Fact-Checking the New York Times on Privacy

No sooner had the electrons settled around our last post than the New York Times published an editorial praising FCC Chairman Tom Wheeler’s proposal to protect America’s Internet users from the allegedly prying eyes of our Internet Service Providers. The editorial reiterates the claims made in Wheeler’s “privacy fact sheet” in a particularly shameless way.

Eery Similarities

For example, the Wheeler claims encryption doesn’t protect users from ISP snooping:

Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website.

The Times repeats this claim just a little more succinctly (as you would expect an institution with good copy editors to do:)

But even when data is encrypted, companies can still tell what websites people are visiting.

Wheeler claims web sites and ISPs shouldn’t be regulated in the same way with respect to privacy because consumers can switch sites more easily than they can switch ISPs:

Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.

And the Times once again echoes Wheeler’s argument:

And it is far easier for consumers to avoid those sites than to avoid their Internet service providers, especially since in many parts of the country people have only one or two choices for broadband.

Regarding the necessity for regulating ISP data gathering practices, Wheeler puts forward a question of principle:

Consumers have the right to exercise meaningful and informed control over what personal data their broadband provider uses and under what circumstances it shares their personal information with third parties or affiliated companies.

The Times once again echoes the chairman in its conclusion:

But these rules are necessary because consumers need to have control over their personal information.

Of course, there’s no problem with the New York Times reiterating Chairman Wheeler’s claims if the claims are true. Facts are facts, and nobody owns the truth. But if the assertions made by Mr. Wheeler and by the New York Times editorial board are false, the alignment of the falsehoods should raise some eyebrows.

Echoing false claims from the head of the FCC would suggest that the Times has either failed to do any meaningful research or is simply infected with the partisan bias that its critics on both the left and the right accuse it of having. And there’s another possible explanation as well, namely that the Times is acting in its self-interest as a vendor of advertising that is using its editorial page to advance its own business interests.

What do ISPs Know and When do they Know It?

But let’s not get ahead of ourselves before we’ve determined the truth or falsity of the joint claims. The first claim – that ISPs can see which web sites we visit even when the visits are encrypted – is only partially true at best, as we explained in the last post:

[The claim that ISPs can still tell what web sites we visit] is partially true for consumers who simply visit sites like Google.com that are encrypted by default with TLS, but it’s not at all true for consumers who use VPNs. It’s only partially true because the information that TLS exposes to ISPs is limited to IP addresses and flows to and from those addresses. This information is a lot less useful than Wheeler imagines because web pages are composed of page elements that have their own IP addresses and data flows. This is easy to confirm by looking at the ads that accompany typical web pages.

So the ISP can tell, in principle, what web sites we visit when we don’t use a VPN. But the web sites themselves have control over how much context they expose to the ISP. The ISP can always tell what IP addresses we visit, and with some computation they can tell who owns those IP addresses. But knowing that we visited Facebook is a lot less useful to a potential advertising seller than knowing what we do when we’re on Facebook.

While Facebook has the most detailed information about what we read, who we chatted with, and which statuses we liked during our visit to the world’s most popular social network, this is all opaque to the ISP. While there is some value to the ISP as a potential seller of ads in knowing which of its customers visit Facebook, it’s not very great. While it’s trivially true that ISPs can tell that we visit Facebook, Google, and Netflix, this information is not a sufficient basis on which to build an advertising business.

While the same can be said for some medical sites, such as the Mayo Clinic, it’s not the case for WebMD, a website that does not encrypt web traffic. So an ISP might want to build an advertising business on scraping WebMD interactions, that business would fail when and if WebMD chooses to encrypt.

So the reality is that the ISP only has as much information as the web site operator when sites are not encrypted and users don’t employ VPNs. The rest of the time, the ISP only has table scraps and in no case does the ISP have more information than the web site has about what the user does on the site. So I have to conclude that the claim that ISPs have some enormous power to snoop doesn’t hold water.

There is an argument to be made that the ISPs have the ability to compile useful and marketable profiles of user behavior from the table scraps, however. Even though they don’t know what searches we submit to Google, what we like on Facebook, what we buy from Amazon, and what we watch on Netflix, there is some marginal value in the big picture of the sites we visit. Whether there’s a business to be made from that marginal information is at best an open question.

