Quence
Gay man
- Joined
- May 13, 2020
- Messages
- 6,707
- Reaction score
- -42,231
EXECUTIVE SUMMARY
Approximately 93% of adults in the United States use the internet, and the average
consumer spends six hours and fifty-six minutes online each day. As the direct gateways to this
essential and ubiquitous tool, internet service providers (“ISPs”) can monitor and record their customers’
every online move, giving them the ability to surveil consumers and amass large amounts of information
on them as they go about their daily lives. In addition to providing internet, voice, and cable access,
these gatekeepers have also become major players in content creation and ad monetization.
Over the past few decades, the telecommunications industry has evolved into vertically-
integrated platforms that provide internet, cable, content, distribution, advertising, and analytics—all of
which has increased the volume of information available about consumers, improved the industry’s
insights into consumers’ behaviors, and strengthened the persistence of identifiers capable of tracking
users across platforms and assets.
Rapid consolidation has allowed ISPs to access and control a much
larger and broader cache of consumer data than ever before, without having to explain fully their
purposes for such collection and use, much less whether such collection and use is good for consumers.
In August 2019, the Federal Trade Commission issued identical
Orders to File Special Reports (“Orders”) under Section 6(b) of the FTC Act to the country’s six largest
ISPs (AT&T Mobility LLC, Cellco Partnership d/b/a Verizon Wireless, Charter Communications
Operating LLC, Comcast Cable Communications d/b/a Xfinity, T-Mobile US Inc., and Google Fiber
Inc.)—comprising approximately 98.8 % of the mobile internet market—and three advertising entities
affiliated with these ISPs (AT&T’s Appnexus Inc.—rebranded as Xandr—and Verizon’s Verizon
Online LLC and Oath Americas Inc.—rebranded as Verizon Media). The Orders sought
information from these ISPs as to their data collection and use practices, as well as any tools provided to
consumers to control these practices.
The companies’ narrativeresponses and several detailed data sets provide remarkable insight into how many of the ISPs in our
study surveil consumers, use and disseminate consumer data, and the privacy implications of such use
and dissemination.
--------------------------------------------------------------------
Key Findings
1. Collection and Use
- Some ISPs in Our Study Combine Data Across Product Lines. Three of the ISPs in
our study revealed that they combine information they receive from consumers across
their core services and at least some of their other services (e.g., TV and video streaming
services, home automation and security products, connected wearables, etc.).
- Some ISPs in Our Study Collect Data Unnecessary for the Provision of Internet
Services. Some of the ISPs in our study collect additional data from their customers that
is not necessary to provide ISP services in order to enhance their ability to advertise (e.g.,
app usage history).
- A Few ISPs in Our Study Use Web Browsing Data to Target Ads. Two of the ISPs in
our study stated that they use web browsing information to target ads to consumers, and
another reserves the right to use such information for advertising purposes.
- Many ISPs in Our Study Group Consumers Using Sensitive Characteristics to
Target Ads. Many of the ISPs in our study serve targeted ads across the internet on
behalf of third parties. In doing so, they place consumers into segments that often reveal
sensitive information about consumers, allowing advertisers to target consumers by their
race, ethnicity, sexual orientation, economic status, political affiliations, or religious
beliefs.
- Some ISPs in Our Study Combine Personal, App Usage, and Web Browsing Data.
At least three ISPs in our study report combining consumers’ personal information, app
usage information, and/or browsing information for advertising purposes.
- A Significant Number of ISPs in Our Study Share Real-Time Location Data With
Third-Parties. There is a trend in the ISP industry to offer real-time location data about
specific subscribers to the ISPs’ third-party customers.
---------------------------------------------------------------------
Privacy Practices
In response to the Orders, the ISPs in our study detailed their notice and disclosure; consent and
choice; and access, correction, and deletion practices. The ISP industry’s privacy practices raise
concerns in four key areas:
1. Opacity. While several ISPs in our study tell consumers they will not sell their data,
they fail to reveal to consumers the myriad of ways that their data can be used,
transferred, or monetized outside of selling it, often burying such disclosures in the fine
print of their privacy policies. In addition, three of the ISPs in our study reserved the
right to share their subscribers’ personal information with their parent companies and
affiliates, which seems to undercut the promises not to sell personal information.
2. Illusory Choices. There is a trend in the ISP industry to purport to offer consumers
some choices with respect to the use of their data. However, problematic interfaces can
result in consumer confusion as to how to exercise these choices, potentially leading to
low opt-out rates.
3. Lack of Meaningful Access. Although many of the ISPs in our study purported to
offer consumers access to their information, the information was often either
indecipherable or nonsensical without context, potentially leading to low access
requests.
