New FTC Report Admits that ISP Surveillance is Practically Inescapable

Posted on October 24, 2021

According to The Register, a new report by the FTC has concluded that, in practice, it is nearly impossible for internet service provider (ISP) customers to escape surveillance by these companies. In particular, the report notes that add-on services allow ISPs to aggregate more data on customers than they could derive from browsing data alone, and that deliberately unintuitive design choices (known as “dark patterns”) hide data privacy settings so that very few users are able to enable them. The vast majority of ISP customers, who make use of service bundles and trust default settings, therefore enjoy no privacy protections against their ISP.

By virtue of the position they occupy between Internet users and the public Internet itself, ISPs wield considerable power to spy on their customers, even without leveraging “vertical integration” services such as TV streaming. To start with, because of how the Internet is structured, an ISP will automatically know each user’s approximate geolocation. And if customers don’t use a VPN or other proxy service, the ISP will also know which sites they browse to. Granted, the ISP may not necessarily know which individual page or specific content a user is viewing if they have an encrypted connection, but oftentimes the domains that a user visits at a given time (and over time) are enough to establish patterns that are valuable to targeted ad vendors.

Reporting over the years has corroborated the FTC’s latest assessment that hiding from one’s ISP is not so simple. ISPs have been caught multiple times stripping out encryption on users’ connections to certain sites. VPNs may also not be much help if the ISP also serves the server of the site that the user is connecting to, or serves the VPN provider itself. In these cases, the ISP would be in a position to perform a traffic correlation attack, in which it matches the connection leaving one’s home with the one arriving at the destination VPN or server moments later.

Worse yet, users who wish to punish their ISP for exploitative practices by seeking alternatives will rarely find any available. Since most regions are dominated by one or two ISPs, and because customers in rural areas and in apartment complexes typically only have one ISP with the infrastructure in place to serve them, few Americans have any real choice of ISP.

The risk of monitoring by one’s ISP is not theoretical. In 2017, President Trump signed a bill firmly cementing ISPs’ right to sell customer browsing data (though that’s not to say it wasn’t already happening). Regardless, ISPs have every incentive to do so, since it offers an additional revenue stream free for the taking. Trump’s FCC, headed by former Verizon lawyer Ajit Pai, abdicated responsibility for regulating ISPs, stating that this was a job for the FTC. Thankfully, the FTC appears to have seriously taken up the mantle of reining in ISPs, potentially to the benefit of consumer savings and privacy.

You can read the full piece from The Register here.