Last week, dozens of privacy advocates and other organizations pressed the Federal Communications Commission to move forward with broadband privacy rules.
The groups specifically want the FCC to prohibit broadband carriers from sharing data about subscribers with advertisers, without the subscribers' opt-in consent. FCC Chairman Tom Wheeler said last year that he intends to craft broadband privacy rules. But Wheeler has not yet said whether he thinks providers should obtain explicit permission from consumers before using Web-surfing data for ad purposes, or whether those companies should notify consumers about the practice and allow them to opt out.
The Open Technology Institute at New America, which joined in the call for new regulations, argues in a new 16-page report that Internet service providers pose unique risks to consumers' privacy, and therefore should be required to obtain people's opt-in consent before sharing data about them.
The group points out that Internet service providers don't just have access to nearly all sites users visit, but also know people's usage patterns -- which in themselves can be revealing. "Thanks to their unique position as access providers, ISPs can detect even subtle changes to a subscriber’s daily use habits," the report states.
For instance, the authors propose a scenario where a subscriber has lost his or her job and suddenly starts using a home broadband connection to visit job sites during the weekday. Merely visiting job sites might not signal that someone is unemployed. But when combined with the shift in Web usage, the job-site visits become a stronger indicator of a change in employment status.
The report's authors propose that a broadband provider in that situation could infer that the customer is now unemployed. "That information could be sold to predatory financial vendors or other troubling actors -- a chain of events whose root cause would never be visible to the subscriber herself," the report states.
The report also discusses a scenario where a subscriber visits a doctor's site, or a prescription refill page. That activity "could allow the ISP or a data broker partner to infer that the subscriber or someone close to the subscriber has been diagnosed with a new medical condition, such as a heart condition, depression, or another personal health condition," the report states. "In a worst case scenario, ISPs could sell this package of information and inferences to healthcare companies or to potential employers, all without authorization from the subscriber herself."