4. Data Retention and Deletion. While several of the ISPs in our study provided time
frames for deleting information, many asserted that they keep information as long as it
is needed for a business reason. However, many ISPs in our study have the ability to
define (or leave undefined) what constitutes a business reason, giving them virtually
unfettered discretion.
---------------------------------------------------------------------
Observations
As a result of the findings detailed above, we make the following four observations:
1) Many ISPs in Our Study Amass Large Pools of Sensitive Consumer Data. Several
ISPs in our study and their affiliates collect significant amounts of consumer information
from the range of products and services that they offer. The vertical integration of ISP
services with other services like home security and automation, video streaming, content
creation, advertising, email, search, wearables, and connected cars permits not only the
collection of large volumes of data, but also the collection of highly-granular data about
individual subscribers. Moreover, there is a trend in the ISP industry to combine the
subscriber data with additional information from third-party data brokers, resulting in
extremely granular insights and inferences into not just ISP subscribers but also their
families and households.
2) Several ISPs in Our Study Gather and Use Data in Ways Consumers Do Not Expect
and Could Cause Them Harm. While consumers certainly expect ISPs to collect
certain information about the websites they visit as part of the provision of internet
services, they would likely be surprised at the extent of data that is collected and
combined for purposes unrelated to providing the service they request—in particular,
browsing data, television viewing history, contents of email and search, data from
connected devices, location information, and race and ethnicity data. More concerning,
this data could be used in a way that’s harmful to consumers, including by property
managers, bail bondsmen, bounty hunters, or those who would use it for discriminatory
purposes.
3) Although Many ISPs in Our Study Purport to Offer Consumers Choices, These
Choices are Often Illusory. Although many of the ISPs in our study purported to offer
consumers choices, some of these choices were not offered clearly and indeed, nudged
consumers toward more data sharing.
4) Many ISPs in Our Study Can be At Least As Privacy-Intrusive as Large
Advertising Platforms. Despite ISPs’ relative size in a market dominated by Google,
Facebook, and Amazon, the privacy challenges that permeate the advertising ecosystem
may be amplified by ISPs because: (1) many ISPs have access to 100% of consumers’
unencrypted internet traffic; (2) several ISPs are able to verify and know the identity of
their subscribers; (3) many ISPs can track consumers persistently across websites and
geographic locations; and (4) a significant number of ISPs have the capability to combine
the browsing and viewing history that they obtain from their subscribers with the large
amounts of information they obtain from the broad range of vertically integrated
products, services, and features that they offer.
Approximately 93% of adults in the United States use the internet, and the average
consumer spends six hours and fifty-six minutes online each day. As the direct gateways to this
essential and ubiquitous tool, internet service providers (“ISPs”) can monitor and record their customers’
every online move, giving them the ability to surveil consumers and amass large amounts of information
on them as they go about their daily lives. In addition to providing internet, voice, and cable access,
these gatekeepers have also become major players in content creation and ad monetization.
Over the past few decades, the telecommunications industry has evolved into vertically-
integrated platforms that provide internet, cable, content, distribution, advertising, and analytics—all of
which has increased the volume of information available about consumers, improved the industry’s
insights into consumers’ behaviors, and strengthened the persistence of identifiers capable of tracking
users across platforms and assets.
Rapid consolidation has allowed ISPs to access and control a much
larger and broader cache of consumer data than ever before, without having to explain fully their
purposes for such collection and use, much less whether such collection and use is good for consumers.
In August 2019, the Federal Trade Commission issued identical
Orders to File Special Reports (“Orders”) under Section 6(b) of the FTC Act to the country’s six largest
ISPs (AT&T Mobility LLC, Cellco Partnership d/b/a Verizon Wireless, Charter Communications
Operating LLC, Comcast Cable Communications d/b/a Xfinity, T-Mobile US Inc., and Google Fiber
Inc.)—comprising approximately 98.8 % of the mobile internet market—and three advertising entities
affiliated with these ISPs (AT&T’s Appnexus Inc.—rebranded as Xandr—and Verizon’s Verizon
Online LLC and Oath Americas Inc.—rebranded as Verizon Media). The Orders sought
information from these ISPs as to their data collection and use practices, as well as any tools provided to
consumers to control these practices.
The companies’ narrativeresponses and several detailed data sets provide remarkable insight into how many of the ISPs in our
study surveil consumers, use and disseminate consumer data, and the privacy implications of such use
and dissemination.
--------------------------------------------------------------------
Key Findings
1. Collection and Use
- Some ISPs in Our Study Combine Data Across Product Lines. Three of the ISPs in
our study revealed that they combine information they receive from consumers across
their core services and at least some of their other services (e.g., TV and video streaming
services, home automation and security products, connected wearables, etc.).
