May 2016 Preface
Total Page:16
File Type:pdf, Size:1020Kb
Peter Swire, Associate Director, The Institute for Information Security & Privacy at Georgia Tech; Huang Professor of Law, Georgia Tech Scheller College of Business; and Senior Counsel, Alston & Bird LLP Justin Hemmings, Research Associate, Georgia Tech Scheller College of Business and Policy Analyst, Alston & Bird LLP Alana Kirkland, Associate Attorney, Alston & Bird LLP May 2016 Preface May 2016 Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others This Working Paper provides a detailed, factual description of today’s online ecosystem for the United States, with attention to user privacy and the data collected about individual users. The Working Paper addresses a widely-held, but mistaken view about Internet Service Providers (“ISPs”) and privacy. That view asserts that ISPs have comprehensive and unique access to, and knowledge about, users’ online activity because ISPs operate the last mile of the network connecting end users to the Internet. Some have cited this view to suggest that ISPs’ collection and use of their customers’ online data may justify heightened privacy restrictions on ISPs. This Working Paper takes no position on what rules should apply to ISPs and other players in the Internet ecosystem going forward. But public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem. The Working Paper addresses two fundamental points. First, ISP access to user data is not comprehensive – technological developments place substantial limits on ISPs’ visibility. Second, ISP access to user data is not unique – other companies often have access to more information and a wider range of user information than ISPs. Policy decisions about possible privacy regulation of ISPs should be made based on an accurate understanding of these facts. Technological Developments Place Substantial Limits on ISPs’ Visibility into Users’ Online Activity: 1. From a single stationary device to multiple mobile devices and connections. In the 1990s, a typical user accessed the Internet from a single, stationary home desktop connected by a single ISP. Today, in contrast, the average Internet user has 6.1 connected devices, many of which are mobile and connect from diverse and changing locations that are served by multiple ISPs. By 2014, 46 percent of mobile data traffic was offloaded to WiFi networks, and that figure will grow to 60 percent by 2020. Any one ISP today is therefore the conduit for only a fraction of a typical user’s online activity. 2. Pervasive encryption. We present new evidence about the rapid shift to encryption, such as the HTTPS version of the basic web protocol. Today, all of the top 10 web sites either encrypt by default or upon user log-in, as do 42 of the top 50 sites. Based on analysis of one source of Internet backbone data, the HTTPS portion of total traffic has risen from 13 percent to 49 percent just since April 2014. An estimated 70 percent of traffic will be encrypted by the end of 2016. Encryption such as HTTPS blocks ISPs from having the ability to see users’ content and detailed URLs. There clearly can be no “comprehensive” ISP visibility into user activity when ISPs are blocked from a growing majority of user activity. 3. Shift in domain name lookup. One integral function of ISPs has been to match the user’s web address request to the correct domain and specific Internet Protocol (“IP”) address. Today there is a still small, but growing, trend of Internet users utilizing proxy services that displace this traditional ISP function. Examples include Virtual Private Networks (“VPNs”) and new proxy services offered by leading Internet companies. When a user accesses the Internet through an encrypted tunnel to one of these gateways, ISPs cannot even see the domain name that a user is visiting, much less the content of the packets they are sending and receiving. 3 Non-ISPs Often Have Access to More and a Wider Range of User Information than ISPs: 1. Non-ISP services have unique insights into user activity. At the same time that the above technological and marketplace developments are reducing the online visibility of ISPs, non-ISPs are increasingly gathering commercially valuable information about online user activity from multiple contexts, such as: (1) social networks; (2) search engines; (3) webmail and messaging; (4) operating systems; (5) mobile apps; (6) interest- based advertising; (7) browsers; (8) Internet video; and (9) e-commerce. This Working Paper explains the data flows and mechanisms for advertising for each of these contexts, many of which gather insights about users that are not available to ISPs. Traditional ISPs are not market leaders in any of these major areas; rather, they are just starting to compete in some of them. 2. Non-ISPs dominate in cross-context tracking. Each of the above-listed services and