The quid pro quo for using any major online service, social networks in particular, is the surrender of extraordinary amounts of personal data.
Even regular websites can deploy dozens of trackers and trying to surface those don’t, using a search engine perhaps, makes everything several times worse. The position today is simple: accept being tracked in some way, shape, or form, or stay off the internet.
While the privacy-invading aspects of the wider internet are broadly discussed, much less attention is given to the companies that allow us to get online in the first place. Without broadband providers the internet would die but by default, all traffic generated by subscribers goes through them. There’s a much bigger conversation to be had on the role of ISPs and their handling of subscriber data but our focus here is on a very specific niche.
When ISPs and Content Providers Collide
All kinds of radical antidotes were up for discussion in the early days of file-sharing, but one often dismissed out of hand most was always destined to pose the biggest threat. In general terms, ISPs ‘owned’ the access tubes of the internet and rightsholders owned the content. Two decades later, these previously warring parties are frequently found under the same corporate roof.
Content owners exercising total control over subscriber connections isn’t yet a reality but close working relationships and shared interests with ISPs suggest travel in that general direction. In 2019, it emerged that a UK-based anti-piracy company, known for its work against pirate IPTV providers, was sharing data with one or more UK ISPs to determine subscribers’ consumption of content from various ‘pirate’ servers.
The arrangement was referenced again in October 2020 when it was revealed that traffic data from UK ISP Sky supported a successful UEFA High Court ISP blocking injunction. A year later it emerged that Sky had compiled data on high-traffic IP addresses accessed via its network to help an anti-piracy company working for the Premier League.
At this point we should highlight how this work was framed. This wasn’t Sky spying on customers’ connections via the modem in the home, we were told. This was activity at completely the other end, i.e monitoring the levels of traffic flowing inbound from the pirate servers’ IP addresses. Some might argue that any type of monitoring is unacceptable but what if UK ISPs actually had permission to do more?
Permission to Monitor Pirates?
After receiving information suggesting that other ISPs may also be collaborating in similar anti-piracy work, we requested proof to show that is indeed the case. While that is yet to surface, we were invited to consider legal documents issued by two leading UK ISPs: Sky and Virgin Media, and for comparison, BT.
These documents – customer agreements and their related privacy policies — reveal that when people sign up as customers to at least two UK ISPs, they do so on the understanding that piracy might lead to their information being shared with third-parties.
Sky documentation contains several references to the protection or enforcement of its own rights, and of “any third party’s rights.” For example, in the ‘How we use it” section relating to contact details and account information, the policy contains the following:
The same declaration appears in the ‘IP Addresses & Online Identifiers’ section where Sky notes that subscriber information can be used where it has a “legitimate interest” including the protection or enforcement of its own or any third party’s rights. “This may involve analysing activity on our network to help stop unauthorized access to content or publication of or access to unlawful content,” the company notes.
As a content provider in its own right, much of the above will relate directly to Sky’s own delivery platforms and its ability to prevent unauthorized access to content under its own control. However, in the section titled “Sharing with third parties” statements become much more explicit.
“We share your personal data, such as your contact details, financial data and other information described below, with credit reference and fraud prevention agencies and other relevant parties…for the prevention and detection of crimes such as fraud, piracy and money laundering,” the section reads.
“Where we reasonably suspect that you are pirating Sky or third-party content, we may share information with other organizations with a similar legitimate interest in preventing, detecting and prosecuting piracy.”
How these policies work in practice is unknown, but they are there for a reason. That Sky subscribers effectively grant these permissions shows once again that nobody reads the small print.
“We rely on Legal Obligation and Legitimate Interests Legal Bases to use your information to ensure we comply with our legal and regulatory obligations (these are our legitimate interests),” Virgin’s policy reads.
“We use information about who you are and your use of our products and services to block unauthorized or illegitimate content on our TV platforms, respond to court proceedings and enforcement authorities, and help authorities and industry organizations with any security, fraud, anti-piracy, crime or anti-terrorism enquiries.”
In the section where Virgin declares use of customer data to “develop, manage and protect” its business, the company says it does so “to identify and prevent piracy and other crime” and to “identify threats to our network that result in TV piracy.”
The company further states that it collects information about its customers from third-party or external sources, including “fraud and anti-piracy prevention agencies.”
Virgin also has a dedicated anti-piracy relating to its own TV services.
“We keep information about how you’re using your broadband to help us understand and manage traffic flows on our network, improve our services and tell you about products you might be interested in. That includes IP addresses and other traffic data including websites you’ve visited,” the ISP reports.
“We are sometimes contacted by third parties who monitor illegal online file sharing on behalf of copyright holders. If we receive a claim that there has been illegal sharing on your broadband service, we may use your IP address to notify you. But unless we are required to by law, we will not disclose your personal information to the copyright holder or any party acting on their behalf.
While these three leading UK ISPs all see piracy as problem to be countered, from these policies it’s evident that Sky’s approach is the most uncompromising, at least on paper. How much data it shares externally is unknown but having put that intent in black and white, one has to assume that anything is possible.