U.S. Internet Service Providers Don’t Need to Protect Customer Privacy

It’s official: Internet service providers in the United States can continue to sell information about their customers’ Internet usage to marketers — and to anyone else who wants to use it.

In 2016, during the Obama administration, the Federal Communications Commission (FCC) tried to require ISPs to get customer permission before using or sharing information about their web browsing. According to the FCC, the rule change, titled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” meant:

The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs. To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

More specifically, the rules required customers to affirmatively agree before their information could be used in that fashion. Previously, customers had to opt out. Again, according to the FCC:

Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Consumer Privacy Never Happened

That rule change, however, became stuck in legal challenges and never took effect. In March 2017, both chambers of Congress voted to reverse that change. The resolution, passed by both the House and Senate, was simple:

Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” and such rule shall have no force or effect.

What’s the net effect? In some ways, not much, despite all the hyperbole. The rule only applied to broadband providers. It didn’t apply to others who could tell what consumers were doing on the Internet, such as social media (think Facebook) or search engines (think Google) or e-commerce (think Amazon) or streaming media (think Netflix). Those other organizations could use or market their knowledge about consumers, bound only by the terms of their own privacy policy. Similarly, advertising networks and others who tracked browser activity via cookies could also use the information however they wanted.

What’s different about broadband carriers, however, is that they can see just about everything that a customer does: Every website visited, every DNS address lookup, and every Internet query sent via other applications like email or messaging apps. Even if that traffic is end-to-end encrypted, the broadband carrier knows where the traffic is going or coming from – because, after all, it is delivering the packets. That makes the carriers’ metadata about customer traffic unique, and invaluable, to marketers, government agencies, and to others who might wish to leverage it.
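To make the metadata point concrete, the following added example (not part of the original article) builds two packets and lists the fields an on-path carrier can read without decrypting anything. The addresses come from the reserved documentation ranges, the hostname is constructed, and random bytes stand in for an encrypted payload.

```python
import ipaddress
import os
import struct

def ipv4(src, dst, proto, l4):
    """Minimal IPv4 header (checksum left at 0) around a transport segment."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + l4

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):
    # 20-byte header: data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

def dns_query(name):
    """Plain (unencrypted) DNS query for an A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def observe(pkt):
    """Fields an on-path carrier can read without decrypting anything."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4, payload = pkt[ihl:], b""
    seen = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "dport": struct.unpack("!H", l4[2:4])[0]}
    if proto == 17:                          # UDP
        payload = l4[8:]
        if seen["dport"] == 53:              # plain DNS: name travels in the clear
            labels, i = [], 12               # question starts after 12-byte header
            while payload[i]:
                labels.append(payload[i + 1:i + 1 + payload[i]].decode())
                i += 1 + payload[i]
            seen["dns_qname"] = ".".join(labels)
    elif proto == 6:                         # TCP
        payload = l4[(l4[12] >> 4) * 4:]
    seen["payload_len"] = len(payload)       # size leaks even if content is opaque
    return seen

# Constructed sample traffic from one subscriber address.
DNS_PKT = ipv4("192.0.2.10", "198.51.100.53", 17,
               udp(40000, 53, dns_query("clinic.example.com")))
ENC_PKT = ipv4("192.0.2.10", "203.0.113.7", 6, tcp(40001, 443, os.urandom(120)))

if __name__ == "__main__":
    for p in (DNS_PKT, ENC_PKT):
        print(observe(p))
```

The second packet's payload is unreadable, yet the destination address, port and size are still exposed, which is the metadata the paragraph above describes.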

Customers Can Shield — To Some Extent

Customers can attempt to shield their privacy, such as by using end-to-end VPN services to route their Internet traffic to a single relay point, and then use that relay to anonymously surf the web. However, a privacy VPN is technically difficult for many consumers to set up and the service costs money. Also, for true privacy fanatics, that VPN service could itself be a source of danger, since it could be compromised by an intelligence agency, or used for a man-in-the-middle attack.

So in the United States, the demise of the FCC ruling means that customers’ Internet usage data — including websites visited, phrases searched for, products purchased and movies watched — remains available for marketers and others who wish to study and exploit it. However, in reality, that was always the case.