In late March, articles appeared online about the “end of privacy” on the internet. The Electronic Frontier Foundation warned, “If the bill is signed into law, companies like Cox, Comcast, Time Warner, AT&T, and Verizon will have free rein to hijack your searches, sell your data, and hammer you with unwanted advertisements.”
Of course, Google does all these things, but Google isn’t an ISP. According to the internet providers, letting Google sell data, but not Comcast, gave Google an unfair advantage.
Responding to broadband industry complaints that regulations applying only to ISPs were unfair, both houses of Congress voted in March to rollback a December 2016 Federal Communications Commission rule limiting the internet traffic data ISPs could sell.
Here is the theoretical distinction: Facebook and Google do not force you to use their service. No website forces you to visit. Therefore, the data websites collect about you is given voluntarily. You have decided to use a service knowing the provider might (and probably does) analyze visitor information. Your ISP, however, is not much of a choice. If you use a cellphone, the cellular service provider is your ISP. Changing providers requires significant effort. If you have broadband internet at home, it is likely through a cable or phone company. Choices are limited.
The FCC decided that since you cannot easily choose an ISP, those companies should not have the same freedom to collect, analyze, and sell data on website and networked application usage. The ISP also knows precisely which houses or businesses are assigned to specific IP addresses, so the ISP could analyze data down to the neighborhood level. Some ISPs collect data to the MAC address level, allowing them to identify which devices visited websites or received data from specific services.
The ISPs remain restricted in what data they can sell to other companies by the Telecommunications Act of 1934 and its various revisions. Cell phone companies already warn you that data are collected and used. Sprint, for example, states in their contracts that the company tracks “web sites you have visited, applications purchased, [and] applications downloaded or used.” What the companies legally cannot sell is data identifying specific individuals. That was true before December and remains true today.
The dispute between the FCC and the ISPs is about interpretations. Section 222 of the Telecommunications Act specifically requires customer permission before collecting and selling data. It also bans selling “identifying” data to third parties. The ISPs argue that if their contracts state data might be sold, you are giving permission the moment you sign up for internet service. The FCC wanted to give people the right to “opt in” to data collection by ISPs, while current rules require customers “opt out.”
The FCC cannot regulate websites such as Facebook because sites are not “communications providers” legally. The FCC can only regulate companies that own cables and towers, the infrastructure of the internet.
By overruling the proposed FCC interpretation of Section 222, nothing changed. The new guidelines never went into effect.
We trade our privacy online for free services, vaguely aware that Facebook and Google make money from targeted advertising and search analytics. If these companies didn’t sell something, they’d have to charge users.
Every major website and online service tracks use data. When you connect to a website, the website must know your internet address to send data back to your computing device, be it a computer, a tablet, a phone or a smart TV. That internet protocol (IP) address is four bytes, written with periods between the values. For example, 192.168.0.12 could be an IP address within a local area network. The IP version 4 standard is slowly migrating to IP version 6, but the concept remains the same: every computing device connects to the internet directly or indirectly through a unique identification number.
Without unique numbers, there would be no way to send data to the correct device. The IP is like a phone number: it routes the traffic across the network to its final destination. You want your Netflix movie sent to the correct tablet or streaming device.
Your internet service provider (ISP) assigns a primary IP to your home network. Generally, this one number is what websites and services receive. That number reveals the company that provides your internet service and your primary region within that ISP’s network. Because ISPs randomize assignments, the websites you visit usually cannot identify your precise location, but they can get close. The ISP, however, can identify specific locations on their networks.
Using Google analytics, I know that nearly 90 percent of visitors to my blogs are from the United States, Ireland, United Kingdom, France and Canada. These data have value because I can write about topics of interest to people in those countries, thereby increasing the appeal of my blog. The advertisements can also be targeted, so someone in France sees ads for French companies or in the French language.
Data show more Mac, iPhone, and iPad users visit my blogs than Windows users. I know my sites are most popular after 5 p.m. Eastern, suggesting people read the blogs when they return home from work.
Analytics tell me from where, at what time, and for how long someone visited one of the websites I manage. I don’t need the name or address of someone to get a great deal of value from the data. And there’s no way to stop me (or any website) from collecting data because without them we cannot transmit web pages or data to users. We need IP addresses; storing them for analysis is merely one extra step.
Despite all the online uproar, the largest data merchants in the United States are credit card companies and processors. Every purchase you make with a credit or debit card is analyzed. Those data are valuable to groups ranging from ad agencies to political parties. Yes, it is possible to map likely political affiliations through purchasing patterns. If you’re afraid of what an ISP might know about you, a credit card company likely knows more already. Stores issue loyalty cards to avoid paying the credit card companies for the same data.
Should we limit the ability of ISPs to sell information about internet use? Such limitations make little difference. We surrendered privacy the moment we connected our lives to data networks.