Is Your ISP Helping the Feds Spy on You?

PC World
Monday, August 21, 2006; 10:10 PM

As a longtime DSL customer of the ISP now known as AT&T, I've been following with concern the coverage of AT&T's recently revised privacy policy. It seems to indicate that I shouldn't expect much from it in terms of safeguarding my personal information--and I'm seriously debating whether to express my displeasure by jumping ship.

AT&T's reworked privacy policy asserts that the company owns customer records--even the e-mail addresses of people with whom I correspond--and appears to allow considerable leeway in what AT&T can do with this information. Coming in the wake of allegations that the company has been handing over phone records to the National Security Agency, the privacy policy change is troubling.

Company spokesperson Walt Sharp says AT&T isn't doing anything other ISPs aren't. "Our policy is consistent with the policies of other major corporations and with others in the industry," he says.

But I found that not all ISP privacy policies are created equal. As explained below, your best chances for keeping your personal information and online activities private may be to go with a cable operator for Internet access.

AT&T's controversial privacy policy change, which took effect in late June, applies only to its broadband Internet access partnership with Yahoo and to its video services. "These kinds of services don't fall under the traditional telecom privacy law that's in place," says Ari Schwartz, deputy director of the Center for Democracy and Technology. "Telecom [privacy] laws cover only voice, not data." But data is protected if you use a cable Internet provider--laws restrict those companies from disclosing it.

The most startling revision to the policy is found under the "Legal Obligations/Fraud" heading: "While your Account Information may be personal to you, these records constitute business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process."

Elsewhere in the document (read it in all its legalistic glory here ), your Account Information is defined as including not just contact data (your name, address, phone number, and e-mail address--info the company needs to send you bills), but records on the services you use, your transactions (such as online purchases) and service charges, the equipment and software you're using, and even "your Social Security number and/or credit card information, passwords, and usernames." I have difficulty getting my head around the notion that my Social Security number is now an AT&T business record.

Another part of the "Legal Obligations/Fraud" section that sets off alarm bells is a sentence saying that AT&T can use "your information" to "investigate, prevent, or take action regarding illegal activities...or as otherwise required or permitted by law." If all that isn't a blank check to give out my information (especially the "permitted by" part), I don't know what is.

Contrast this with the privacy policy for Comcast's high-speed Internet service (AT&T Yahoo's principal competitor in my neck of the woods). Read the policy here , and you'll find this sentence: "Comcast considers the personally identifiable information contained in our business records to be confidential." Sure, it's still part of a business record, but the whole tenor of the statement is markedly different from AT&T's pronouncement. And it's followed by a sentence in which Comcast says it can disclose a customer's personal information only in certain cases--to conduct business related to the customer's services, if "required by law or legal process," or for mailing lists (if the subscriber doesn't opt out).

Time Warner Cable's privacy policy page specifically references several laws that the policy complies with: The Cable Communications Policy Act of 1984, the Electronic Communications Policy Act of 1986, and the Online Copyright Infringement Liability Limitation Act of 1998. In most regards, Time Warner Cable's privacy policy is similar to Comcast's.

"We have all kinds of privacy laws that don't make any sense," Schwartz says of the situation. "They're based on how the information is being communicated rather than the type of information."

An example of how privacy requirements vary based on the delivery mechanism has to do with video. The confidentiality of records of video rentals from Blockbuster and its competitors is strictly protected by the Video Privacy Protection Act of 1988 (enacted after a newspaper disclosed the video-rental records of Supreme Court nominee Robert Bork). Schwartz says it's likely that law would also apply to DVD rentals from companies such as Netflix. But AT&T's video-on-demand transactions, which the company now classifies as business records, may not be covered by the law.

U.S. Representatives Ed Markey (D-Massachusetts) and Joe Barton (R-Texas) are working on bills to address these contradictions, and Senator Hillary Clinton (D-New York) has called for a privacy bill of rights. Schwartz says the Federal Communications Commission and the Federal Trade Commission are examining the issue. But for now, if you prefer to keep your Internet activities and video-viewing habits private, opt for cable.

© 2006 PC World Communications, Inc. All rights reserved