Despite the growing use of encryption technology, Internet service providers still are able to glean a great deal of information about their subscribers, including whether they're researching medical conditions or seeking advice about financial matters.
That's according to a new report by Upturn, a Washington, D.C.-based consultancy that advises policymakers about technology.
"Today, ISPs can see a significant amount of their subscribers' Internet activity, and have the ability to infer substantial amounts of sensitive information from it," the report states. Upturn's report was funded by the Media Democracy Fund.
"This is especially true when that traffic is unencrypted," the report says. "Moreover, ISPs and the vendors that serve them have clear opportunities to develop methods of inferring important information even from encrypted data flows."
The report was released in response to a paper published last week by privacy expert Peter Swire, who concluded that the growing use of encryption -- combined with other factors, like the proliferation of smartphones and tablets -- is depriving Internet service providers of comprehensive information about subscribers' Web use. Swire's paper was funded by the telecom industry group Broadband for America.
"We believe that the Swire paper, although technically accurate in most of its particulars, could leave readers with some mistaken impressions about what broadband ISPs can see," the Upturn report says. "We offer this report as a complement to the Swire paper, and an alternative, technically expert assessment of the present and potential future monitoring capabilities available to ISPs."
For the paper, Upturn examined the top 50 sites in health, news and shopping. More than 85% of those sites don't fully support encryption, the report states. "The sites included references on a full range of medical conditions, advice about debt management, and product listings for hundreds of millions of consumer products."
Upturn also notes that ISPs can glean information about consumers even when they visit encrypted sites. "By examining the features of the traffic -- like the size, timing and destination of the encrypted packets -- it is possible to uniquely identify certain web page visits or otherwise reveal information about what those packets likely contain," the report says.
Swire said through a spokesperson that the report "agrees with the overall factual accuracy of our working paper."
He added: "Our report is over 120 pages, and provides many facts for policymakers. We welcome additional studies to provide a strong factual record to inform policymakers."
The new studies come as the Federal Communications Commission is preparing to craft privacy rules that could restrict broadband providers from tracking consumers in order to serve them with targeted ads. The agency's authority to issue those rules comes from its recent decision to reclassify Internet service providers as common carriers; that move subjects broadband providers to some of the same confidentiality rules as telephone companies.
FCC Chairman Tom Wheeler has indicated that he favors at least some restrictions on broadband providers. While he hasn't said precisely what rules he'll propose, he's evidently preparing something that broadband providers might not like.
In a recent interview with The Verge, he said that he expects a battle over privacy. "There are three key concepts," he told The Verge. "One, that [broadband companies] are collecting data on me and it isn't being held securely. Two, they're collecting data on me and they ought to be telling me what they're collecting and what it's being used for. And three, I ought to have the choice to say whether I want them to do that or not."