 How Easy is it to Switch, Really?

The FCC and the Times repeat the well-worn cliche that switching from one website to another is easy but switching ISPs is hard. While it’s true that it’s easier to click on a link than to change from Comcast to CenturyLink, the implications of switching aren’t that simple. In the course of a day, most of us probably search Google from both our wireline ISPs and from our wireless ones. According to Search Engine Land, 75% of US Internet users rely on Google as their primary search engine on desktops and 78% prefer it for wireless searches. While we can in principle use Yahoo, Bing, DuckDuckGo, Ask, or AOL, we don’t actually use them much in practice.

For social networking, switching platforms isn’t nearly as easy because we would have to convince our friends to switch as well. While Facebook holds a 61% share of social network logins and 45.4% of all social networking visits, the other networks on the list aren’t really competitors as much as complements. Many people use both Facebook and Twitter, but not for the same purposes.

Social Networking Visits Feb. 2016. Source: Statista

Social Networking Visits. Source: Statista

The most direct equivalent for Facebook is Google+, which is nowhere close in terms of market share. People do not really switch from Facebook to Google+ over the long term the way they switch ISPs, which is about 1 – 2% per month for mobile carriers:

Verizon said retail postpaid churn was 0.90 percent, its lowest postpaid churn rate in three years, down from 1.03 percent in the first quarter and 0.94 percent in the year-ago period. AT&T said postpaid churn was 1.01 percent, up from 0.86 percent in the year-ago period. T-Mobile’s branded postpaid phone churn was 1.32 percent in the second quarter, down from 1.48 percent in the year-ago period and up slightly from 1.30 percent in the first quarter. Sprint said postpaid churn was 1.56 percent in the quarter, a record low, compared to 2.05 percent for the year-ago period and 1.84 percent for the first quarter.

In practice, we don’t drop social networks after we’re invested in them but mobile carriers are a different story. So the “ease of switching argument” is pretty much a myth, but it’s a very widespread one because it has so much “truthiness.”

Is There an Urgent Need to Regulate This Space?

Building on this foundation, Chairman Wheeler and the New York Times conclude there’s an urgent need to regulate any prospective efforts by ISPs to harvest the limited data available to them for sale to other parties in the advertising space. But at least their choices of words are a little different: While Wheeler asserts a “consumer right to exercise meaningful and informed control over personal data,” the Times imply invokes a “need to have control over their personal information.” OK, the language isn’t that different.

In reality, the information that’s available to ISPs has a different character than that available to web sites and massive advertising networks such as Google’s. While the web sites have deep insight into the interests, financial standing, and behaviors of their users, ISPs potentially have a wide and shallow picture of overall web activity. The ISPs could answer questions that might refer advertisers to sites like Facebook and Amazon who know what people are buying and how much money they have, for example.

And they could answer questions about which people use Amazon and Google+ but don’t use Facebook, for another. They would presumably know which people visited a dozen or more health-related sites, but they wouldn’t know which users were doing so on their own behalf versus those who are searching for insights on the health conditions of family members or friends.

But it certainly appears that ISP knowledge about our Internet habits would be more in the nature of a complement to the existing troves of information already assembled by the ad networks that want to sell us the products we already bought last week. Because this is merely complementary information rather than the killer app to end all other forms of data collection, it would appear that it’s a good candidate to be regulated under the same framework the FTC applies to the narrow and deep pool of information collected by web sites.

But whether broad and shallow information is the same as narrow and deep is a policy question I’ll leave to others. It’s important that we dig for the facts rather than simply parroting the opinions of our allies. The holy grail for advertisers is the financial transaction data held by credit card companies, PayPal, and retail businesses. Credit card transactions are 100% hidden from ISPs regardless of who uses a VPN and which websites are encrypted. That’s where the action is so the controversy over ISP insights is little more than a diversion.

If you want to be a big player in targeted advertising, it’s best to be a bank who owns a social network, a retail site, a search engine, and several ISPs.

Epilogue: The New York Times reported today that its editorial page editor, Andrew M. Rosenthal, is stepping down in favor of James Bennet. Perhaps editorial quality will improve.