With few protections in play, most of the last decade broadband ISPs have collected any and every shred of data about their customers' online behavior. It began with clickstream data, which ISPs sold to third parties, then either refused to comment on
or outright lied about. Since then, more intelligent network hardware has let ISPs use deep packet inspection to track and monetize user online behavior down to the second. In wireless, carriers like AT&T and Verizon not only collect and sell user online behavior and location data, but now embed stealth packet headers
to track and profile users across the entire Internet.
It was that last decision that raised eyebrows at the FCC, prompting the agency recently to consider
whether it should use its new Title II authority to build at least some basic rules of the road regarding broadband user privacy. This has, of course made the broadband industry rather nervous
. After all, the telecom industry has grown very comfortable with the fact that nobody has bothered to give half a damn about broadband privacy for the better part of a generation.
Enter the telecom-industry funded Information Technology and Innovation Foundation, which has released a new "study"
(pdf) that argues no privacy protections are necessary because you can trust broadband providers to do the right thing
. The report starts off on a highly scientific
note, insulting those who'd like some basic broadband privacy protections as "broadband populists" that are pushing an agenda that will -- you guessed it -- will hurt puppies, innovation, broadband deployment, and tear giant holes in the time-space continuum.
Amusingly, the report claims that basic privacy protections would prevent ISPs from providing "numerous benefits" to consumers. The report also tries to claim that basic privacy protections will somehow stop ISPs from properly managing their networks:
"Limiting the use of broadband data...would constrain broadband providers’ ability to provide numerous benefits to consumers. Analyzing data is essential for ISPs to understand patterns and trends in Internet traffic and allows for informed adjustments to network functions and capacity, both in the long and the short term. Customer data is also important to help diagnose problems within the network and facilitate responses to customer requests for assistance with various issues."
The report goes on to claim consumers really don't need
privacy protections because they have the option of using VPNs and encryption to hide their traffic from ISPs. But Nick Feamster over at Freedom to Tinker
does a nice job explaining why it's not really that simple. ISPs can still observe user online behavior based on overall traffic pattern and volume, unencrypted portions of communication, and the growing volume of unencrypted Internet of Things traffic. And a VPN is no guaranteed blockade to ISP snooping either, since again IOT devices won't use the VPN, and ISPs can often still monitor user behavior via DNS anyway.
To be clear, what the FCC is proposing isn't particularly heavy-handed, nor would it stop ISPs from managing their networks or even profiting from snoopvertising. With the FCC's recent Title II move, ISPs are now subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). But since those rules were crafted for older phone companies, the FCC's looking to modernize them for the modern era. We're talking about relatively basic protections, such as requirements that you inform customers if you're tracking them and selling their data, and give them opt out tools that actually work
Given the billions everyone is happily making hoovering up user data from Silicon Valley to K Street, there's really no serious political motivation to go beyond that, "populist" outcry or not.
But the report argues that broadband users don't need privacy protections at all
because hey, ISPs don't actually know much about you
and industry "self regulation" works exceptionally well to thwart bad behavior:
"The privacy policies of operating systems like Apple’s OS X and Google Android are also subject to FTC enforcement if they misrepresent how they use their users’ personally-identifiable information. This is the model for a well-functioning, self-regulatory environment that maintains the flexibility needed for rapid innovation and experimentation with welfare-enhancing business models. Broadband providers should not face steeper burdens for implementing advertising than already exist.
Except not. One, broadband is notably different from Apple and Google because telecom operators hold a monopoly over the last mile. Whereas an Apple smartphone customer annoyed at Apple's privacy policies can migrate to Android, or a Google search customer can pick a new engine, most broadband customers don't have a real choice of providers. Meanwhile, the FTC has proven all but useless in telecom privacy enforcement, and the self-regulatory approach has worked about as well in telecom as it has in the banking industry thanks to generations of cronyism and dysfunction.
For years, Verizon repeatedly stated that more meaningful privacy protections weren't necessary for broadband providers because "public shame
" would keep the company honest. Verizon-owned AOL recently parroted that idea
when it insisted "the market" would keep companies on their best behavior. How does that actually work in practice? As we've seen with Verizon's "zombie cookies," not at all.
In fact, it took months for security researchers to even realize that Verizon was embedding user wireless packets
with stealth tracking technology. It took another six months of public pressure before Verizon even gave users the option to opt out. The self-regulatory approach just doesn't work in telecom. What we get in reality are companies like AT&T that are now charging broadband users a $60 premium
if they want to opt out of invasive snoopvertising, then calling that innovation.
Alongside the ITIF report, the industry is pushing a second report this week
(pdf), funded by telecom-industry lobbying group "Broadband for America." While most people familiar with sockpuppetry and astroturf will disregard these reports as the conflicted proxy musings of the telecom industry, the press usually isn't so savvy. In fact, ReCode ran an article on the study
with a headline informing readers that ISPs know "less than you might think" about them, and an opening paragraph claiming ISPs "have limited access to consumer data." Only in a later update at the bottom of the story did ReCode disclose the study was funded by AT&T, Comcast and Verizon.
It's clear the broadband industry is now engaged in a full court press to derail rules that might take a small bite out of billions in user-tracking revenues. And in typical telecom-industry fashion, that involves creating a sound wall of fauxcademics, fake consumer advocates, third-party consultants and other mouthpieces who will be spending the next six months informing you that ISPs are utter angels
when it comes to respecting and protecting consumer privacy, and that the status quo (read: no real privacy protections whatsoever) is good enough.