Broadband Industry 'Studies' Claim Users Don't Need Privacy Protections Because ISPs Are Just Harmless, Innovative Sweethearts

from the watching-the-watchers dept

With few protections in play, most of the last decade broadband ISPs have collected any and every shred of data about their customers' online behavior. It began with clickstream data, which ISPs sold to third parties, then either refused to comment on or outright lied about. Since then, more intelligent network hardware has let ISPs use deep packet inspection to track and monetize user online behavior down to the second. In wireless, carriers like AT&T and Verizon not only collect and sell user online behavior and location data, but now embed stealth packet headers to track and profile users across the entire Internet.

It was that last decision that raised eyebrows at the FCC, prompting the agency recently to consider whether it should use its new Title II authority to build at least some basic rules of the road regarding broadband user privacy. This has, of course made the broadband industry rather nervous. After all, the telecom industry has grown very comfortable with the fact that nobody has bothered to give half a damn about broadband privacy for the better part of a generation.

Enter the telecom-industry funded Information Technology and Innovation Foundation, which has released a new "study" (pdf) that argues no privacy protections are necessary because you can trust broadband providers to do the right thing. The report starts off on a highly scientific note, insulting those who'd like some basic broadband privacy protections as "broadband populists" that are pushing an agenda that will -- you guessed it -- will hurt puppies, innovation, broadband deployment, and tear giant holes in the time-space continuum.

Amusingly, the report claims that basic privacy protections would prevent ISPs from providing "numerous benefits" to consumers. The report also tries to claim that basic privacy protections will somehow stop ISPs from properly managing their networks:
"Limiting the use of broadband data...would constrain broadband providers’ ability to provide numerous benefits to consumers. Analyzing data is essential for ISPs to understand patterns and trends in Internet traffic and allows for informed adjustments to network functions and capacity, both in the long and the short term. Customer data is also important to help diagnose problems within the network and facilitate responses to customer requests for assistance with various issues."
The report goes on to claim consumers really don't need privacy protections because they have the option of using VPNs and encryption to hide their traffic from ISPs. But Nick Feamster over at Freedom to Tinker does a nice job explaining why it's not really that simple. ISPs can still observe user online behavior based on overall traffic pattern and volume, unencrypted portions of communication, and the growing volume of unencrypted Internet of Things traffic. And a VPN is no guaranteed blockade to ISP snooping either, since again IOT devices won't use the VPN, and ISPs can often still monitor user behavior via DNS anyway.

To be clear, what the FCC is proposing isn't particularly heavy-handed, nor would it stop ISPs from managing their networks or even profiting from snoopvertising. With the FCC's recent Title II move, ISPs are now subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). But since those rules were crafted for older phone companies, the FCC's looking to modernize them for the modern era. We're talking about relatively basic protections, such as requirements that you inform customers if you're tracking them and selling their data, and give them opt out tools that actually work.

Given the billions everyone is happily making hoovering up user data from Silicon Valley to K Street, there's really no serious political motivation to go beyond that, "populist" outcry or not. But the report argues that broadband users don't need privacy protections at all because hey, ISPs don't actually know much about you and industry "self regulation" works exceptionally well to thwart bad behavior:
"The privacy policies of operating systems like Apple’s OS X and Google Android are also subject to FTC enforcement if they misrepresent how they use their users’ personally-identifiable information. This is the model for a well-functioning, self-regulatory environment that maintains the flexibility needed for rapid innovation and experimentation with welfare-enhancing business models. Broadband providers should not face steeper burdens for implementing advertising than already exist.
Except not. One, broadband is notably different from Apple and Google because telecom operators hold a monopoly over the last mile. Whereas an Apple smartphone customer annoyed at Apple's privacy policies can migrate to Android, or a Google search customer can pick a new engine, most broadband customers don't have a real choice of providers. Meanwhile, the FTC has proven all but useless in telecom privacy enforcement, and the self-regulatory approach has worked about as well in telecom as it has in the banking industry thanks to generations of cronyism and dysfunction.

