Communications Daily is a Warren News publication.
'Red Herring'

ISPs Have Declining Access to Key Customer Data, Former Obama Adviser Says

With the FCC poised to take on privacy rules for ISPs, the Georgia Tech Institute for Information Security and Privacy released a paper Monday arguing ISPs have only limited access to consumer data and the data they have isn't unique. The paper was by Georgia Tech Professor Peter Swire, a former special assistant to President Barack Obama and advisor to President Bill Clinton on privacy issues. The study was paid for, in part, by Broadband for America, an ISP industry-funded coalition.

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

Swire emphasized on a call with reporters that the paper doesn't advocate any policy calls. FCC Chairman Tom Wheeler is expected to circulate an NPRM on agency rules for covered companies as early as the March meeting (see 1601110065). The FCC didn't comment. Swire said he decided to take on the paper after testifying at an FCC workshop on broadband privacy last April (see 1504280047): “There were sharp factual disagreements about what ISPs could or could not do, could or could not see.”

"ISPs have neither comprehensive nor unique access to information about users’ online activity,” the paper said. “Rather, the most commercially valuable information about online users, which can be used for targeted advertising and other purposes, is coming from other contexts.”

ISPs do not have a unique insight into users,” Swire said Monday. When data is encrypted, an ISP can see only the host name and the domain, he said. The search engine would see more information, including the history of all searches done by an individual user and a history of what links were clicked in what order, he said. “If you compare a top-level domain with a detailed search history, the detailed search history is enormously more detailed.”

Non-ISPs dominate cross-context and cross-device tracking and have access to more personal information than ISPs, the paper said. “Non-ISPs are increasingly gathering commercially valuable information about online user activity from multiple contexts, such as: (1) social networks; (2) search engines; (3) webmail and messaging; (4) operating systems; (5) mobile apps; (6) interest-based advertising; (7) browsers; (8) Internet video; and (9) e-commerce.”

The paper also said encryption is increasingly a fact of life, which hides data from ISPs. The nation’s top 10 websites either encrypt by default or on user log-in, as do 42 of the top 50 sites, the paper said. “Based on analysis of one source of Internet backbone data, the HTTPS portion of total traffic has risen from 13 percent to 49 percent just since April 2014,” the paper said. “An estimated 70 percent of traffic will be encrypted by the end of 2016.”

But Laura Moy, with the Institute for Public Representation at Georgetown University Law Center, said she's skeptical that 70 percent of Internet traffic will be encrypted by the end of 2016. “But even if it is, that still leaves a third of Internet traffic completely exposed to monitoring by ISPs, of which consumers have notoriously few marketplace choices,” Moy said. “And while consumers generally have a choice whether or not to engage with non-ISPs online, they must go through an ISP to gain access to any online site or service. Additionally, host names and domain names, which Swire admits are exposed to ISPs even when traffic is encrypted, can reveal an awful lot about consumers' public and private interests, medical conditions and inquiries, employment and financial status, and much more.”

Public Knowledge Senior Vice President Harold Feld questioned several of Swire’s findings. “There’s a lot of information that isn’t covered by encryption or VPNs [virtual private networks], which people want to protect, but which they can’t protect without rules that are specific to the ISP,” Feld said. Privacy protection is for everyone, he said, “not for people who can afford the extra money for a VPN or who are technologically sophisticated enough to use encryption.”

Feld also said it was “disingenuous” to base findings on the amount of data that's encrypted. “When Netflix starts to encrypt its traffic, the whole volume of [encrypted] traffic goes up,” he said. “Who cares? That’s not telling me whether somebody is able to track what retail websites I go to, what government services I access.”

Focusing Internet privacy concerns on ISPs rather than advertisers is the mother of all red herrings,” said Richard Bennett, blogger and network architect. “The most significant data the ISPs have today are the DNS [domain name system] queries users make while visiting web sites. Work currently underway in the Internet Engineering Task Force … allows users to cloak these queries from ISPs.” ISPs used to have much more visibility, “but the computation cost of creating context around Internet streams has always been too high for a financial return on harvesting and reselling user preferences,” Bennett said.