Facts regarding ISPs selling customer data
By Robbie Adair, PS LIGHTWAVE Consultant
In March 2017, the United States Congress voted to repeal the FCC Internet privacy rules that were going to go into effect later this year. The FCC Internet privacy rules were explicitly designed to prohibit Internet providers like Comcast, Verizon, AT&T, and PS Lightwave from sharing, selling or utilizing client data like usage history, browsing habits, geolocation information, and more. There were policies in place before these rules, but they were unclear and confusing. By repealing the new rules, something that was lobbied for by many of the large scale Internet providers, the common fear is that ISP’s will be more aggressive in data gathering and sharing of your online activities.
Who’s setting the Rules now?
Internet provider services are classified as “common carriers” under Title II of the Communications Act of 1934. With that, the FCC still can interpret the Communications Act of 1934 as they see fit. The FCC can even pursue legal action against a company they determine has broken the rules as they interpret them. No one knows yet how the new Chairman of the FCC is going to interpret them. With that, the ISP’s are in unknown territory. If an ISP starts taking advantage of the fact that the Internet privacy rules are repealed, they might cross FCC guidelines. In addition, if an ISP breaks its own privacy policies or starts collecting customer meta-data for sharing with 3rd parties, a state attorney general could also take a company to court if this practice could be construed as “unfair” to other businesses or violates state law.
What might ISPs do with your data?
Websites such as Google, Facebook and other social media sites and search platforms are monetizing your data already, either by using it in targeted ads that fit your “profile” or by sharing it with 3rd parties. Your ISP has much more information about you and your entire household, or company by the mere fact that they are the gateway between you and the Internet. ISPs know your personal information; your name and address, maybe your credit card or bank account. They know your browsing and streaming history, what websites you visited, what files you downloaded, what games you’re playing, what video networks you stream from and so on. They might not know exactly what you did on a website, especially if you are using sites secured by HTTPS (link to other blog post), but they do know that you visited and at what time and how much data you transferred. The information is important to your ISP to help them balance their networks and give you the best connection and service experience. Your ISP is analyzing all this data in bulk reports, so it stays anonymous. But it is the same information that could be used to target advertising to you in a very narrow scope, or could be sold to another company that wants to use it to target its ads. This information would more than likely be sold in large data sets, not individual data, but there is no set rule on how the data has to be packaged.
Scared yet?
Many ISP’s such as AT&T, T-Mobile, Verizon and Sprint already use this data to advertise to their own customers and they plainly state the fact in their privacy policy, even though, under the current FCC rules they don’t have to reveal that information to their customers. Most ISPs belong to organizations that have voluntarily committed to an agreed upon set of privacy prinicples (link to https://www.ncta.com/news-and-events/media-room/content/protecting-consumer-privacy-online ) on transparency, choice, security, and notifications in the case of a data breach. ISPs will also be held under the laws on individually identifiable data. The United States government in a 2007 memorandum defined “personally identifiable” information as follows: “Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
In theory, if someone wanted to buy your individual browsing history, that would be a direct violation of the individually identifiable data laws, but this is not a rule by the FCC.
What can you do about this to protect your privacy?
One of the easiest solutions is to find an ISP that does not use not use this data for advertisement, or shares or sells the data. PS Lightwave, an ISP for commercial clients, is one of the ISPs that only uses aggregated data to improve their network and explicitly states they will not sell or share your data, nor do they do any ad serving to their customers.
Rhonda Cumming, CEO of PS Lightwave, stated: “We recognize that security and privacy are a high priority for our government, health care, educational, and enterprise business clients. We believe your private data should remain private and will continue to honor our commitment to safeguard your privacy by never selling your data regardless of whether the other guys are doing so.”
If your ISP does say in their privacy policy that they are collecting and using the data for advertising and other uses, investigate if they offer an opt-out option. Make sure you understand what the opt-out option covers. Is your opt-out letting you opt out of the ads, or will you opt out that your data is shared or sold?
There are some privacy tools that help you keep your browsing data and habits from your ISP. A (paid) VPN service will encrypt and redirect all your traffic to a VPN provider. Make use of encryption for email and your messenger service whenever possible. Another way to be anonymous to your ISP is to use the Tor Network. It will move your web browsing traffic across different Tor servers and encrypts it, so it can’t be tracked back to you.
