June 21, 2016
This article originally appeared on Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow Future Tense on Twitter.
As you read this post, your internet service provider is collecting information about you: what you’re reading right now on Slate, what URL you go to next, what time of day it is, and whether you’re on your home computer or your mobile device, among many other data points. Your ISP has similar data about apps you’ve used, how much data you consume at any given time of day, and your other daily internet habits and rhythms. Of course, your ISP has other up-to-date personal information as well—things like your name, address, telephone number, credit card number, and likely your Social Security number. In this way, ISPs have access to a uniquely detailed, comprehensive, and accurate view of you and every other subscriber. All of this at a time when consumer concern over privacy is increasing and has actually caused people to refrain from engaging in e-commerce and other activities online.
To make matters worse, you are essentially powerless to limit the data your ISP collects about you. While you may, in some instances, defend yourself against tracking by websites and apps by disallowing cookies or turning on “Do Not Track” in your browser settings, in many cases there is no way to protect against ISP tracking except by avoiding the internet altogether.
While there are some tools that can help consumers protect themselves, they are not prevalent. For example, ISPs cannot see full website addresses when that site uses encryption—denoted by a small lock icon in your browser bar. However, the website—not you—decides whether it will use encryption. And while Netflix traffic is encrypted (so your ISP only knows you’re watching videos, not specifically which ones you’re watching), WebMD traffic is not (so your ISP likely knows every page you’ve visited on WebMD), even though medical symptoms are clearly much more personal than your favorite TV program.
Another example of ways consumers can purportedly protect themselves is through virtual private networks, or VPNs, which route web traffic through another network and therefore effectively “hide” the traffic from the person’s ISP. But VPNs are difficult to use and configure. They often cost extra money, slow down your browsing, and simply send your data through some other access provider that may be collecting data about you, too. These options are not practical defenses for most consumers.
Currently, there are no rules to prevent your ISP from using these data for almost any purpose, including categorizing you and serving you advertisements based on those categories. Targeted ads may even be based on whether you have (or the ISP has inferred you have) a certain disease or what your income level is. Recently, Cable One was found to be using predictive analytics to determine which of its customers were “hollow” (that is, had low credit scores) and then offering them low-quality customer service. Cable One technicians, the company’s CEO stated, aren’t going to “spend 15 minutes setting up an iPhone app” for someone with a low credit score. Of course, making decisions based on credit scores is going to disproportionately affect communities of color and other vulnerable populations.
https://www.nclc.org/images/pdf/credit_discrimination/Past_Imperfect050616.pdf. Additionally, the data ISPs collect, often compiled into a “profile,” might be sold to third parties (like advertisers or data brokers) and used and reused for purposes for which they were not initially collected—in ways that often annoy people, such as when personal information is used to send a “barrage of unwanted emails.” And as the number of entities who hold your data increases, so too does the chance those data will be compromised by a leak or hack.
So you may find yourself between a rock and a hard place: Use the internet and give up your privacy, or forego internet access entirely—something that’s not exactly reasonable. But there is good news. The Federal Communications Commission is trying to make sure that you and all other ISP customers don’t have to confront this choice. In 2015, as part of decision to uphold net neutrality, the FCC ruled that ISPs are “common carriers.” (The U.S. Court of Appeals for the District of Columbia Circuit recently upheld that ruling.) Since then, the FCC has had a statutory obligation to protect the data ISPs collect about their customers. To accomplish that, the FCC recently proposed a new rule that would require ISPs, in most cases, to seek opt-in consent from customers before using data collected for purposes other than to provide service, such as to deliver certain kinds of ads or to sell to data brokers. That means that if the rule passes, your ISP would have to notify you of any new intended use of the data and give you the opportunity to say “yes, that is OK with me” or “no, that is not OK with me.” Of key importance in this rule is that if you said “no,” your ISP couldn’t just refuse to serve you—it would have to respect your wishes and still provide you with service.
The FCC’s proposal should be enacted, because you should not have to trade your privacy to access the internet. (New America’s Open Technology Institute, where I work, has been actively engaged on this issue and has submitted comments in the record. New America is a partner with Slate and Arizona State University in Future Tense.) It should go without saying, but it’s important enough that I will say it anyway: Internet access is imperative for personal and professional success in today’s digital world. Yet to gain access to the most important tool of the 21st century, you have to allow your ISP access to incredibly rich and private information about what you do online. You should get to control what it does with that data. Consumers deserve real choice when it comes to protecting their data, and the opt-in regime proposed by the FCC is a huge step in the right direction.
Yet—perhaps unsurprisingly—ISPs and several House committees have responded to the FCC’s proposal as if the sky is falling. They have mounted an all-out assault on the idea that you should have the right to choose how ISPs use your data. Their arguments range from the highly dubious (the proposal exceeds the FCC’s authority) to the downright silly (consumers will be confused by having different privacy rules for ISPs as compared with other companies, like search engines and social networks). Chances are your ISP is telling the FCC that you don’t need protections against exploitation of your data. (If you’re interested, you can see exactly what your ISP is saying—here are the responses from AT&T, Comcast, CenturyLink, T-Mobile,Verizon, and Sprint; unnamed ISPs may be represented by various trade associations like the National Cable and Telecommunications Association and CTIA for wireless.) However, as with the net neutrality debate that led to this proposal, consumers may feel differently.
The FCC has proposed a very strong rule that will help protect ISP customers from exploitative uses of their data. This battle for consumer choice will be ongoing for many months, but soon, you may finally be able to choose both having internet access and protecting your privacy.