Can a New Zealand ISP sell your web browsing history? The surprising answer
PLUS: Eric Crampton argues internet providers should be able to sell to hawk your web browsing history to advertisers.
PLUS: Eric Crampton argues internet providers should be able to sell to hawk your web browsing history to advertisers.
In the US, Congress has voted to free ISPs from privacy limits that were due to kick in this year, allowing them to sell their customers’ web browsing histories.
President Donald Trump says he will sign the bill as part of his push to cut regulations.
NZ Initiative research head Eric Crampton says, “Why not?”
In a high-temperature exchange with NBR Radio’s Grant Walker, he argues market forces will take care of things. If there’s demand for a service that guarantees privacy, ISPs will supply it. Even a monopoly broadband provider would offer privacy-protecting plans if demand warranted, he maintains.
Conversely, if some people want to subscribe to a plan that is, say, $10 cheaper a month because their data will be hawked to advertisers, then they should have that option, Dr Crampton argues.
One thing Dr Crampton and Mr Walker agree on is that the government shouldn’t get its mitts on your data – but it’s something you can imagine happening indirectly if, say, a credit rating agency buys browsing histories from an internet service provider, then onsells to the IRD or another Crown agency.
Mr Walker also argues that privacy shouldn’t just be for people who can afford it. Bear in mind, too, that we’re in a market where most people are locked into 12 or 24-month plans with stiff break fees, so it’s not cheap or easy to hop between providers (listen to Crampton v Walker on SoundCloud here).
Privacy Commissioner John Edwards: “In New Zealand, there is no prohibition on selling customer information."
No prohibition in New Zealand
It's been established that privacy is being chucked out the window in the US. But what’s the situation here?
“In New Zealand, there is no prohibition on selling customer information but I would be concerned about such a practice if it were widespread, given the potential to associate an individual with an access log,” Privacy Commissioner John Edwards says.
He has seen no evidence this is an issue with ISPs here but if they did decide to sell someone's web browsing history, then under the Privacy Act they would have to tell the person first. They also have to tell the person if they’re collecting his or her data in the first place.
The important thing is that ISPs are upfront about things, so customers can exercise choice, he says.
Selling data would also provoke a portion of customers into using VPNs (virtual private networks) and other software and services that can mask your identity and/or hide your web tracks. The downside: They often slow performance or reduce website's functionality.
Like Mr Edwards, NBR is not aware of any instances of internet providers selling browser histories. Perhaps the most creepy assertive example of customer data going on sale comes from Spark's "big data" unit Qrious, which has drawn controversy for selling (anonymised) data about Spark mobile customers' physical movements to customers including Auckland Council's Ateed.
The situation today
The pending Privacy Act overhaul will have a number of positives, including a new requirement that makes it mandatory for organisations to report data breaches. But Mr Edwards does not expect it will directly address ISPs.
So here's the specifics of the situation today, which will likely remain:
“Under the Privacy Act, ISPs have the same obligations as all agencies to tell their customers what personal information they collect and what they do with it. This is set out in the act's information privacy principles,” Mr Edwards says.
“Principle one says personal information shall not be collected by any agency unless:
"Principle eleven says an agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes the disclosure is:
“ISPs have to comply with these requirements, just as all agencies are required to do," the privacy commissioner says.
"The important thing is that by informing customers, customers will be able to choose which provider they trust and adopt.”