Sen. Edward Markey isn’t ready to throw in the towel over internet-consumer privacy just yet.
The U.S. senator from Massachusetts is among the more vocal opponents of a widely unpopular resolution rolling back online privacy protections crafted during the Obama administration.
On Monday, President Donald Trump signed the resolution into law, formally repealing Federal Communications Commission (FCC) rules that were designed to prevent internet service providers (ISPs), such as AT&T and Comcast, from packaging and selling consumer data, including the web browsing behavior of their customers.
“The Republican-controlled Congress wants broadband companies to use and sell sensitive information about Americans’ health, finances, and even children without consent,” wrote Markey, a Democrat, in a statement last week. “The big broadband behemoths and their Republican allies have fired their opening salvo in the war on net neutrality, and broadband privacy protections are the first victim.”
A member of the Senate Committee on Commerce, Science, and Transportation, Markey now wants answers from the nation’s leading telecoms about how they intend to handle their customers’ data in this largely unregulated environment.
“In 2017, broadband access is no longer a luxury; it is essential,” wrote Markey in an open letter co-signed by seven other U.S. senators. ISPs are “gatekeepers,” they said, upon which Americans depend for access to vital services. Many will not have the option of switching providers if opposed to the way their data is being sold off.
“Given this limited choice, we urge your companies to provide your subscribers with the same level of privacy and security protections as stipulated in the FCC’s broadband privacy order,” concludes the letter, addressed to AT&T, Comcast, Charter, Verizon, Sprint, T-Mobile, and CenturyLink.
The letter was co-signed by Sens. Al Franken (D-Minn.), Richard Blumenthal (D-Conn.), Elizabeth Warren (D-Mass.), Bernard Sanders (I-Vt.), Ron Wyden (D-Ore.), Patrick Leahy (D-Vt.), and Chris Van Hollen (D-Md.).
Below is a list of 16 questions that Markey and his colleagues would like the ISPs to answer, including one concerning potential changes to internal privacy policies following the resolution’s passage:
- Do you obtain affirmative opt-in consent to use, share, or sell any of the following information: web browsing history, app usage history, the content of communications, children’s information, health information, financial information, geo-location, and Social Security numbers? If yes, please detail your policy. If no, why not? If no, please disclose what information you are sharing and selling and with whom you are sharing or selling that information.
- Do you provide consumers opt-out control over their information? If yes, for what types of information? Please detail your policy. If no, why not?
- Do you maintain information or data related to former subscribers? If yes, what information do you keep, how is it maintained, and is it minimized? What are your data security and privacy policies for the data and personal information of former subscribers?
- Do you make “take-it-or-leave-it” offerings, where consumers are refused internet service if they do not permit their information to be used, shared, or sold? If yes, why? When updating privacy policies, must current subscribers agree to the new terms in order to continue service? Would a consumer be forced to pay a termination fee if service is denied for refusing to agree to new privacy or data collection terms? Please detail your policy.
- Do you make “pay for privacy” offerings, where consumers could be required to pay an additional amount to protect their privacy or receive compensation for declining to protect their privacy? Please detail your policy.
- Do you notify customers at the point-of-sale, before purchase, of the types of information collected, how and for what purposes you use and share this information, and with whom that information is shared or sold? If yes, please detail your policy. If no, why not?
- Do you develop and adhere to reasonable data security practices sufficient to protect the information you collect about your subscribers? If yes, please detail your policy. If no, why not?
- Do you notify customers within 30 days if their information has been breached or accessed by unauthorized parties? Do you also alert customers to any mitigating action they should take? Do you provide free services to mitigate the impacts of a breach, such as free credit monitoring service? If yes, please detail your policy. If no, why not?
- Do you practice strong de-identification or anonymization, such that de-identified personal information cannot be reasonably linkable to a person or device? If yes, please explain your process for de-identifying data. If no, why not?
- Do you prohibit third parties with whom you share or sell consumers’ sensitive information from re-identifying de-identified information? If yes, please detail your policy. If no, why not?
- Do you refuse to serve a customer who does not agree to mandatory arbitration clauses? If yes, why? Please detail your policy.
- Do you notify customers when you make material changes to your privacy policies? If yes, please detail your policy. If no, why not?
- Do you have a clear, user-friendly, easily accessible, and responsive complaint process for consumers who have evidence or reason to believe their privacy has been violated? If yes, please detail your policy. If no, why not?
- Many ISPs retain so-called “netflow” records, related to their customers’ internet usage. Do you retain netflow records for your customers’ web browsing activity? If so, for how long do you retain them? Will you disclose netflow records pursuant to a National Security Letter, or only court orders?
- Under Section 222 of the Communications Act, carriers may not disclose subscriber location information without the “express prior authorization of the customer”. Over each of the last three years, how many times did your company disclose to third parties individually identifiable customer location data or other Customer Proprietary Network Information with a customer’s express prior authorization? Does your company obtain the consent from the subscriber directly? If not, and the third party obtains the consent (or claims they do), do you request or retain a copy of documentation showing that the customer provided such consent?
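Two of the questions above, the one on “strong de-identification” such that data “cannot be reasonably linkable to a person or device” and the one on retained netflow records, meet in a common ISP practice: keeping flow records but replacing the subscriber address with a hash. The example below is added here to show why that does not meet the senators’ standard; it is not code from the letter or from any of the ISPs addressed. It constructs a few NetFlow-style records with a plain SHA-256 token in place of the subscriber address and recovers the addresses by hashing every address in an assumed customer pool (the 198.51.100.0/24 documentation range; the pool, the records and the key are all constructed for the example). A keyed HMAC blocks that enumeration, but the records remain linkable to one subscriber and still name every destination that subscriber contacted, which is the re-identification path the letter asks ISPs to prohibit for third parties.

```python
"""Why hashing a subscriber IP is not 'de-identification' (added example).

Builds constructed NetFlow-style records whose subscriber address has been
replaced by an unkeyed SHA-256 token, then recovers the addresses by hashing
every address in an assumed customer pool. A keyed HMAC resists that
enumeration, but each record is still linkable to the same subscriber and
still names every destination the subscriber talked to.
"""
import hashlib
import hmac
import ipaddress
from typing import Callable, Dict, List

# Assumption for the example: the ISP assigns subscribers from this pool.
CUSTOMER_POOL = "198.51.100.0/24"


def token_unkeyed(ip: str) -> str:
    """'Anonymize' an address with a plain hash (the weak practice)."""
    return hashlib.sha256(ip.encode()).hexdigest()


def token_keyed(ip: str, key: bytes) -> str:
    """Pseudonymize with an HMAC under a secret the ISP never shares."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def make_records(token_fn: Callable[[str], str]) -> List[Dict]:
    """Constructed flow records: subscriber token, destination, port, bytes."""
    flows = [
        ("198.51.100.42", "203.0.113.10", 443, 48120),
        ("198.51.100.42", "203.0.113.77", 443, 9100),
        ("198.51.100.7", "203.0.113.10", 443, 120),
    ]
    return [{"sub": token_fn(src), "dst": dst, "dport": dport, "bytes": n}
            for src, dst, dport, n in flows]


def reidentify(records: List[Dict], pool: str) -> Dict[str, str]:
    """Map each unkeyed subscriber token back to an address.

    Returns {token: ip} for every token that matched. The attacker needs only
    the hash function and the candidate address space: a /24 is 256 hashes
    and the entire IPv4 space is 2**32, both cheap to enumerate.
    """
    table = {token_unkeyed(str(ip)): str(ip)
             for ip in ipaddress.ip_network(pool)}
    return {r["sub"]: table[r["sub"]] for r in records if r["sub"] in table}


def link_by_token(records: List[Dict]) -> Dict[str, List[str]]:
    """Group destinations per token; works whether or not the token is keyed."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        groups.setdefault(r["sub"], []).append(r["dst"])
    return groups


if __name__ == "__main__":
    weak = make_records(token_unkeyed)
    print("unkeyed tokens recovered:", reidentify(weak, CUSTOMER_POOL))
    strong = make_records(lambda ip: token_keyed(ip, b"secret-held-by-isp"))
    print("keyed tokens recovered:", reidentify(strong, CUSTOMER_POOL))
    print("still linkable per subscriber:", link_by_token(strong))
```

The keyed variant only helps while the key stays inside the ISP; if the ISP shares the key with a partner, or the partner can submit addresses for tokenization, the same enumeration applies. Even without the key, the destination addresses and byte counts in each record stay intact, so anyone holding a few known flows for a subscriber can match the token and read off the rest of that subscriber’s history.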