Hello, friends,
There’s a famous phrase about the internet that you’ve probably heard: “When you don’t pay for the product, you are the product.”
It’s meant to explain the so-called privacy trade-off that exists when we use free services that seek to cover their costs by monetizing our data. The classic example is Facebook—a free service that makes money by selling advertisers the ability to customize ads based on our behavior.
But increasingly you can’t escape being the product even when you pay for a product. Internet and wireless service providers are classic examples of companies that we pay a lot to but who also have robust practices of monetizing user data.
Last year, the Federal Trade Commission issued a report raising concerns about the privacy practices of major internet service providers. The report stated that two of the country’s top six providers were surveilling users’ web browsing data to use in their ad targeting businesses.
Unfortunately, the report, which was based on survey responses from leading internet providers AT&T, Verizon, Charter, Comcast, T-Mobile, and Google Fiber, did not name which ones were engaging in this intrusive practice. The report also stated that “a significant number” of the internet providers surveyed shared users’ real-time location data with third parties.
This is a huge shift from how we viewed the privacy of our communications during the analog era. If a telecom company wanted to listen in on your telephone calls, it would be breaking the law. The government can listen in only if it obtains a special type of search warrant that shows that it has exhausted all other possible ways to obtain the information it needs.
But strangely, there are no similar legal protections for browsing the internet, even though a visit to a website is essentially a phone call from your computer to another computer, seeking to obtain the information on that webpage—a very similar idea to the content of a phone call.
To understand the lack of broadband privacy online and the move by a few states to increase privacy protections, I interviewed Scott Jordan, a professor of computer science at the University of California, Irvine, who is an expert on broadband policy issues. From 2014 to 2016, Scott served as the chief technologist at the Federal Communications Commission.
Our conversation, edited for brevity and clarity, is below.
Angwin: Can you give us a brief overview of the state of broadband privacy protections?
Jordan: In the 1990s, Congress wrote a law that said if the service you’re buying is dominantly carrying information between you and another person, or carrying information between you and someplace else in the network, then you get certain rights. One of the rights you get is privacy. In the ’90s it was obvious that one of the services that fell into this description of a telecommunication service was telephone services. This means that your telephone company can’t listen in on the content of your telephone calls, or make a list of people that you call, and use that without your permission for anything other than implementing the service.
In 2015, the Federal Communications Commission, which has oversight over telecommunications services, asked the same question about your internet service. When you buy broadband service from your internet service provider (ISP), is the ISP carrying your internet traffic between you and somebody you’re talking to or some website you’re going to? In 2015, the FCC said yes, that’s exactly what you’re buying from your internet service provider. Because of this, in 2016 the FCC said, well, Congress had already told us that if that’s the nature of the service, then you have privacy rights, so the same thing that applies to telephone calls applies to internet traffic. This means that your ISP cannot use your internet browsing, for instance, without your permission for anything other than getting you to where you want to go on the internet. That’s where we were in 2016. In 2017, Congress repealed the rules from the FCC, essentially without explanation, so we’re back to having no such protection for internet service. We still have the protection for telephone services, but no such protection for your web browsing.
Angwin: After this protection was lost, many state lawmakers introduced privacy bills, but very few passed. One bill that did succeed was Maine’s, which was challenged by telecommunications companies. Where does that stand?
Jordan: Yes, this is where the state of Maine jumped in. Maine said, we think that it’s in the public interest of our residents to have this kind of protection. Maine passed a law that protects users’ personal information. In a broadband context, this includes what websites you browse, what apps you have installed on your phone and how you use them, and your GPS location. The Maine law says that your ISP can use that to implement your internet service, but if the ISP wants to use this information for a reason other than providing the service, then they need to give you a choice. The default is that the ISP can’t use it unless you tell them that they can, so it’s an opt-in choice.
A number of the trade associations that represent internet service providers’ interests challenged Maine’s statute, claiming that the law was not constitutional on First Amendment grounds, but recently the trade associations withdrew their lawsuit. I provided an expert report for the state of Maine, explaining the nature of how the internet works and how an ISP can collect, use, and share your personal information. At that point, the case could have gone forward, but the ISPs withdrew the complaint.
Angwin: Two other states, Nevada and Minnesota, also passed broadband privacy bills. And California is preparing to implement a comprehensive privacy measure that includes some provisions to protect broadband customers. Can you talk about how the California law differs from the Maine law?
Jordan: There are usually two related privacy provisions that a law might specify. One is transparency—that a company is required to tell you what information they’re collecting, how they’re using it, and how they’re sharing it. The other is choice—do you have a choice, and is that choice opt-in or opt-out?
The California law focused on both of those provisions, while the Maine law focused more on choice. The California law gives users the right to know what categories of personal information a company collects, why they’re collecting and using this information, and whether they share that personal information with third parties. The California law also gives users a choice over whether their personal information is shared.
Privacy policies need to be more transparent. For instance, you can try to read Comcast’s privacy policy to figure out if they share your browsing history with ad brokers, but the problem is that even I can’t figure that out from the privacy policy. Although, the Federal Trade Commission did a study recently, and they said some ISPs do collect your browsing history and share it with ad brokers, but they didn’t say who.
Angwin: So I’m in New York, and my ISP could be collecting my browsing history? I’m feeling very shocked. Is Congress doing anything about this issue?
Jordan: I hope that they pass something because the whole nation deserves some protections, not just certain states. There are improvements that they should make on transparency. For example, if Facebook’s privacy policy says, “We use information about groups you follow to personalize ads,” as opposed to if they say, “We use the content of your communications to personalize ads,” I think most consumers would think of those as different. Some people may be more comfortable with one rather than the other. Right now, we don’t know which one Facebook does, because all they say is “We use your personal information.” That’s an easy fix. Additionally, Congress is still wrestling with whether, if a company uses your personal information beyond implementing the service you asked them to, it should be an opt-in choice versus an opt-out choice.
Congress is also trying to provide a higher level of protection for what they define as sensitive personal information, but there are disagreements about what is sensitive. For example, when the FCC did its now-defunct set of regulations, it said that your web browsing history and your app usage history are sensitive, but not all of the congressional drafts and bills make the same decision on that. Your web browsing history and your app usage history should qualify as sensitive personal information.
Angwin: How did we get to the point where our internet providers are allowed to spy on what we are reading online?
Jordan: During the Trump years, the FCC greatly reduced its oversight over ISPs and repealed net neutrality rules. The only cop left on the beat is the Federal Trade Commission, but it must deal with privacy across all kinds of companies, and it doesn’t have the same authority from Congress [as the FCC] to implement privacy rules. Since Congress hasn’t done anything yet and the FCC hasn’t yet reestablished its authority broadly over broadband service and only a few states have laws, most people are left without any modern privacy rules applying to internet service.
As always, thanks for reading.
Best,
Julia Angwin
The Markup
(Additional Hello World research by Eve Zelickson.)