HideTechdirt is off for Thanksgiving! We'll be back with our regular posts on Monday.
HideTechdirt is off for Thanksgiving! We'll be back with our regular posts on Monday.

Broadband Industry 'Studies' Claim Users Don't Need Privacy Protections Because ISPs Are Just Harmless, Innovative Sweethearts

from the watching-the-watchers dept

With few protections in play, most of the last decade broadband ISPs have collected any and every shred of data about their customers' online behavior. It began with clickstream data, which ISPs sold to third parties, then either refused to comment on or outright lied about. Since then, more intelligent network hardware has let ISPs use deep packet inspection to track and monetize user online behavior down to the second. In wireless, carriers like AT&T and Verizon not only collect and sell user online behavior and location data, but now embed stealth packet headers to track and profile users across the entire Internet.

It was that last decision that raised eyebrows at the FCC, prompting the agency recently to consider whether it should use its new Title II authority to build at least some basic rules of the road regarding broadband user privacy. This has, of course made the broadband industry rather nervous. After all, the telecom industry has grown very comfortable with the fact that nobody has bothered to give half a damn about broadband privacy for the better part of a generation.

Enter the telecom-industry funded Information Technology and Innovation Foundation, which has released a new "study" (pdf) that argues no privacy protections are necessary because you can trust broadband providers to do the right thing. The report starts off on a highly scientific note, insulting those who'd like some basic broadband privacy protections as "broadband populists" that are pushing an agenda that will -- you guessed it -- will hurt puppies, innovation, broadband deployment, and tear giant holes in the time-space continuum.

Amusingly, the report claims that basic privacy protections would prevent ISPs from providing "numerous benefits" to consumers. The report also tries to claim that basic privacy protections will somehow stop ISPs from properly managing their networks:
"Limiting the use of broadband data...would constrain broadband providers’ ability to provide numerous benefits to consumers. Analyzing data is essential for ISPs to understand patterns and trends in Internet traffic and allows for informed adjustments to network functions and capacity, both in the long and the short term. Customer data is also important to help diagnose problems within the network and facilitate responses to customer requests for assistance with various issues."
The report goes on to claim consumers really don't need privacy protections because they have the option of using VPNs and encryption to hide their traffic from ISPs. But Nick Feamster over at Freedom to Tinker does a nice job explaining why it's not really that simple. ISPs can still observe user online behavior based on overall traffic pattern and volume, unencrypted portions of communication, and the growing volume of unencrypted Internet of Things traffic. And a VPN is no guaranteed blockade to ISP snooping either, since again IOT devices won't use the VPN, and ISPs can often still monitor user behavior via DNS anyway.

To be clear, what the FCC is proposing isn't particularly heavy-handed, nor would it stop ISPs from managing their networks or even profiting from snoopvertising. With the FCC's recent Title II move, ISPs are now subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). But since those rules were crafted for older phone companies, the FCC's looking to modernize them for the modern era. We're talking about relatively basic protections, such as requirements that you inform customers if you're tracking them and selling their data, and give them opt out tools that actually work.

Given the billions everyone is happily making hoovering up user data from Silicon Valley to K Street, there's really no serious political motivation to go beyond that, "populist" outcry or not. But the report argues that broadband users don't need privacy protections at all because hey, ISPs don't actually know much about you and industry "self regulation" works exceptionally well to thwart bad behavior:
"The privacy policies of operating systems like Apple’s OS X and Google Android are also subject to FTC enforcement if they misrepresent how they use their users’ personally-identifiable information. This is the model for a well-functioning, self-regulatory environment that maintains the flexibility needed for rapid innovation and experimentation with welfare-enhancing business models. Broadband providers should not face steeper burdens for implementing advertising than already exist.
Except not. One, broadband is notably different from Apple and Google because telecom operators hold a monopoly over the last mile. Whereas an Apple smartphone customer annoyed at Apple's privacy policies can migrate to Android, or a Google search customer can pick a new engine, most broadband customers don't have a real choice of providers. Meanwhile, the FTC has proven all but useless in telecom privacy enforcement, and the self-regulatory approach has worked about as well in telecom as it has in the banking industry thanks to generations of cronyism and dysfunction.

For years, Verizon repeatedly stated that more meaningful privacy protections weren't necessary for broadband providers because "public shame" would keep the company honest. Verizon-owned AOL recently parroted that idea when it insisted "the market" would keep companies on their best behavior. How does that actually work in practice? As we've seen with Verizon's "zombie cookies," not at all.

In fact, it took months for security researchers to even realize that Verizon was embedding user wireless packets with stealth tracking technology. It took another six months of public pressure before Verizon even gave users the option to opt out. The self-regulatory approach just doesn't work in telecom. What we get in reality are companies like AT&T that are now charging broadband users a $60 premium if they want to opt out of invasive snoopvertising, then calling that innovation.

Alongside the ITIF report, the industry is pushing a second report this week (pdf), funded by telecom-industry lobbying group "Broadband for America." While most people familiar with sockpuppetry and astroturf will disregard these reports as the conflicted proxy musings of the telecom industry, the press usually isn't so savvy. In fact, ReCode ran an article on the study with a headline informing readers that ISPs know "less than you might think" about them, and an opening paragraph claiming ISPs "have limited access to consumer data." Only in a later update at the bottom of the story did ReCode disclose the study was funded by AT&T, Comcast and Verizon.

It's clear the broadband industry is now engaged in a full court press to derail rules that might take a small bite out of billions in user-tracking revenues. And in typical telecom-industry fashion, that involves creating a sound wall of fauxcademics, fake consumer advocates, third-party consultants and other mouthpieces who will be spending the next six months informing you that ISPs are utter angels when it comes to respecting and protecting consumer privacy, and that the status quo (read: no real privacy protections whatsoever) is good enough.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: broadband, fcc, privacy, studies
Companies: itif


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    DannyB (profile), 9 Mar 2016 @ 7:19am

    Let's Encrypt

    The more encrypted web sites I visit:
    * the less my ISP knows about what I'm doing
    * the less they can deeply inspect my packets
    * the less they can inject zombie super cookies
    * the less they can inject unwanted ads
    * the less they can inject unwanted javascript (aka malware)

    Encrypting web traffic is probably as much about protecting oneself from their own ISP as it is from the NSA.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.