Image: Shutterstock

This week, President Donald Trump signed the widely-criticized bill repealing FCC ISP privacy rules, which would have required internet service providers to get opt-in consent before selling customers’ web browsing history. The rules hadn’t actually gone into effect, but the bill’s passage was a wake-up call for American internet users, who suddenly realized: Wait, what the hell, my ISP can sell my browsing history? And it’s not just that they can: they don’t have to make it easy, or even possible, to opt out.

Why you’re screwed

Without the repealed rules, the law dictating how ISPs get your consent for selling your data is very murky. In terms of browsing information, “each company can interpret what kind of consent is required,” according to Katharina Kopp, deputy director at the Center for Digital Democracy. The Communications Act requires that customers opt in before ISPs share their “proprietary information,” but without an FCC rule to interpret the statute, it’s unclear whether browsing history should count as proprietary information, and that lack of clarity means providers can decide for themselves that it doesn’t count. And without rules, there isn’t a standard for if or how they should provide options to opt out of data sharing, either. Even if ISPs’ data policies were in violation of the law, the lack of interpretation and the lack of will at the FCC means they’re unlikely to get in trouble for it.

Advertisement

Several ISPs, including Verizon and Comcast, signed onto voluntary set of principles on privacy earlier this year, which include a commitment to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” (Non-sensitive information includes web browsing history, according to them.) Of course, as Dallas Harris, a policy fellow at the internet advocacy group Public Knowledge, told Gizmodo, “I can’t trust my ISP to come between noon and three, so the idea they say, we’ll promise we’ll do this, is not very reassuring.”

So we’re all left to the mercy of our ISPs and their privacy policies, which sucks. These companies are horrible to deal with—Comcast consistently ranks as one of the most hated in America—and the privacy policies are vague and confusing. After the bill was repealed, I received many emails from readers who had struggled to opt out of having their data sold, either by going to their ISP’s website or by contacting customer service. And after I got those emails, I did a little digging myself to see whether I, professional tech writer, could find out how to opt out with the biggest ISPs.

Advertisement

It wasn’t easy. In fact, it was a frustrating, confusing, tear-your-hair-out experience.

There is no “opt-out” button

If opt-out options exist, they are hard to locate. It’s not as simple as logging into your ISP account and clicking a big red “opt out” button. My ISP, Comcast, does offer you the option of opting out of targeted ads (which isn’t the whole story—more on that later), but there’s no way to find that in your account settings online; in fact, as the company’s help page shows, the link is buried under an ad, in what appears to be the smallest font known to humans. I have Adblock turned on, so it doesn’t even show up for me.

ISP customer service is useless

As many readers found, calling your ISP to say that you want to opt out of having your data sold is infuriatingly futile. One reader who emailed me said they had called the CenturyLink customer service, “who informed me that the company does not take part in selling client personal or private data so there was nothing to opt out of.” But CenturyLink’s residential terms make clear that the company “gathers information about your Internet usage such as the sites visited,” “aggregates this information,” and “may share such aggregated information with other, trusted third parties from time to time.” (A CenturyLink spokeswoman wouldn’t comment on their privacy policies, even after repeated follow-ups, and instead directed me to a statement from US Telecom applauding the passage of the bill and a link to their privacy policy.)

Advertisement

Another reader told us that when they chatted online with Charter Communications customer service they were told that they simply cannot opt out of services. “Currently we do not have this option where we can opt out customer personal information but I will make a note on your account and we will work on it and you can choose that option in coming time,” a representative told the reader.

It’s odd that customer service would make this claim when Charter’s privacy policy says you can opt out of allowing them to display targeted ads “based on Your [sic] personally identifiable information or general location derived from your Charter IP address.” You’d be forgiven if you didn’t poke around enough to find this page where you can opt out of targeted digital advertisements.

The privacy fine print is ambiguous legalese

In the absence of a helpful customer service rep, it’s time to dig into your ISP’s privacy policy and other fine print to find out what the deal is. That is no easy task, nor is it one that ISPs can reasonably expect people can do. Everyone knows that no one actually reads the privacy policies, but most consumers barely even know what a privacy policy is or does, according to Pew. Other research shows that it would take a month for consumers to read all of the privacy policies they agree to in a year.

Advertisement

In their privacy policies, ISPs promise “personal information” won’t be sold, but aren’t totally clear about what that is. AT&T’s privacy policy, for example, states it doesn’t “sell your Personal Information to anyone, for any purpose. Period,” but it defines personal information as “information that directly identifies or reasonably can be used to figure out the identity of a customer or user, such as your name, address, phone number and e-mail address”—not web browsing or app usage data, which is the primary concern after last week’s bill. These sorts of tricks mean many customers are asking the wrong questions when they contact their ISPs. If you ask an AT&T rep if the company sells your personal information, they can reasonably say no.

These privacy policies also tend to promise that “personally identifiable” information won’t be sold, but make no promises about anonymous or aggregated data. Charter’s policy, for example, says “We may provide anonymous data to third parties who may combine it with other information to conduct more comprehensive audience analysis for us and for television advertisers.” But the policy doesn’t tell us what methods it uses to do so, or acknowledge that the company can’t just collect aggregate data—it has to be collected on an individual basis and then later aggregated.

That data collection has its own security implications: once it’s collected, it has to be stored somewhere, and that makes it vulnerable to hacking. It’s also not clear that “aggregated” data is the anonymity safeguard that ISPs want you to think it is: The American Library Association has pointed out the “surprising ease with which apparently anonymous data can be ‘reidentified,’” and recent research has bolstered this case. The more data points about a web user there are, the less anonymous that data is—and the more valuable it is to an advertiser.

Advertisement

And even when ISPs offer opt-outs, they aren’t always that comprehensive or clear about what you’re not opting out of. Most ISPs allow you to opt out of targeted ads—AT&T calls this “Relevant Advertising,” while Charter allows you to opt out of Targeted Digital Marketing Ads by entering your email address. These opt-outs mean your ISP can’t sell your web history or other data to advertisers who then use that information to target their customers through ads displayed on that network.

But does that mean they won’t sell your web browsing history to advertisers for other uses—as in, for ads that aren’t displayed through their network, for building demographic profiles, or other purposes? Charter’s privacy policy, for example, says “may provide anonymous data to third parties who may combine it with other information to conduct more comprehensive audience analysis for us and for television advertisers.” That doesn’t seem to be covered by the one targeted advertising opt-out we found. None of these policies offer a definitive, clear way to opt out of having your browsing history sold for any purpose, not just targeted ads.

This is why we needed the FCC rules

The difficulty of opting out shows just why the FCC rules were needed. Those rules would have replaced this insane, burdensome process with a simple opt-in question, which is why ISPs fought it so hard—they want it to be hard for you to opt out, because they want to sell your data. As it stands, these privacy policies are extremely confusing, and actually finding out how to opt out and what data you have control over is really hard, even for someone who reports on tech policy and has nothing else to do all day.

Advertisement

Customers concerned about privacy and the overturned FCC rules were united in deeming browsing history sensitive, private information that needs to be protected. ISPs just don’t, and they mislead customers by not being clear about that huge difference of opinion. And internet users shouldn’t have to spend an hour on the phone or reading privacy policies to figure that out.