platforms gathers volumes of data about users, frequently with insights into content (social networks, webmail, etc.) and other information often characterized as sensitive in privacy debates. While it is analytically instructive to understand each service/platform, the real insights come from combining information from multiple services/platforms – what we call “cross-context tracking” linked to a particular user device or across devices. The 10 leading ad-selling companies earn over 70 percent of online advertising dollars, and none of them has gained this position based on its role as an ISP. 3. Non-ISPs dominate in cross-device tracking. Yesterday’s desktop has evolved into today’s tablets and smartphones, and tomorrow’s innumerable devices in the Internet of Things. A growing share of advertising tracking targets the user across multiple devices. Market leaders are companies for whom users log in across multiple devices, such as smartphones, tablets, and laptops. Today, cross-device data collection from logged-in and not logged-in users is led by non-ISPs. In summary, based on a factual analysis of today’s Internet ecosystem in the United States, ISPs have neither comprehensive nor unique access to information about users’ online activity. Rather, the most commercially valuable information about online users, which can be used for targeted advertising and other purposes, is coming from other contexts. Market leaders are combining these contexts for insight into a wide range of activity on each device and across devices. 4 Executive Summary May 2016 Executive Summary Online Privacy and ISPs: ISP Access to Consumer Data Is Limited and Often Less than Access by Others1 This Working Paper provides a detailed, factual description of today’s Internet ecosystem for the United States, with attention to user privacy and the data collected about individual users. For two decades, there have been complex policy discussions about how to protect users’ privacy online while also enabling the provision of advertising-supported content and robust commercial activity on the Internet.2 This Working Paper is intended to provide information useful to Congress, federal agencies, and the general public in consideration of online privacy issues. Among other relevant fora, in 2015 the Federal Communications Commission (“FCC”) issued its Open Internet Order, which brings Internet Service Providers (“ISPs”) under the common carrier requirements of Title II of the Telecommunications Act.3 Title II contains Section 222, which governs how telecommunications service providers use and disclose Customer Proprietary Network Information.4 In April 2015, the FCC held a hearing on broadband Internet privacy, for which one of the authors of this Working Paper was invited to testify.5 This Working Paper grew out of the April hearing, where there were large factual disagreements about important aspects of online privacy for broadband services newly covered by Title II. At the hearing, FCC officials expressed interest in better understanding these facts. This Working Paper, in response, is intended to provide a factual and descriptive foundation for making public policy decisions about the privacy framework that should apply to ISPs and other companies that collect and use consumers’ online data.6 1 The authors thank Marie Le Pichon for creating the Diagrams, which are under a Creative Commons Attribution 4.0 license and should be attributed to her. We also thank Brooks Dobbs and Addison Amiri for assistance on technological aspects of this Working Paper. Research support for this Working Paper comes from Broadband for America, the Institute for Information Security and Privacy at Georgia Tech, and the Georgia Tech Scheller College of Business. The views expressed here are those of the authors. 2 Peter Swire, “Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information,” U.S. Department of Commerce, Aug. 15, 1997, (http://papers.ssrn.com/sol3/papers.cfm?abstract_id=11472). This Working Paper addresses issues relevant to law and policy in the United States. Other nations have different privacy regimes, but this Working Paper does not specifically address practices outside of the U.S. 3 This Working Paper uses the familiar term Internet Service Provider (“ISP”) in the way it is generally understood – an organization that connects users to the Internet. Discussions of data collected by an ISP refer to information received by a company specifically by virtue of its providing end users a connection to the Internet. In its Open Internet Order, the FCC used a somewhat different term: “Broadband Internet Access Services.” The FCC defined these as a “mass-market” retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up Internet access service. “In the Matter of Protecting and Promoting the Open Internet,” Report and Order, FCC 15-24 app.