Federal Trade Commission releases report on privacy practices of US Internet Service Providers

October 24, 2021 |

The Federal Trade Commission (the “FTC”) released a report titled A Look At What ISPs  Know About You: Examining the Privacy  Practices of Six Major Internet Service Providers on 21 October 2021.   It is a very significant report as it lays out in detail the poor privacy practices of ISPs in the United States of America. Thsi follows on from FTC previously signalling interest in formulating new online privacy rules

The report makes for grim reading in terms of privacy invasive conduct by ISPs in the USA including:

  • many ISPs collect a host of information from their customers to provide the services they request, and they  generally use some of this data for advertising purposes. Some ISPs even collect additional data from their customers that is not necessary to provide ISP services, in order to enhance their ability to
  • there is a trend in the ISP industry to buy consumer information from third party data  brokers, which many ISPs use for advertising purposes. A sizable number of the ISPs  also buy data from data brokers about their existing customers.
  • many of the ISPs  engage in targeted advertising and their practices raise bias and equity concerns.
    Several ISPs serve targeted ads across the internet on behalf of third parties using cookies, beacons, pixels, and tags on a consumer’s browser, or they use device identifiers, mobile software development kits (“SDKs”), or similar technologies on a consumer’s mobile device.
    They buy demographic and interest information from data brokers and then combine this information with additional information about ISP subscribers to place these subscribers into segments. These segments often reveal sensitive information about consumers.
  • several ISPs have the ability to target consumers on a granular basis, because unlike many other entities, they have access to each of the websites a consumer visits, allowing them to   target based on subscriber information. At least three ISPs  combine consumers’ personal information, app usage information, and/or browsing information for advertising purposes.
  • ISPs offer real-time location data about specific subscribers to their third-party customers including car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers’ knowledge and consent
  • while many ISPs  promise not to sell consumers’ personal information these ISPs buy consumer information from data brokers, use it to infer additional information about them, categorize them into segments, and serve targeted ads to them on behalf of third-parties.  Three of the ISPs  reserved the right to share their subscribers’ personal information with their parents and affiliates, which seems to undercut the promises not to sell personal information.
  • ISP’s offering consumers choice about the use of their data is illusory because:
    • a few of the ISPs made the process of selecting privacy choices complicated while others spread out multiple choices across multiple tabs and sections and to fully exercise a privacy intention, a consumer would have to adjust settings in each and every section. In many cases, the disclosures next to consumers’ opt-out choices often contained lengthy descriptions.
    • it can be cumbersome to exercise choices. Two of the ISPs require consumers to manually
      enter each phone number, email address, and physical address that they wish to opt out. Some ISPs require consumers to make privacy selections on a per device basis
    • changing options can make it difficult for consumers to exercise their privacy intentions
  • offers to let consumers have access to their information, is largely illusory, given that the information is either indecipherable or nonsensical without context
  • Several of the ISPs assert that they only keep the information as long as it is needed for a business reason but defines (or leave undefined) what constitutes a business reason, giving them virtually unfettered discretion.
  • the vertical integration of ISP services with other services like home security and automation,
    video streaming, content creation, advertising, email, search, wearables, and connected cars permits not
    only the collection of large volumes of data, but also the collection of highly-granular data about
    individual subscribers.
  •  a single ISP has the ability to track the websites their subscribers visit, the shows they watch, the apps they use, their energy habits, their real-time whereabouts and historical location, the search queries they make, and the contents of their email communications.
  • several ISPs combine the data from their subscribers with additional information from third-party data brokers, resulting in extremely granular insights and inferences into not just their subscribers but their subscribers’ families and households. This data is used to create advertising segments, including segments that reveal sensitive data such as race, religion, national origin, sexual orientation, financial status, health status, and political beliefs.
  • data  is collected, retained, and combined for purposes unrelated to providing the service,  particularly in ways that could cause them harm. At least three ISPs engage in cross-device tracking. Location information is obtained for advertising purposes and sold to third parties. Real-time location information  reveals other sensitive information and associations, such as childcare locations, visits to drug treatment or mental health clinics, and private meetings.
  • several of the ISPs use race and ethnicity data (or proxies for such data such as location data) for advertising purposes and the sale of such data to unrelated businesses raises concerns, particularly around the practices of “digital redlining,”
  • although many of the ISPs purported to offer consumers choices, some of these choices were not offered clearly and indeed, nudged consumers toward more data sharing. These types of practices are referred to as  “dark patterns. They include:
    • interfaces with the preferred choice highlighted and the other choice greyed out.
    • Interfaces that do not allow consumers to reject information collection or continuously
      prompt consumers if they select a disfavored setting.
    • Choices may be buried or hidden from consumers
    • Unclear toggle settings that can confuse consumers into selecting a privacy setting that they
      did not intend
  • many of the ISPs  have access to 100% of consumers’ unencrypted internet traffic.
  • significant number of the ISPs can track consumers persistently across websites and geographic location Two ISPs  persistently track consumers by appending undeletable identifiers to consumers’ internet traffic.  Commonly used measures for protecting privacy, such as switching browsers and devices, enabling “private browsing mode,” or deleting cookies, can not prevent these two ISPs from continuing to persistently track their subscribers.  Mobile internet providers can target consumers based on their real-time and historical location through the use of cellular tower data, even when location tracking on their phones is deactivated.

Of course in Australia there is no reason for being satisfied that ISPs behave in a more responsible manner.  The regulation of ISPs is light touch and the regulators are timid.



Leave a Reply