Broadband Privacy Enters the Home Stretch

Submitted on October 7, 2016

You’re reading the Benton Foundation’s Weekly Round-up, a recap of the biggest (or most overlooked) telecommunications stories of the week. The round-up is delivered via e-mail each Friday; to get your own copy, subscribe at www.benton.org/user/register

Robbie's Round-Up for the Week of October 3-7, 2016

On October 6, Federal Communications Commission Chairman Tom Wheeler announced the agenda for the FCC’s October open meeting and circulated a proposal to give broadband consumers increased choice over their personal information. The broadband privacy proposal requires broadband Internet access service providers (ISPs) to get consumer's' explicit consent before using or sharing personal data such as their Web browsing history, app usage history, geolocation information and the content of their e-mails and online messages. But the current proposal is a little weaker than the one offered for public comment in March, having been water-ed down after industry complaint. Let’s take a look.

Context and Rationale

The reasoning behind the rules requires a bit of context. As Chairman Wheeler points out, seldom do we stop to realize that our ISP is collecting information about us everytime we go online. If you have a mobile device, your provider can track your physical location throughout the day in real time.

Currently, there are no rules in place governing how ISPs may use and share their customers’ personal information. The Federal Trade Commission uses its enforcement authority to make sure Internet-based companies like Google and Facebook respect consumers’ privacy. The FCC is charged with protecting privacy for customers of telecommunications carriers. Why does Google privacy regulation go to FTC and, say, Comcast go to the FCC? Because the FCC reclassified broadband Internet access service (BIAS, if you’re scoring at home) as a Title II “common carrier” service in its Open Internet/network neutrality rulemaking. The Communications Act of 1934 explicitly gives the FCC the authority to regulate common carrier charges, practices, classifications. The law requires cable operators, satellite carriers, telecommunications carriers, and providers of interconnected Voice over Internet Protocol (VoIP) services to protect their subscribers’ privacy; and created and empowered the FCC to create other protections for consumers of broadband, broadcasting, cable, information, satellite, and wireless and wireline telecommunications services. In a nutshell, the reclassification of BIAS meant the FCC is in charge of ISP privacy concerns, rather than the FTC. The app on your phone collecting info? FTC. The data from your connection between your home PC, Comcast, and the Internet? FCC.

The FCC has a history of protecting telecommunications consumer privacy. For example, FCC regulations limit how your phone company can repurpose and resell what it learns about your phone activity without your consent. But similar rules do not exist for broadband service today. Chairman Wheeler insists this gap must be closed, that consumers who use the network of the 21st century deserve similar protections to that of the 20th century.

History of the Proposal and Notable Changes

In March 2016, the FCC launched a proceeding that aimed to extend telecom privacy protections to the information collected by your broadband provider. This proposal would have required customers to opt-in before any of their personal information could be shared by their ISP. The broadband industry criticized this plan, claiming that the rules didn’t apply to companies such as Amazon, Facebook, and Google. These Internet-based companies also collect and share customer information with advertisers. But these companies are subject to rules imposed by the FTC. In other words, ISPs were saying, “The privacy requirements in this proposal are strict, and more strict than what giant tech companies have to deal with over at the FTC.”

Those industry concerns grew louder, and after a lot of input (about 250,000 comments) from a variety of different organizations, the FCC used this “extensive feedback” to make some changes to the proposal. The new proposal follows the FTC’s approach, which only requires companies to obtain explicit consent before using "sensitive" data. What is “sensitive” data in this case? An FCC fact sheet lists:

Geo-location
Children’s, health, or financial information
Social Security numbers
Web browsing history
App usage history
The content of communications (like e-mails and online messages)

What isn’t classified as “sensitive” data? A consumer’s name or address, IP addresses or device identifiers, and type of data plan.

In all cases, broadband providers would have to notify customers about the type of information being collected, how it could be used, and the types of entities with which the information is shared. It also ensures that consumers will not be penalized if they choose to opt out of data collection.

“In today’s digital world, consumers deserve to be able to make informed choices about their privacy and their children’s privacy online. After all, it’s your data—shouldn’t you have a say over how it’s used?” -- FCC Chairman Tom Wheeler

Components

Pay-for-Privacy Plans
The proposal does not seek to ban Internet providers' offering of a discount to consumers in exchange for their personal data, as companies such as AT&T have done (until recently). Under these types of programs, consumers give up some of their privacy for lower-cost access to the Internet. The FCC will evaluate these programs on a case-by-case basis, weighing an intervention only if it appears as though a provider is forcing the option on consumers. The FCC fact sheet states, “Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.”

Providers would be allowed to offer discounts or other incentives to customers to lure them to give consent to share more personal information, but would face “heightened” disclosure requirements for such plans.

Security Protections & Data Breach Notification
The proposal requires ISPs to take reasonable measures to protect the security of customer data. Those measures are based on FTC and National Institute of Standards and Technology cybersecurity guidelines. ISPs would have to notify customers within 30 days after determining that a data breach has occurred. ISPs would have only seven days to notify the FCC of any data breaches, and notify the FBI and the Secret Service of breaches that affect more than 5,000 customers.

Online Advertising and Privacy
In the Washington Post, Brian Fung wrote:

Internet providers increasingly want to use and share personal data with third parties as they expand their businesses beyond the provision of Internet connectivity. As they collect information on where their broadband customers go and what they do on the Web, providers can earn more money by selling targeted advertising spots to marketers — and by figuring out how to market their own, proprietary competitors to the likes of Netflix and Spotify.

