A shocking new report compiled by the FTC (US Federal Trade Commission) details how internet service providers are collecting vast amounts of private information that includes browsing history, device information, and location data. This data is often shared within a broad network of advertisers and partners — but we’ll give you concrete steps you can take to restore your digital privacy against these abuses.
Would you be surprised if I told you that your internet service provider (ISP) was spying on and recording everything you do online?
Perhaps not — but you will probably be surprised by the quantity and type of information they gather, as well as what they do with it. In short article, we’re going to hit the high points of a recent FTC (Federal Trade Commission) study that shows us what the big US ISPs really know about us. It also gives us some idea of what they do with the data, and the lengths the big ISPs will go to to keep you from protecting your privacy.
Which ISPs were involved?
The full-length FTC report is based on information gathered from the six largest ISPs in the United States. Together, they comprise almost 82% of the fixed, and almost 99% of the mobile internet market in the United States at the end of Q1, 2021. Their names are:
- AT&T Mobility LLC
- Cellco Partnership (doing business as Verizon Wireless)
- Charter Communications Operating LLC
- Comcast Cable Communications (doing business as Xfinity)
- T-Mobile US Inc.
- Google Fiber Inc.
The FTC also demanded data from three advertising companies that are affiliated with some of these big ISPs. Their names are:
- AT&T’s Xandr
- Verizon’s Verizon Online LLC
- Verizon’s Verizon Media
The goal of the FTC was to do a comprehensive examination of the privacy practices of the 9 organizations above. We’ll dive into the results of this examination in a minute. But before we do, you may need a change of perspective. I know I did.
Note: This is going on all over the world (not just in the United States)
And for our international readers, we should also point out that these same alarming trends have been going on for years in other countries. Over the past ten years, we have seen the UK, Australia, and Canada all pass laws requiring internet providers to record browsing history and make this data available to government agencies.
Needless to say, you should assume your ISP is collecting everything you do online, regardless of where you live — unless you take appropriate counter-measures (discussed below).
Understanding the big US ISPs
The important thing to understand is that these 6 ISPs are no longer simply internet service providers. They are now integrated tech giants in their own rights. The FTC generated the following image to show all the different (and interrelated) businesses that major ISPs may control:
The big ISPs provide a huge range of services. Most or all of those services can gather, and potentially share, information about you and what you do, to the ISP parent company and any or all of the affiliates. This means that just one entity could collect data that is shared with a large network of other organizations.
What did the FTC discover?
The FTC uncovered a lot of disturbing information about the policies and practices of the big ISPs. The report describes the problems in some detail. But interestingly, it doesn’t name names. That is, they didn’t explicitly say Verizon did this, or T-Mobile did that. Also, much of the report is information that is of little interest to people like you and me.
The best I can do for you is to dig through the full 74-page report and pull out the information that I think regular internet users want to know. That means we’ll skip things like the history of the legal framework applicable to ISP privacy. Instead, we’ll talk about things like:
- The vast amounts of your personal information some ISPs gather
- The potentially harmful things some ISPs do with the information they gather
- The tricks some ISPs use to deny you meaningful control over your information
We’ll finish up by talking about some things you can do to fight back.
Here we go.
The vast amounts of personal information that ISPs can gather
Your ISP has access to a lot of information about you. To begin with, they probably know who you are and where you live since you probably have a signed contract with them. Since they typically configure your router to connect to a Domain Name Service (DNS) they control, they can see which websites you visit. If a website you visit doesn’t use encryption (HTTPS) your ISP can see whatever you do there. That’s a lot of information right there, but it gets worse.
ISPs are recording:
- Every website you visit
- Information from your web browser
- Data from other connected devices on your network
- Location data from mobile devices
Combined, this information could be useful for creating a very detailed profile of you that is extremely valuable for advertisers. But it gets even worse.
Remember that the big 6 US ISPs are now tech giants. They provide all sorts of services that have little or nothing to do with getting you connected to the internet. That means all sorts of additional information is available within their overall empire.
