Hollow privacy promises from major Internet Service Providers
It’s no surprise that Americans were unhappy to lose online privacy protections earlier this month. Across party lines, voters overwhelmingly oppose the measure to repeal the FCC’s privacy rules for Internet providers that Congress passed and President Donald Trump signed into law.
But it should come as a surprise that Republicans—including the Republican leaders of the Federal Communications Commission and the Federal Trade Commission—are ardently defending the move and dismissing the tens of thousands who spoke up and told policymakers that they want protections against privacy invasions by their Internet providers.
Since the measure was signed into law, Internet providers and the Republicans who helped them accomplish this lobbying feat have decried the “hysteria,” “hyperbole,” and “hyperventilating” of constituents who want to be protected from the likes of Comcast, Verizon, and AT&T. Instead they’ve claimed that the repeal doesn’t change the online privacy landscape and that we should feel confident that Internet providers remain committed to protecting their customers’ privacy because they told us they would despite the law.
We’ve repeatedly debunked the tired talking points of the cable and telephone lobby: There is a unique, intimate relationship and power imbalance between Internet providers and their customers. The FTC likely cannot currently police Internet providers (unless Congress steps in, which the White House said it isn’t pushing for at this time). Congress’ repeal of the FCC’s privacy rules does throw the FCC’s authority over Internet providers into doubt. The now-repealed rules—which were set to go into effect later this year—were a valuable expansion and necessary codification of existing privacy rights granted under the law. Internet providers have already shown us the creepy things they’re willing to do to increase their profits.
The massive backlash shows that consumers saw through those industry talking points, even if Republicans in Congress and the White House fell for them.
Now that policymakers have effectively handed off online privacy enforcement to the Internet providers themselves, advocates for the repeal are pointing to the Internet providers’ privacy policies.
“Internet service providers have never planned to sell your individual browsing history to third parties,” FCC Chairman Ajit Pai and FTC acting Chairwoman Maureen Ohlhausen wrote in a recent op-ed. “That’s simply not how online advertising works. And doing so would violate ISPs’ privacy promises.”
Aside from pushing back on oversimplification of the problem at hand, we should be asking: What exactly are the “privacy promises” that ISPs are making to their customers?
In blog posts and public statements since the rules were repealed, the major Internet providers and the trade groups that represent them have all pledged to continue protecting customers’ sensitive data and not to sell customers’ individual Internet browsing records. But how they go about defining those terms and utilizing our private information is still going to leave people upset. These statements should also be read with the understanding that existing law already allows the collection of individual browsing history.
Comcast said it won’t sell individual browsing histories and it won’t share customers’ “sensitive information (such as banking, children’s, and health information), unless we first obtain their affirmative, opt-in consent.” It also said it will offer an opt-out “if a customer does not want us to use other, non-sensitive data to send them targeted ads.” We think leaving browsing history out of the list of information Comcast considers sensitive was no accident. In other words, we don’t think Comcast considers your browsing history sensitive, and will only offer you an opt-out of using your browsing history to send you targeted ads. There’s no mention of any opt-out of any other sharing of your browsing history, such as on an aggregated basis with third parties. While we applaud Comcast’s clever use of language to make it seem like they’re protecting their customers’ privacy, reading between the lines shows that Comcast is giving itself leeway to do the opposite.
Verizon similarly pledged not to sell customers’ “personal web browsing history” (emphasis ours) and described its advertising programs that give advertisers access to customers based on aggregated and de-identified information about what customers do online. By our reading, this means Verizon still plans to collect your browsing history and store it—they just won’t sell it individually.
AT&T pointed to its privacy policies, which carve out specific protections for “personal information … such as your name, address, phone number and e-mail address” but explicitly state that it does deliver ads “based on the websites visited by people who are not personally identified.” So just like Verizon, we think this means AT&T is collecting your browsing history and storing it—they’re just not attaching your name to it and selling it to third parties on an individualized basis.
In a filing to the FCC earlier this year, CTIA—which represents the major wireless ISPs—argued that “web browsing and app usage history are not ‘sensitive information’” and said that ISPs should be able to share those records by default, unless a customer asks them not to.
The common thread here is that Internet providers don’t consider records about what you do online to be worthy of the heightened privacy protections they afford to things like your social security number. Internet providers think that our web browsing histories are theirs to profit off of—not ours to protect as we see fit. And because Congress changed the law, they are now free to change their minds about the promises they make without the same legal ramifications.
These “privacy promises” are in no way a replacement for robust privacy protections enforced by a federal agency. If Internet providers want to get serious about proving their commitment to their customers’ privacy in the absence of federal rules, they should pledge not to collect or sell or share or otherwise use information about the websites we visit and the apps we use, except for what they need to collect and share in order to provide the service their customers are actually paying for: Internet access.
That would be a real privacy promise.