Should Your ISP Monitor What You Do With Your Internet Service?
For years, privacy advocates have warned, “if you’re not paying for it, you’re the product.” That is, services that are offered for “free” have to be monetized somehow, and it’s likely to be with your data. However, this axiom is too modest. In the era of Big Data, it doesn’t matter if you’re paying or not — you’re the product regardless.
Last month, AT&T announced significant proposed modifications to its privacy policy, allowing the company to monitor and use the data that its customers generate using its wireless and wireline networks for marketing and analytics purposes. To its credit, AT&T solicited comments from the general public about the changes and how the policy could be improved. CDT has long been concerned about ISPs and other intermediaries monitoring Internet traffic, and we believe that AT&T’s proposed policy does not offer sufficient assurances that its customers’ communications data won’t be retained indefinitely, potentially subject to various unwanted uses as well as to government access. We urge AT&T and other carriers with similar programs to modify their policies to place stricter limits on the collection and retention of data about individual usage of their networks.
Under the terms of the proposed policy, AT&T will now have the right to monitor its customers’ communications for marketing and research purposes. In doing so, AT&T is joining wireless carriers Sprint and Verizon which announced similar programs over the last two years. All three companies’ programs are similar: the carrier collects extensive information about what customers do on their networks — including the websites they visit, the apps they use, and their physical location. Based on that data, the companies compile market research reports about how people use their networks. For example, a carrier might sell to a local newspaper publisher information about what other types of sites were visited by users who went to the newspaper’s site. Or the carrier could tell a store how many phones are in or near the store at certain times of day.
The carriers already collect some of this data. There may be instances where intermediaries need to monitor traffic without affirmative opt-in permission – for example, to ensure stability and security of their networks. These needs are perhaps more acute for wireless carriers, as they may have a stronger interest in knowing the types of communications they are transmitting for network management purposes, given the bandwidth constraints of mobile networks. However, the case for needing to monitor and collect all information about customer communications has not been made to consumers. If some network collection is essential to the operation of the service, then collection should be limited to whatever is strictly necessary, the use of that data should be narrowly scoped, and the data should be deleted, de-identified, or aggregated as soon as possible.
Importantly, each of the carriers pledges that it will put in place safeguards in order to ensure that consumer data is kept secure. Also, the companies stress that information about individuals is never shared with other parties. The clients or partners that receive reports only receive aggregate information about users in general or about classes of users. Moreover, the user’s own experience won’t be changed at all unless users separately and affirmatively opt-in to a behavioral advertising product that customizes ads based on Internet usage.
While the information collected under these market research programs undoubtedly provides valuable insights for businesses, and while it won’t be shared with others in any way that can be tied back to an individual, the mass collection of customer data and the use of geolocation tracking nevertheless raise significant concerns. The aggregation of the data does eventually resolve these privacy concerns, but to the extent the data is kept in an individualized and identifiable form to subsequently generate aggregate reports, users’ privacy interests are at stake. If the aggregate reports were created from truly de-identified data sets, our concerns might be addressed, however, it’s not clear that that’s happening here. Even when identifiable data is collected and retained for limited purposes, consumers could reasonably worry that their data could later be used for new, unexpected, and unwanted purposes; accessed and misused by a rogue employee; breached by hackers; unwittingly exposed; or accessed by law enforcement or an intelligence agency without robust legal process.
Comprehensive Data Collection and Government Access
This last concern is exacerbated in light of recent revelations that the NSA is using Section 215 of the Patriot Act to require telephone companies on an ongoing basis to disclose metadata about all telephone calls to, from and within the U.S. — data that includes for every call the number dialed, when the call was made, and the length of the call. All of this data is demanded by the government under the theory that it is a business record already being collected by the phone company and therefore entitled to no Constitutional protection. Under the same theory, the NSA could use its broad interpretation of Section 215 to obtain, without individualized suspicion, the Internet usage data being collected by ISPs.
This business record doctrine — which CDT believes has been widely misapplied and should be rejected by the courts as outdated — has also been relied on by the government to argue that any transactional data collected by a phone company or ISP is accessible to law enforcement under the Electronic Communications Privacy Act for routine criminal investigations without a warrant and without showing probable cause. For example, in a recent case, In re Application of the United States of America for Historical Cell Site Data, the Fifth Circuit Court of Appeals accepted wholesale the argument that Americans have no cognizable privacy interest whatsoever in location records held by cell carrier. The court stated:
We understand that cell phone users may reasonably want their location information to remain private … But the recourse for these desires is in the market or the political process: in demanding that service providers do away with such records (or anonymize them) or in lobbying elected representatives to enact statutory protections.
