On February 29, The Institute for Information Security and Privacy released a Working Paper titled, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.” Peter Swire, Senior Counsel at Alston & Bird and Professor at the Georgia Institute of Technology Scheller College of Business authored the paper, along with Alana Kirkland, an associate in Alston’s Technology and Privacy Group and Justin Hemmings, a policy analyst at Alston & Bird and a research associate at the Georgia Institute of Technology Scheller College of Business. Broadband for America contributed financial support for the paper.
The Working Paper addresses a widely-held view that Internet Service Providers (“ISPs”) have comprehensive and unique access to, and knowledge about users’ online activity because they operate the last mile of the network connecting end users to the Internet. Certain consumer advocates have cited this view to suggest that ISPs’ collection and use of their customers’ online data may justify heightened privacy restrictions on ISPs. Although the Working Paper does not take a position on what rules should apply to ISPs and other players in the Internet ecosystem, the Working Paper addresses two fundamental points that support the conclusion that there is no factual basis for heightened privacy regulation of ISPs.
First, ISP access to user data is not comprehensive as technological developments place substantial limits on ISP’s visibility. Particularly, in the 1990s, a typical user accessed the Internet from a single, stationary home desktop connected by a single ISP. Today, in contrast, the average Internet user has multiple connected devices, many of which are mobile and connect from diverse and changing locations (e.g., WiFi networks) that are served by multiple ISPs. Further, there is increasingly pervasive encryption of online sources, with new data showing that HTTPS usage rose from 13% in April 2014 to 49% by February 2016. Lastly, one integral function of ISPs has been domain name lookup—matching a user’s web address request to the correct domain and specific Internet Protocol address. Today, there is a small, but growing trend of Internet users using proxy services such as Virtual Private Networks and other proxy services offered by leading Internet companies, which prevent ISPs from seeing the domain name that a user is visiting, or the content of the data packets they are sending and receiving.
Second, ISP access to user data is not unique—other companies often have access to more information and a wider range of user information than ISPs. Non-ISPs are increasingly gathering commercially valuable information about online user activity from multiple contexts such as: (1) social networks, (2) search engines, (3) webmail and messaging, (4) operating systems, (5) mobile applications, (6) interest-based advertising, (7) browsers, (8) Internet video, and (9) e-commerce. Traditional ISPs are not market leaders in any of these major areas, and are just starting to compete in some of them. Additionally, non-ISPs tend to dominate in cross-context tracking, which is combining information from the various contexts above, as well as cross-device tracking.
The authors conclude that based on a factual analysis of today’s Internet ecosystem in the United States, ISPs have neither comprehensive nor unique access to information about users’ online activity.
The complete Working Paper is available for download here.