The Truth about Internet Privacy

The Berkman Klein Center for Internet & Society at Harvard University is up to its old tricks. When last we checked in with them, they had published a study of government-owned networks that drew some dubious conclusions from a very narrow comparison of a handful of broadband networks. This time one of their junior researchers has published an op-ed in the UK Guardian arguing for state-level Internet privacy laws based on a set of blatantly false claims.

Recent law school graduate Salome Viljoen

How Does the ISP Business Model Compare to the FAANG Model?

The op-ed gets off to a promising start, citing former Berkman fellow Zeynep Tufekci before crashing. Tufekci argues that Facebook’s over-collection and over-sharing of personal information is an inevitable consequence of its business model; the company lives and dies on the sale of advertising.

Hence, it’s naïve to expect Facebook and the other FAANGs (Amazon, Apple, Netflix, and Google) to place strict limits on the data they collect and monetize. This is what they do for a living.

But Viljoen fails to appreciate the fact that ISPs are not advertising-supported businesses. If the regulations on ISPs are the same as those for FAANGs, ISPs are less scary; they simply don’t have the need to sell everything they can see in order to make their numbers.

While ISPs do see advertising as an attractive secondary income stream, it’s never going to be as vital to them as it is for “free” services that fund themselves exclusively by selling personal information. Hence, the focus on ISPs as the major threats to privacy is inconsistent with Tufekci’s business model considerations. In fact, it would be good for advertisers to have some choice.

Are ISPs and FAANG on a Level Playing Field?

Viljoen makes a largely incoherent reference to the 2017 CRA Resolution repealing the Wheeler FCC’s privacy regulations: “As of last year [sic], Congress extended the same data-gathering practices [Does she mean “regulations?”] of tech companies like Google and Facebook to internet providers like Comcast, AT&T and Verizon.”

This observation is historical trivia. The CRA resolution was rendered moot by the Pai FCC’s reclassification of ISP services under Title I last year. That action, not the CRA resolution, replaced the FCC with the FTC as the ISP privacy monitor.

It did not change any “data-gathering practices” but it did subject everything ISPs do with personal data to the same controls the FTC applies to other Internet companies. By that I mean it restored the status quo for ISPs that existed prior to Wheeler’s 2015 “Open Internet” order. In essence, this means ISPs can share non-sensitive data on an opt-out basis but they must get prior permission to share sensitive data such as social security numbers or health information, just as Google and Facebook must.

What Can ISPs See?

The op-ed claims ISPs don’t need consent for sharing sensitive data:

Because service providers serve as gatekeepers to the entire internet, they can collect far more information about us, and leave us with far less power to opt out of that process.

There are three factual errors in this one short sentence. Contrary to the claim:

  1. The default opt-out of sensitive data collection is exactly the same for all users of all services, both ISPs and tracking networks.
  2. While ISPs know which IP addresses we visit, they don’t actually see what we do on encrypted sites such as Google, Facebook, Amazon, and Netflix; such sites are increasingly the norm.
  3. While ISPs are gatekeepers of a sort on the consumer side of web visits, FAANGs are increasingly gatekeepers on the web side. Without the ads FAANGs sell to web sites – and their associated trackers – the web’s financial model no longer works. And FAANGs see our web visits in plain text. We have no control at all over the ads that websites choose to run, of course.

ISPs are also less dominant than FAANGs. The largest US ISP, Comcast, has less than 25 million users. But Facebook has over two billion users and Google has seven lines of business with over a billion users each. ISPs would need to share data with each other to gain the reach that Facebook and Google have, and they don’t (and can’t) do that.

While Viljoen’s claim that ISPs can know what sites we visit is true, it’s also true that most major websites contain tracking code that records our visits to FAANG tracking databases. And unlike ISPs whose knowledge stops at the IP addresses of encrypted sites, trackers see plain text.

What Does Choice Have to Do With It?

Like most critics of ISPs, Viljoen complains about limited consumer choice.  This well-worn argument depends on readers forgetting that they change ISPs several times a day: we use our wired service at home, another one at the office, a Wi-Fi service at the coffee shop, and we use our cell providers while on the go.

