Do you know what your internet service provider is doing with your data? You probably know that it can see the sites you’re visiting, but have you ever thought about whether it’s selling that information to advertisers? Anti-regulation officials are planning to make sure your ISP never has to tell you.
In October 2016, the FCC enacted privacy rules that would require ISPs to get users’ consent before it sold their information to advertisers, as well as to keep customer data secure and to inform them of data breaches. The rules classified customer information into sensitive and non-sensitive data. For non-sensitive data, like how much data you use, customers would still have to opt out of allowing it to be sold, but for sensitive data, like social security numbers, geolocation data, and web browsing history, ISPs would be required to get customers to opt in.
As you might guess, those rules were strongly opposed by telecom companies like AT&T and Comcast, as well as their representatives in DC like the Internet and Television Association. An industry-funded think tank recently said that the rule “deserves to be thrown on the scrap heap of telecom history” and that abolishing the rules would allow “new business models that could support expensive, next-generation networks with revenue other than consumers’ monthly bills.” Perhaps the models it’s referring to include an idea once proposed by Comcast, whereby it would provide a lower price to customers in exchange for selling their data to advertisers—essentially charging customers more for privacy.
Good news for telecoms, then: FCC Chairman Ajit Pai, a former lawyer for Verizon, made the first move in dismantling those rules last Friday, announcing he’ll seek to delay the rule requiring ISPs to take “reasonable measures” to secure consumer data. In practice, this delay is indefinite, and because the commission is stacked 2-1 in his favor, that rule is likely doomed.
Surely we can all agree that keeping data secure is good and important and a sensible thing for the agency to require. So why go after that rule? In his statement, Pai rule wasn’t consistent with Federal Trade Commission (FTC) privacy standards. When he first voted against the rules last year, he said, that they “radically depart from the FTC framework”—which doesn’t tell you much, unless you’re a huge freakin’ nerd about telecom policy.
There are a lot of problems with this. According to Eric Null, Policy Counsel at the Open Technology Institute, the FTC regime is generally a much weaker, broader, “lowest common denominator” approach to privacy regulations. In short, the FTC’s approach hinges on whether or not the ISP is being deceptive—companies just need to be upfront about what they’re doing. In practice this means requiring that customers to opt out of data sharing, rather than asking them to opt in. But whereas the FTC’s job is to ensure customers are being properly informed, the FCC theoretically has a broader regulatory mandate to make sure companies are providing service on reasonable terms. Essentially, the FCC has more leeway to ensure privacy policies are actually fair, rather than just making sure companies tell you about those policies, whether they’re reasonable or not.
Still, Null says that the FCC has actually largely followed the FTC’s framework, but with one crucial addition that telecoms hate: web browsing and app data—the really valuable stuff—are considered sensitive data under the FCC rule, which means providers are required to get opt-in consent to it. That “seems to be the impetus for a lot of the fighting over this rule,” he said.
Pai’s other problem with the FCC’s rules is that it supposedly treats internet companies differently, in a way that’s unfair. Pai accused the privacy rules’ supporters of “corporate favoritism” for subjecting ISPs to different rules than “edge providers,” which means websites and apps like Facebook that provide online content but not internet service. The FTC regime, according to Pai and other opponents of the rules, is “technology-neutral” in not distinguishing between data collected by ISPs and edge providers.
But what’s the FCC supposed to do about edge providers, which aren’t in their jurisdiction? It’s just a rhetorical trick. If the FCC can’t regulate edge providers, and he also doesn’t want ISPs to be regulated differently to edge providers, all he’s really saying is that the FCC shouldn’t regulate ISPs.
And that’s really what all this opaque jargon about the FTC, edge providers, and privacy frameworks is about. It doesn’t sound so bad to say you want to restore the FTC’s privacy regime, if you can figure out what that means. But Michelle de Mooy, director of the Privacy and Data project at the Center for Democracy and Technology, says the fuss about the FTC is just a red herring. In reality, it’s less about the distinction between FTC and FCC regulation “and more about not wanting [ISPs] to be regulated at all.”
That would be the likely outcome of any rollback of these rules. Since the reclassification of broadband companies as “common carriers” (often known as the Title II decision), which gave us net neutrality, the FTC can’t regulate ISPs, just as the FCC can’t regulate websites. Unless that reclassification was rolled back, overturning the FCC’s privacy rules would mean there was no guidance on how the FCC should enforce privacy, and the FTC, overworked and limited in its capabilities to bring cases against offenders, would struggle to stop ISPs selling your data without consent.
Arizona Senator Jeff Flake intends to introduce a bill that would be an even more dramatic attack on the privacy rules. It would use the Congressional Review Act to repeal the whole lot, which allows Congress to overturn rules enacted in the last six months of an administration—and crucially, prevents the agency from issuing a “substantially similar” rule in the future. We have no idea what that standard really looks like, because the CRA has only been used once before this Congress, and has never been challenged or reviewed in court. It’s hard to say whether this has much chance of passing, but Congressional Republicans haven’t been shy about using the CRA to obliterate Obama rules on trifling matters like coal waste in rivers.
Advertisers are desperate for information that allows them to target consumers as specifically as possible. They want to know your gender and race and where you live, but also which websites you use, whether you get your news from the New York Times or Breitbart, and what time of day you’re most likely to check the weather. So it’s to be expected that telecoms would try to bolster their profits by selling your data to advertisers; their job is to make money, and they often spend huge sums of it on lobbying efforts to protect their interests. But it’s the government’s job to protect consumers, and it’s the FCC’s job to regulate telecoms. Pai’s attack on the privacy rules has nothing to do with that mission. It would only help telecoms make a quick buck on your data.