• by Wendy Davis  @wendyndavis, March 9, 2021

Starting next month, mobile carrier T-Mobile will draw on subscribers' web browsing history and app usage in order to serve them personalized ads, unless consumers opt out of the program.

The company quietly disclosed its plans in a Feb. 23 update to its privacy policy, but the change largely went unnoticed until this week.

T-Mobile says the data won't be tied to people's names or information that directly identifies them, but will instead be connected to a “mobile advertising identifier” or “another unique identifier.”

A company spokesperson says the ad identifiers -- which will be alphanumeric strings -- are "anonymous" and resettable.

But privacy advocates have long argued that unique identifiers can be linked to people's identities.

In 2016, the Federal Communications Commission passed regulations that would have prohibited internet service providers from using subscribers' web-browsing history or app usage for ad targeting, without opt-in consent. The Republican-controlled Congress repealed those rules the following year.

A 2019 Maine privacy law requires broadband carriers to obtain subscribers' affirmative consent before “using, disclosing, selling or permitting access to customer personal information.” 

That measure's definition of “personal information” is relatively broad. It includes web-browsing history, precise geolocation information, IP addresses and device identifiers.

A group of broadband industry associations, including CTIA -- The Wireless Association, sued last year to block that bill. In July, a federal judge sided against the broadband providers and refused to immediately issue an injunction against enforcement.

But the judge also allowed the providers to develop more evidence supporting their claim. The matter remains pending in federal court.

T-Mobile's online privacy notice has a section devoted to Maine, which says the company "will not use, disclose, sell, or permit access" to people's broadband data unless that's allowed in the state.

"Maine customers have rights that they can exercise here," the company adds, linking to a page that invites people to change their settings. 

"If you’ve gotta see ads, you might as well enjoy them. Manage how data is used to make your ads more relevant," that page states.

Consumer advocates have long argued that broadband providers should be subject to heightened privacy standards, given that broadband carriers can glean detailed knowledge about subscribers' online activity by examining all unencrypted traffic that passes through their networks.

News of T-Mobile's move quickly drew criticism by watchdogs.

"T-Mobile's decision to not make this program opt-in themselves shows how little they care for their customer's privacy,” Gaurav Laroia, senior policy counsel at advocacy group Free Press, says. “If they believe customers are clamoring to have their web-browsing history shared with advertisers let them opt-into the program. This episode underscores why the broadband privacy rules were necessary in the first place and why comprehensive privacy legislation is needed now."

John Bergmayer, legal director at the group Public Knowledge, adds: "Carriers should not use customer web browsing information for ads at all -- certainly not on an opt-out basis."