These providers do not share information with each other, so each has a limited view. And we switch between them much more frequently than we switch social networks, preferred retailers, or preferred search engines. Websites have very little choice among advertisers, with Facebook and Google selling more than 90% of all new ads.

In fact, we have more choice and more control over our ISPs than we have over the ad networks that gobble up our browsing histories whether or not we use the Facebook and Google sites at all. While Viljoen’s observation that choosing “not to use an internet provider to avoid surveillance is not really a choice at all” is true, she fails to mention that we have no ability to choose which trackers are embedded in any of the web sites we visit. And we have no choice at all over Google’s use of the email we send to Gmail users.

We can selectively block them with Ghostery, but in many cases blocking trackers prevents us from using particular web sites. This is clearly the case with general-purpose ad blockers.

What Sort of History Do ISPs Have with Sensitive Data?

ISPs are not immune to data breaches: Rogers in Canada was breached by a social engineering attack and Sprint is a frequent target in the US. Just last year, Verizon was hit with an attack exposing some personal information of 14 million users. But this isn’t preference data or browsing histories, it’s standard account information such as names, email addresses, and PINs.

So there’s no real comparison between these breaches and the kind of deliberate sharing of information about the activities of Facebook users’ friends we saw in the Cambridge Analytica event or the logging of detailed locations by Android.

ISPs have no way of knowing who our Facebook friends and Twitter followers are. Because these sites are encrypted, all the ISPs know is whether we visit them or we don’t. They have no idea what we do while we’re on them. Viljoen’s claim that ISPs “know what you do on Facebook” is 100% false.

Do We Really Want States Calling the Shots?

Viljoen utterly misrepresents the current state of ISP privacy regulation:

Last March, Republicans and President Trump overturned these rules, allowing providers like Verizon and Comcast to monitor their customers’ behaviour online and, without their permission, sell that data for targeted ads. In other words, instead of restricting the dangerous and exploitative market of consumer data, Congress has expanded that market to include internet service providers.

The Congressional Review Act resolution passed by Congress striking down the Wheeler FCC’s action subjecting ISPs to more harsh restrictions than those that apply to the FAANGs was rendered moot by the Pai FCC’s Restoring Internet Freedom Order passed in December. So this statement is misleading if not utterly false. The current state of the law is that ISPs and FAANGs are regulated by uniform standards enforced by the FTC.

We can argue about what the standard should be, but it’s impossible to make a case for a patchwork of different regulations on firms that perform the same actions. State-level privacy laws inevitably create such a patchwork. Given that such laws have an obvious relationship with interstate commerce, their legality is dubious.

Being forced to comply with 50 different laws to do business in the US is no way to promote innovation, obviously. And doesn’t everyone involved in Internet policy complain about the capture of state legislatures by commercial interests? Viljoen’s fellow Berkman Klein scholars certainly do.

Conclusion

There are three ways to harvest lawful information about web browsing:

  1. ISPs and Wi-Fi routers can see the IP addresses of all sites visited by customers who don’t use VPNs, and they can see plain text payloads of unencrypted sites. Operating systems and browsers see even more, and without any limitation by VPNs or encryption.
  2. Popular websites such as Facebook, Google, Amazon, iTunes, and Netflix can see everything we do when we visit them regardless of VPNs or encryption.
  3. Tracking networks – mostly run by the FAANGs – see our visits to most popular websites. Facebook, for example, sees most of our web visits whether we use Facebook directly or not. #DeleteFacebook has no effect on this.

Singling out any of these three modes of data gathering for special restrictions – as the Wheeler FCC did with its phony-baloney ISP privacy regulations – is a hallmark of industry capture. Enacting a nationwide patchwork of distinct regulations is the surest way to inhibit Internet innovation.

The surest way forward is to increase the FTC’s authority to police data gathering practices across the whole nation’s Internet economy. Once we have our national house in order, we can address the innovation harms inherent in Europe’s General Data Protection Regulation (GDPR). But that’s a post for another day.