They could also have access to information like:
- Your television viewing history
- Email and search results
- Data from your home security
- Connected vehicles you drive
- Other internet-connected devices, such as fitness trackers, appliances, and other Internet of Things (IoT) devices
Feeling sick yet? No? Then you should know that the FTC says there is a trend in the ISP industry to:
“…combine the subscriber data with additional information from third-party data brokers, resulting in extremely granular insights and inferences into not just ISP subscribers but also their families and households.” -FTC
In other words, the big ISPs have the ability to create incredibly detailed profiles of our personal online activities.
And according to the FTC, at least some of the big 6 ISPs are already doing this right now. The question is, what do they do with all this information?
The potentially harmful things some ISPs do with the information they gather
One thing ISPs can do with all this information is help advertisers target you with ads, based on your unique data profile. They don’t need to sell your personal information to do this either. They can apply a process like the following to make money from advertisers without directly revealing your personal information. An ISP can do something like this:
- Combine the personal information they gather themselves with info they buy from third-party data brokers.
- Based on this information, divide their users into market segments.
- Serve targeted ads (provided by the advertisers) to each market segment on behalf of the advertisers.
- Earn advertising fees.
Note that none of your personal information leaves the ISP, yet you are still exposed to ads targeted based on the personal information they collect.
According to the FTC, a trend in the ISP industry is selling mobile device position data to third parties. This is how you end up receiving ads for some restaurant or department stores that are in your physical vicinity. That’s annoying, but this kind of real-time sharing of location data can lead to far worse outcomes. It can reveal where you live or work, as well as what school or house of worship you attend.
Numerous sources also report that the FBI uses mobile position data to arrest and detain people (including members of Congress) who happened to be near a suspected crime scene. And it gets worse.
In 2018 and 2019, news outlets reported that bounty hunters, bail bondsmen, and others were able to acquire mobile ISP users’ real-time position data through third-party location services. Although the position information wasn’t sold directly to those snoops by the ISPs, the FCC eventually proposed $200 million in fines for Wireless Location Data Violations, part of Section 222 of the Communications Act.
Another risk is that some of the big 6 US ISPs reserve the right to share your personal information with their partners and affiliates. And who exactly is within the web of “partners and affiliates”? Who knows.
Can things get worse? Yes, they can.
According to the FTC, several of these big ISPs use race and ethnicity data (or their proxies) for their advertising. Proxies for racial and ethnic data can be things like location data or other data that closely mirrors the data of a protected class.
For example, imagine that most of the population of a particular neighborhood belonged to a certain race and/or class of people. An ISP could segment its data so an advertiser could choose to target or avoid that neighborhood, in effect discriminating by proxy.
Given all the problems that could cause, it is good to know that many ISPs give you the ability to control how your data is used. But even here, the FTC found serious problems. ISPs appear to go out of their way to make it difficult for you to exercise meaningful control over your information.
According to the FTC staff, the ISPs studied make it difficult for consumers to opt out of data collection. They also make it hard to find out what information the ISPs have already collected on them. Let’s look at some of the ways ISPs do this.
The tricks some ISPs use to deny you meaningful control over your information
Some ISPs use tricks and techniques that make it hard for you to take control of your personal information. The options may be unclear, or even designed to push you toward sharing more information instead of less. User interfaces designed to influence users’ decisions like this are often referred to as dark patterns.
Examples of dark patterns that might be used by ISPs include:
- Interfaces with the desired option highlighted and the others greyed-out to make the user think they are not available.
- Interfaces that don’t allow the user to permanently opt out of data collection. There might be only two buttons, one that says you Accept data collection, and the other that says Remind me later. Neither option lets you permanently reject data collection.
- Interfaces that hide privacy options. Users are seldom given the equivalent of a, “Stop all surveillance now!” button. Instead, you must hunt down many separate options located in obscure or misleadingly named menus and sub-menus to get complete protection.
- Interfaces with unclear toggle settings. These appear to be intentionally designed to confuse you so you don’t know whether to turn the toggle on or off. The FTC provides the example of a toggle labelled, “Do Not Sell my personal information.” Should you set the toggle to On or Off to prevent the ISP from selling your information? Without additional information, there is no way to know for sure.
