A new study from the Federal Trade Commission (FTC) indicates that many United States internet providers are collecting intimate personal data about their customers, and that customers are largely unaware of the scope and uninformed about their options for limiting this data collection.
The FTC says that the six internet providers that make up 98% of the US market are peeking in on customer’s online activity, and sometimes engaging in worrying data practices: sharing information with third parties without customer knowledge or consent, logging real-time location data, and creating targeted advertising profiles among other issues.
FTC finds internet providers playing fast and loose with customer data
These data collection practices are the sort of thing that have put internet service platforms like Google and Facebook in the crosshairs of international regulators. While there is now broad awareness of (and strong sentiment against) these surreptitious profiling techniques, many consumers are unaware that their internet providers are tapping directly into mobile connections to do many of the same things.
Entitled “A Look at What ISPs Know About You,” the FTC report examines the data collection practices of the six largest internet providers in the country: AT&T, Charter, Comcast, Verizon, T-Mobile and Google Fiber. As the report points out, these ISPs have the most direct possible line to customer internet activity. But for some reason, perhaps an assumption that paying a monthly subscription fee for the service negates the need to monetize their traffic, consumers lack awareness about how these internet providers are using and selling their data in the same manner that social media and e-commerce platforms are known to.
The report finds that internet providers are sometimes also actively hiding and obfuscating this data collection. Some have outright said they will not transfer data to third parties, yet have done it anyway.
The lack of a federal data protection law is certainly a factor in this behavior, but the FTC report also highlights a very rapid period of mergers and acquisitions unfolding over the past decade. The formation of giant media conglomerates, the result of moves such as Comcast acquiring NBC and Verizon acquiring AOL and Yahoo, has enabled the creation of very detailed consumer profiles in a short amount of time.
Unfortunately, the FTC report does not specify exactly which internet providers are engaging in each questionable data collection practice. It instead gives general numbers. For example, it says that “many” of the ISPs target consumers with ads using sensitive personal information of the sort that is subject to special regulations and limitations in other countries: categories such as sexual orientation, religion, political affiliation and race/ethnicity.
“A significant number” are also sharing real time location data with third parties. “At least three” of them combine multiple consumer data streams (such as personal and browsing information) for targeted advertising, and “some” collect information that is not necessary for the provision of internet services (such as app usage data).
Some appear to be intentionally deceptive and opaque in their data collection policies and promises to customers. “Several” of the internet providers publicly pledge to not sell customer data to third parties, but do transfer it to their parent companies and affiliates or monetize it in other ways that don’t involve a direct sale. “Many” provide consumers with only limited access to information about their stored personal data, or present it in a confusing way. “Several” also use the contractual loophole of “business reasons” to store personal data indefinitely; they pledge to delete it after a certain period of time, but can invoke vague “business reasons” to hold onto it beyond that.
Data collection extends beyond reasonable limits
Even when internet providers truly limit their transfer of personal data to third parties, they sometimes take in more of this type of data from the same sorts of third-party data brokers that they might sell it to. The report notes that these telecoms now have very extensive user profiles based on combining data collection from their various first-party services with active pursuit of third-party information.
The report does find that consumers have at least some expectation that internet providers are logging the sites they visit; after all, this information is sometimes requested in both criminal and civil cases. However, they said several ISPs take their data collection far beyond what the average person expects in this area; contents of emails and search queries, television viewing histories, and more.
While ISPs have far greater access to a breadth of sensitive personal information than any other source, there are limits to what they can view. For example, if webpages are encrypted (with an “https” URL), ISPs can generally only see that the user visited that domain and not what specific pages they looked at or searches they entered. The study also found that only two of the ISPs are persistently tracking users across multiple devices and browsers with an internal identifier. VPNs can shake off much of an ISP’s ability to snoop on customers, but come with an added cost and potential safety issues of their own.