Congress voted on Tuesday to overturn privacy rules passed in November 2016, late in the Obama administration, that would have prevented Internet Service Providers (ISPs) from sharing customers’ Internet history with third parties. President Trump has announced that he plans on approving the measure. Companies such as Verizon Communications and AT&T, which have expressed that the rules would have prevented them from competing with data miners like Google and Facebook (that would not have been subject to the rule), have applauded the move.
Due to the amount of information that ISPs collect, these companies can create comprehensive data profiles of their customers. With the restrictions lifted, an ISP could track the websites and apps its users visit in order to better target online ads. If a customer uses the same provider for Internet, mobile, and television services, the ISP could theoretically track the majority of his or her media consumption. ISPs could, due to the ruling, also expand the scope of the data they track beyond media usage. Verizon has theorized coupling its data with AOL’s technology to log users’ locations to test the effectiveness of ads. For example, it could monitor locations to see if individuals who saw an ad for a hotel actually went to stay at that hotel.
This rule, however, does not mean the total erasure of consumers’ digital privacy, as it remains unlikely that firms will collect data to the fullest possible extent. Companies do not necessarily have the motivation to aggressively mine data, and ISPs do not rely as heavily on advertising as Internet companies like Facebook. Kevin Werbach, a professor at the University of Pennsylvania’s Wharton School, argues that “they could conceivably sell to the highest bidder someone’s browsing history, but it’s not clear that would fly as a business model.” AT&T had previously collected browsing data from some customers and charged a $29 per month fee for those who declined to participate in the program, but the company announced last September that it has canceled both the fee and the collection program. The tentative FCC rule would have allowed ISPs to offer financal incentives to customers for their consent (such as discounts) but they would have been barred from imposing penalties for opting out. In January 2017, ISPs had promised not to share browsing history without user consent regardless of any changes to FCC regulations.
Regardless of the industry’s actions, companies will not be able to collect specific user data due to existing privacy protections, meaning consumers’ privacy will not change from the status quo of before November 2016. After the Edward Snowden leaks, many highly-frequented websites have adopted HTTPS encryption, which prevents anyone other than the user and the site (such as ISPs) from viewing accessed site data. According to privacy advocates, 50 to 70 percent of users’ web traffic, which includes e-commerce and mail services, is encrypted and consequently out of ISPs reach. Thus, John Doe’s complete internet and purchasing history is not going to be widely available.
With ISPs’ own limitations and the Internet’s current level of encryption, user specific profiles are out of ISPs’ reach. Instead, ISPs will likely build more comprehensive demographic profiles of groups of individuals. Thus, the rule change will more than likely lead to highly accurate targeted ads instead, which while unnerving to some does not represent a significant violation of privacy nor a drastic change to pre-existing norms.