Earlier this month, President Trump signed an order that halted upcoming rules preventing internet service providers from collecting and sharing user data without consent. As it stands, ISPs can legally collect their users’ browsing history and sell it to marketers or others.
For some, that sounds like a huge breach of privacy. For others, it’s the sound of opportunity knocking.
It remains to be seen which ISPs will take advantage of their legal right to monetize user data. But there’s plenty of evidence that diminished privacy legislation carries very real risks.
“If there’s not a law that says you can’t sell it, then probably someone will try to sell it,” data analytics consultant Meta S. Brown told Digital Trends. “A lot of the stuff that we want to keep private, there are laws that keep it private.”
Drawing a portrait from a million points of data
Consider medical records and credit card transactions, two types of personal information that are protected by law. Such information would be very useful to various groups, as evidenced by numerous recent hacks targeting hospitals and other medical providers. But there are laws in place to prevent such data from being shared.
The legislation policing ISP’s capacity to share our browsing histories was meant to provide similar protections. Without such legislation, there’s nothing to stop the sale of such data for profit. In this situation, why wouldn’t companies take advantage?
For ISPs, the problem may be with the product itself.
“If I had browsing histories, and I could sell them — and let me make it clear, I am not in favor of this, it’s one of the reasons why I think we need reasonable privacy laws — I don’t think that the best place to sell that would be to businesses for marketing,” said Brown.
While ISPs have the right to collect and share user data, they’re impeded by the fact that most of their customers are households, rather than individuals. If each person in a household was tied to a user account, then their browsing history would give better insight into their interests, which could be used to advertise products and services. With several browsing histories intermingled, the data needs to be processed if it’s to be of much use. There are also other privacy risks, like one member of the household being served ads based on the browsing history of a fellow resident.
Data is valuable because it allows companies to perform direct marketing, rather than mass marketing — meaning that they’re targeting potential customers based on data, whether it’s public records that indicate that they recently bought a new home, evidence of an interest taken from browsing history, or something else entirely. Data collected from an entire household is too imprecise to be useful.
Yet companies don’t necessarily have to process data on their own. Companies like Acxiom specialize in aggregating this information from various sources. Publicly available information is combined with data collected from various sources, ranging from in-person surveys to purchases made on online accounts. The end goal is a comprehensive view of a prospective customer. ISPs could make money by selling off your browsing history to such an aggregator.
If there’s not a law that says you can’t sell it, then probably someone will try to.
“Many companies are discovering that they have people-based data assets,” reads the Audience Monetization section of Acxiom’s website. “But just because you have them doesn’t mean that you’ll be able to effectively leverage them.” The firm offers services to help other companies turn the data they’re collecting into a “corporate asset,” which can be used to make money.
The idea that someone could approach your ISP and ask to buy a record of your browsing history is largely a paranoid fantasy. Yet the truth might be even more uncomfortable.
Organizations like Acxiom are trawling all available sources for information on consumers. The data your ISP collects can be combined with data from other sources to form a sharper profile of your habits than any one source can achieve.
In this, ISPs do not deserve special shame. A variety of organizations, including social media networks and major retailers, have profiled customers for years. Not everyone is comfortable with that situation, however, and blocking ISPs from profiting on private data was an opportunity to set a new standard in a major industry, and show that limits can and should be implemented. Halting the rules is a major setback for privacy advocates.
Ways and Means
It’s difficult for the government to regulate the communications industry, given that it’s in a constant state of change thanks to the influx of new technology. As a result, the FCC typically prefers to interpret existing legislation, rather than come up with something wholly new and tailor-made for today’s standards of communication. In 2014, the Communications Act of 1934 was described as “the most important internet law” by VentureBeat.
This situation means that legislation pertaining to the internet can sometimes be flimsy and vague, allowing companies to bypass, if not break, the rules. The regulations that were set to go into effect later this year were intended to make the rules clear-cut. Given that they were repealed, rather than replaced with another set of rules, the status quo has been preserved — and it’s something of a wild west.
