US privacy groups want rules for how ISPs can track their customers

ISPs and privacy groups wrestle over proposed regulations at the FCC

Some Internet service providers are building powerful tools to track customers, and the U.S. Federal Communications Commission needs to step in, privacy advocates say.

Some privacy advocates are calling on the FCC to create new regulations that limit how ISPs can track their customers across the Internet. The agency could release a proposal for ISP privacy rules as soon as this month, FCC Chairman Tom Wheeler said last week.

Some ISPs are deploying "invasive and ubiquitous" tracking practices as a way to deliver targeted advertising to customers, 12 privacy groups said in a letter to the FCC this week. In recent years, large ISPs like Comcast and Verizon have entered into advertising partnerships or launched their own advertising services that take advantage of ISP customer data, the letter said.

Because U.S. lacks a comprehensive privacy law, "there are very few legal constraints on business practices that impact the privacy of American consumers," said the letter, signed by the American Civil Liberties Union, the Electronic Privacy Information Center and other groups. "The FCC has the opportunity to fill this void."

Calls for FCC privacy regulation from privacy groups are setting up a showdown with ISPs and their trade groups, which have resisted agency action on privacy. For years, the Federal Trade Commission has taken enforcement action against companies, including ISPs, that violate their own privacy policies, critics of FCC action note.

"Rather than advocating for a comprehensive privacy policy that applies to all entities in the Internet ecosystem," those privacy groups want the FCC to create new rules applying only to ISPs, said Anne Veigle, senior vice president of communications at USTelecom, a telecom and ISP trade group. "This effort will not give consumers the clear and consistent protections they should have and will only harm competition and innovation on the Internet."

USTelecom, CTIA and three other ISP trade groups sent their own letter to the FCC on March 1, with the groups calling for the agency to keep the rules "flexible" and targeted on unfair or deceptive conduct, as the FTC does, instead of creating extensive new regulations.

"Consumer information should be protected based upon the sensitivity of the information to the consumer and how the information is used -- not the type of
business keeping it, how that business obtains it, or what regulatory agency has authority over it," the trade groups' letter said.

The move of the FCC toward new privacy rules for ISPs is related in part to the agency's reclassification of broadband as a regulated, common carrier service as part of new net neutrality rules passed in February 2015. The FCC had other avenues for passing new privacy regulations, but reclassification of broadband moved the authority for policing broadband privacy from the FTC to the FCC, said Harold Feld, senior vice president at Public Knowledge, one of the privacy groups calling for strong new rules.

While the privacy groups haven't proposed many specific rules for the FCC to adopt, they want the FCC to go farther than the FTC practice of filing complaints only after the agency saw a privacy violation.

The ISPs "have an obligation" to disclose more details about the information they collect and their uses of it, Feld said. The groups want the FCC to look at how ISPs are coming cable data from customer set-top boxes with other sources to "create very detailed user profiles for marketing purposes," he added.

The privacy groups also want ISPs to get opt-in permission to use customer data for most purposes. "We want ISPs to secure clear permission from subscribers before using the data collected for any purpose other than to provide broadband service," he said.

But extensive new rules may not be necessary with more customers using encryption to protect their data, some critics said.

Even the privacy groups recognize that "the use of encryption only continues to grow," said Debbie Matties, vice president for privacy at CTIA. "While many other companies providing services on the Internet have the ability to see and monetize this encrypted data, ISPs cannot. Different rules for ISPs would only confuse consumers and is not supported by the facts."

Join the CSO newsletter!

Error: Please check your email address.

More about CTIAElectronic Privacy Information CenterFCCFederal Communications CommissionFederal Trade CommissionFTCVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place