The Federal Trade Commission, in what could be considered a prelude to new regulatory action, has issued an order to several major internet service providers requiring them to share every detail of their data collection practices. The information could expose patterns of abuse or otherwise troubling data use against which the FTC — or states — may want to take action.
The letters requesting info (detailed below) went to Comcast, Google, T-Mobile, and both the fixed and wireless sub-companies of Verizon and AT&T. These “represent a range of large and small ISPs, as well as fixed and mobile Internet providers,” an FTC spokesperson said. I’m not sure which is mean to be the small one, but welcome any information the agency can extract from any of them.
Since the Federal Communications Commission abdicated its role in enforcing consumer privacy at these ISPs when it and Congress allowed the Broadband Privacy Rule to be overturned, others have taken up the torch, notably California and even individual cities like Seattle. But for enterprises spanning the nation, national-level oversight is preferable to a patchwork approach, and so it may be that the FTC is preparing to take a stronger stance.
To be clear, the FTC already has consumer protection rules in place and could already go after an internet provider if it were found to be abusing the privacy of its users — you know, selling their location to anyone who asks or the like. (Still no action there, by the way.)
But the evolving media and telecom landscape, in which we see enormous companies devouring one another to best provide as many complementary services as possible, requires constant reevaluation. As the agency writes in a press release:
The FTC is initiating this study to better understand Internet service providers’ privacy practices in light of the evolution of telecommunications companies into vertically integrated platforms that also provide advertising-supported content.
Although the FTC is always extremely careful with its words, this statement gives a good idea of what they’re concerned about. If Verizon (our parent company’s parent company) wants to offer not just the connection you get on your phone, but the media you request, the ads you are served, and the tracking you never heard of, it needs to show that these businesses are not somehow shirking rules behind the scenes.
For instance, if Verizon Wireless says it doesn’t collect or share information about what sites you visit, but the mysterious VZ Snooping Co (fictitious, I should add) scoops all that up and then sells it for peanuts to its sister company, that could amount to a deceptive practice. Of course it’s rarely that simple (though don’t rule it out), but the only way to be sure is to comprehensively question everyone involved and carefully compare the answers with real-world practices.
How else would we catch shady zero-rating practices, zombie cookies, backdoor deals, or lip service to existing privacy laws? It takes a lot of poring over data and complaints by the detail-oriented folks at these regulatory bodies to find things out.
To that end, the letters to ISPs ask for a whole boatload of information on companies’ data practices. Here’s a summary:
- Categories of personal information collected about consumers or devices, including purposes, methods, and sources of collection
- how the data has been or is being used
- third parties that provide or are provided this data and what limitations are imposed thereupon
- how such data is combined with other types of information and how long it is retained
- internal policies and practices limiting access to this information by employees or service providers
- any privacy assessments done to evaluate associated risks and policies.
- how data is aggregated, anonymized, or deidentified (and how those terms are defined)
- how aggregated data is used, shared, etc
- “any data maps, inventories, or other charts, schematics, or graphic depictions” of information collection and storage
- whether consumers are given any choice in collection and retention of data, and what the default choices are
- total number and percentage of users that have exercised such a choice, and what choices they made
- whether consumers are incentivized to (or threatened into) opt into data collection and how those programs work
- any process for allowing consumers to “access, correct, or delete” their personal information
- data deletion and retention policies for such information
Needless to say some of this information may not be particularly flattering to ISPs. If only 1 percent of consumers have ever chosen to share their information, for instance, that reflects badly on sharing it by default. And if data capable of being combined across categories or services to de-anonymize it, even potentially, that’s another major concern.
The FTC representative declined to comment on whether there would be any collaboration with the FCC on this endeavor, whether it was preliminary to any other action, and whether it can or will independently verify the information provided by the ISPs contacted. That’s an important point, considering how poorly these same companies represented their coverage data to the FCC for its yearly broadband deployment report. A reality check would be welcome.