FTC Staff Report Finds Many U.S. ISPs Collect and Share a Wealth of Customer Usage Data ftc.gov

From the U.S. Federal Trade Commission

Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect — including access to all of their Internet traffic and real-time location data — while failing to offer consumers meaningful choices about how this data can be used, according to an FTC staff report on ISPs’ data collection and use practices.

This report is alarming, yet painfully obvious to anyone who has been paying attention to the behaviour of American internet providers. Because they are conglomerates operating in many markets, they have a uniquely comprehensive view of Americans’ lives, which they pitch as an advantage in the miserable world of targeted advertising. And it is a mutually beneficial market.

From the report (PDF):

Second, there is a trend in the ISP industry to buy consumer information from third party data brokers, which many ISPs in our study use for advertising purposes. One reported using data from data brokers to market their own products to new customers only. For example, they might get lists of new homeowners in a particular geographic area. A sizable number of the ISPs in our study also buy data from data brokers about their existing customers. For example, an ISP might send the data broker subscriber names and addresses, which the data broker would then append with demographic information (e.g., gender, age range, race and ethnicity information, marital status, parental status) and interest data (e.g., hiking, biking, gardening, bodybuilding, high-end spirits) for those subscribers. Or, for those ISPs that do not want to share their customers’ names and contact information with third-party data brokers, the ISP might send persistent identifiers (e.g., cookies, advertising identifiers, or hashed or encrypted account numbers or telephone numbers) associated with their subscribers to third party “matching services.” These matching services then sync these identifiers with similar identifiers they receive from other sources and provide the list of identifiers to the ISP. Once the ISP has the synced list of identifiers, the ISP can then check with data brokers to request demographic and interest data 94 associated with all of those identifiers, without sharing consumers’ name and contact information.

The data brokerage industry is vile. For comparison, here in Canada, internet providers are prohibited from using subscriber information for auxiliary business purposes without express permission. Bell, one of the big telecom providers in Canada, runs a “tailored marketing program” that requires subscribers to opt into receiving ads based on their Bell-provided services. I still think it is gross, but at least it is off by default and requires explicit permission.

Because it is opt-in, I bet this business is tiny. I asked Bell for more information about it, including the number of subscribers, and have not heard back. But I imagine very few people agree to allow the use of their web activity and television habits to serve them ads, probably because most people do not think the privacy tradeoffs are worth it. iOS’ App Tracking Transparency feature has similarly low opt-in rates. Even though many apps do not respect it, this indicates that most people do not want their activities recorded for the milquetoast reason of making ads a little bit more relevant.

U.S. service providers should respect those kinds of wishes. Unfortunately, while mainstream attention has finally turned to the egregious privacy practices of companies like Facebook and Google, ISPs have not been treated with similar scrutiny. This is as true for the press as it is for regulators. The CEOs from tech companies have spent hours over the past few years testifying before Congress about their privacy practices, but telecom CEOs have not been asked to do the same. Reports about lobbying have highlighted how much money is being spent by technology companies, without acknowledging similarly huge spending by telecoms.

I know this is not a new observation, but: these egregious violations of user privacy will not change without regulation, but rules protecting consumers’ personal data are unlikely to materialize when lawmakers are earning so much from the businesses they are supposed to regulate.