Numerous surveys have shown that the vast majority of people are leery about ISPs recording and sharing data about them. As a small ISP you can take advantage of this sentiment to get a competitive advantage. Most small ISPs compete against the larger ISPs, and we all know that those companies have willingly and directly handed customer data to the NSA.
Probably the biggest step you can take in this area is to look at your data retention practices. I’ve visited clients who retain records of everything their customers have done on-line for the last year or even longer. They generally say this is done for the purposes of being able to trace network problems and also because data storage is cheap.
There are FCC requirements to retain originating telephone calling records for 18 months. That requirement was recently bolstered by asking you to keep even more data about calls placed to rural locations for six months. But there are no legal requirements that you must track the web sites people visit or retain emails or other web-related records for any length of time.
Think about the message that you can send to your customers if you make it a point to not store customer data for any longer than necessary. You probably want to keep things for a little while for the purpose of investigating network problems and answering custom inquiries. You should make an assessment of how often you need to look backwards at customer data to help determine the right time to keep records. You might even be able to justify not recording some things in the first place.
You can’t always erase customer data. Obviously you have to comply with law enforcement subpoenas, but those can only require you to record and turn over data going forward and you are not required to have kept older data. And most ISPs will voluntarily save and track data for customers who request it, such as somebody who is being cyber-harassed. The hardest data to have a policy for are emails. What you might want to consider is that when a customer deletes an email that you also permanently delete it. This puts emails into the control of your customers instead of you. But if they choose to retain emails you obviously must keep them. Otherwise there is very little reason for you to be keeping customer data. If you don’t have a very specific network security reason to store something, then don’t do it.
If you are proactive on customer privacy and data retention you should make sure that your customers know about your policies. You can openly pledge to customers that you are taking concrete steps to protect their privacy. Such pledges can be a good marketing tool for you, particularly if your competition can’t or won’t make such promises. So make sure you don’t miss an opportunity to talk about your practices.
You can go even further and educate people in general about practices which will help them preserve their privacy. Changing to a no-tracking search engine is a good start, but other practices like clearing their cache of cookies or turning off location identifiers are other ways for people to have a lower web profile. So you can create a few educational pages informing people about good web practices. Again, the point is to show that you care about their desire for privacy.
You obviously can’t help your customers if the NSA is somehow still snagging a lot of the data at some later point in the network. But very few people are as worried about the NSA as they are about the big web companies like Google that are gathering a detailed profile about them and then selling this to marketers of all types. So take whatever steps you can to assure your customer that you understand their concerns about privacy and that you are on their side.