This week, President Donald Trump signed the widely-criticized bill repealing FCC ISP privacy rules, which would have required internet service providers to get opt-in consent before selling customers’ web browsing history. The rules hadn’t actually gone into effect, but the bill’s passage was a wake-up call for American internet users, who suddenly realized: Wait, what the hell, my ISP can sell my browsing history? And it’s not just that they can: they don’t have to make it easy, or even possible, to opt out.
Without the repealed rules, the law dictating how ISPs get your consent for selling your data is very murky. In terms of browsing information, “each company can interpret what kind of consent is required,” according to Katharina Kopp, deputy director at the Center for Digital Democracy. The Communications Act requires that customers opt in before ISPs share their “proprietary information,” but without an FCC rule to interpret the statute, it’s unclear whether browsing history should count as proprietary information, and that lack of clarity means providers can decide for themselves that it doesn’t count. And without rules, there isn’t a standard for if or how they should provide options to opt out of data sharing, either. Even if ISPs’ data policies were in violation of the law, the lack of interpretation and the lack of will at the FCC means they’re unlikely to get in trouble for it.
Several ISPs, including Verizon and Comcast, signed onto voluntary set of principles on privacy earlier this year, which include a commitment to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” (Non-sensitive information includes web browsing history, according to them.) Of course, as Dallas Harris, a policy fellow at the internet advocacy group Public Knowledge, told Gizmodo, “I can’t trust my ISP to come between noon and three, so the idea they say, we’ll promise we’ll do this, is not very reassuring.”
So we’re all left to the mercy of our ISPs and their privacy policies, which sucks. These companies are horrible to deal with—Comcast consistently ranks as one of the most hated in America—and the privacy policies are vague and confusing. After the bill was repealed, I received many emails from readers who had struggled to opt out of having their data sold, either by going to their ISP’s website or by contacting customer service. And after I got those emails, I did a little digging myself to see whether I, professional tech writer, could find out how to opt out with the biggest ISPs.
It wasn’t easy. In fact, it was a frustrating, confusing, tear-your-hair-out experience.
If opt-out options exist, they are hard to locate. It’s not as simple as logging into your ISP account and clicking a big red “opt out” button. My ISP, Comcast, does offer you the option of opting out of targeted ads (which isn’t the whole story—more on that later), but there’s no way to find that in your account settings online; in fact, as the company’s help page shows, the link is buried under an ad, in what appears to be the smallest font known to humans. I have Adblock turned on, so it doesn’t even show up for me.
Another reader told us that when they chatted online with Charter Communications customer service they were told that they simply cannot opt out of services. “Currently we do not have this option where we can opt out customer personal information but I will make a note on your account and we will work on it and you can choose that option in coming time,” a representative told the reader.
These privacy policies also tend to promise that “personally identifiable” information won’t be sold, but make no promises about anonymous or aggregated data. Charter’s policy, for example, says “We may provide anonymous data to third parties who may combine it with other information to conduct more comprehensive audience analysis for us and for television advertisers.” But the policy doesn’t tell us what methods it uses to do so, or acknowledge that the company can’t just collect aggregate data—it has to be collected on an individual basis and then later aggregated.
That data collection has its own security implications: once it’s collected, it has to be stored somewhere, and that makes it vulnerable to hacking. It’s also not clear that “aggregated” data is the anonymity safeguard that ISPs want you to think it is: The American Library Association has pointed out the “surprising ease with which apparently anonymous data can be ‘reidentified,’” and recent research has bolstered this case. The more data points about a web user there are, the less anonymous that data is—and the more valuable it is to an advertiser.
And even when ISPs offer opt-outs, they aren’t always that comprehensive or clear about what you’re not opting out of. Most ISPs allow you to opt out of targeted ads—AT&T calls this “Relevant Advertising,” while Charter allows you to opt out of Targeted Digital Marketing Ads by entering your email address. These opt-outs mean your ISP can’t sell your web history or other data to advertisers who then use that information to target their customers through ads displayed on that network.
The difficulty of opting out shows just why the FCC rules were needed. Those rules would have replaced this insane, burdensome process with a simple opt-in question, which is why ISPs fought it so hard—they want it to be hard for you to opt out, because they want to sell your data. As it stands, these privacy policies are extremely confusing, and actually finding out how to opt out and what data you have control over is really hard, even for someone who reports on tech policy and has nothing else to do all day.
Customers concerned about privacy and the overturned FCC rules were united in deeming browsing history sensitive, private information that needs to be protected. ISPs just don’t, and they mislead customers by not being clear about that huge difference of opinion. And internet users shouldn’t have to spend an hour on the phone or reading privacy policies to figure that out.