For years, Verizon repeatedly stated that more meaningful privacy protections weren't necessary for broadband providers because "public shame" would keep the company honest. Verizon-owned AOL recently parroted that idea when it insisted "the market" would keep companies on their best behavior. How does that actually work in practice? As we've seen with Verizon's "zombie cookies," not at all.

In fact, it took months for security researchers to even realize that Verizon was embedding user wireless packets with stealth tracking technology. It took another six months of public pressure before Verizon even gave users the option to opt out. The self-regulatory approach just doesn't work in telecom. What we get in reality are companies like AT&T that are now charging broadband users a $60 premium if they want to opt out of invasive snoopvertising, then calling that innovation.

Alongside the ITIF report, the industry is pushing a second report this week (pdf), funded by telecom-industry lobbying group "Broadband for America." While most people familiar with sockpuppetry and astroturf will disregard these reports as the conflicted proxy musings of the telecom industry, the press usually isn't so savvy. In fact, ReCode ran an article on the study with a headline informing readers that ISPs know "less than you might think" about them, and an opening paragraph claiming ISPs "have limited access to consumer data." Only in a later update at the bottom of the story did ReCode disclose the study was funded by AT&T, Comcast and Verizon.

It's clear the broadband industry is now engaged in a full court press to derail rules that might take a small bite out of billions in user-tracking revenues. And in typical telecom-industry fashion, that involves creating a sound wall of fauxcademics, fake consumer advocates, third-party consultants and other mouthpieces who will be spending the next six months informing you that ISPs are utter angels when it comes to respecting and protecting consumer privacy, and that the status quo (read: no real privacy protections whatsoever) is good enough.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: broadband, fcc, privacy, studies
Companies: itif

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 10 Mar 2016 @ 5:52am

    This is a layer 3 or layer 4 problem.

    If you want to fix this, look into IETF working groups. This is where things like this get solved, and where the people who know how to solve these kinds of problems communicate.


    The fix is re-engineering something like DNS to run at layer 3, with some native cyptographic signature features, adding at least one bit to the layer 4 header to allow end users to designate that they "reserve all rights without prejudice" on every single datagram, and to implement those features in an open source replacement for Berkeley Sockets, or whatever has since replaced it in the kernel.

    What is happening instead, is the cable cabal is aligning with their neighbors over at the wintel alliance, and building networks around an end-node distribution model using teredo. Effectively this forks the whole Internet. The move towards "competative markets for cable boxes" is nothing more than a marketing move. If the Internet is a "box" in the consumers mind, it isn't a community, speech or a civil right. They don't want you to interface with your computer, they want you to interface with a box, because they can CONTROL the box.

    What about TOR? TOR is not a solution. It is a symptom of the larger problem: TCP is deprecated. Which is also a smaller problem, considering that protocol code is TINY compared application code.

    So what fixes this? Again, a drop in replacement for the system protocol stack that's what. What doesn't fix this? Anything currently being flogged by any of the big players.

    Network engineers need to start looking at the law as a loadable module. It is no different that calling into C from python, perl or ruby. But YOU DO have to read the code, and implement references to the respective methods.

    In a nutshell the software license for the new protocols has to say something like: "If you run this code you agree that if bit position N is true during transmission, it designates that the transmitting party reserves all of their rights without prejudice. This convention must cascade to all derived works, or any technology using this protocol."

    That simple phrase, or something like it, is all that is needed to facilitate the 1st, and 4th amendments across the Internet in a way the cabal can do nothing about. It is a nail on which to hang litigation.

    After 20 years of Internet, we still haven't standardized a simple mechanism for citizens to DECLARE a reservation of their civil rights. This can be attributed to ignorance or arrogance on the part Internet architects, and to bad civics teachers everywhere. "certain unalienable rights" was not law, it was a part of a hate mail letter.

    Internet is layer 3. A consumer SHOULD be able to pass ANY conforming datagram over it. If this is still the case, then really ANYONE could do this. If my C was good enough I'd have done it years ago.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.