A new report from U.S. consumer rights and privacy advocacy group, the Center for Digital Democracy, has set out the case for the Federal Communications Commission (FCC) to tighten data protection rules around how ISPs and telcos collect and use consumer data.
The FCC is currently consulting on proposals to changes to the rules on how ISPs can gather and utilize customer data — with an internal vote due at the end of this month. If the commissioners vote for the rule changes (as expected), a wider U.S. public consultation would then take place ahead of any new regulations being forged.
Making the public case for updating consumer protections earlier this month, FCC chairman Tom Wheeler argued it boils down to a matter of consumer choice.
“Every broadband consumer should have the right to know what information is being collected and how it is used. Every broadband consumer should have the right to choose how their information bits should be used and shared. And every consumer should be confident that their information is being securely protected,” he wrote in an article in the Huff Po, flagging up the visibility ISPs such as TechCrunch’s parent AOL’s parent Verizon can have into users’ digital lives.
“This is not to say network providers shouldn’t be able to use information they collect — only that since it is your information, you should decide whether they can do so. This isn’t about prohibition; it’s about permission.”
“Simply by using the Internet, you have no choice but to share large amounts of personal information with your broadband provider,” added Wheeler. “You have a right to know what information is being collected about you and how that information is being used. That’s why establishing baseline privacy standards for ISPs is a common sense idea whose time has come. The bottom line is that it’s your data. How it’s used and shared should be your choice.”
The FCC chairman is by no means the lone voice raising privacy concerns here. Back in January Wheeler was sent a letter co-signed by around 50 consumer rights and privacy organizations all urging the FCC to create stronger rules to regulate broadband providers’ use of data.
“What tracking is going on now and how the info is being used is in most cases not readily apparent,” Susan Grant of the Consumer Federation of America — one of the letter’s co-signatories — told TechCrunch at the time.
The CDD was another co-signatory. In its report it’s now seeking to further flesh out what’s at stake — by profiling in some detail the data harvesting practices of specific ISPs and cable providers, including AT&T, Comcast, Dish Network, Time Warner Cable, Verizon, Disney/ABC, News Corp (Fox) and others, as well as detailing some of the interplay between ISPs/broadband/cable providers and different data brokers and larger Internet companies also involved.
It’s this complex and non-transparent (from a consumer point of view) web of data harvesting and processing relationships that has enabled ISPs to amass sophisticated consumer tracking and ad targeting infrastructures in recent years (including via the acquisition route), the CDD argues.
“ISPs have made partnerships with powerful data brokers, giving them insights into our online and offline behaviors. They are incorporating state-of-the-art “Big Data” practices — such as “programmatic advertising” — that significantly threaten the privacy of subscribers and consumers,” it writes.
“The stealth data-profiling apparatus that determines whether a person is bought, sold, or ignored, and used to target family, friends and others, requires the Federal Communications Commission to address the use and consequences of practices that threaten privacy and pose consumer-protection concerns,” the report adds.
The CDD is urging the FCC to adopt rules to help reverse what it dubs “the tide of ever-growing and unchecked collection and use of consumer data across devices”.
“A truly “open” Internet that embraces “network neutrality” must have privacy and consumer protection at its core. Otherwise, powerful data and digital marketing gatekeepers will be in an even more influential position to influence the kinds and diversity of programming available in the marketplace,” it goes on to assert, suggesting there is a risk of consumer information being used in “unfair and discriminatory ways that can harm individuals and families” — by, for example, financial data being used to target high-interest credit card or loan offers to at-risk consumers; the singling out of seniors to promote unnecessary medical devices and services; basing targeting profiles on racial and ethnic data; and taking advantage of young people.
The CDD is advocating for consumer protection rules and privacy policies that reflect “Fair Information Practices”, rather than just requiring opt-in consumer consent for data harvesting and processing — arguing for a total bar on “pervasive and continuous data collection”, such as via crossdevice tracking (a technique used by TechCrunch’s parent AOL, for instance) and offline/online data profiling; and for data minimization safeguards “to ensure that online records are kept to a minimum and cannot be used for ongoing targeting”. It also wants a ban on deep-packet inspection being used by ISPs to allow them to examine the content of communications.
As you’d expect, ISPs are opposed to the FCC’s proposals for stricter regulations around data use and consumer privacy — and have claimed they are amply regulated by the FTC already. However they may well be whistling into the wind there. The FCC’s reclassification of broadband as a public utility last year has paved the way for what is a more powerful regulatory body with (unlike the monitoring body, the FTC) legal authority to create new rules. Last year’s strict net neutrality rules now look like only the FCC’s first order of business, vis-a-vis broadband providers.
Beyond ISP’s philosophical objections to being more strictly schooled in how much snooping they can do on users, one more specific criticism of the FCC’s proposals — made by ISPs and others — is that it focuses only on ISPs and does not loop in larger Internet companies, such as Google, which may also have amassed sophisticated data processing, user tracking and ad-targeting capabilities. Internet companies remain the regulatory purview of the FTC.
Indeed, the CDD report itself includes Google as one of the companies profiled, noting that the company is “in the forefront of using programmatic and other data-driven advertising across platforms, including digital video” and adding: “Google illustrates how the role of data and our use of digital devices is fundamentally transforming our viewing across screens”.
“I added Google and others to show that the basic data collection business model — all your data, all the time — is impacting every part of the media, communications and advert sector,” adds the CDD’s Jeffrey Chester, when asked about this. “While ISPs have unique and powerful ways to capture consumer data, such as deep packet inspection, they are part of a digital environment where privacy is always at risk.”
Earlier this month, in a response to the FCC’s proposals, the Electronic Privacy Information Center also called for the new privacy rules to be applied more broadly. “While ISPs are engaged in invasive consumer tracking and profiling practices, focusing only on these providers misses a vast amount of data collection activities by other service providers,” it argued, also calling for the FCC to establish “a broad framework for communications privacy, based on Fair Information Practices.
And in another blurring of the line here, one of the big Internet companies in question (Google) is also an ISP (via its fiber program). Albeit a far more dominant Internet company than it is ISP.
The CDD report notes that Google is using data-targeted ads as part of its Google Fiber Internet and TV service in Kansas City, adding that: “Google Fiber set-top boxes are IP based,” which allows for continuous monitoring and changes via the cloud — including for targeted marketing.”
You can read the full CDD report here.