How you can fight back against mass data collection
It might seem that the practices we have been discussing should be illegal or at least “against the rules.” According to Covington’s Inside Privacy blog, a bill attempting to deal with dark patterns was introduced in the 116th Congress (2019-2020), but it died without being voted upon. Even earlier, in 2017 the FTC attempted to make rules to prevent some of the worst abuses we have been discussing. But Congress actively blocked the rules from going into effect.
Since the government isn’t interested in doing anything about these abuses, it falls to you and me to protect ourselves.
Some of this stuff we really can’t do anything about. We can’t make our ISPs stop using dark patterns to confuse us. And we can’t stop ISPs from gathering vast amounts of our personal information and sharing it with their partners and affiliates.
But we don’t have to make things easy for them either. Here are two specific things you can do to minimize the amount of personal information your ISP can gather:
1. Use a secure email service
Most importantly, don’t use the free email service that your ISP provides.
If you use a free email client offered by your ISP, they can probably read your email and extract tons of personal information from it. Instead, use a secure and private email service that gives you full control over your inbox. We have reviewed many private email services that can encrypt your messages, thereby preventing third parties from reading them.
And even if you don’t (or can’t) use full inbox encryption, simply switching email providers to an alternative that is more private will go a long way. (We also have a guide on alternatives to Gmail here.)
2. Use a VPN whenever you are online
A VPN (Virtual Private Network) will encrypt all internet traffic traveling to and from your computer or internet-connected device. This encryption makes it impossible for your ISP to see what you are doing and where you go online. But a VPN can do even more.
The best VPNs automatically use a private DNS system. A Domain Name Service (DNS) translates the names of websites from human languages into something your computer can understand. Typically, your ISP will configure your internet connection to use a DNS controlled by the ISP. As a result, the ISP can easily see and record every website you visit.
The best VPNs provide their own private DNS. When you use this, your ISP won’t see the websites you visit or search for.
Finally, a VPN hides your IP address. When you use the internet, your IP address gets shared with every website you visit. Knowing your IP address makes it easier to track your activities throughout the internet. Because the VPN hides your real IP address, it becomes much harder to track your online activities.
Choosing the best VPN can be challenging simply because there are hundreds of VPNs to consider. To make life easier for you, we’ve done all the hard work. We’ve created a list of the best VPN services available. Any one of them will help you shield your personal information from the clutches of your ISP.
And to get up to speed on other solutions, check out our main privacy tools page for more info.
A new search engine: [https://you.com/]
@Bronco, Hi,
What is it about?
Would would you recommend it? If so why?
I don’t know. I just saw this in some news. It should be reviewed for sure
@JM
Thanks for this but does it matter who owns what? Boom Mobile uses T-Mobile’s and Verizon’s infrastructure, their towers etc. All the resellers do. I don’t really know how this works on a technical level, if Verizon has access to the data once it leaves their …what, servers? and goes to Boom Mobile Servers? I have no idea how this all works together.
Also, I’m using a VPN for trust so maybe that takes care of the problem right there. And no, I don’t trust blindly, the VPN uses their own servers, and there is no leak of my real IP. It’s the best I can do, and that’s all I can do.
@Brad,
I believe it does. For example: Metro is owned by T-Mobile. Therefore, T-Mobile has the ability to view, see, and reach into Metro’s service logs and customer base.
However, just because a service uses infrastructures, I do not think they can see the customer base from that. I believe they are able to only see usage and maybe the phone connected. Perhaps that gives them more detailed info but I cannot say for sure. Outside of the number and maybe who is assigned that, they would not have the idea of the phone used, the apps on the phone, the addresses, IP’s, etc. That is under the private owned company.
Again, that is starting to move to the side of this that I am not real familiar with. Maybe someone here will be able to answer that better than I can.
In regards to VPN use on a phone, great! I do as well and it is a good company that is recommended here on this site. That does also, on the private server, help to keep your privacy yours.
