By Electronic Frontier Foundation, Mozilla, and The Internet Society
As people learn more about how companies like Google and Facebook track them online, they are taking steps to protect themselves. But there is one relatively unknown way that companies and bad actors can collect troves of data.
Internet Service Providers (ISPs) like Comcast, Verizon, and AT&T are your gateway to the Internet. These companies have complete, unfettered, and unregulated access to a constant stream of your browsing history that can build a profile that they can sell or otherwise use without your consent.
Last year, Comcast committed to a broad range of DNS privacy standards. Companies like Verizon, AT&T, and T-Mobile, which have a major market share of mobile broadband customers in the U.S., haven’t committed to the same basic protections, such as not tracking website traffic, deleting DNS logs, or refusing to sell users’ information. What’s more, these companies have a history of abusing customer data. AT&T, Sprint, and T-Mobile, sold customer location data to bounty hunters, and Verizon injected trackers bypassing user control.
Every single ISP should have a responsibility to protect the privacy of its users – and as mobile internet access continues to grow, that responsibility rests even more squarely on the shoulders of mobile ISPs. As our partner, Consumer Reports, notes: even opting in to secondary uses of data can be convoluted for consumers. Companies shouldn’t be able to bury consent within a terms of service or use a dark pattern to get people to click “OK” – while claiming they are acting with users’ explicit consent.
Nearly every single website you visit transmits your data to dozens or even hundreds of companies. This pervasive and intrusive personal surveillance has become the norm, and it won’t stop without action from us.
In that vein, Mozilla, the Internet Society, and the Electronic Frontier Foundation are individually and collectively taking steps to protect consumers’ right to data privacy. A key element of that is an effective baseline federal privacy law that curbs data abuses by ISPs and other third parties and gives consumers meaningful control over how their personal data is used.
But effective regulatory action could be years away. We must proactively hold the ISPs accountable today. Laws and technical solutions can go a long way, but we also need better behavior from those who collect our sensitive DNS data.
Today we are publishing an open letter calling on AT&T, T-Mobile, and Verizon to publish a privacy notice for their DNS service that commits to deleting the data within 24 hours and to only use the data for providing the service. It is our hope that they heed the call, and that other ISPs take note as well.
Open Letter: ISPs Must Commit to Basic User Privacy Protections
Image by Viktor Talashuk via Unsplash