During Congressional hearings about Facebook’s data practices in the wake of the Cambridge Analytica fiasco, Mark Zuckerberg drew an important distinction between what we expect from our Internet service providers (ISPs, such as Comcast or Verizon) as opposed to platforms like Facebook that operate over the Internet.

Put simply, an ISP is a service you pay to access the Internet. Once you get online, you run into a whole series of edge providers. Some, like Netflix, also charge you for access to their services. Others, like Facebook and Google, are platforms that you use without paying, which support themselves using ads. There’s a whole spectrum of services that make up Internet use, but the thing they all have in common is that they are gathering data when you use them. How they use it can differ widely.

The divide between ISPs and edge providers is most obvious in the context of the net neutrality debate. Platforms, by and large, want as many people accessing the Internet as possible, as easily as possible. ISPs want to charge customers as much as possible for that access and also want to start double-dipping by charging platforms a fee when you visit their websites, as protection money, so the ISP doesn’t throttle or ‘de-prioritize’ your connection.

Zuckerberg brought up that difference a couple of times during the hearings. He mentioned how he had no ISP choice when he founded Facebook in college and that paid prioritization would have hobbled his new company. Whatever you think of Facebook, it’s not good for the Internet to have ISPs deciding what platforms are allowed to exist and succeed.

The distinction is also apparent in the privacy context. Your ISP is your conduit to everything you do online, so it has the opportunity to be even more invasive of your privacy than Facebook. You can protect yourself with VPNs and HTTPS, but the ISP still has a privileged position and is likely to be able to put together a pretty complete picture of most subscribers’ online habits.

That privileged position means that protecting your privacy vis-à-vis an ISP is a different issue than protecting it with respect to online platforms. Besides, you’re already paying your ISP for services; the idea that you’re willingly trading your privacy in exchange for a service does not apply.

ISPs, however, have attempted to muddy the waters to avoid regulation, by insisting that Congress come up with a ‘one size fits all’ approach to online privacy.

The issue was illustrated during the hearing on Tuesday, when Senator Roger Wicker of Mississippi posed this question:

I understand with regard to suggested rules or suggested legislation, there are at least two schools of thought out there. One would be the ISPs, the Internet service providers, who are advocating for privacy protections for consumers that apply to all online entities equally across the entire Internet ecosystem. Now, Facebook is an edge provider on the other hand. It is my understanding that many edge providers, such as Facebook, may not support that effort, because edge providers have different business models than the ISPs and should not be considered like services. So, do you think we need consistent privacy protections for consumers across the entire Internet ecosystem that are based on the type of consumer information being collected, used or shared, regardless of the entity doing the collecting, reusing or sharing?

ISPs are not truly advocating for privacy protections. When AT&T takes out a full-page ad in major newspapers about an “Internet Bill of Rights,” it’s not users they are seeking to protect. It’s the profits they can make from things like paid prioritization and monetizing your data. ISPs have a model that lets them make money by charging users, they want to double-dip by charging platforms, and triple-dip by using data for advertising, much the way Facebook does. But unlike Facebook, ISPs don’t rely on ads for their entire revenue stream.

For ISPs, a federal law that prohibits some activities, but leaves them the tactics that make the most money—while preventing states from passing more stringent protections—is their goal.

Both Facebook and ISPs present privacy concerns, but while Facebook is in the spotlight for its practices right now, we should not let ISPs off the hook for this.

No Escape From ISP Practices

As hard as it may be to escape Facebook, ISPs have an even tighter hold on their customers.

Most Americans don’t have a choice when it comes to high-speed Internet, as Zuckerberg mentioned in his testimony. There are a lot of historical reasons for this, but one simple one is that it’s expensive to break into a new ISP market, particularly when the incumbent can temporarily lower prices in that neighborhood and pay for it by jacking up prices elsewhere where they face no competition. Besides that, big ISPs have divided up the nation geographically to avoid competing.

Another factor is that large ISPs benefit from the regulatory landscape at the expense of small, upstart ISPs that might otherwise challenge them. For instance, ISPs did have privacy regulations applied to them, but lobbied Congress and successfully got them repealed. The end of those regulations helped cement large ISP power and block competition. Small ISPs may want to offer a service with privacy protections to users, but the market is already so uneven that they can barely compete. The market can’t provide customers with alternatives that protect privacy, and so regulation of the large ISPs is necessary.

In theory, you can leave Facebook and use Twitter or Snapchat, or a noncommercial platform like Mastodon. In practice, the company’s user base is so large that it’s able to keep users simply because it’s where friends and family already are. Zuckerberg was also asked to name Facebook’s competition, and the closest he could claim was that there are other services that overlap with some of the things Facebook offers.

Badly written laws in reaction to Cambridge Analytica could end up solidifying Facebook’s dominance, as only a company with their resources could comply. Protecting the privacy of Internet users is critically important, and a law that squashed competition to Facebook would only harm it in the long run.

There are a number of things that can be done to make platforms like Facebook accountable for their privacy policies. Making it so that users can truly delete the data these platforms collect, take their data with them when they leave, and understand and customize the privacy policies would go a long way. There are a whole host of things—practical, useful things—that can be done without creating laws that only a company the size of Facebook can afford to follow.

In his answer to Wicker’s question, Zuckerberg said:

I would differentiate between ISPs, which I consider to be the pipes of the Internet, and the platforms like Facebook or Google or Twitter, YouTube that are the apps or platforms on top of that. I think in general, the expectations that people have of the pipes are somewhat different from the platforms. So there might be areas where there needs to be more regulation in one and less in the other, but I think that there are going to be other places where there needs to be more regulation of the other type.

Zuckerberg wasn’t totally wrong when he said this. ISPs cannot be escaped, collect huge amounts data by virtue of being your conduit to the Internet, and do not need to monetize that data to survive. Subscription edge providers also do not need to monetize data to make money, but still collect some data; Netflix tracking what people watch and for how long, for example. And then there are ad-supported platforms where user data is the basis of their business model.

There are all sorts of ways our privacy is impacted by what happens online. It’s vital all companies make their policies transparent and that there are many options for users to choose from, so that they can choose the trade-offs that they are comfortable with.