How Much Does Your ISP Know About You? Less Than You Might Think
ISPs have limited access to consumer data — often, less than other online players do — according to a new study from noted privacy and cyber security expert Peter Swire, a law professor at the Georgia Institute of Technology who worked as chief privacy counsel in the Clinton White House.
And that limited access is a reflection of their weakening economic position. Even though ISPs are moving into digital advertising, online platforms like Google and Facebook sponge up far more info and revenue. Of all the indicators of personal data collected, “traditional ISPs are not market leaders in any of the areas,” Swire said on a press call. “If you look at where the dollars are, which is a sign of where the valuable data is, it’s not the ISPs that are a part of that.”
Privacy is as important as ever, especially given Apple’s current standoff with the FBI. Right now, the Federal Communications Commission’s Open Internet Order gives regulators the authority to impose tougher privacy rules on broadband providers. Up until now, privacy protection has fallen to the Federal Trade Commission, which proposed a Do Not Track initiative that is making painfully slow progress.
“We’re existing in a world where the capital asset of the 21st century is information, and it ends up being information about you and me,” FCC Chairman Tom Wheeler told interviewer Charlie Rose last fall. “You and I ought to have a voice in the collection of information about us. This is on our agenda as well. You will see us, within the next several months, addressing the question of privacy practices of those who provide network services and how it affects you and me.”
Privacy advocates including the American Civil Liberties Union, the Center for Democracy & Technology, the Electronic Frontier Foundation and a long list of others are cheering the FCC on, saying consumers need strong rules to protect them from having their personal information collected and shared by their ISPs without their consent.
Industry trade groups, such as the CTIA and National Cable & Telecommunications Association, are saying, um, not so fast. We like things the way they are.
Swire decided to hit both sides of the debate with a little knowledge, so policy makers can make informed choices. He and co-authors Justin Hemmings and Alana Kirkland just published a 125-page report. They leave the larger policy question to the folks in D.C.
Here are some of the key findings:
Back in the 1990s, people accessed the Internet from a desktop computer connected to a single Internet provider. Today, the typical Internet user has more than six connected devices that access the Internet in a variety of ways, via multiple ISPs. Nearly half of mobile traffic comes via Wi-Fi. So any one ISP accounts for just a fraction of a user’s online activity. Encryption is pervasive. All of the top 10 websites encrypt by default or when a user asks. One analysis of Internet backbone data revealed that roughly half of total traffic comes through at the secure HTTPS protocol, which blocks the ISPs from seeing users’ content or detailed URLs. A host of other online players — online social networks like Facebook, Google+, Pinterest and Twitter, search engines like Google, webmail services like Gmail and Yahoo Mail, messaging apps including Facebook Messenger, Snapchat and WhatsApp — track online activity for advertising purposes. The real insights come from combining information across services or platforms, known as “cross-context tracking.”
“The evidence does not support a claim that ISPs have ‘comprehensive’ knowledge about their subscribers’ Internet activity,” Swire and the study’s other authors conclude. “Similarly, ISPs lack ‘unique’ insight into users’ activity, given the many contexts where other players in the ecosystem gain insight but ISPs do not.”
Update: The report was funded by Broadband for America, a coalition whose members include AT&T, Comcast, Time Warner Cable and Verizon; as well as the Institute for Information Security and Privacy at Georgia Tech and the Georgia Tech Scheller College of Business.