ISPs: Yes It Is Our Business What You Do Online

Your ISP Wants To Profit From What You Do Online

If you have been online at all recently, you've probably read something about the new online Privacy Rules that were supposed to go into effect later this year that would prevent your ISP from profiting off of your browsing history or private information. You might also be aware that those rules were repealed by Congress through a Congressional Review Act resolution. A CRA resolution basically repeals a rule enacted by a government agency and also prohibits the agency from enacting a similar rule.

There has been a huge public outcry against the repeal of the privacy rules. Several people and organizations have started funding campaigns to buy the browsing history of the politicians who were responsible for repealing the rules.

It's likely that the ISPs saw the writing on the wall, and in January of 2017 many of the bigger Internet Service Providers got together and created their own document called ISP Privacy Principles.

Here is part of it:

Consumer Choice

ISPs will continue to give broadband customers easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy framework. In particular, ISPs will continue to:

(i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC;

(ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing; and

(iii) rely on implied consent to use customer information in activities like service fulfillment and support, fraud prevention, market research, product development, network management, and security, compliance with the law, and first-party marketing. This is the same flexible choice approach used across the Internet ecosystem and is very familiar to consumers.

Now I don’t speak legalese or obfuscation but I will try to translate this one paragraph.

ISPs will give “customers easy-to-understand privacy choices.” Notice it doesn’t say you are going to like those choices. When I went looking for the ISPs’ “easy-to-understand privacy choices,” they were not particularly “easy to find.”

Section i) states that ISPs will follow the FTC's guidelines. The thing that doesn’t make sense here is the fact that in the last few years it has been determined that ISPs are governed by the Federal Communications Commission, NOT the Federal Trade Commission. Part of the industry’s disagreement with the FCC’s privacy rules passed last year was the fact that they were more restrictive than the FTC’s rules for Internet companies like Facebook and Google.

Section ii) states that you must OPT OUT to stop them from selling your nonsensitive data to other companies. That means unless you can find out how and where to opt out, you are opted in by default.

Section iii) means the ISPs are assuming that you have given your OK for them to use your customer information in things like market research and marketing their own products to you.

Notice the phrase “the same flexible choice approach used across the Internet ecosystem and is very familiar to consumers.” This is perfect doublespeak in that it says it is a “flexible choice used across the Internet ecosystem,” but before that, they said it was “implied consent.” Do we have a choice or not? Does this “flexible choice” just say that they can make it mean whatever they want it to? Does the “implied consent” say that if we are using their service, we are agreeing to whatever they say?

Much of the privacy information and opt-in or opt-out terminology is buried in a long, hard-to-understand Terms of Service agreement that you must click through before proceeding with using the Internet. Who remembers, or even read, that when they signed up for service? No one reads those.

The trade groups and ISPs that signed the document:

  • Altice USA
  • American Cable Association
  • AT&T
  • Charter Communications
  • Citizens Telephone and Cablevision
  • Comcast
  • Cox Communications
  • CTIA
  • Dickey Rural Networks
  • Inland Telephone Company d/b/a Inland Networks
  • ITTA – The Voice of Mid-Sized Communications Companies
  • NCTA – The Internet & Television Association
  • Northeast Louisiana Telephone Co., Inc. (NortheastTel)
  • NTCA – The Rural Broadband Association
  • SCTelcom
  • T-Mobile
  • USTelecom
  • Verizon
  • VTX1 Companies
  • Wheat State Telephone, Inc.
  • Wireless Internet Service Providers Association
  • WTA – Advocates for Rural Broadband

Verizon, Comcast, Cox Communications and AT&T have all released statements saying they never have and don’t plan to sell users’ browsing history.

If your ISP is collecting information (and they probably are) they should have some sort of opt-out page on their website. You won’t be able to opt out of all collection of data but you should be able to limit it somewhat. You might need to be logged in to your account to find it but if you look around you should be able to find it.

For more information on how to limit the information your Internet Service Provider sees, check out our article, “VPNs – Now More Than Ever.”

Smaller ISPs Statement

On the other hand, before the rules were repealed, many of the smaller ISPs and other individuals and groups banded together in support of the privacy rules and sent a letter to Congress saying as much.

These are:

  • Sonic
  • Monkeybrains.net
  • Cruzio Internet
  • Etheric Networks
  • University of Nebraska
  • CREDO Mobile
  • Aeneas Communications
  • Digital Service Consultants Inc.
  • Om Networks
  • Hoyos Consulting LLC
  • Mother Lode Internet
  • Gold Rush Internet
  • Ting Internet
  • Andrew Buker (Director of Infrastructure Services & Research Computing, University of Nebraska at Omaha)
  • Tim Pozar (co-founder, TwoP LLC)
  • Andrew Gallo (Senior Network Architect for a regional research and education network)
  • Jim Deleskie (co-founder, Mimir networks)
  • Randy Carpenter (VP, First Network Group)
  • Kraig Beahn (CTO, Enguity Technology Corp)

While these two groups are not automatically on opposing sides, they are taking different stances. The bigger companies in the first group, for the most part, supported the repeal of the “flawed” privacy rules and came up with their own privacy policy as a smokescreen, whereas the smaller ISPs said we should keep the privacy rules enacted by the FCC last year.

Sonic cofounder and CEO Dane Jasper published an article on the Mashable website in support of consumers’ privacy rights.

A Bit of History

To think that ISPs won’t attempt to use your personal data against you is naive. Back in 2008 Cable One, CenturyTel, Embarq, Knology, WOW! and some other ISPs partnered with a company named NebuAd to use their position as customers’ Internet provider to inspect their browsing behavior and deliver ads based on that behavior. The ISPs tested out the program by NebuAd, often without notifying customers.

Charter had actually planned to employ NebuAd’s program but backed down after public and congressional outcry. Shortly thereafter NebuAd and the ISPs that did try out the program were sued in a class action lawsuit.

NebuAd and the ISPs were charged with intercepting, collecting and storing private data from users.
The complaint said that NebuAd "exploits normal browser platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the web browser," and that "NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software, and the owners of the servers they visit."

NebuAd went out of business in mid-2009. The case against some of the ISPs was dropped due to jurisdiction problems. The court case was finally settled in 2011 with a $2.4 million fine levied against NebuAd. The majority of the settlement was given to non-profits that promote consumer awareness and choice regarding privacy and security matters.

- By Wayne Porter