For the average privacy-minded individual who is not doing anything that would specifically draw attention from invasive corporate-government complexes, a good no-logs VPN is the best choice and will more than suffice for accessing the wider Internet while remaining private. Of course modifying your behaviors/habits a little bit and using good tools for specific tasks (e.g. email) are also important.
Excellent article, Sven, as always. Your website has become the go-to place whenever I need to rethink what I’m using. (Like, all the time.)
This one is especially timely for me since I’ve been increasingly creeped out by T-Mobile.
I have a question though. From what I understand, resellers like Boost, Metro, etc. have their own privacy rules that they supersede the big guys’. Like, Boost won’t treat your information the same way T-Mobile does even though they use T-Mobile’s cell data, or towers, or what have you. Is this information correct?
Hi Brad, I’m not sure how resellers would fit into this equation, to be honest.
Brad,
Sorry, a little late to the party.
While they do have their own TOS and Privacy Policy, they are still owned by their respective companies.
For example:
Cricket Wireleass is owned by AT&T.
Virgin Mobile is owned by Sprint (who is now owned by T-Mobile)
Straight Talk is owned by TracFone.
Affinity Cellular is owned by Verizon
Boost is owned by Dish as of July 1, 2020
There is a greater list here: https://www.valuepenguin.com/personal-finance/best-mvno-plans
These are called MVNOs. There are a bunch of them, especially in the US. Some are owned by the big ones, but others are independent.
To help with the privacy, go with one who is not owned by the others. Here are the ones that I believe are owned by their own business and not one of the major providers:
Mint Mobile (Ryan Reynolds has an owner share)
Boom! Mobile – Owned by ECG
Patriot Mobile – Independent
i3 Mobile – Owned by Fatalistik LLC.
These are just four of the ones I recognize on the list. I have heard of the others but if you click on the respective names on the link below, you can go to a section titled, “Things To Know…”. That will tell you who owns what and where it is based.
The website: https://bestmvno.com/mvnos/#mvno-list
Outside of this, I really cannot say much more. But as I said, just because they are a different company, they will always answer home when called for.
Hope that gives you some help. Let me know if I can answer any other questions.
Just so you know, I replied earlier but it appears somewhere else, addressed to you @JM
Sven, I’m sure the readers of this website would love if you could do some research about the news that Restorer posted the other day: https://themarkup.org/ask-the-markup/2021/08/12/how-private-is-my-vpn
This might be one of those crucial revelations for wider privacy community. The main point could be: if something’s cheap, what is the price you pay as a customer? And consequently, would you rather pay more to get the real thing, or less or nothing, whichmeans that you pay with your private data? Etc, etc. I think you could agree this is the important subject.
No, this is not a “crucial revelation” — but rather a misconstrued argument we have seen for years, and it is nothing new at all. This is to confuse a VPN website with the VPN service itself. The line of thinking goes like this:
“A VPN website uses “trackers” and Google analytics, and therefore the VPN itself is not private and bad!”
What people fail to grasp is that VPNs need subscribers to stay in business. If the VPN falls behind, it will either close down entirely, or sell off to a conglomerate. Both are bad options in my opinion. So in order to acquire customers and actually stay in business, VPNs use advertising, ad campaigns, Google ad words etc., which are tracked with various tools on their website. Without these tracking and analytics tools, advertising campaigns simply do not work and you have ZERO clue what is going on with customer acquisition. So yes, trackers and analytics are not ideal, but they are usually necessary to acquire customers and keep the VPN financially solvent.
Another problem with this line of thinking is confusing a website’s logging policies with the logging policies of the VPN service itself. Again, there is obviously a difference here, but year after year, I still see people getting confused by this concept and falsely assuming that website logs must mean the “VPN is logging” – and this is completely wrong. Articles like the one you posted do not make a clear distinction and confuse lots of people.
And then people will say (like the article), “Look, here’s a VPN website without trackers!”
Yes, some VPNs can pull this off and never do advertising, but most can’t.
