Working Paper: Online Privacy and ISPs

ISP Access to Consumer Data is Limited and Often Less than Access by Others

A Working Paper by Peter Swire, Justin Hemmings, and Alana Kirkland

Download the Paper

March 2016 Addendum
Feb. 2016 Original Working Paper

This Working Paper provides a detailed, factual description of today’s online ecosystem for the United States, with attention to user privacy and the data collected about individual users. The Working Paper addresses a widely-held, but mistaken view about Internet Service Providers (“ISPs”) and privacy. That view asserts that ISPs have comprehensive and unique access to, and knowledge about, users’ online activity because ISPs operate the last mile of the network connecting end users to the Internet. Some have cited this view to suggest that ISPs' collection and use of their customers’ online data may justify heightened privacy restrictions on ISPs.

This Working Paper takes no position on what rules should apply to ISPs and other players in the Internet ecosystem going forward. But public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem. The Working Paper addresses two fundamental points. First, ISP access to user data is not comprehensive – technological developments place substantial limits on ISPs’ visibility. Second, ISP access to user data is not unique – other companies often have access to more information and a wider range of user information than ISPs. Policy decisions about possible privacy regulation of ISPs should be made based on an accurate understanding of these facts:

Technological Developments Place Substantial Limits on ISPs’ Visibility into Users’ Online Activity
This paper examines the following factors:

  • Evolution from a single stationary device to multiple mobile devices and connections
  • Pervasive encryption
  • Shift in domain name lookup

Non-ISPs Often Have Access to More and a Wider Range of User Information than ISPs
This paper examines the following factors:

  • Non-ISP services have unique insights into user activity
  • Non-ISPs dominate in cross-context tracking
  • Non-ISPs dominate in cross-device tracking

In summary, based on a factual analysis of today’s Internet ecosystem in the United States, ISPs have neither comprehensive nor unique access to information about users’ online activity. Rather, the most commercially valuable information about online users, which can be used for targeted advertising and other purposes, is coming from other contexts. Market leaders are combining these contexts for insight into a wide range of activity on each device and across devices.


Public comment about this Working Paper -- with the intention of correcting mistakes or lack of clarity -- is welcome and encouraged. Comments can be submitted to

Research support for this Working Paper comes from Broadband for America, the Institute for Information Security & Privacy at Georgia Tech, and the Scheller College of Business at Georgia Tech. The views expressed here are those of the authors.