FTC Report Reveals ISP Data Privacy Failures
The Federal Trade Commission (FTC) recently issued a report on the privacy practices of internet service providers (ISPs). The report is based on material provided by the United States’ six largest ISPs – AT&T, Verizon Wireless, Charter Communications Operating, Xfinity, T-Mobile, and Google Fiber. These ISPs comprise approximately 99 percent of the mobile internet market. The report found that ISPs use their massive caches of data for intrusive and unnecessary purposes that have the potential to cause harm to consumers.
Legal Background
The trends of consolidation and vertical integration in the telecommunications industry have expedited the ability of ISPs to amass large volumes of data, while historical legal frameworks have failed to address the privacy violations we see today.
ISPs offer numerous services to consumers besides internet access. Historically, these different services have been treated differently under various regulatory frameworks. The Communications Act of 1934, as amended by the Telecommunications Act of 1996, distinguishes between “information services” and “telecommunications services.” When providing telecommunications services, the entity is treated as a common carrier and is subject to Title II of the Communications Act. “Section 222 imposes a duty on telecommunications service providers to protect the confidentiality of their customers’ ‘proprietary information,’ and places restrictions on the use and sharing of customer proprietary network information (CPNI) without customer approval.”
However, the FTC has no jurisdiction when an entity is engaging in common carrier activities. In 2014, the FTC filed an action against AT&T, alleging the company misled customers with promises of unlimited data. AT&T challenged the action, arguing that its mobile data service was exempt from FTC jurisdiction as a common carrier. In Federal Trade Commission v. AT&T Mobility LLC, the Ninth Circuit ruled “that the FTC may regulate common carriers’ non-common-carriage activities.”
Internet and data services are not common carrier activities, and therefore the FTC has the authority to oversee the internet privacy practices of ISPs. The most common enforcement mechanism used is Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices (UDAP). An act or practice is considered unfair where it causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and is not outweighed by countervailing benefits. The FTC considers deception to be a material misrepresentation or omission that is likely to mislead consumers acting reasonably.
Operational Context
To understand the privacy practices of ISPs, it is necessary to understand their core business practices. ISPs provide core services to consumers like home internet, voice, and television. When a new customer registers with an internet service provider, the provider must collect personal information to provide the service and bill the customer. In addition to collecting information affirmatively provided by customers, the study found that several ISPs “collect information passively about their customers as they browse and engage with apps online.” However, much of the information collected – device specifications, service usage information, browsing information, and location data – is necessary to provide services and deliver customer support, and can even be used for fraud detection.
The report notes, “there is a trend in the ISP industry to include contractual provisions which limit the use of such information solely for the purpose of providing the service. Many ISPs in our study further prohibit these vendors from using such information for other purposes or further disclosing the information they receive to other parties.”
In providing their core services, ISPs appear to limit the use of collected information for the benefit of their customers. But in addition to internet services, many ISPs – either directly or through parents or affiliates – offer other products and services through which they can collect additional personal information.
If an ISP also provides streaming services, it may collect data on what the customer is watching, including granular detail such as viewing start and stop times. Companies in the home security and automation space can collect information such as lighting type, energy usage, and even temperature readings. “ISPs have the capability to combine personal information gained from their status as ISPs with personal information gained from their – or their parents’ or affiliates’ status – as email providers, search engines, e-commerce marketplaces, and distributors of connected products.” Combining information gathered across different services allows ISPs to create profiles of their customers for advertising purposes.
The report found that some ISPs, to enhance their advertising abilities, collect data that is not necessary to provide ISP services. Others retain the data that they need to perform ISP functions longer than necessary, so that they can repurpose it for advertising. In fact, two of the ISPs in the study “stated that they use web-browsing information to target ads to consumers, and another reserves the right to use such information for advertising purposes.” ISPs also buy consumer information from third-party data brokers, which they use to market their products.
To attract new customers, ISPs may buy a list of new homeowners in a certain area from a data broker. “A sizable number of the ISPs in our study also buy data from data brokers about their existing customers.” For instance, an ISP would have the name and address of a subscriber. It can then request demographic and interest data about that subscriber from data brokers and use it to target advertisements for specific products. “Targeted advertising can also lead to pernicious bias, resulting in large segments of the population being stereotyped and denied access to key opportunities based on protected characteristics.”
While consumers can block tracking data on traditional ad networks, “consumers cannot use these tools to stop tracking by these ISPs, which use ‘supercookie’ technology to persistently track users.” This, combined with the fact that ISPs have access to each website that a consumer visits, gives ISPs the ability to target consumers on a granular basis.
Privacy Practices
The FTC found stunning opacity in the privacy practices of ISPs. It reports that while many promise consumers that they “will not sell your personal information,” three of the ISPs in the study “reserved the right to share their subscribers’ personal information with their parents and affiliates, which seems to undercut the promises not to sell personal information.” ISPs also obscure the ways in which consumer data can be transferred to third parties and used for targeted advertising by burying them deep in the legalese of privacy policies.
The FTC also notes that ISPs offer consumers illusory choices with respect to data usage. They do this by creating interfaces that can be confusing for consumers. For example, the FTC found that the CCPA requirement that companies include a “Do Not Sell” button allowed ISPs to obfuscate consumer choices. One of the ISPs in the study stated that since it doesn’t sell consumers’ personal information, it doesn’t offer an opt-out. Yet other ISPs that claim not to sell personal information do include a “Do Not Sell” button. ISPs can also make it cumbersome for consumers to exercise their privacy rights. One ISP spread different privacy choices across multiple tabs, with one that “required consumers to make as many as nine selections to fully protect the privacy of their personal information.” At least two required consumers to manually enter each phone number, email, address, and device they wished to opt out.
While several of the ISPs have data retention schedules and claim to keep the information only for as long as needed for a business reason, an ISP “has the ability to define (or leave undefined) what constitutes a business reason, giving them virtually unfettered discretion.” This leads to huge discrepancies and inconsistencies. The report found one ISP deleted logs of the websites consumers visited every 24 hours, while another kept the same logs for 35 days, and a third ISP kept the logs for a year.
Implications
Vertical integration allows ISPs to track information gathered across their services and combine that with additional information from third-party data brokers to amass a collection of highly granular data about subscribers and their households, which they use to segment and micro-target consumers with advertisements. ISPs purport to offer consumers choices, but these are often unclear or even fall into the category of “dark patterns.” While ISPs are relatively small players in the global digital advertising industry, they have unique access to customer information. The report found that many of the ISPs “have access to 100% of consumers’ unencrypted internet traffic.” ISPs can track their customers across devices and services at nearly all times. The report concludes that “their uses of such data could lead to significant harms, particularly when consumers are classified by demographic characteristics.”