Most outlets are not getting this story right. They don't understand the technical details behind what can be tracked, sold, or how your ISP (Internet Service Provider) can advertise to you.
Actually, nothing. The Obama-era rule did not go into effect, but ISPs may have stopped efforts to sell this data due to the new FCC regulation. I would like to think ISPs are nervous about making their customers angry, and realize they could face backlash if they sell your data. That means that all of this is already true, yet you don't get this type of advertising right now (as far as you know).
Note that this also applies to your mobile data carrier anytime you use the Internet on your smartphone (not over wifi, though whatever wifi network you are connected to cannot be trusted either). However, mobile carriers may be subject to different (older) regulations since they are a "telephone" company. I am a computer nerd, not a telecommunications lawyer.
Your ISP can track the following information about you:
- IP addresses of anything you connect to (sites you visit, etc), as well as length of those connections. Though IP addresses are not too useful on their own, they can easily infer which sites and services you are using in many cases.
- The domain name, like "www.facebook.com", of all sites you visit and any services your devices talk to.[1]
- Everything when you visit something or use a service which is not secure - e.g.
http://and nothttps://. Always use https if it is available. Plugins exist to automatically use https on site that offer it, like HTTPS Everywhere for Google Chrome.
That said, this is a lot of information and a lot of processing just to gain relatively small amounts of information about you. Your ISP probably has enough trouble just keeping the Internet running and may not want to spy on every piece of information that you consume. They do not have the resources like the NSA to monitor Internet traffic. This data is also quite "vague" - they can't tell which device it is coming from (i.e. who in your house is requesting the content), and whether the information you're requesting is intentional (or something you clicked accidentally, advertising you are being forced to consume, a virus you do not know about, etc).
That doesn't mean they won't try anyway. Some sources of information are easier to collect than others, so they may sell information based solely on those sources.
Your ISP cannot modify content that is secure (https), but they can modify insecure content (http). This makes it hard for them to sell you advertising directly. Since they know who you are, though, they could:
- sell your address as well, then send you targeted snail mail advertising
- send you email to your ISP email (your @comcast.net address) with targeted advertising
- modify or sell advertising on their own services, like via Comcast's TV / set-top box, and online streaming services
- modify insecure content, like inject or modify advertising
- something else clever I didn't think of
You can still call or write the President to veto this bill (though this is unlikely). You can also contact your representatives in the House and Senate and hold them accountable for their "Yes" vote.
If you are worried about your privacy, review your ISP's privacy policy. Call (or write a letter to) your ISP to tell them you do not support selling of your information and want to opt-out (if they let you) of any such tracking. Tell them you will switch providers if they choose to do this in the future and you cannot opt out.
If you are still worried about your privacy, the recommendations you may have read about online are good - VPN or Tor will help. I find this to be an unreasonable requirement for most people, though, and believe technology should try to solve this problem without requiring VPN. ISPs can still be held accountable by consumers, even if Congress believes this should be a "free market" issue.
If you have any questions, I am happy to answer them (but I cannot fix your computer).
Love,
JD
[1]: Technical details: ISPs can sniff DNS packets since DNS is not secure, and they often run DNS services that is then the default for routers (DHCP). Even without DNS (e.g. if you were to set up DNSCrypt), SNI leaks the hostname when you connect to secure services.