Sven, it’s not about website trackers, it’s about trackers in mobile VPN apps. I could agree with most part of your comment, but this article is not about websites and its tracking techniques whatsoever. A firewall with blockers in mobile phones can clearly show that even if these apps are not in use, they are regularly sending different tracking infos. And that, in my view, is not fair and certainly not transparent when you read various VPN privacy policies. By the way, some of these trackers are “stealing” much more than the usual adverts do (also easy to check this if you research about certain trackers). Nowadays we have a good set of tools to check all of the internet traffic, so it’s easier to check what goes out of your device (at least in mobile systems). If the company wants to be fair, they need to explain this precisely, at least. If we talk about trust.
No Bronco, I’m wondering if you read the actual article, which looks at both websites and mobile apps. From the article:
“We also ran their websites through Blacklight, our tool for detecting third-party trackers.”
Mobile apps are convoluted, and many of the “trackers” are bug/crash monitoring tools, but also some advertising IDs, which again ties in directly with what I was already talking about: advertising to acquire VPN customers and stay in business. There is nothing nefarious going on here, other than some VPNs being more aggressive in customer acquisition than others.
OK, but if you put things in that perspective (making money, keeping it solvent), who the hell we are fighting against? Who are snoopers we are hiding from? Google isn’t. What privacy we are trying to keep? 😊 Matomo or Google Analytics, doesn’t mean a thing then. I hope you get my points here, I understand that privacy companies need revenues for living, but if they can’t make it by playing a fair game, maybe they have to change their business model and stop preaching “zero trackers and zero logs”. No hard feelings, I just tried to trigger a good argument here😊
All good Bronco, I definitely see your points here and agree with much of what you are saying. I think there is probably a middle ground option and ideally there would be zero trackers / reporting tools in the apps, although website analytics does not really bother me.
The trackers are so stubborn and mostly invisible. That’s why nothingprivate.ml can show how powerful or not your browser is in blocking trackers. While desktop privacy browsers Brave and Firefox can pass this test, in their mobile versions they can’t. I’ve found only two efficient browsers in that respect: Bromite and SnowHaze. SH is overlooked in this website, I assume the reason is that it’s not tested and because it’s iOS only. But at the same time DDG browser is promoted, which is totally inferior to SH. SnowHaze is in my opinion the greatest privacy browser, by far. Followed up only by Bromite on Android.
I just tried the nothing private website on my phone and it blew my mind. Even with all cookies and history cleared, when I came back to the website, it knew my identity. Insane.
Here are two more sites to test browser fingerprinting and blow your mind.
1. https://fingerprintjs.com
2. https://noscriptfingerprint.com
Great tips! Thanks
I went to http://www.nothingprivate.ml and all it said was if it can remember my name imagine what else it can track but showed nothing to prove it does more. I tried this on Brave and Chrome both on Android
Thanks for mentioning SnowHaze. I’ve been giving it a try and I like it except sometimes there is an issue with opening a website, and it’s not JavaScript which I did enable.
Have you also have experienced trouble with some sites?
Hi, Brad. Yes, SH is very strict in blocking certain things. I had experienced some websites blocked, but you can set everything per page. If it’s not JavaScript it’s probably some cookies. So it’s not so hard to balance everything, just play around a bit. I really rate SH.
You’ve asked about Firefox. I don’t use it on IPhone, it’s worthless there. But in desktop you can set everything through about:config. Ublock Origin is maybe enough of ad-ons. I’d recommend setting network DoH as well. AdGuardDNS is very good and very fast, for example.
Ghostery Dawn is also fine browser that is based on Firefox and you can set everything like in FF. Dawn is touch faster than FF. I’m very satisfied with both browsers on my desktop.
But for iOS, you won’t find better than SnowHaze. Safari as 2nd browser.
@Bronco, I’m starting to really enjoy SH. (Although, ironically, the Reply button under each post here won’t work and I had to switch to a different browser. It has its quirks, I guess.)
I agree about FF. What I noticed on Mobile when I got rid of it for a while my device immediately ran cooler. There’s always an awful lot of churning going on in the background with FF. Firefox Focus seems more calm. It also doesn’t accumulate an incredible amount of data, like regular FF and DDG, the search engine and browser that doesn’t save data. (What a joke.)
