FTC Chair: Agency’s new ISP privacy report shows the FCC should have jurisdiction

Major Internet Services Providers (ISPs) use personal data in ways consumers may not expect—maintaining vast hordes of extremely granular information or identifying information and in some cases sharing it in ways that could harm consumers, a special report prepared by Federal Trade Commission (FTC) staff and released by the agency Thursday found. 

But the issues covered by that report only highlight the need for authority over ISPs to return to the Federal Communications Commission (FCC), agency Chair Lina Khan argued in her comments at an open commission meeting focused on the report. 

“The Federal Communications Commission has the clearest legal authority and expertise to fully oversee internet service providers,” she said. “I support efforts to reassert that authority and once again put in place the nondiscrimination rules, privacy protections, and other basic requirements needed to create a healthier market.”

Khan was joined in that sentiment by Commissioner Rebecca Kelly Slaughter, a Democrat appointed during the Trump administration,who said removing FCC authority allowed for a “race to the bottom” by ISPs in terms of consumer privacy.

The FCC, which generally oversees U.S. telecom infrastructure, adopted broadband privacy rules late in the Obama administration. But Congress overturned the rules before they went into effect using the Congressional Review Act during the first few months of the Trump administration, which meant the FCC can’t try to restore them without legislative action and kicked jurisdiction over to the FTC. 

This was a victory for ISPs because the FCC had actual regulatory power to make rules they would have to follow. However, FTC’s general enforcement authority for privacy and data security is limited to its power to go after companies for unfair or deceptive practices. 

The FTC ordered staff to investigate the special report during the Trump administration after that change in 2019, sending requests for information about the way the country’s six largest Internet Service Providers as well as three associated advertising firms use personal data. The information presented at the meeting by FTC attorney Andrea Arias and in the report is aggregate, rather than identifying the specific practices of each company.

Many of the concerns covered by the report have previously been reported in the media or were addressed by the nixed FCC rules. 

Among the agency’s findings was that ISPs commonly collect information beyond what’s necessary to deliver their services so they can use it in advertising, Arias said. A few also used web traffic to target advertising in ways that can persist even if users take steps to keep their information private—a practice known as supercookies, she added. 

Vertical integration with other services like advertising, email, as well as security cameras and other connected devices can allow some ISPs to make “extremely granular inferences” about individual subscribers and their families, Arias said. 

A “significant number of the companies share real-time location data with third parties,” the agency’s presentation noted. Public reports suggest that data ends up being used in ways that can be particularly harmful to consumers, such by bounty hunters. Many of the companies also group and allow advertising by sensitive categories including race, ethnicity, sexual orientation, or religious belief, Aria added. 

Many consumers would be surprised about how revealing the data held by ISPs might be, she said. The agency also observed that the information they collect could be used to carry out discriminatory practices, perpetuating existing societal harms through the delivery of services or information in ways that undermine civil rights. 

“Even where businesses do not intend to discriminate, certain uses of consumers’ personal information could disparately impact certain groups,” the report notes. 

Several ISPs told the agency they “hold data pursuant to record retention schedules, asserting that they only keep the information as long as it is needed for a business reason,” per the report. But Arias noted that was a vague term that could mean almost anything.

“Some ISPs in our study pass on consumer information to their affiliated ad networks, which do not delete the data at the end of the specified retention period,” the agency also noted. Those ad networks “deidentify or anonymize that data,” per the report, but research has long suggested that truly separating identity from large collections of aggregate data can difficult if not impossible. 

Commissioners voted unanimously, 4-0 due to a current opening, to release the report. 

However, not all of them agreed that the agency should cede oversight of the issue back over to the FCC. 

Commissioner Christine Wilson, a Republican nominated by then-President Donald Trump, said she was “disappointed” by her colleagues who she said were seeking to politicize the report. 

Khan, who is known for her antitrust criticism of the tech industry, was confirmed to lead the agency in June after being nominated by President Joe Biden and is among a number of consumer advocates the administration has proposed for high profile roles. 

Last month Biden nominated Alvaro Bedoya, a long-time privacy advocate, to fill the spot vacated by Rohit Chopra—Biden’s pick to lead the Consumer Financial Protection Bureau (CFPB), who was recently narrowly confirmed by the Senate. 

Chopra also made news Thursday, announcing a new CFPB inquiry into the financial practices of payment systems associated with major technology firms Thursday.