ISPs and Customer Data

The FCC recently made a data request to cellular carriers asking how long the companies retain geolocation data on customers. For those not sure what that means, it means that the carriers record your location from your smartphone as you move around during the day. Your cellular company keeps data that can retrace everywhere you’ve been during the day. This rightfully makes most people nervous that somebody is watching and recording every place they visit.

Geolocation data is only one small piece of the data that cellular carriers collect on people. Cellular companies obviously know everybody you’ve called and texted, including the content of every text. They know every app you’ve used, websites you’ve visited, and the topic of every Google search you’ve made from your phone. Cellular companies also know the content of every email you send, assuming the email is not encrypted.

The FCC sent the data request in response to pressure from the public and politicians to put some commonsense caps on the collection and use of customer data. Here is a link to the responses from the fifteen largest cellular carriers.

Here are a few of the most common responses to the data request:

  • Cellular carriers said they retained records of customer activity to be able to respond to requests from law enforcement. This is a big turnaround from twenty years ago when telephone companies only tracked customer telephone usage after getting a valid subpoena to do so. It now seems that the carriers claim to record everything done by all customers to be able to respond to subpoenas involving only a minuscule percentage of people. The carriers cite law enforcement and FCC rules that force them to track customers.
  • Ten of the carriers said that customers have no options for opting out of having their locations tracked.
  • The amount of time that carriers retain data varies from two months to five years.

This is an issue that has been investigated at the FCC before. Several years ago, the FCC considered large fines against some of the largest cellular carriers for improperly misusing customer location data, such as selling data to bail bondsmen.

This FCC investigation centered only on geolocation data, but people are concerned about how ISPs and wireless carriers use all collected customer data. Company privacy practices vary widely, as does the way that carriers explain data collection practices. Consider what various carriers tell customers in the terms of service.

T-Mobile explicitly tells customers that it uses their data to consider marketing to them. Further, its privacy policy not only says that customer data is collected directly but that the company might buy or get personal data from third parties like social media platforms, analytic providers, and consumer data resellers.

AT&T says that it might share customer data with third parties, such as device information, advertisements you view, and demographic information like your age, gender, and ZIP code.

Verizon says it may collect demographic and interest data and look at how customers use the Verizon website and apps. That may not sound like a lot, but it includes “information about browsing, searching and buying activities; IP address, mobile phone number, device numbers and identifiers, web addresses of the sites you come from and go to next, screen recordings, browser and operating system information, platform type, connection speed, and other attributes.” Verizon also sells data to third parties.

At the other extreme are carriers like Comcast, which says that it doesn’t track or record the apps people use, or the websites visited.

But interestingly, most of the carriers that say they don’t use customer data have resisted any FCC or FTC attempts to restrict the data that might be collected.

The FCC inquiry only dips a toe into the fringe of data collection practices. It’s always been assumed that the carriers make a lot of money selling and using customer data, but none of them ever identify or quantify the financial benefits. I know I am probably like a lot of the public and would like to see more restrictions and disclosure requirements for carriers and ISPs. I know this view is shared by most small ISPs that don’t record or share data – I think they need to remind folks about this more often.