Current rules require little information be given to users up front. For example, Verizon Wireless users can find documentation related to data tracking in the legal section of the company’s website, but it’s well hidden compared to the resources aimed at “agencies, brands and channel partners” interested in sourcing user data via a program like Verizon’s Precision Market Insights.
There isn’t a legal obligation for ISPs to share how they utilize user data.
Precision Market Insights uses Verizon’s PrecisionID technology to offer access to “precise target audiences.” Official documentation describes this as “privacy-safe,” though that’s in dispute. In 2014, it was described by Wired as a “privacy-killing machine.”
Outside of Verizon’s marketing jargon, PrecisionID is known as a perma-cookie by the label X-UIDH. It works by injecting a unique device identifier into web requests made via the company’s network, which helps tie browsing habits to a data plan for marketing purposes. In 2014, the EFF expressed concerns about both the company’s usage of the technology and its potential vulnerabilities in a detailed blog post. Because of widespread criticism, customers were eventually offered the ability to opt-out.
In 2015, Verizon completed its $4.4 billion acquisition of AOL, which was widely observed as an attempt to secure a strong video advertising platform. Verizon has the means to find out what its users are interested in via PrecisionID, so buying technology that can serve up relevant ads based on that data would seem a wise investment.
There’s no confirmation that this is the company’s intent — but if the pieces fell into place by chance, it was a lucrative coincidence. The global market for telecommunications data as a service is expected to hit $79 billion by 2020, according to a report from Ad Age. The lion’s share of that will be made in the United States and Asia, because of tighter privacy regulations in the European Union.
The perceived value of internet service has dropped as the public has gotten used to ubiquitous network availability. However, if ISPs can make money elsewhere, they can afford to give their customers a better deal. It’s up to us to decide whether it’s worth giving up our privacy to get a better rate.
What do you really know about your ISP?
Now that the FCC’s planned consumer privacy rules have been struck down, ISPs are deciding what to do with user data behind closed doors. The proposed legislation would have meant that users had to opt-in, confirming that they’re aware of their ISP’s practices. Comcast has already pledged that users will be able to opt-out of data collection, but that requires users to be aware of the issue and have an impetus to make the decision, which is very different from an opt-in model.
“You can’t say for sure, unless you’re seeing the data that’s being sold,” said cybersecurity expert and CEO of Keeper Security Darren Guccione, when I asked him about how ISPs might utilize user data. “You don’t know the extent of the information that’s being transferred to a separate party.”
There isn’t a legal obligation for ISPs to share how they monetize our data — although, like many of the regulations pertaining to user privacy, it’s a murky subject. “As a federal matter, it is much less clear what the obligations are for ISPs,” wrote Ernestro Falcon, legislative counsel for the Electronic Frontier Foundation, corresponding with Digital Trends via email. “Even more so if you live in a state covered by the 9th Circuit Court decision (FTC vs AT&T Mobility), where the FTC itself is legally barred from addressing the practices of common carriers such as telephone and cable companies.”
The status quo is something of a wild west.
“Transparency laws regularly try to meet this goal of informing consumers about the products they are using,” he explained. “So yes, a law can be introduced that requires transparency on data collection practices.”
There is no such law, however. Companies may choose to publish reports of their own volition, as Comcast did shortly after the repeal, but it’s not legally required. “The bottom line: Comcast values our customers’ trust, and we will continue to protect the privacy and security of personal information,” wrote the company’s chief privacy officer Gerard Lewis. That’s a noble sentiment, but also one that’s driven by public relations.
Consumers would do well to reward companies that practice transparency with their business. Full, frank accountability should be the norm, not the exception. In lieu of laws to rein ISPs in, the average internet user can make their opinion heard by voting with their wallet. If your privacy is more valuable than having cheaper internet access subsidized by advertising, make sure you don’t sign a contract with a company that doesn’t make its stance on data collection public.
“There’s very little transparency in terms of the expanse of information that’s being traded in this ecosystem,” said Guccione. “I think the level of transparency is going to have to be greatly increased, or the result is going to be a tremendous amount of litigation.”