The telecom and cable industry recently urged the Federal Communications Commission to impose the loosest possible restrictions on broadband providers' ability to track people in order to serve them targeted ads.
This week, consumer advocacy groups responded by asking the FCC to take a hard line with ISPs.
"Because the United States currently lacks comprehensive privacy legislation or an agency dedicated to privacy protection, there are very few legal constraints on business practices that impact the privacy of American consumers," a coalition of 12 digital rights organizations including the Electronic Privacy Information Center, Center for Digital Democracy, ACLU and Public Knowledge say this week in a letter to the FCC.
The digital rights groups go on to ask the FCC to curb the "increasingly pervasive tracking practices" used by broadband providers.
The ACLU and other organizations make clear that they disagree with conclusions in a recent report by privacy expert Peter Swire. He said last week that ISPs no longer have a "comprehensive" view of subscribers' activity due to encryption, among other factors.
The advocates' letter points to several reasons why they believe Swire is wrong. For one, 65% of Internet traffic in North America was unencrypted as of last April, the letter states.
Second, even when traffic is encrypted, ISPs can still gather intelligence from the metadata -- including information about the time and size of the packets.
"HTTPS also does not prevent ISPs from seeing the websites to which a user navigates. Such information can reveal intimate details of the user’s lifestyle," the privacy groups write.
They add: "Regardless of encryption, ISPs still receive data related to the frequency, timing, location, and volume of a user’s Internet access. This information can reveal intimate details about the subscriber, such as when a user has recently become employed or given birth to a child."
The FCC is expected to move forward with broadband privacy rules by the end of April.
The agency had not yet proposed any specific rules, but its recent deal with Verizon suggests the FCC will require opt-in consent for certain types of tracking.
That settlement, released this week, stemmed from Verizon's decision to insert unique tracking headers -- 50-character alphanumeric strings -- into all unencrypted traffic on the mobile network. Ad networks were able to use those headers to send targeted ads to mobile users, even when they tried to avoid tracking by deleting their cookies.
After news of the headers became public, the FCC began investigating whether Verizon violated the Communications Act's privacy provisions -- which require carriers to protect customers' "proprietary information" -- as well as whether the company violated a 2010 net neutrality rule requiring disclosure of broadband management practices.
Verizon agreed to settle the investigation by paying a $1.35 million fine, and by promising to obtain subscribers' opt-in consent before sharing tracking headers with a third party for targeted ad purposes. The company now promised to allow subscribers to opt out of having headers inserted into mobile traffic, and to opt out of having the headers used for ad purposes by companies affiliated with Verizon.