
FTC Warns On ISPs Storing Data From U.S. Consumers

Watchdog says practices do not permit user choice or consent

Charlie Osborne

London – Oct. 30, 2021

Major internet service providers (ISPs) have come under fire in a new report published by the U.S. Federal Trade Commission (FTC).

Concerns surrounding the collection and use of data belonging to U.S. consumers prompted the regulator to launch an investigation and to publish a staff report on ISP practices, as well as their ramifications for customer privacy and choice.

In 2019, the FTC ordered AT&T Mobility, Cellco Partnership (Verizon Wireless), Charter Communications Operating LLC, Comcast Cable Communications (Xfinity), T-Mobile U.S., and Google Fiber to hand over information concerning data collection.

The ISPs above make up an estimated 98 percent of the mobile internet market in the United States, according to the FTC, accounting for millions of subscribers.

Three advertisers were also required to provide information on data collection and usage practices: AT&T’s Appnexus (Xandr), Verizon Online, and Oath Americas (Verizon Media).

The FTC labels some of the practices as “troublesome,” noting that today’s ISPs “access and control a much larger and broader cache of consumer data than ever before, without having to explain fully their purposes for such collection and use, much less whether such collection and use is good for consumers.”

This information is gathered from a variety of sources including internet usage and traffic reports, mobile apps, web browsing data, and services beyond internet connectivity — such as smart devices, advertising, analytics, and web content views.

“The vertical integration of ISP services with other services like home security and automation, video streaming, content creation, advertising, email, search, wearables, and connected cars permits not only the collection of large volumes of data, but also the collection of highly granular data about individual subscribers,” the FTC says.

According to the report, ISPs gather customer data at will, without offering consumers “meaningful choices about how this data can be used.”

To make matters worse, the FTC alleges that ISP consumer data is used in what could be considered a reckless or, potentially, biased fashion, as consumers are grouped into “sensitive” categories relating to race, ethnicity, religion, political leanings, or sexual orientation for the purpose of ad targeting and monetization.

In addition, the report claims that a “significant” number of ISPs share real-time location data with third parties, such as salespeople, property managers, and bondsmen — and potentially without clear consent to do so.

The FTC says that there are four main areas of concern that need to be tackled. The first is a common, opaque approach to how consumers are told their data is used. While customers may be promised that their information will not be sold, there are other ways to monetize it — and this information may also end up in the hands of parent companies and affiliates.

The second topic is what the regulator calls “illusory choices”: the deliberate use of tactics to confuse customers when making decisions over consent and opt-in/out services. The third problem is an overall lack of clarity when users request their information. The FTC says that in many cases, these records are “indecipherable or nonsensical without context.”

Finally, the use of “business purposes” to keep hold of consumer data has been highlighted as a term that often lacks definition, granting ISPs “virtually unfettered discretion” in how long data is kept.

FTC Chair Lina Khan commented, “As the internet has become increasingly essential for navigating modern life, scrutinizing the practices of the firms that provide these key services is critical.”

CTIA, the wireless industry association, of which Verizon is a member, told us, “Consumers’ online safety and privacy is a top priority for the wireless industry, and federal legislation that uniformly protects users across all platforms is the best way forward. We are looking forward to continuing to work with the FTC, lawmakers and companies across the ecosystem to ensure consumers are protected.”

Comcast chose not to comment but pointed us to a past pledge to uphold the privacy of Xfinity users. T-Mobile said that the telco “shares the FTC’s focus on consumer privacy and building trust, and we also support federal legislation that would create one uniform standard for all online companies.”

A USTelecom spokesperson said, “As the FTC has called for numerous times, and as previously urged by USTelecom, Congress must enact a national, comprehensive federal privacy framework that puts consumers first and applies uniformly to all companies operating online.”

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets. 
