolocation information along with other Internet data about that executive?

I could literally come up with volumes of threat scenarios that are going to be unleashed here, but here’s the biggest point that I’m trying to make today: remember the chilling effect that the NSA surveillance program had on American business? Now imagine that the NSA no longer has to covertly spy on anyone; they can just buy that data directly from the ISPs (and that may have been one of the goals here). In fact, anyone can now buy that data from your ISP: friends, foes, hackers, competitors, government agencies, and, lest we forget, foreign state actors, and your ISPs are not required to tell you or your company that any of this is going on. So the next time your company “privately” approaches that other company with an offer to acquire them and another offer comes flying in out of the blue, or your new client gets a call from your competitor immediately after you meet with them, you will have yet another avenue to explore when trying to figure out how the cat got out of the bag.


Your Personal and Business Data Remains at Risk after FCC Misses on Security

In yet another installment of the Government talking a good game about information security but being an epic failure at actually implementing anything that might increase this country’s overall security posture and protect your personal and corporate privacy, the FCC indefinitely suspended the 2016 Privacy Order that it had adopted last October.

You might remember that the Privacy Order basically said that ISPs (Internet Service Providers) must implement reasonable security controls to protect the security and privacy of their customers (you, me, your company, the government). I want to be clear here. They were not asked to be responsible for securing your network. They were being asked to secure their own network and to put in protections so that data about you would be harder to compromise on their systems. Further, this order was to ensure that they kept your data, that is, information about you as a customer (billing information, browsing habits, etc.), private, and that they notified you if they were going to sell that data (terms of use) or if they had a security breach.

You may remember when the ISPs lobbied and succeeded in getting an exemption from HIPAA compliance. It is kind of like that. The arguments for staying the action appear to have been an impressive exercise in circular logic. Here are some examples:

The FCC does not have the authority to impose and force ISPs to put reasonable security measures in place.

But somehow the FCC did have the authority back in October when they made the rule.

The rule is unnecessary because ISPs follow the FTC rules.

But the FTC does not have the authority to make the ISPs follow those rules, and the ISPs do so voluntarily (in theory; there are no attestations required to verify this).

And yes, those appear to be the same rules that the EU said were not sufficient to allow the data of EU citizens to be transferred (remember Safe Harbor).

There is no evidence that having reasonable security controls would better protect the public interest.

This one is self-fulfilling: you see, the ISPs are not required to report breaches, so there is no way to measure whether a control would have stopped a breach that they never reported. If a tree falls in the woods... you get the idea.

No really, did they just say that?

It would be too cumbersome for smaller rural providers to comply.

A good number of these providers are owned by larger companies at this point.

Are we talking about all the rural providers that are subsidized by the FCC as part of their “Telecommunications Service in Rural America” initiative? 

The companies that petitioned to have this stayed provided no evidence of this; in fact, they apparently provided no data to support any of their assertions.

Okay, at this point you’re probably saying, “We get it, Alan, this appears to have been a shit show, but what does it really mean to me?” Let’s take a second here to walk through some threat-modeled examples of the potential impact.

Due to the lack of proper controls, an ISP insider is able to access and download the browsing history for your entire organization and then sells that information to a competitor, who is able to surmise from your traffic that you were planning to launch your product in South America and thereby beats you to that market.

An external attacker compromises the database containing your billing information, including your Social Security number (often required to set up an account), and uses that information to open fraudulent bank accounts, obtain loans, and destroy your credit.

Here is the short list that the ISPs are no longer required to protect:

Geo-location, financial information, health information, children's information, social security numbers, web browsing history, app usage history and the content of communications.

Not to worry though: Michael O’Rielly, the FCC Commissioner, is pleased with the decision and thinks that it should be addressed when Congress brings Net Neutrality back up.

So, there you have it in a nutshell. Sleep tight.