I do use FF on my phone again, occasionally, and installed Searx to try to “tame” it, lol.
I’m also using Qwant quite a bit. Qwant has the decency to separate their browser bar from the search bar which almost no browsers do.
For Safari I’m trying out Ecosia right now and I like it so far. What I like about Safari is that it lets you avoid using JavaScript as much as possible which I think is unique. So many websites don’t need it, it’s ridiculous that all browsers force you to use it.
How do you know that certain browsers are successful at blocking trackers? Last time I used FireFox, it opened a gzillion connections straight to Google. And I only know this because I use ccport which shows the connections made when I go online. My point is, if you don’t look under the hood you won’t see what really goes on.
Thank you for the article. Besides no logging, the history/background of VPN companies as well as trackers employed by VPN websites and services should also be considered.
https://themarkup.org/ask-the-markup/2021/08/12/how-private-is-my-vpn
This is interesting. That’s one of the reasons I’m not with NordVPN anymore. I’ve seen this about a year ago through my firewall blocker. The combination of a good firewall (which can block trackers) and a good VPN that is rich in features, might be the best solution against the surveillance. Another way is to use 2 different VPN brands, first for the network and second for browsing. That way, you’ve got your own TOR. 😊
Hi Bronco,
I wasn’t aware that a Firewall could block trackers. Can you point me to a good resource on the topic?
Regards,
BoBeX
Sure, there are a few good mobile firewalls that can block ads and trackers in mobiles. Lockdown for ios can block trackers, and you can combine it with a VPN for additional privacy. For Android, I’ve found ReThinkDNS, a good and highly customizable firewall and blocker on dns level. AdGuard and BlahDNS are two good and free options for dns over https blocking. You can google it… pardon, metager it for more infos on dns blockers 🙂
Hi Restorer,
Great link!
I especially like themarkup.org’s “Blacklight” tool.
(For others it scans websites for privacy infringing activity such as tracking and fingerprinting etc. and reports back the results)
They have quite a readable article explaining how it works:
https://themarkup.org/blacklight/2020/09/22/how-we-built-a-real-time-privacy-inspector
Regards,
BoBeX
Hi BoBeX,
Webbkoll is also a good tool.
https://webbkoll.dataskydd.net
Banner article and 100% decent advice!!!
Hi Heinrich and RP Team,
A fantastic article!
Your efforts in research and ability to communicating your findings in a digestible way is very much appreciated.
Heinrich, there has always been a mystic to your profile, “set sale to off shore locations,” “travels the world keeping his location secret”… Well I guess we could just ask your ISP where you are?
… Just a joke.
It is appreciated that this article and many others provide practical and accessible solutions to the problems you rightly bring to our attention.
A big concern would be an insurer obtaining search information and using that data to attempt to demonstrate that an claiming policy holder may have been reasonably aware of information that was not disclosed to the insurer. I believe there has been a case where a person ‘A’ was researching medical condition that affected a family member (person ‘B’). At a later date person ‘A’ the too was affected by the same condition, and when the called on there insurer to support their treatment, person A was declined by the insurer on the basis that they were reasonably aware of this risk, this being based on their web research activity, and this risk was not reported to the insurer, and the insurer claimed this invalidated the policy. (I believe this to be true – sorry for not sighting a source)
Installing an add-blocker is not enough. I, and I imagine many readers of RP don’t get adds. But the data still can be collected and sold, and be consequential.
For me, browser finger printing is my biggest concern, other mitigation steps (other than Tor) seem not to defeat this activity. With the collection and sales, using a trusted VPN seems to diminish in value; if the browser can be fingerprinted, the user is in the same scenario; data can be collected, correlated and sold.
I do also wonder if financiers and insurers will use big data to assess applicants. What if having no available data leads to the vendor in their assessment to consider that an individual with no available big data is a greater risk because they can’t measure it?
I wonder how much more powerful is transactional history? They know what was purchased, along with all the data.
There are services for this but not available in my country.
There is room for a service, for a Privacy company to address these matters and do it really well. For users, privacy should not require in-depth technical knowledge; privacy should be default