If you’ve ever visited a site you’d rather not broadcast, you might have wondered if your internet provider can view your browsing history.
…And if you’ve ever received a legal notice related to your torrenting habits, you know that they can.
While California does have strong consumer privacy protection laws in place, these policies alone aren’t enough to keep customer behavior data completely shielded from internet providers.
But what exactly can they see, and what rights do you have as a consumer in regards to their use of that information?
In the article below, I’ll cover the steps you can take to prevent ISP interference, and how to use California’s strong data protection rules to your advantage.
What Kind Of Data Can An ISP In California See When I Browse?
It might be worth acknowledging that ISPs are not all-seeing and all-knowing when it comes to your data. They are the equivalent of the internet’s mail service. So, they can see:
- Which websites you have visited (say msn.com or yahoo.com)
- The overall length of the URL that you visited (that is how many characters are in the URL in total)
- The weight of the HTML on the page that you visit (measured in kilobits – e.g. 217 kb)
- The other resources required by the page (as a number – so, if the page loads 7 images, 3 adverts, 1 stylesheet – that’s 11 resources)
- When the data was sent and when the connection was initiated between you and the site
So, that means they can’t, for example, instantly tell which pages on a website you’ve visited. It might be possible from the information that they do collect to calculate which pages you’ve visited (though the bigger the website that you visit, the less likely this is to be true).
The exception: unencrypted HTTP websites
The big exception is unencrypted websites. If the website you are visiting does not have an “https” lock before the domain (look for a lock icon in Chrome and most other browsers), it means it is not secure.
Websites that have “http” rather than “https” in the domain are not encrypted, and in theory the internet provider (and other third parties) can see exactly what pages on the site you’ve requested.
Can I Stop An ISP From Collecting This Data?
Yes, you can. The easiest way to do this is to install a Virtual Private Network (VPN) service. With a VPN the majority of data transactions are handled on the virtual private network and thus remain invisible to the ISP. What the ISP gets is the data about connecting to the VPN only — so they can see that you use a VPN, but not what websites you visit using the VPN. All other metadata about your traffic is hidden by the VPN “tunnel.”
However, while this can stop the ISP from collecting your information, it won’t stop the VPN provider from collecting your browsing data. In fact, many cheap or free VPN services exist to collect and sell this data; it’s how they subsidize the cost of running the service to the end user. So, only use a VPN service with a good reputation, and keep in mind that VPN providers as a whole are actually more likely to be selling your data than the ISP.
So, if you intend to go this route – it’s best to read the small print of your VPN contract before you sign up.
You will also find that using HTTPS rather than HTTP websites reduces the amount of data that an ISP can store. This is because the transactions are encrypted on HTTPS websites and the ISP doesn’t have access to the data keys that would decrypt this data.
It doesn’t prevent the ISP from knowing which sites you visited (unlike a VPN which does) but it does ensure that they have no access to any private data that you share with that site such as logins or passwords.
Fortunately, you don’t have to work very hard to use HTTPS nowadays as almost all websites use it and most browsers refuse to connect to less secure sites unless you force them to do so.
Finally, there are also privacy encryption tools that you can buy and implement to make it more difficult for your data to be used and/or collected. However, many of these tools are quite complicated to use and require a level of technical skill to implement that many of us simply don’t have.
What Are My Rights Regarding This Data Collection?
In California, there are specific legal protections for data collected on private citizens by commercial organizations. The California Consumer Privacy Act of 2018 passed unanimously through state legislature and it was enacted by Governor Jerry Brown. 1
This bill gives residents of California the right to:
- Know what personal information/data is being collected about you.
- Know whether this data is being sold and if so, whom it is being sold to.
- To be able to access your data and see what is on file.
- To be able to delete the data that was collected from you.
- To be able to opt out (or in) of the sale of your data to any other party.
- To get equal service and pricing (though this is an age-based policy).
This bill came into force on January 1st, 2020 and if businesses don’t comply, they can be fined up to $7,500 for every violation that they commit.
While CCPA has primarily impacted website owners, who are at the “front lines” of buying and selling consumer data, it applies to broadband providers like Spectrum, AT&T, etc., as well.
Personal information under this bill is considered to be anything that can be associated with or directly linked to an individual or a household (either directly or indirectly). It specifically includes your internet browsing and search history.
You can ask your ISP to provide this data a maximum of twice a year and they cannot charge you to provide it. Once you have this data, you may ask them to delete all or any part of it. There is also a provision to ensure that your ISP cannot discriminate against you because you decided to exercise your rights under this law.
That means the most data your ISP can hold on you at any given period is the last 6 months of browsing history because you can require its deletion every 6 months.
Keep in mind you have to take action to make this happen. None of the protections described above are automated processes.
Should I Be Concerned Over Any Adult Browsing I Do?
Your ISP can’t tell which exact page of a website you have visited. They can, however, collect data on the websites that you visit in general.
So, you can assume your provider will have a record of any adult websites that you have been to unless you are using a VPN service.
For this reason, if you are concerned about keeping your adult browsing completely secret – it’s always best to use a VPN and to ensure that the VPN provider you use is not keeping records of your browsing.
However, assuming that your adult browsing is legal, you shouldn’t be overly concerned if you do connect via your ISP – ISPs are not in the blackmail industry and while you might not be thrilled to learn who they sell your data to, there is no historical record of a Californian being blackmailed, extorted or embarrassed by their ISPs retention of their adult website use.
What About Torrenting?
Yes, your ISP will collect data if you torrent and may be able to demonstrate when you logged in, etc. to an individual torrent.
It is worth remembering that torrenting itself is not a crime. There are many legitimate uses for distributed file networks. However, downloading copyrighted material without a license to do so may be a crime.
That means that if a lawyer representing a copyright holder can demonstrate that you have been downloading such material, they can force your ISP to release the data that they have to confirm the suspected issue.
However, while there are many ethical legal practitioners out there, there are many not-so-ethical ones who will issue a “cease and desist” letter without enough proof.
In either case, you are likely to receive a cease and desist letter via your ISP – they will provide you two dates. The first tells you how much time you have to contest the subpoena for your information. The second tells you when they will release the information required by the court.
Has anyone faced legal action due to their ISP sharing their private data?
It’s rare, but it does happen. In practice, it’s difficult for an ISP to prove that a specific customer did or didn’t purposefully download copyrighted material on their network. There have been cases that went to court, or where default judgements were made against consumers.
This has happened in California before, like this case in which a judge awarded $20,000 default judgments over a file sharing allegation.
Summary: CCPA is a benefit, but only if you use it
In summary, the legal requirements around consumer privacy in the US are still relaxed compared to those in Europe.
Whether or not you agree with the regulatory stance, be aware that internet providers — and most services you use online — are logging metadata about your activity online.
While it’s likely not being used or sold in any malicious way, you are within your right to file data deletion requests and access the data to see for yourself, as well as have it deleted permanently.