Some, such as Verizon, have acquired major digital content and advertising companies in a bid to turn clicks into dollars. The strategy is what motivated its recent acquisition of Yahoo. But analysts have said that the FCC's privacy rules may make it harder for Verizon to make money on the investment. ‘It's not crazy to think that an opt-in regime would lower the addressable advertising opportunity by 50 percent,’ said Craig Moffett, a telecom analyst at MoffettNathanson, referring to the proposal on requiring consumers' affirmative consent before providers can use sensitive data. If approved, Wheeler's proposal could put companies such as Verizon at a disadvantage compared with Internet companies such as Google or Facebook, Moffett added.

Reactions
Not surprisingly, the proposal has received mixed reactions. In an op-ed on Wednesday, the day before the proposal was circulated, House Commerce Committee Ranking Member Frank Pallone, Jr. (D-NJ) said, "...some Congressional Republicans are actually trying to gut the FTC of its existing authorities, while simultaneously arguing that the FCC should model its rules on the FTC’s existing practices. These conflicting arguments defy logic. Their efforts also run counter to the public interest — consumers are demanding that Congress provide more privacy protections, not less."

In general, the public interest community appears to be pleased with the FCC's privacy proposal, particularly with the inclusion of web browsing history as “sensitive” data, and therefore requiring explicit consumer opt-in. Industry groups seem to be satisfied that the proposal is not as strong as it was in March, but still feel it is too harsh compared with the FTC’s privacy framework.

Public Interest Community
Electronic Privacy Information Center (EPIC) said, "The revised rules will require ISPs to obtain consumers consent only for use of 'sensitive' information. The original proposal offered privacy protections for all consumer data. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review. EPIC has said that the FCC should go further to safeguard consumer privacy."

Harold Feld, Senior Vice President at Public Knowledge said, “The proposed rules will, for the first time, require broadband providers to actually ask consumers for permission before exploiting sensitive private information and tracking them online. But even this simple ‘ask first’ rule has met fierce resistance from the broadband industry...We urge the full FCC to approve Chairman Wheeler’s proposal on October 27. Consumers should no longer have to choose between getting the broadband they need or having the privacy they deserve.”

Free Press Policy Counsel Gaurav Laroia said, “Today’s announcement signals that the FCC is on track to restore people’s privacy rights against internet service providers’ unpermitted use of personal information...Thankfully, it looks like the FCC proposal defines sensitive data broadly, and doesn’t follow the ISPs’ entirely unworkable and invasive suggestion that the FCC should protect visits to some kinds of websites but not others. That industry-backed approach would put companies like Comcast right in the middle of private conversations, and put them in the business of reading our messages before they decide whether to protect them.”

Katharina Kopp, Deputy Director for the Center for Digital Democracy said, “Because we know that ISPs’ big data analytical capabilities can turn seemingly non-sensitive information into highly private information about our lives, and because all our browsing data and the content of our communications is incredibly sensitive to begin with, we had asked the FCC to avoid drawing distinctions between “sensitive” and “non-sensitive” categories of information. Still, we believe that the proposal’s framework can work for consumer privacy provided the FCC’s definition of “sensitive” is robust and meaningful.”

The Center for Democracy & Technology said, “CDT still does not support drawing a distinction between “sensitive” and “non-sensitive” information in the broadband context, but were pleased that that the proposal defines sensitive information broadly to include all content, browsing information, and app usage data. The details on how information will be de-identified and what controls providers can meaningfully impose to avoid future re-identification must also be addressed.”

Information Technology & Innovation Foundation telecom policy analyst Doug Brake said, “The privacy framework announced today, like the Title II common carrier designation before it, sets a terrible precedent likely to reverberate throughout the Internet ecosystem for years to come. This proposed order represents one more slide down the slippery slope, away from the innovation-friendly world of flexible guidelines and effective oversight and towards a paternalist mother-may-I regime that will necessarily raise consumer costs and limit investment. Let’s be clear: This proposal is a vehement rejection of the type of U.S. regulatory oversight that has allowed U.S. businesses to thrive online and a sharp reversal from past claims that the U.S. government is committed to using multistakeholder processes for creating Internet-related policies. Instead, it would create a rigid regulatory regime and introduce a new collective action problem that would limit the use of virtually all data that can be put to economically beneficial uses."

Industry
NCTA--The Internet & Television Association wrote, “The Chairman’s Fact Sheet describes a regime that departs from the FTC’s proven sensitivity-based approach to consumer privacy in several key respects. Specifically, in its treatment of web browsing data and first party marketing of ISP services, the FCC departs from past FTC practice in ways that violate principles of fair competition and deny consumers the benefit of a consistent approach to online privacy protection. If the Chairman insists on advancing this approach, we would hope that his fellow commissioners would ‘opt-out’ and seek a result more faithful to the FTC’s proven framework of protecting consumers."

US Telecom President Walter McCormick said, “Consumers are best served when privacy rules are clear and consistent across the entire internet. We are pleased that the FCC has recognized the importance of providing consumers with a common expectation of privacy without regard to service or platform, and that the sensitive nature of the information being shared should be the determining factor in what is afforded increased protection. We are concerned, however, that the commission, which has no expertise with regard to determining the content of speech, is now attempting to redefine what consumers may regard as sensitive. In this regard, consumers would be better served if the FCC were to defer to the expertise of the FTC in this area, and the two agencies were to pursue a uniform approach.”

Verizon chief privacy officer Karen Zacharia said, "At Verizon, we are encouraged that the FCC appears to have taken seriously the input provided by a wide range of stakeholders and seems to be moving towards an approach that provides for more consistent standards across the Internet ecosystem....Where the FCC draws the line between sensitive and non-sensitive data will be important, but in general we agree that a sensitivity-based approach is more closely aligned with the Federal Trade Commission’s’ choice framework and better for consumers.”

The proposal is scheduled to be voted on by the FCC at its Oct. 27 meeting. At this point, it is likely to be approved.

Quick Bits