Senate Democrats have pressed major ISPs on whether they are protecting consumer privacy in the wake of congressional Republicans' nullification of the FCC's broadband privacy rules, suggesting the ISPs voluntarily adhere to all the FCC rules they fought, while saying they remained committed to protecting subscriber privacy.
Sen. Ed Markey (D-Mass.), a longtime advocate for privacy rights who pushed back hard against the Republican effort, led a group of eight senators in letters to AT&T, Comcast, Charter, Verizon, Sprint, T-Mobile and CenturyLink.
The letter seeks answers to a host of questions (see below), including whether they require opt-in consent for sharing web browsing, app use, and other information, whether they have "take-it-or-leave-it" offerings refusing service to those who do not agree to share their info, whether they have "pay for privacy" options, and more, essentially restating the rules and asking if their voluntary policies match them, plus some additional questions.
“We strongly disagree with the CRA resolution, and believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected,” they wrote, urging them on their own to “provide your subscribers with the same level of privacy and security protections as stipulated in the FCC’s broadband privacy order.”
Democratic members of the House Energy & Commerce Committee at a hearing Wednesday slammed Republicans for the CRA, suggesting promises that privacy would be protected were hollow.
Following is one of the letters, this one to AT&T CEO Randall Stephenson:
April 5, 2017
Dear Mr. Stephenson:
Congress recently passed a Congressional Review Act (CRA) resolution rescinding the Federal Communications Commission’s (FCC) broadband privacy and security rules. We strongly disagree with the CRA resolution, and believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected. In light of this Congressional action, we write to ask how your company plans to protect the privacy of the millions of Americans who rely on your services to connect to the internet.
In 2017, broadband access is no longer a luxury; it is essential. Internet Service Providers (ISPs) are gatekeepers that control the infrastructure that Americans depend on to access vital applications and services. ISPs can use this privileged position to collect and use sensitive information about subscribers, including precise geo-location, financial information, and web and app usage history. Yet, many consumers have limited choice for broadband service and cannot necessarily change ISPs if their privacy and security protections are not transparent or strong. Given this limited choice, we urge your company to provide your subscribers with the same level of privacy and security protections as stipulated in the FCC’s broadband privacy order.
We respectfully request that you provide a written response to the following questions:
1. Do you obtain affirmative opt-in consent to use, share, or sell any of the following information: web browsing history, app usage history, the content of communications, children’s information, health information, financial information, geo-location, and Social Security numbers? If yes, please detail your policy. If no, why not? If no, please disclose what information you are sharing and selling and with whom you are sharing or selling that information.
2. Do you provide consumers opt-out control over their information? If yes, for what types of information and please detail your policy. If no, why not?
3. Do you maintain information or data related to former subscribers? If yes, what information do you keep, how is it maintained, and is it minimized? What are your data security and privacy policies for the data and personal information of former subscribers?
4. Do you make “take-it-or-leave-it” offerings, where consumers are refused internet service if they do not permit their information to be used, shared, or sold? If yes, why? When updating privacy policies, must current subscribers agree to the new terms in order to continue service? Would a consumer be forced to pay a termination fee if service is denied for refusing to agree to new privacy or data collection terms? Please detail your policy.
5. Do you make “pay for privacy” offerings, where consumers could be required to pay an additional amount to protect their privacy or receive compensation for declining to protect their privacy? Please detail your policy for what purposes you use and share this information, and with whom that information is shared or sold. If yes, please detail your policy. If no, why not?
6. Do you notify customers at the point-of-sale, before purchase, of the types of information collected, how and for what purposes you use and share this information, and with whom that information is shared or sold? If yes, please detail your policy. If no, why not?
7. Do you develop and adhere to reasonable data security practices sufficient to protect the information you collect about your subscribers? If yes, please detail your policy. If no, why not?
8. Do you notify customers within 30 days if their information has been breached or accessed by unauthorized parties? Do you also alert customers to any mitigating action they should take? Do you provide free services to mitigate the impacts of a breach, such as free credit monitoring service? If yes, please detail your policy. If no, why not?
9. Do you practice strong de-identification or anonymization, such that de-identified personal information cannot be reasonably linkable to a person or device? If yes, please explain your process for de-identifying data. If no, why not?
10. Do you prohibit third parties with whom you share or sell consumers’ sensitive information from re-identifying de-identified information? If yes, please detail your policy. If no, why not?
11. Do you refuse to serve a customer who does not agree to mandatory arbitration clauses? If yes, why? Please detail your policy.
12. Do you notify customers when you make material changes to your privacy policies? If yes, please detail your policy. If no, why not?
13. Do you have a clear, user-friendly, easily accessible, and responsive complaint process for consumers who have evidence or reason to believe their privacy has been violated? If yes, please detail your policy. If no, why not?
14. Many ISPs retain so-called “netflow” records related to their customers’ internet usage. Do you retain netflow records for your customers’ web browsing activity? If so, for how long do you retain them? Will you disclose netflow records pursuant to a National Security Letter, or only court orders?
15. Under Section 222 of the Communications Act, carriers may not disclose subscriber location information without the “express prior authorization of the customer”. Over each of the last three years, how many times did your company disclose to third parties individually identifiable customer location data or other Customer Proprietary Network Information with a customer’s express prior authorization? Does your company obtain the consent from the subscriber directly? If not, and the third party obtains the consent (or claims they do), do you request or retain a copy of documentation showing that the customer provided such consent?
Thank you for your attention to this important matter. We respectfully request that you provide a written response by May 1, 2017.