In other words, the court said, if a company collects it, the Constitution doesn’t protect it – the market or legislatures will have to step in to create protections. We believe that this is wrong, and we will continue to argue in the courts for a re-examination and rejection of the business records doctrine as applied to data generated in connection with a person’s communications activities. However, now that carriers are monitoring and logging how their customers use the Internet, the government will likely argue that it can obtain any or all of that information without triggering privacy rights under the Fourth Amendment.(Law enforcement could also obtain this data prospectively through a traditional wiretap, though they’d need a court order based upon probable cause in order to do so.)
Historically, CDT has argued that consumers should have to affirmatively opt in to comprehensive data collection by intermediaries. This principle applies not only to ISPs, but also to other platforms for communication, such as a browser or operating system. Comprehensive collection of all a person’s Internet activity is inherently sensitive, revealing a lot about a person’s interests and activities. Moreover, in our view, consumers don’t expect their service providers to constantly monitor their traffic for secondary purposes. When it was announced several years ago that ISPs were contracting with a company called NebuAd to monitor data flows for behavioral advertising purposes, there was widespread uproar. Congress held investigatory hearings, ISPs backed out of their negotiations, and NebuAd went out of business. Today, however, many of the ISPs are collecting similar data from their customers directly.
Retention Limits and Choice Mechanisms
If collection of network communications is essential for the fundamental delivery of service, then mobile carriers should put in place strict retention limits for how long they hold on to that data. For data that isn’t necessary to render the service, we believe that it should only be collected when the user consents. For example, Amazon’s Silk browser for the Kindle Fire processes all web browsing in the cloud for the sake of efficiency; Amazon’s servers must collect data about the websites you’re browsing in order to render those pages for you. In its privacy policy, Amazon commits to delete or anonymize data about the websites you visit using the Silk browser within 30 days. Google’s Chrome browser lets you sign in to easily sync bookmarks and history across the different devices where you use Chrome; however, that functionality is not essential for the browser to work, and is offered on an opt-in basis. A user must affirmatively take steps to let Chrome collect and store information about the sites visited through that browser.
Social networks with the ability to monitor what users do on other sites — such as data gained through widgets like Facebook’s Like button or Google’s +1 button — have also publicly committed to relatively short data retention periods. These widgets allow Facebook and Google to know which third-party websites users visit, as long as those websites have these social buttons embedded in them. So if you visit a New York Times story with a “Like” button while logged into Facebook, Facebook logs the fact that you visited that page when it displays the button on the site. Google retains the data it collects through social widgets for just two weeks; Facebook, 90 days; and Twitter for 17 days. We are not convinced that this data needs to be retained at all, but at least these companies have promises in place to get rid of the data within a relatively short window.
If intermediaries do retain individualized data for non-essential purposes without affirmative consent, at the very least they should offer an opt-out mechanism that addresses retention rather than mere use. AT&T’s opt-out mechanism for its new policy only covers the use of personal information in anonymized mass consumer reports that it will develop based on the data collected under the new practices. This opt-out mechanism does not allow users to opt out of the collection of the data itself or the indefinite retention of such data. As far as we can tell, Verizon’s and Sprint’s opt-outs also only pertain to the use of data within market research reports. None of the companies make any affirmative promises about when they’ll delete your information, though Verizon does state that they will retain the data it collects for its behavioral marketing program for up to three years. (Verizon does, however, give you the ability to delete data that had been collected for its behavioral advertising product if you subsequently don’t want to participate in that program.)
ISP collection and retention of consumer Internet usage brings about many concerns for consumers. While AT&T has been upfront about its proposed changes, its customers deserve more stringent assurances on how the company monitors and retains information about their online communications. We call on AT&T, Verizon, and others to think more carefully about how much data they need to collect at all and then how much they need to retain and for how long in order to provide marketing insight. It may be that companies could derive marketing insight with less data and with data that is anonymized at the moment of collection. We also urge the ISPs to examine their retention policies, and to ensure that data is retained only for the minimum amount of time necessary to develop aggregated insights.