A new Federal Trade Commission staff report filed Thursday points the finger at six of the largest internet service providers in the US, calling each out for amassing troves of personal data from their customers and failing to offer meaningful disclosures or options to control the collection of that data.
The six ISPs in question --, , , , and -- account for roughly 98% of the mobile internet market in the US, notes the report. With each, the FTC "identified several troubling data collection practices," including cases in which the ISP had combined user data including browsing history and app usage across product lines in order to serve them targeted ads; had grouped users according to sensitive identifiers like race or sexual orientation; and had shared the consumer's real-time location data with third parties.
"These companies have evolved into technology giants who offer not just internet services but also provide a range of other services including voice, content, smart devices, advertising, and analytics -- which has increased the volume of information they are capable of collecting about their customers," the FTC said in a press release.
The report goes on to note that while the companies in question claim to offer consumers choices and controls over how their data is gathered and used, many of them make it difficult to take advantage of those options, while some nudge consumers to share even more of their data.
The report also takes issue with ISP data retention practices, given that many of the companies say they retain user data as long as is necessary for "business practices" without offering clear or standardized definitions of what constitutes a business practice.
FTC: 'In practice users were thwarted'
In a separate statement,noted that the findings highlight shortcomings with the notice-and-consent framework for user privacy, especially in markets where consumers have limited ISP options to choose from.
"The report found that even in instances where internet service providers purported to offer customers some choice with respect to how their data was collected or used, in practice users were thwarted by design decisions that made it complicated, difficult, or near-impossible to actually escape persistent surveillance," said Khan. "A new paradigm that moves beyond procedural requirements and instead considers substantive limits increasingly seems worth considering."
Khan goes on to note that the report's findings, particularly with respect to the increasingly vertical nature of these companies -- many also offer streaming services, smart home integrations and other complementary offerings -- could be something worth taking into account as the FTC mulls potential mergers between media titans.
"The ways in which expansion across markets enables firms to combine highly sensitive -- and, often, highly valuable -- commercial data underscores the need for us to consider in our merger review process how certain deals may enable degradation of user privacy," Khan said.
When asked for comment, spokespersons for AT&T and Verizon referred CNET to the CTIA, a trade association for the wireless industry.
"Consumers' online safety and privacy is a top priority for the wireless industry, and federal legislation that uniformly protects users across all platforms is the best way forward," a CTIA statement reads. "We are looking forward to continuing to work with the FTC, lawmakers and companies across the ecosystem to ensure consumers are protected."
T-Mobile echoed that industry call for federal legislation that creates uniform standards for privacy and data security.
"T-Mobile shares the FTC's focus on consumer privacy and building trust, and we also support federal legislation that would create one uniform standard for all online companies," a spokesperson for T-Mobile said.
A spokesperson for Comcast declined to comment. Google and Charter didn't immediately respond to a request for comment.