The FTC just released a report based on data received from major players in the mobile Internet market and A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers is an eye opener. According to the FTC, several Internet service providers collect and share far more personal data than their customers expect while failing to give customers meaningful choice about how that data can be used.
Under Section 6(b) of the FTC Act, the agency may require companies to file “reports or answers in writing to specific questions” about their business practices. In 2019 the orders went to six ISPs that make up about 98% of the mobile Internet market:
- AT&T Mobility,
- Cellco Partnership (Verizon Wireless),
- Charter Communications Operating,
- Comcast Cable Communications (Xfinity),
- T-Mobile US, and
- Google Fiber.
The FTC also sent 6(b) orders to three advertising companies affiliated with those ISPs: AT&T’s Appnexus (now Xandr), Verizon’s Verizon Online, and Oath Americas (now Verizon Media).
You’ll want to read the entire report for more about data collection and privacy practices, but here are just a few observations that merit closer consideration:
Many ISPs amass large pools of sensitive consumer data. Several ISPs and affiliates collect significant amounts of consumer information across a broad range of products. Add to that the fact that people are using so many other services that depend on their Internet access – for example, home security and automation, video streaming, content creation, advertising, email, search, wearables, and connected cars. The result is the collection of detailed data about individual subscribers. When combined with even more information from third party data brokers, those ISPs are able to draw highly specific insights and inferences not just about subscribers, but about their families and households, too.
Several ISPs in the study gather and use data in ways consumers don’t expect and could cause them harm. Consumers may expect ISPs to collect certain information about the sites they visit as part of the task of providing internet service, but it goes way beyond that. Many ISPs in the study also collect and combine other highly sensitive data – browsing information, TV viewing history, contents of email and search, data from connected devices, location information, and data about race and ethnicity, to name just a few categories. That raises the specter of how that information could be used for discriminatory or other harmful purposes.
Although many ISPs in the study purport to offer consumers choices, those choices are often illusory. Several ISPs in the study claim to offer choices about data collection, but how clearly do they explain that to their subscribers? And to what extent do those ISPs nudge people toward sharing more data?
Many ISPs in the study can be at least as privacy-intrusive as large advertising platforms. Despite ISPs’ relative size in a market dominated by Google, Facebook, and Amazon, the privacy implications of ISPs are amplified. Four reasons suggest why: 1) Many ISPs have access to 100% of consumers’ unencrypted internet traffic; 2) many ISPs can verify the identity of their subscribers; 3) several ISPs can track consumers across websites and geographic locations; and 4) a significant number of ISPs can combine subscribers’ browsing and viewing history with large amounts of other information they get from additional Internet-dependent products, services, and features they offer.