Internet service providers fail to disclose to consumers how they use sensitive data, obscure privacy practices and make it difficult to opt-out of collection, according to a study released Thursday by the Federal Trade Commission.
The study signals that telecommunications companies may not escape the agency’s efforts to establish consumer privacy protections, even as platforms like Facebook and Google dominate the conversation.
“While several ISPs in our study tell consumers they will not sell their data, they fail to reveal to consumers the myriad of ways that their data can be used, transferred, or monetized outside of selling it, often burying such disclosures in the fine print of their privacy policies,” the report concludes.
The report, which the agency ordered in 2019, looked at six of the largest ISPs — AT&T Mobility, Cellco Partnership (Verizon Wireless), Charter Communications Operating, Comcast (Xfinity), T-Mobile US, and Google Fiber — covering 98% of the mobile internet market. It also covered three affiliated advertising entities: AT&T’s Xander, Verizon Online and Oath Americas (Verizon Media).
The report comes as the agency weighs pursuing a privacy rule-making process as Congress dithers on passing a federal privacy law. Democratic lawmakers have urged the agency to look at creating rules around data collection practices highlighted in Thursday’s report.
The FTC anonymized data in the report, which avoided tying specific practices to specific providers. The key takeaways offer a scathing view of the industry’s privacy practices as a whole, FTC members suggested.
The study “points to the need for urgent actions across agencies and in Congress to protect users of these ubiquitous and critical services,” Democratic Commissioner Rebecca Slaughter said at an open meeting discussing the report.
Common collection practices across many of the ISPs included gathering data that wasn’t necessary to provide internet services, as well as using web browsing data to serve up specific advertisements. Targeted ad groupings, for instance, included categories such as “Gospel and Grits,” “Hispanic Harmony,” and “Asian Achievers.” (Public reports show that the practice of advertising along the lines of race, gender, economic status and sexuality can lead to “digital redlining” that violates civil rights laws, such as discrimination in housing and job ads.)
Numerous ISPs also shared real-time location data with third parties, allowing third parties to garner sensitive details about an individual’s life, such as if they visit a rehab or where their children go to daycare. The sharing of such data with third parties was recently tied to the public outing of a Catholic priest. The Federal Communications Commission in 2020 proposed fines against four major wireless carriers after a data breach revealed that the companies were sharing unauthorized data with a company that works with law enforcement.
The FTC report highlights how ISPs might pose a challenge to user privacy because of their relatively unfettered access to unencrypted internet traffic, user identity and local and the ability to combine data from across services.
Crucially, FTC staff found that ISPs made it both difficult for consumers to opt out of data collection by using a variety of tactics and for consumers to find out what ISPs had collected on them.
FTC Chair Lina Khan said that the report raised the need to consider “a new paradigm” when it comes to how consumers can consent to data collection. Khan made similar comments in a report on privacy and security shared with Congress in October in which she advocated for privacy legislation from Congress.
The FTC’s jurisdiction over ISPs is limited. The agency can oversee ISP’s internet privacy practices, but not voice services. It can also seek to punish “unfair or deceptive practices” such as misleading consumers about internet speeds.
As such, the FTC has historically partnered with the Federal Communications Commission in tackling the ISP industry. In 2015 the FCC reclassified ISPs as telecommunications services, allowing the agency to oversee privacy issues. However, that was rolled back in 2017 under Republican leadership.
Khan said she would “support efforts to reassert” the FCC’s authority over ISPs that would allow it to put privacy requirements in place.
“Protecting consumer privacy is a key priority for the FCC,” acting chairwoman Jessica Rosenworcel told CyberScoop in a statement. “I appreciate the FTC’s work to evaluate ISP privacy practices. We’re taking a close look.”