Much attention has been paid to the pervasive surveillance that consumers face from social media companies, but a recent study from the Federal Trade Commission (FTC) suggests that internet providers may know just as much, if not more, about their users.
Differing from social media platforms and other websites, internet service providers (ISPs) give their customers access to the infrastructure powering the internet. As such, ISPs have access to all unencrypted internet traffic taking place on their networks.
“Unlike many other entities, these ISPs have access to each of the websites a consumer visits, and they can target based on subscriber information,” the report reads, also using the analogy of how recipients of mail can’t hide their address from a letter carrier.
“Notably, unlike traditional ad networks whose tracking consumers can block through browser or mobile device settings, consumers cannot use these tools to stop tracking by these ISPs, which use ’supercookie' technology to persistently track users.”
This state of affairs has led to what the FTC has called “troubling” data collection practices among these companies, including mixing data across product lines; combining personal, app usage, and web browsing data to target ads; placing consumers into sensitive categories, such as race and sexual orientation; and sharing real-time location data with third parties.
The ability for ISPs to granularly track consumers is heightened further by the fact that many of them offer various other services, such as video streaming, content creation, advertising, email, search, and wearables, according to the report.
For example, Google offers Gmail and YouTube, while also operating the internet provider Google Fiber in many parts of the country. Additionally, ISP Comcast owns NBC Universal, Verizon purchased AOL in 2015 before selling it earlier in 2021, and Amazon received approval in 2020 to deploy and operate 3,236 satellites to deliver broadband services in the United States.
“This rapid consolidation has allowed ISPs to access and control a much larger and broader cache of consumer data than ever before, without having to explain fully their purposes for such collection and use, much less whether such collection and use is good for consumers,” the report reads.
“This means a single ISP has the ability to track the websites their subscribers visit, the shows they watch, the apps they use, their energy habits, their real-time whereabouts and historical location, the search queries they make, and the contents of their email communications.”
According to the report, one ISP told the FTC that it doesn’t combine data from its various services, but three other ISPs admitted to doing so. The report is based on information provided by six major ISPs: AT&T, Verizon Wireless, Charter Communications Operating, Xfinity, T-Mobile U.S., and Google Fiber. The report doesn’t state which specific ISPs engage in specific data-collection practices.
Some states have responded with laws seeking to regulate how ISPs use data. Maine approved a law in 2019 preventing ISPs from using, disclosing, selling or permitting access to customer personal information unless customers give them consent to do so.
The report doesn’t make any policy recommendations, but FTC Chair Lina Khan suggested in a statement that further antitrust scrutiny should be placed on ISPs that offer a variety of other services.
“The ways in which expansion across markets enables firms to combine highly sensitive–and, often, highly valuable–commercial data underscores the need for us to consider in our merger review process how certain deals may enable degradation of user privacy.”
As for consumers, the report suggests that they could protect their privacy from ISPs by using virtual private networks (VPNs)—tools that provide what amounts to a private, encrypted network over the public internet. However, the report notes that only about 6 percent of Americans use VPNs because most are subscription services.