Last week security researchers discovered that Nest thermostats had been leaking homeowners’ zip codes thanks to an encryption flaw that has since been fixed. That information led on my local news as part of ever-increasing fear mongering over the connected devices that consumers are bringing into their homes. There are toilets that can be “hacked”. Baby monitors can be hacked because users don’t change their passwords from the factory default settings, and very real security holes exist thanks to old software and lazy manufacturers more concerned about cutting costs than curbing crime.

But this singular focus on new, connected devices, or older, connected routers ignores the elephant in the room. Your biggest security risk may in fact be your Internet Service Provider. A report out last week from the Open Technology Institute points out that ISPs often have a gold mine of information about their users’ Internet traffic and increasingly, they are not shy about using it.

For more on security watch our video.

For example, AT&T (T) already offers a discount to customers of its Fiber to the home plan if customers elect to share information about which sites they surf to with the ISP for marketing purposes. When they opt in to this program, they get $30 off their monthly broadband bill and received targeted advertising based on the sites they visit. From conversations with those who have been briefed on the program, most customers opt in. It makes sense. In my research, opting out is a costly proposition, leaving privacy a luxury few can afford.

However, the use of such data is a slippery slope. And one that several parties are hoping the Federal Communication Commission takes up as part of its network neutrality efforts. When the FCC issued its network neutrality rules in 2015, it decided to leave open the option to regulate consumer privacy as it relates to ISPs using their data. Now 58 organizations such as the American Civil Liberties Union, the Electronic Privacy Information Center, and the Center for Democracy and Technology are calling on the FCC to take action.

Get Data Sheet, Fortune’s technology newsletter.

The hope is that the agency will issue a Notice of Proposed Rulemaking within the next few months to start the process of figuring out what data an ISP is allowed to use. The data called Customer Proprietary Network Information, or CPNI, could include everything from customers’ names and addresses, to the IP addresses the devices in customers’ homes visit. It could also include things like when the customer is home, since idle Internet activity might signal someone who isn’t around, or location in the case of wireless providers. And as more devices send information over the web, their content too, might become fair game if not encrypted.

The OTI report paints a pretty grim picture.

ISPs’ role as Internet gatekeepers also enables them to obtain intimate insight into the otherwise confidential details of other companies’ dealings with their customers, including companies that compete directly with the ISP and its affiliates in other markets. For example, AT&T, which markets its own version of a home security system, could use its position as an ISP to surveil private business communications that pass between its subscribers and a home security company that competes with AT&T in that market. It might elect, for example, to track which users seek technical support on the competitor’s site, and extend special offers to those users.

ISPs are privy to enormous amounts of data because of the very nature of the service they provide. They have historically tried to make money off that privileged position in several ways, some of which have led to Congressional hearings. We’ll see if the FCC decides to stop this latest attempt.