- Some ISPs in Our Study Collect Data Unnecessary for the Provision of Internet
Services. Some of the ISPs in our study collect additional data from their customers that
is not necessary to provide ISP services in order to enhance their ability to advertise (e.g.,
app usage history).
- A Few ISPs in Our Study Use Web Browsing Data to Target Ads. Two of the ISPs in
our study stated that they use web browsing information to target ads to consumers, and
another reserves the right to use such information for advertising purposes.
- Many ISPs in Our Study Group Consumers Using Sensitive Characteristics to
Target Ads. Many of the ISPs in our study serve targeted ads across the internet on
behalf of third parties. In doing so, they place consumers into segments that often reveal
sensitive information about consumers, allowing advertisers to target consumers by their
race, ethnicity, sexual orientation, economic status, political affiliations, or religious
beliefs.
- Some ISPs in Our Study Combine Personal, App Usage, and Web Browsing Data.
At least three ISPs in our study report combining consumers’ personal information, app
usage information, and/or browsing information for advertising purposes.
- A Significant Number of ISPs in Our Study Share Real-Time Location Data With
Third-Parties. There is a trend in the ISP industry to offer real-time location data about
specific subscribers to the ISPs’ third-party customers.
---------------------------------------------------------------------
Privacy Practices
In response to the Orders, the ISPs in our study detailed their notice and disclosure; consent and
choice; and access, correction, and deletion practices. The ISP industry’s privacy practices raise
concerns in four key areas:
1. Opacity. While several ISPs in our study tell consumers they will not sell their data,
they fail to reveal to consumers the myriad of ways that their data can be used,
transferred, or monetized outside of selling it, often burying such disclosures in the fine
print of their privacy policies. In addition, three of the ISPs in our study reserved the
right to share their subscribers’ personal information with their parent companies and
affiliates, which seems to undercut the promises not to sell personal information.
2. Illusory Choices. There is a trend in the ISP industry to purport to offer consumers
some choices with respect to the use of their data. However, problematic interfaces can
result in consumer confusion as to how to exercise these choices, potentially leading to
low opt-out rates.
3. Lack of Meaningful Access. Although many of the ISPs in our study purported to
offer consumers access to their information, the information was often either
indecipherable or nonsensical without context, potentially leading to low access
requests.
4. Data Retention and Deletion. While several of the ISPs in our study provided time
frames for deleting information, many asserted that they keep information as long as it
is needed for a business reason. However, many ISPs in our study have the ability to
define (or leave undefined) what constitutes a business reason, giving them virtually
unfettered discretion.
---------------------------------------------------------------------
Observations
As a result of the findings detailed above, we make the following four observations:
1) Many ISPs in Our Study Amass Large Pools of Sensitive Consumer Data. Several
ISPs in our study and their affiliates collect significant amounts of consumer information
from the range of products and services that they offer. The vertical integration of ISP
services with other services like home security and automation, video streaming, content
creation, advertising, email, search, wearables, and connected cars permits not only the
collection of large volumes of data, but also the collection of highly-granular data about
individual subscribers. Moreover, there is a trend in the ISP industry to combine the
subscriber data with additional information from third-party data brokers, resulting in
extremely granular insights and inferences into not just ISP subscribers but also their
families and households.
2) Several ISPs in Our Study Gather and Use Data in Ways Consumers Do Not Expect
and Could Cause Them Harm. While consumers certainly expect ISPs to collect
certain information about the websites they visit as part of the provision of internet
services, they would likely be surprised at the extent of data that is collected and
combined for purposes unrelated to providing the service they request—in particular,
browsing data, television viewing history, contents of email and search, data from
connected devices, location information, and race and ethnicity data. More concerning,
this data could be used in a way that’s harmful to consumers, including by property
managers, bail bondsmen, bounty hunters, or those who would use it for discriminatory
purposes.
3) Although Many ISPs in Our Study Purport to Offer Consumers Choices, These
Choices are Often Illusory. Although many of the ISPs in our study purported to offer
consumers choices, some of these choices were not offered clearly and indeed, nudged
consumers toward more data sharing.
4) Many ISPs in Our Study Can be At Least As Privacy-Intrusive as Large
Advertising Platforms. Despite ISPs’ relative size in a market dominated by Google,
Facebook, and Amazon, the privacy challenges that permeate the advertising ecosystem
may be amplified by ISPs because: (1) many ISPs have access to 100% of consumers’
unencrypted internet traffic; (2) several ISPs are able to verify and know the identity of
their subscribers; (3) many ISPs can track consumers persistently across websites and
geographic locations; and (4) a significant number of ISPs have the capability to combine
the browsing and viewing history that they obtain from their subscribers with the large
amounts of information they obtain from the broad range of vertically integrated
products, services, and features that they offer.