Internet service providers are collecting and using data in unexpected and potentially harmful ways, the Federal Trade Commission said in a staff report issued Thursday.
Consumers “would likely be surprised at the extent of data that is collected and combined for purposes unrelated to providing the service they request -- in particular, browsing data, television viewing history, contents of email and search, data from connected devices, location information, and race and ethnicity data,” the agency said in its 76-page report.
“More concerning,” the FTC adds, “this data could be used in a way that’s harmful to consumers, including by property managers, bail bondsmen, bounty hunters, or those who would use it for discriminatory purposes.”
The report stems from a privacy investigation launched in 2019, when the agency sent detailed questions to six large broadband providers -- AT&T, Verizon Wireless, Charter Communications, Comcast, T-Mobile and Google Fiber.
The report also says two of the broadband providers used consumers' web-browsing activity for advertising, and a “significant” number shared customers' real-time location data with third parties.
“Internet service providers are surveilling users across a broad swath of activities, enabling hyper-granular targeting in the serving of ads and other services,” FTC Chair Lina Khan stated Thursday.
“The individualized and hyper-granular dossiers that internet service providers are collating can enable troubling -- and potentially unlawful -- forms of discrimination,” Khan added.
The report didn't name the carriers currently using web-browsing data for ad targeting, but some of the major mobile carriers say in their privacy policies that they target ads based on web-browsing activity.
In March, T-Mobile launched an ad program that draws on subscribers' web browsing history and app usage in order to serve them personalized ads, unless consumers opt out. T-Mobile said at the time that the data wouldn't be tied to people's names or information that directly identifies them, but would instead be connected to a “mobile advertising identifier” or “another unique identifier.”
The FTC also found that even though broadband carriers say they allow consumers to control the use of their data, that ability is hindered by confusing interfaces and cumbersome procedures.
The FTC has the authority to crack down on companies' deceptive and unfair practices, such as failing to honor privacy promises. But attempts by the agency to issue new privacy regulations could run into significant hurdles.
In 2016, a different agency -- the Federal Communications Commission -- passed privacy rules that would have required carriers to obtain opt-in consent before drawing on subscribers' web-surfing data and app usage history for ad targeting.
The following year, Congress voted to repeal those rules.
The ad industry had opposed those 2016 privacy rules, arguing that requiring broadband providers to obtain users' opt-in consent subjected carriers to tougher standards than search engines, social networking services and other web companies. In general, those companies allow consumers to opt out of receiving targeted ads based on web-browsing activity.
Privacy advocates approved of the FCC's opt-in approach. They argued that broadband providers should be held to higher privacy standards than other web companies, given that broadband providers have a comprehensive view of people's online activity. Not only can broadband providers see all unencrypted traffic on the network, but they also can make inferences about users based on encrypted traffic, according to the consultancy Upturn.
The FCC largely lost the ability to regulate privacy practices of broadband providers during the Trump administration, when the agency reclassified broadband as an “information” service.
Should the Biden-era FCC reclassifies broadband as a “telecommunications” service, that agency would again have the authority to police the carriers' privacy practices.