Today the Massachusetts Special Senate Committee on Net Neutrality and Consumer Protection meets to discuss critical law reform regarding internet service providers’ (ISPs) use of consumer data. ISPs have access to mountains of personal information including our browsing history, personal and professional records, and financial information, but due to actions by the GOP Congress and the Trump administration, their use of this information is totally unregulated.
Back in 2016, the FCC proposed extensive regulations to protect consumer privacy online. The rules would have required ISPs to disclose details about their collection and use of consumer data, including how they disseminate that information to third-parties. Crucially, the regulations would have required ISPs to obtain consumers’ consent before selling sensitive data to third parties. These rules would have been enacted in December of 2017, but in March of that year Congress voted to halt their enforcement. This action opened a dangerous door for ISPs to enter into the advertising game.
Companies across industries collect and share data about users to tailor digital advertising. The data-driven, online advertising business is worth billions of dollars a year, and has fueled the exponential growth of companies like Facebook, Amazon, and Google. Though advertising companies have had considerable success with these tactics, they have trouble putting together a users’ activity when it’s split across several electronic devices. ISPs, however, can overcome this hurdle. For example, with its Audience Symphony program, Comcast collects user activity across its “digital, mobile, and social platforms.” Reports indicate that Comcast compiles extensive user profiles for its own advertising, and absent regulations or state laws, it can also sell the information to other companies, even without user consent.
In light of Congress’ action to kill internet privacy regulations, several state legislatures stepped up to protect consumer privacy. Here in Massachusetts, the special committee’s proposed legislation would limit ISPs’ use and dissemination of consumers’ personal data. It mandates that ISPs obtain customers’ permission before they can “use, collect, disclose or allow access to a customer’s data for purposes such as selling that data to third parties.”
The bill would also forbid ISPs from taking financial punitive action against consumers who choose to opt out of data collection and disclosure, and from offering financial rewards to those who opt-in to data sharing. Additionally, under the legislation, consumers would have the right to receive a list of all the data collected by their ISPs within 30 days of such a request. ISPs that fail to comply with any portions of the bill would be subject to legal action from the state Attorney General as well as private consumers.
Recent news underscores the need for these privacy protections. Facebook made headlines last week when news broke that Cambridge Analytica, a political consulting firm that worked on the Trump campaign, gained access to information from 50 million people’s accounts. A few years ago, Facebook allowed University of Cambridge researcher Aleksandr Kogan to collect users’ information through an app that purported to quiz people on their personality traits. To use the app, users authorized it to collect their profile information and their friends’ information. So, while only around 270,000 people used the app, Kogan managed to collect 50 million people’s data. Although Facebook policy prohibited Kogan from sharing this information, he nonetheless sold the data to Cambridge Analytica. Facebook discovered this in 2015 but did not notify consumers that an unauthorized third party had obtained their personal information. The company merely obtained written agreements from Kogan and Cambridge Analytica that they would delete the data and then moved on.
Whistleblowers and undercover videos indicate Cambridge Analytica attempted to use the Facebook data to influence the 2016 election. While experts indicate it’s unlikely that one firm could have ultimately decided the outcome, consumers are nonetheless right to be worried about how information collected about them can be used, in secret and possibly nefarious ways.
Facebook collects enormous quantities of sensitive data through the information users put on their profiles, the accounts they connect with through Facebook, and the permissions they give the Facebook mobile app. The company also makes user information available to app developers and “researchers” like the Cambridge academic who sold sensitive user information to the Steve Bannon-connected political firm. In light of the Cambridge Analytica news, CEO Mark Zuckerberg indicated that he expects Congress to regulate his business.
The FCC under the Obama administration already tried to regulate ISPs, which have a breadth of access to information that even Facebook and other companies like it can’t match. Our country is engaged in a critical conversation about information, power, personal privacy, control, and democracy. The Massachusetts legislature must send a strong message in support of personal control and democratic openness, and act to reinstate the privacy protections we lost when Congress and the Trump administration killed regulations that would have barred Comcast and Verizon from selling our sensitive information without our consent.
Take action now to support this critical legislation, and spread the word.
This blog post was written by ACLU of Massachusetts Technology for Liberty intern Iqra Asghar.