Hold on to your data, because Internet service providers are ready to give up your phone calls, your web surfing habits and troves of other personal information they have under the idea that regulating privacy based on industry specific rules is archaic, an AT&T executive said Tuesday. Robert Quinn, a senior vice president for AT&T who handles federal regulatory matters, said “entity-based regulation,” such as the Health Insurance Portability Accountability and Assurance Act, which protects medical data, “is a last-century based approach to regulation.”
Quinn, speaking at workshop hosted by the Federal Communications Commission, didn’t detail the rules he’s hoping to see the agency implement. But he did point to AT&T’s current privacy policy for its new GigaPower gigabit broadband Internet service, as an example of the types of privacy that Ma Bell favors. Customers of the GigaPower service, which AT&T sells in Austin, Texas, and is rolling out in a few other markets, can choose between paying $70 per month for gigabit broadband service in exchange for letting AT&T see what websites they visit or pay $99 per month for the same service without the snooping (plus a $7 monthly modem rental fee and $99 activation fee that AT&T doesn’t like to mention in its marketing). Ma Bell uses the data of customers who opt into the program to show them more targeted online ads.
Laura Moy, senior policy counsel at New America’s Open Technology Institute, a consumer advocacy group, brought up the idea that this sort of privacy was dependent on income as opposed to real privacy, because most people will overwhelmingly choose cheaper internet service. Quinn deflected that argument by saying that other companies offer similar ad-supported services in exchange for discounted pricing. What Quinn seems to be ignoring is that those other ad-supported services such as Facebook run on top of the broadband networks. AT&T is actually proposing tapping the networks themselves and using a technology called deep packet inspection to peek at people’s web surfing as a way to improve its marketing.
It’s a tactic that ISPs tried back in 2008 by using the services of companies such as Phorm and NebuAd, which provided such deep packet inspection technology. After users complained, those companies got dragged in front of the U.S. Senate. After that, the US ISPs dropped their efforts, NebuAd shut down, and Phorm moved to other markets. But if AT&T can get away with it here, I’ve already heard executives at other ISPs express interest in trying to do so again.
That’s only one threat to consumer privacy from ISPs on their broadband networks. The other issue brought up in the workshop was access to what’s known as customer proprietary network information, or CPNI. This includes a lot of detailed information that telecommunications companies collect about you. Wireless providers, for example, know where you are when you have your cell phone turned on, who you call and how long you talk to them, the type of device you carry, and thanks to certain questionable tactics, exactly what sites you visit. Internet service providers have even more information including data about the types of devices you have connected to your home broadband network, and if you use the ISP’s equipment.
The FCC regulates how the ISPs share this data — and for the most part — ISPs can’t. However, with the new network neutrality rules, the FCC is eyeing how it wants to enforce privacy on ISPs. There is also a law called the Data Security and Breach Notification Act of 2015 recently made its way out of a House committee that could limit the FCC’s ability to oversee how ISPs share that information. This has consumer advocates worried that ISPs might suddenly use that treasure trove of data they have to offer more intrusive marketing campaigns or share the information with data brokers.
At the hearing, those privacy advocates tried to push a list of additional privacy considerations that the FCC and Federal Trade Commission should consider sacrosanct even as data becomes the currency of the digital economy. They include:
- ISPs should not engage in deep-packet inspection, which looks at consumer’s internet data at the individual packet level and can show where they search and the apps they use online;
- ISPs should not snoop on consumers’ home networks (devices or files) via their Wi-Fi routers;
- ISPs should not use so-called “perma-cookies” to track customers across websites even after customers turn cookies off
- ISPs should be cautious about storing children’s web surfing data
- ISPs should have reasonable policies about how long surfing histories are stored
Reasonable experts may quibble over some of the proposals. For example, many networks use deep-packet inspection as a tool to understand what kind of traffic is slowing across their networks so they can better manage it. And it’s not just AT&T or Verizon that sniffs out the devices on your home network. Software running on your phone has the same capability. For example, I have an app on my phone that let’s me control connected devices on my home Wi-Fi network. It can only do so because the app sniffs for devices that have a connection.
But as the government eyes privacy in an ever-more connected world, its clear that the telecommunications providers are eager to turn customer data into cash. And it’s just as clear that many consumers view that information as sensitive as the chart above from the Pew Research indicates. We’ll see who the government listens to.
