Say goodbye to enhanced data privacy, US web surfers

We often worry about how online services like Facebook and their advertising partners track our every move, but let’s not forget the information that internet service providers collect.

These organizations get to see what you access online, when you access it, where from, and what device you’re using, among many other things. It’s a treasure trove of user data. Last week, the US government stopped a ruling designed to give users control over it, the day before it came into force.

US ISPs have historically been able to sell this sensitive information to online brokers interested in knowing more about their customers. Those brokers could in turn use it for advertising and targeted marketing. In October, the FCC moved to regulate that with a contentious privacy rule that introduced a privacy framework for ISPs.

Under the rule, broadband providers couldn’t do anything with sensitive data unless the consumer gave them explicit permission first, by opting in. Sensitive data includes things like geographic location, app usage history and communications content (including, for example, your web browsing history).

The rule let ISPs do what they wanted with non-sensitive user data, but users could still stop them by opting out and telling them not to. It also called on ISPs to take reasonable security measures to protect customer data.

Broadband service providers were against the rule, and in late January telco and online advertising lobbyists called on Congress to hold off on it under the Congressional Review Act.

A major irritation for them is the switch in regulator that happened two years ago. Back then, the FCC reclassified ISPs as telecommunications services (telcos) under Title II of the Telecommunications Act, a move that also enabled the agency to preserve net neutrality.

Before that, the Federal Trade Commission regulated ISPs. The FTC’s approach to privacy regulation focuses mainly on private settlements. “Edge” internet services such as Facebook and other social media networks fall under this purview. The telcos prefer the FTC’s regulation to the FCC’s approach, and lobbyists asked for the same treatment.

If you read the ISPs’ own privacy principles, though, which the National Cable and Television Association reaffirmed as it was asking Congress to stay the rule, it looks like the FTC offers a similar kind of regulation. From those principles:

ISPs will continue to: (i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC; (ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.

If the FTC also wants opt-in consent for data, then what’s the big deal? The issue revolves around what constitutes sensitive data. The FCC casts a wide net when classifying data as sensitive, including all of a customer’s web browsing data. The FTC has a tighter focus. Only certain web sites in areas such as health would be considered sensitive. For more on this, here’s a Federalist Society podcast where people from both sides of the debate weigh in.

ISPs wanting the same kind of regulation as edge service providers needn’t worry because Republican FCC chair Ajit Pai just came to their rescue. The Trump appointee was against the privacy rule when working as an FCC commissioner. He has been busy reversing the work of his Democrat predecessor Tom Wheeler, calling instead for “light-touch” regulation that would allow businesses to innovate.

The FCC’s privacy rule is his latest unpicked stitch. He called an FCC vote on staying the rule, and the vote passed on March 1.

This rule has been contentious from the beginning, with the FCC’s commissioners and chair tending to vote along party lines. Now that Pai has the tiller, it’s unlikely that the standoff will be resolved any time soon. So what does this mean for broadband customer privacy in the US?

There doesn’t seem to be much in the way of consent options for users when dealing with ISPs in the US for the time being. US users could always try paying for privacy, though. Comcast has floated the idea with the FCC in the past, asking it to “allow business models offering discounts or other value to consumers in exchange for allowing ISPs to use their data”. AT&T’s GigaPower broadband plan already implemented this in the past.

In the US, it seems that everything really is for sale. If you’re not interested in playing that game, then there’s always Tor, we suppose.