The growing use of encryption, combined with consumers' increasing reliance on smartphones and tablets, has deprived Internet service providers of comprehensive information about their subscribers' Web use, privacy expert and former White House official Peter Swire argues in a new paper.
Swire, former Chief Counselor for Privacy in the Office of Management and Budget, says the 125-page report aims to address "a widely-held but mistaken view about Internet service providers and privacy."
His report comes as the Federal Communications Commission is preparing to propose new privacy rules for broadband providers. The report says it isn't making any specific policy recommendations, but broadly argues that "public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem."
Dozens of consumer groups have urged the FCC to require broadband providers to obtain consumers' explicit consent before tracking them for ad-targeting purposes. One of those organizations, the Open Technology Institute at New America, which joined in the call for new regulations, recently published a report arguing that Internet service providers pose unique risks to consumers' privacy.
Swire's report aims to cast doubt on that assertions. The report was funded by Broadband for America -- a coalition that includes AT&T, CenturyLink, CTIA - The Wireless Association, Comcast, National Cable and Telecommunications Association (NCTA), Telecommunications Industry Association (TIA), Time Warner Cable, USTelecom Association, and Verizon -- and the Institute for Information Security and Privacy at Georgia Tech, and the Georgia Tech Scheller College of Business. Swire says the report expresses his own views.
The report argues that consumers today access the Web through multiple devices, as well as multiple broadband providers. The result, he says, is that any one ISP has "far less of a comprehensive view of a user’s Internet activity."
"Roughly half of mobile traffic is offloaded to WiFi hotspots today, and that fraction will grow rapidly. The image of an ISP having 'comprehensive' visibility due to its provision of home broadband service is outdated" the report states.
He also argues that many popular Web sites use encryption technology that prevent ISPs from seeing detailed URLs and content. "There clearly can be no “comprehensive” ISP visibility into user activity when ISPs are blocked from a growing majority of user activity," Swire writes.
The report also argues that other companies -- namely social networks and search engines like Google -- are able to glean a great deal of information about people.
Swire says that Google and Bing are able to see search results and destination pages, but that ISPs can only see that a user has visited the root domain (like www.Google.com), when the results are encrypted. Google has encrypted all organic search results since 2013.
Swire writes that his comparison of search engines with ISPs "undermines the widely-held, but mistaken view that ISPs have comprehensive and unique knowledge about users’ online activity because they operate the last mile of the network."
He adds: "Non-ISP search engines are able to gain much unique insight into online user activity, often greater than that of an ISP."
But Harold Feld, senior vice president at consumer advocacy group Public Knowledge, says the report "dramatically overestimates the value of what encryption hides, and dramatically underestimates the value of information encryption cannot conceal."
He adds that even if ISPs don't know what Google searches people conduct, ISPs still are able to amass a great deal of information from people's activity at sites like Google and YouTube. "First, the ISP knows how long I'm there, which tells it whether or not this is search," he says in an email. "If I stay a long time, they know I am getting some other kind of information. .. If the ISP sees me regularly going to YouTube at around 1 a.m. and staying on the sight steadily downloading video until about 2:30-3 a.m., they deduce all kinds of things about me and my behavior."
Feld adds: "Modern information marketing is not a one-shot thing. It is all about identifying patterns of behavior."
Jason Kint, CEO of the publishers' group Digital Content Next, adds that consumers need more control over their data -- regardless of whether ISPs can collect more information than other companies.
"Much of the report hinges on this idea that Google, Facebook and ad tech companies are able to collect more consumer information than ISPs," he says in an email to MediaPost. "Regardless whether this is true, we need to build trust across the ecosystem rather than take a lowest-common denominator approach. Simply put, consumers need transparency and simple, persistent choice to not be tracked across the web."
Digital Content Next recently said in a letter to the Federal Communications Commission that ISPs should inform consumers about online tracking and give them a "meaningful choice" about whether their data will be used for behaviorally targeted ads. The industry group also asked the FCC to work with the Federal Trade Commission "to ensure that other entities with similar access to all or substantially all of a consumer’s online activity are held to a similarly high standard so that consumers are not confused by different standards across the same ecosystem."