You may not know it, but there’s a good chance that your Internet Service Provider (ISP) routinely sells your data to boost its profits.
Since Congress voted to roll back FCC protections against the practice, US ISPs now have the opportunity to record, store and sell data that passes through their servers.
That might sound abstract at first, but think about the implications of your ISP selling information. ISPs are recording everything you do online – the sites you visit, the brands you like, how long you spend on media sites – and converting that into cold hard cash.
Should you care about your ISP selling information?
On the face of it, you might shrug your shoulders and accept ISPs selling data as one of the costs of having low-cost internet access. But there are actually some serious privacy issues in play when you let an ISP sell your internet history, and they should alarm anyone with an interest in digital rights.
For starters, most people are unaware of exactly how much information they give away during everyday internet usage. But think about what ISPs and advertisers can learn about you from the sites you visit frequently. When browsing history information is sold, third parties can find out about your personal health, your sexuality, your romantic life, friendship networks, and professional connections. In the wrong hands, that kind of information can be used for all kinds of nefarious activities, from extortion to identity theft.
Then there’s the business case. You might argue that because your data is created by your browsing history, it belongs to you. When ISPs harvest and sell it without your knowledge, they are effectively stealing from customers for their own gain. So, the argument goes, why not give ordinary web users a cut from the digital windfall?
Finally, if governments can access personal data from ISPs, they can use this to increase their powers beyond their current scope. For instance, it could lead to an overly strict interpretation of restrictions on pornography or torrenting, while police departments might buy up data on purchasers of drones or knives.
What is the legal situation with your ISP selling browsing history?
Laws governing ISP selling data vary across the world, and there are significant differences even among the major democracies. Here’s a quick snapshot from some important jurisdictions.
- USA – In 2016, the FCC mandated that ISPs would have to obtain consent for data harvesting, but officials from the Trump administration virtually rescinded these regulations in 2017, before Congress rejected them, and Trump signed his ISP Privacy Bill into law in April 2017. This made harvesting data totally legal (or, more accurately, prevented regulations that would stop data selling). So US users have very few protections unless they use a VPN.
- UK – The situation is different in the UK, where citizens can now ask ISPs to remove personal data under a version of the “right to be forgotten”. However, at the same time, the Investigatory Powers Act 2016 forced ISPs to retain certain information for security reasons. It looks like “best practice” guidelines discourage selling this data, but the UK’s protections are far weaker than the EU’s.
- European Union – The EU introduced the landmark General Data Protection Regulation in 2017, which makes it very difficult for ISPs to capitalize on users’ data. Everything they do regarding data now has to be subject to informed consent, with huge fines for breaching the regulations.
- China – Chinese data laws aren’t as transparent as those of the USA or Europe, but we do know that there have been many cases of data reaching the open market – such as insurers accessing detailed knowledge of when car insurance policies are up for renewal. China’s digital environment is like a Wild West for data at the moment, making VPN use highly advisable.
Nobody is safe from the data market
The thing is, wherever there are internet users, there is data. And where there is data, there will be customers keen to analyze and monetize it to serve their interests. And given the connected nature of the global web, even European users can’t be sure their data is secure.
Recent events have shown that selling data is rife among major digital corporations. Perhaps the most famous instance was Facebook, where users found ways to harvest personal data via surveys, games and promotions; that data was sold to companies like Cambridge Analytica for political purposes.
But Facebook is far from alone. The same actors worked with Twitter to harvest data, while there have been cases of major American ISPs selling data, too. AT&T, Verizon, Sprint and T-Mobile have all admitted selling location data of mobile users, allowing users to be located in seconds. So it’s a growing practice. But it’s also one that users can do something about.
How VPNs can be the solution to ISPs selling browsing history data
If you’re worried about ISPs selling data, using a Virtual Private Network may well be the only viable solution. Thankfully, it’s a remedy that almost anyone can implement for very little cost.
VPNs work by encrypting data as soon as it leaves your computer, then re-routing it through servers which could be thousands of miles away. This makes users almost totally anonymous and renders their data almost useless. You can read more in this guide.
High-quality VPNs like NordVPN, ExpressVPN, TunnelBear and CyberGhost create a wall that ISPs selling data can’t penetrate, so in that sense it doesn’t matter what the ISP privacy bill allows.
However, a word of caution: some unscrupulous VPNs keep logs and monetize data just like an ISP selling internet history. So always choose VPNs which don’t keep logs and haven’t been flagged as data-sellers.