Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes

“Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others."
Image: Nora Carrol Photography via Getty Images

Over the last few years the justified fixation on the bad behavior of Google, Amazon, Facebook and other Silicon Valley giants has let the abuses of the telecom sector fly under the radar. But a new FTC report showcases how when it comes to consumer privacy, broadband providers are every bit as terrible as you thought they were.

The new FTC report studied the privacy practices of six unnamed broadband ISPs and their advertising arms, and found that the companies routinely collect an ocean of consumer location, browsing, and behavioral data. They then share this data with dodgy middlemen via elaborate business arrangements that often aren’t adequately disclosed to broadband consumers.

“Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies,” the FTC report said.

The FTC also found that while many ISPs provide consumers tools allowing them to opt out of granular data collection, those tools are cumbersome to use—when they work at all. 


“Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data,” the FTC said. “The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information.”

ISPs often provide privacy-specific website portals proclaiming to provide users with a wide variety of opt out options but these choices are often “illusory,” the FTC found. 

The agency’s report also found that while ISPs promise to only keep consumer data for as long as needed for “business purposes,” the definition of what constitutes a “business purpose” is extremely broad and varies among broadband providers and wireless carriers.

The report repeatedly cites Motherboard reporting showing how wireless companies have historically sold sensitive consumer location data to dubious third parties, often without user consent. This data has subsequently been abused from everyone from bounty hunters and stalkers to law enforcement and those posing as law enforcement.

The FTC was quick to note that because ISPs have access to the entirety of the data that flows across the internet and your home network, they often have access to even more data than what’s typically collected by large technology companies, ad networks, and app makers.

That includes the behavior of internet of things devices connected to your network, your daily movements, your online browsing history, clickstream data (not only which sites you visit but how much time you linger there), email and search data, race and ethnicity data, DNS records, your cable TV viewing habits, and more.

In some instances ISPs have even developed tracking systems that embed each packet a user sends over the internet with an individual identifier, allowing monitoring of user behavior in granular detail. Wireless carrier Verizon was fined $1.3 million in 2016 for implementing such a system without informing consumers or letting them opt out.

“Unlike traditional ad networks whose tracking consumers can block through browser or mobile device settings, consumers cannot use these tools to stop tracking by these ISPs, which use ‘supercookie’ technology to persistently track users,” the FTC report said.

The FTC found that much of the data collected isn’t necessary for the everyday business purposes of ISPs. The collection and storage of such massive troves of unnecessary data harms consumers via potential exploitation by “property managers, bail bondsmen, bounty hunters, or those who would use it for discriminatory purposes,” the FTC said.

Most of the FTC’s revelations have been documented for years, but actual attempts to rein in the behavior have proven hard to come by. The United States still doesn’t have a privacy law for the internet era, in large part thanks to a cross-industry coalition of lobbying opposition. 

Efforts to rein in broadband privacy abuses specifically are also often quickly dismantled by telecom industry lobbyists. In 2017 the FCC attempted to pass broadband specific privacy rules requiring transparency in what data is collected and sold, but a heavily-lobbied Congress dismantled the agency’s rules before they could even take effect

Complaints from consumer groups on wireless, fixed-line broadband, or cable set top box privacy abuses are routinely not followed up on by U.S. regulators. While the FTC voted 4-0 to approve and issue its latest report on telecom privacy practices, actually doing something to rein in the industry’s bad behavior will prove to be another issue entirely.