The Federal Trade Commission is investigating the privacy practices of major Internet service providers, and it has ordered top ISPs to disclose whether they share user Web browsing histories, device location information, and other sensitive data with third parties. ISPs also have to provide details on how they collect and use personal information to target advertisements at consumers.
The FTC yesterday sent orders demanding information to AT&T, Comcast, Google Fiber, T-Mobile, and Verizon. In the cases of AT&T and Verizon, the FTC sent separate information requests for the companies’ home Internet and mobile broadband divisions.
All major ISPs denied selling or sharing their users’ browsing histories and other sensitive information in 2017, when they convinced Congress and President Trump to prevent implementation of broadband privacy rules. But since then, it’s been reported that T-Mobile, Sprint, and AT&T were selling their mobile customers’ location information to third-party data brokers despite promising not to do so.
The FTC orders tell ISPs that they must provide even confidential information in response to the agency’s questions, though it’s not clear whether the FTC will make any of that public.
FTC Chairman Joseph Simons yesterday said the commission plans “much more,” including hearings, workshops, investigations, “and potentially enforcement actions,” according to . When issuing the orders, the FTC noted that it has authority to “enforce against unfair and deceptive practices involving Internet service providers.”
“The FTC is initiating this study to better understand Internet service providers’ privacy practices in light of the evolution of telecommunications companies into vertically integrated platforms that also provide advertising-supported content,” the commission said.
Defining “personal information”
ISPs must file special reports containing all the requested information within 45 days of receiving the orders. The FTC voted 5-0 to issue the orders.
To comply with the orders, ISPs must (among other things) describe in detail the personal information they collect about consumers and their devices, how the ISPs combine personal information from different sources, how they store and protect personal information, what they use the personal information for, and “whether such information is disclosed to any third party.” The ISPs must identify each third party that has received personal information and “describe in detail the types of information disclosed to each third party.” The ISPs must also say whether they obtain personal information about consumers from third parties.
The FTC orders define “personal information” as follows:
Information about a specific consumer or device, including: (a) first and last name; (b) home or other physical address, including street name and name of city or town, or other information about the location of the individual, including but not limited to location from cellular tower information, fine or coarse location, or GPS coordinates; (c) email address or other online contact information, such as an instant messaging user identifier or screen name; (d) telephone number; (e) a persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a device identifier, a device fingerprint, a hashed identifier, or a processor serial number; (f) nonpublic communications and content, including, but not limited to, e-mail, text messages, photos, videos, audio, or other digital images or audio content; (g) Internet browsing history, search history, or list of URLs visited; (h) video, audio, cable, or TV viewing history; (i) biometric data; or (j) health or medical information.
If ISPs collect and/or share any of the data in the above definition, they have to tell the FTC. They also have to describe how any targeted advertising services rely on the personal information ISPs collect.
For each ISP program or service that collects personal information, ISPs must disclose the number of subscribers and the number of “unique consumers targeted, tracked, or otherwise identified by its ad services.”
Worse service for users who choose privacy?
In cases where customers are given a choice about whether personal information is collected, ISPs also must tell the FTC how many customers opted for more privacy and whether the ISPs provide worse service to customers who choose privacy.
For example, ISPs must tell the FTC if they have “ever offered different levels of service, quality of service, rates, pricing, rewards, or other incentives for consumers who opt-in to the collection of information about themselves, their devices, their communications, their viewing history, or their online activities.” (AT&T used to charge home Internet customers extra for privacy, but ended that particular program in 2016. The FTC data request only covers the period from July 1, 2017 to the present.)
The FTC also asked each ISP if it has “ever denied service, or otherwise degraded the quality of service” to consumers who don’t opt into such data collection. ISPs even have to tell the FTC if they’ve conducted internal research about this kind of practice.
“[F]urther, produce any internal studies, analyses, tests, marketing research, or experiments that the company has conducted or caused to be conducted on the provision of different levels of service, quality of service, rates, pricing, rewards, or other incentives for consumers who opt-in to the collection of information about themselves, their devices, their communications, their viewing history, or their online activities,” the FTC letters to ISPs say.