Monday, October 24, 2005

Comcast Privacy Practices

Normally, I don't spend time commenting on national news - plenty of other people do that already - and just keeping up with the local events takes all the time I can afford to give. However, this news is close enough to home that I feel obliged to comment on it.

Recently, a town councilmember in Smyrna, Delaware tried to find out the identity of a blogger. The blogger had accused the councilmember of "obvious mental deterioration" and made a pun on his name suggesting he was gay.

ISPs generally will not turn over subscriber information except when required by court order. And such a court order was made - to Comcast. However, the case was appealed and ultimately worked its way to the Delaware Supreme Court. That court ruled that the anonymous blogging was akin to anonymous political pamphleteering, a subject that the US Supreme Court has ruled on.

Specifically, the statements were found to be opinion; Chief Justice Myron Steele wrote: "... no reasonable person could have interpreted these statements as being anything other than opinion. ... The statements are, therefore, incapable of a defamatory meaning."

Bottom line: Comcast was not forced to expose the blogger's identity.

Good job Comcast!

Or is it? What about Comcast's other privacy practices? Probably few people read Comcast's subscriber privacy policy. It's difficult to understand, boring as hell, and well, what's the big deal? Didn't Comcast just show that it protected a subscriber's identity?

Yes, but Comcast's privacy policy nonetheless raises significant concerns. You might even call them holes. Giant gaping holes.

Comcast actually has several privacy policies. For instance, it's got http://www.comcast.net/privacy for internet service. And it's got another for TV service. And another for phone service. And yet another for their website.

Each of them explains that simply by using the service, you accept their privacy policy - whether or not you have read it. Or agree with it.

Let's delve into their internet privacy policy for a moment. Their policy mentions a dispute resolution process and alludes to compliance with TRUSTe, but a closer read finds many exclusions. In short, if you disagree with Comcast's privacy policy, your only recourse is to avoid using their service.

Examples

What are some examples of the holes in Comcast's Internet Privacy Policy?
  1. "Co-branded" Services. Services operated by other companies but with Comcast's name are not covered by the privacy policy. If you enter data about yourself, the company is free to do what it wants with it. This includes services such as newsgroups, video mail, instant messaging, and web hosting. Oh, and let's not forget support. Since half of Comcast's support is carried out by contractors, anyone who calls in a few times is highly likely to have exposed their personal information to the privacy policies of other companies; policies that you have not read and have no idea about.

  2. Marketing. Although Comcast's privacy policy says it is "committed to maintaining your privacy," there are too many holes in the words surrounding that phrase. For example, consider this: "Comcast may combine personally identifiable information, which we collect as part of our regular business records, with personally identifiable information obtained from third parties for the purpose of creating an enhanced personal database to use in marketing and other activities related to the Service and our other services."
Who knows what that could mean? Elsewhere, the policy is more overt: "Comcast may use and disclose personally identifiable information as provided for by applicable law in order to perform, for example: ... marketing."

And this: "We sometimes disclose personally identifiable information about you to our affiliates" but with no explanation of what "affiliates" are.

And this: "We sometimes also disclose personally identifiable information about you to our employees for Comcast's internal business purposes, as well as to outside auditors, professional advisors and service providers, potential business transition partners, and regulators. ... We may also disclose certain personally identifiable information about you to third parties such as, for example, charities, marketing organizations, or other businesses, in connection with disclosures made for 'mailing list' or other purposes as described below in this Policy."

And not only can personally identifiable information include your name, address, cable plan, and usage, but also your internal computer settings, cookies, preferences, and so on.

Finally - not that it matters by now - Comcast reserves the right to change their policy at any time and without notification: "If we change this Policy, we will post those changes on the homepage of the Service Web site, or in other places we deem appropriate, so our subscribers are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We will use information in accordance with the Privacy Policy under which the information was collected. Your decision to continue receiving the Service after we make any changes to this Policy shall be deemed to be your express consent to the changes in the revised Policy."

Cable Office Weighs In

The Montgomery County Cable Office is also upset about Comcast's Privacy Policy. However, they have authority only over the Cable TV Privacy Policy. Comcast's TV policy has some differences from their internet policy, and it is further governed by the 1984 Cable Privacy Act. However, the TV policy also has distressing similarities. Yes, there are enough loopholes in it that Comcast could be said to be adhering to the letter of the law if not the spirit of it.

However, one clear violation is as follows: The Comcast franchise (see section 9.f.4) with Montgomery County requires all information distributed to customers - including the privacy policy - to be approved by the Cable Office. And Comcast has not done that. Instead, Comcast has claimed that they now have a national policy and do not have the flexibility to have a local policy that would be different.

As I understand it then, Comcast is in violation of the franchise and the County has not seen fit to live up to its responsibility and take action. Yes, they have notified Comcast but basically Comcast has ignored them. I have no inside knowledge of these interactions but I can only presume that the Cable Administrator has informed the Executive and the Executive has declined to take further action.

This is a mistake. Protection from abuse by our franchisees is one of the reasons we pay our franchise fees - that's 5% on top of the bill that goes directly to the county. In addition, disinterest in enforcing parts of the franchise opens the door for Comcast to ignore other parts with similar reasoning.

Conclusion

So there you have it. Comcast gets headlines for protecting subscriber privacy with one hand while at the same time, well, not protecting subscriber privacy with the other hand. Don't like the policy? Too bad. By using the service, you have already accepted it.
