While the Federal Communications Commission continues to weigh and delay new data privacy regulations for Internet service providers, researchers at Georgia Tech released a report Monday finding ISPs have far less visibility of customers’ web browsing habits than previously thought.
According to “Online Privacy and ISPs” out of the university’s Institute for Information Security and Privacy, the widely held belief that ISPs “have comprehensive and unique access to, and knowledge about, users’ online activity because ISPs operate the last mile of the network connecting end users to the Internet” is mistaken, and fails to take into account new technology and the advantage edge providers and mobile operating systems have in accumulating personal data.
“ISP access to user data is not comprehensive,” lead researcher Peter Swire said on a conference call with reporters Monday. “Instead technological developments substantially limit an ISP’s visibility.”
Swire is a professor of law and ethics at the Georgia Tech Scheller College of Business, former special assistant for economic policy to President Obama and U.S. Office of Management and Budget chief counselor for privacy under President Clinton.
“Second, ISP access to user data is not unique,” Swire continued. “Other companies often have access to more information, more sensitive information, and a wider range of user information than ISPs have access to. And so any policy decisions about privacy regulation should be made based on an accurate understanding of these facts.”
The FCC has been developing such a policy since it passed new net neutrality regulations one year ago, bringing ISPs’ data privacy practices out from under the jurisdiction of the Federal Trade Commission, which continues to oversee edge providers. The FCC’s course change on Internet classification and rules has spurred concerns among ISPs that the agency will develop heavy-handed rules that will inhibit innovation and growth.
Swire’s report, commissioned by the ISP trade group Broadband for America and Georgia Tech, points to a number of technological and market factors to counter the popular narrative, including encryption, mobile browsing and proxy surfing.
Encryption prevents ISPs from seeing user content and activity online, and the adoption of user login or default encryption like HTTPS now spans all of the top ten websites and 42 of the top 50. An analysis of data crossing the Internet network backbone of one source found HTTPS adoption rose from 13 percent of total traffic in April 2014 to 49 percent today, and estimated that 70 percent of traffic will be encrypted by the end of this year.
In addition to the growing use of anonymous browsing tools like virtual private networks and encrypted browsers like Tor, the average user connects to the Internet through 6 different devices, including on mobile devices, over public WiFi hotspots and at work, further fragmenting any comprehensive, clear or unique view from any one access point for one ISP (as was the case at the advent of the web in the 1990s, when users typically connected through one desktop computer at home).
While ISPs can still see the host name a user visits, like Google or ACLU.com, the provider can’t see any of the multiple searches a user might execute, which are encrypted inside the browser, or where specifically the user goes on a webpage if the site is using HTTPS encryption.
Swire pointed out there’s little market use for just surface-level information like the host name, especially when compared to the troves of data amassed, stored, categorized, analyzed and assigned for targeted advertising by search giants like Google, social media platforms like Facebook or mobile OSs like Android and iOS.
Standard computer OSs like Windows traditionally only collected user information on crashes or flaws to send back to the developer and address bugs or security vulnerabilities. Mobile OSs treat data as a valuable commodity, allowing for the accumulation of data for personalized settings and efficient use with digital assistants like Siri and Cortana, and the sharing of user data between applications, across devices and back to developers and advertisers for upgrades and targeted ads.
The report finds the 10 leading ad-selling companies earn more than 70 percent of all online advertising dollars, and none of them gained its market dominance from a role as an ISP.
“I believe that there is no commercial use to be made today off those host names as a separate business,” Swire continued, “and the reason is, there’s an ecosystem that has far more granular information about the details of the person’s search, and the companies with the granular information have a competitive advantage over an ISP selling this thin amount of information about the host name.”
Swire said the technological trends outlined in the report show ISPs are being pushed out of having any overarching view of online user activity.
“That goes to one of the issues that people have been debating, which is to what extent does the ISP have a comprehensive view of a user’s activity?” Swire said. “And the clear answer is ISPs do not.”
During a speech Friday remarking on the one-year anniversary of the FCC’s adoption of Chairman Tom Wheeler’s net neutrality proposal, Commissioner Ajit Pai said new privacy rules are still coming, but he has no idea when or what they will look like.
“In theory, an online privacy rulemaking is coming,” Pai said. “It’s been promised — repeatedly. First, it was coming ‘in the fall.’ Once fall came, it was expected ‘in the coming months.’ And then it was due by the end of ‘football season.’”
“With the Super Bowl behind us, one wonders if Opening Day of baseball season will be the next target,” Pai said, referencing Wheeler’s repeated delays. “Until then, ISPs and their customers must simply guess what the rules may be.”