This blog post was co-written by EFF, the Internet Society, and Mozilla.
As people have learned more about how companies like Google and Facebook track them online they are increasingly taking steps to protect themselves, but there is one relatively unknown way that companies and bad actors can collect troves of data.
Internet Service Providers (ISPs) like Comcast, Verizon, and AT&T are your gateway to the Internet. These companies have complete, unfettered, and unregulated access to a constant stream of your browsing history that can build a profile that they can sell or otherwise use without your consent.
Last year, Comcast committed to a broad range of DNS privacy standards. Companies like Verizon, AT&T, and T-Mobile – which have a major market share of mobile broadband customers in the U.S. – haven’t even committed to these basic protections like not tracking website traffic, deleting DNS logs, or refusing to sell users’ information. What's more, these companies have a history of abusing customer data: AT&T (along with Sprint and T-Mobile) sold customer location data to bounty hunters and Verizon injected trackers bypassing user control.
Every single ISP should have a responsibility to protect the privacy of its users – and as mobile internet access continues to grow, that responsibility rests even more squarely on the shoulders of mobile ISPs. As our partner, Consumer Reports, notes: even opting in to secondary uses of data can be convoluted for consumers. Companies shouldn’t be able just bury consent within their terms of service or use a dark pattern to get people to click "OK” and still claim they are acting with users’ explicit consent.
Nearly every single website you visit transmits your data to dozens or even hundreds of companies. This pervasive and intrusive personal surveillance has become the norm, and it won’t cease without action from us.
In that vein, Mozilla, the Internet Society, and the Electronic Frontier Foundation are individually and collectively taking steps to protect consumers' right to data privacy. A key element of that is an effective baseline federal privacy law that curbs data abuses by ISPs and other third parties and gives consumers meaningful control over how their personal data is used.
But effective regulatory action could be years away, and that’s why we need to proactively hold the ISPs accountable today. Laws and technical solutions can go a long way, but we also need better behavior from those who collect our sensitive DNS data.
Today we are publishing an open letter calling on AT&T, T-Mobile, and Verizon to publish a privacy notice for their DNS service that commits to deleting the data within 24 hours and to only using the data for providing the service. It is our hope that they heed the call, and that other ISPs take note as well. Click here to see the full letter.