April 05, 2017

Van Hollen Questions Major Broadband Providers About Privacy Rules

Today U.S. Senator Chris Van Hollen (D-Md.) joined Senator Edward J. Markey (D-Mass) and six other Senate Democrats in sending a letter questioning the nation's largest broadband internet providers on their rules to protect the privacy and security of their subscribers. This week, President Donald Trump signed a Congressional Review Act (CRA) resolution formally rescinding the Federal Communications Commission's (FCC's) broadband privacy rules, which required broadband providers to get consent before sharing their subscribers' sensitive information and adopt reasonable data security protections. Without these broadband privacy rules in place, broadband providers can use, share, and sell Americans' sensitive information about their health, finances, and families without permission. The senators sent letters to AT&T, Comcast, Charter, Verizon, Sprint, T-Mobile, and CenturyLink.

"We strongly disagree with the CRA resolution, and believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected." In the letter, the Senators write to, "urge your company to provide your subscribers with the same level of privacy and security protections as stipulated in the FCC's broadband privacy order."

The following Senators cosigned the letter: Senators Al Franken (D-Minn.), Richard Blumenthal (D-Conn.), Elizabeth Warren (D-Mass.), Bernard Sanders (I-Vt.), Ron Wyden (D-Ore.), and Patrick Leahy (D-Vt.).

Full text of the letter is below.

Dear Mr. Stephenson:

Congress recently passed a Congressional Review Act (CRA) resolution rescinding the Federal Communications Commission's (FCC) broadband privacy and security rules. We strongly disagree with the CRA resolution, and believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected. In light of this Congressional action, we write to ask how your company plans to protect the privacy of the millions of Americans who rely on your services to connect to the internet.

In 2017, broadband access is no longer a luxury; it is essential. Internet Service Providers (ISPs) are gatekeepers that control the infrastructure that Americans depend on to access vital applications and services. ISPs can use this privileged position to collect and use sensitive information about subscribers, including precise geo-location, financial information, and web and app usage history. Yet, many consumers have limited choice for broadband service and cannot necessarily change ISPs if their privacy and security protections are not transparent or strong. Given this limited choice, we urge your company to provide your subscribers with the same level of privacy and security protections as stipulated in the FCC's broadband privacy order.

We respectfully request that you provide a written response to the following questions:

1. Do you obtain affirmative opt-in consent to use, share, or sell any of the following information: web browsing history, app usage history, the content of communications, children's information, health information, financial information, geo-location, and Social Security numbers? If yes, please detail your policy. If no, why not? If no, please disclose what information you are sharing and selling and with whom you are sharing or selling that information.

2. Do you provide consumers opt-out control over their information? If yes, for what types of information and please detail your policy. If no, why not?

3. Do you maintain information or data related to former subscribers? If yes, what information do you keep, how is it maintained, and is it minimized? What are your data security and privacy policies for the data and personal information of former subscribers?

4. Do you make "take-it-or-leave-it" offerings, where consumers are refused internet service if they do not permit their information to be used, shared, or sold? If yes, why? When updating privacy policies, must current subscribers agree to the new terms in order to continue service? Would a consumer be forced to pay a termination fee if service is denied for refusing to agree to new privacy or data collection terms? Please detail your policy.

5. Do you make "pay for privacy" offerings, where consumers could be required to pay an additional amount to protect their privacy or receive compensation for declining to protect their privacy? Please detail your policy.

6. Do you notify customers at the point-of-sale, before purchase, of the types of information collected, how and for what purposes you use and share this information, and with whom that information is shared or sold? If yes, please detail your policy. If no, why not?

7. Do you develop and adhere to reasonable data security practices sufficient to protect the information you collect about your subscribers? If yes, please detail your policy. If no, why not?

8. Do you notify customers within 30 days if their information has been breached or accessed by unauthorized parties? Do you also alert customers to any mitigating action they should take? Do you provide free services to mitigate the impacts of a breach, such as free credit monitoring service? If yes, please detail your policy. If no, why not?

9. Do you practice strong de-identification or anonymization, such that de-identified personal information cannot be reasonably linkable to a person or device? If yes, please explain your process for de-identifying data. If no, why not?

10. Do you prohibit third parties with whom you share or sell consumers' sensitive information from re-identifying de-identified information? If yes, please detail your policy. If no, why not?

11. Do you refuse to serve a customer who does not agree to mandatory arbitration clauses? If yes, why? Please detail your policy.

12. Do you notify customers when you make material changes to your privacy policies? If yes, please detail your policy. If no, why not?

13. Do you have a clear, user-friendly, easily accessible, and responsive complaint process for consumers who have evidence or reason to believe their privacy has been violated? If yes, please detail your policy. If no, why not?

14. Many ISPs retain so called "netflow" records, related to their customers' internet usage. Do you retain netflow records for your customers' web browsing activity? If so, for how long do you retain them? Will you disclose netflow records pursuant to a National Security Letter, or only court orders?

15. Under Section 222 of the Communications Act, carriers may not disclose subscriber location information without the "express prior authorization of the customer". Over each of the last three years, how many times did your company disclose to third parties individually identifiable customer location data or other Customer Proprietary Network Information with a customer's express prior authorization? Does your company obtain the consent from the subscriber directly? If not, and the third party obtains the consent (or claims they do), do you request or retain a copy of documentation showing that the customer provided such consent?

16. Please detail any changes you have made to your privacy policy or practices since the President signed the broadband privacy CRA into law.

Thank you for your attention to this important matter. We respectfully request that you provide a written response by May 1, 2017.

Sincerely,