Recent events involving the FBI and FCC read like a tale of two governments: one fighting doggedly to strip away the encryption protecting your phone's privacy, and the other advancing rules to safeguard your online personal info.
It's an appealing story in contrasts. Unfortunately, the privacy advocates heralding the FCC's "strict new privacy rules" and its role as "privacy cop" have been too quick to celebrate. Ultimately, these changes will do little to defend consumers' privacy from the increasingly ubiquitous surveillance of the digital age.
The proposed rules prohibit ISPs from selling users' data, such as customer name, address, location and Internet activity, to third parties without users giving opt-in consent to share that information. This is the same kind of privacy protection that already applies to telephone customers' data, and it barely scratches the surface of the motherlode of data generated through online activity.
Internet providers will also not be allowed to track customers without consent by using a unique number tied to a user's Internet activity or phone location. This month, Verizon paid $1.35 million to settle zombie cookie privacy charges and agreed that any future use of hidden undeletable numbers to track mobile users would be by consent only.
That decree didn't apply to tracking done by AOL, which Verizon acquired last year for $4.4 billion. But under the FCC proposal, subsidiaries would only be allowed to use an Internet provider's customer data to market "communications related services." Thus, AOL's use of online advertising technology would also need to be opt-in.
The rules don't ban programs like the one AT&T rolled out last year that charges customers a premium for the privilege of not being tracked. Even FCC Chairman Tom Wheeler admitted he was concerned about privacy becoming a luxury service. But "at this point in the debate, we have to deal with what we can deal with today," he said.
What we seemingly can deal with today is a determined emphasis on "opt-in." Despite all the predictable hand-wringing from cable industry groups about "burdensome privacy regulations," the proposed rules say nothing about prohibition. They're simply about getting permission to do what ISPs have been quietly doing all along: collecting and selling customers' personal info. How burdensome for them.
It's unclear what that opt-in process will look like, but if it takes the form of terms-of-service contracts that users routinely agree to without reading, it's hard to see this as anything more than business as usual for surveillance capitalism.
"Surveillance is the business model of the Internet," security expert Bruce Schneier has said. "We build systems that spy on people in exchange for services. Corporations call it marketing." Data is currency online, and consumers are willing to hand it over in exchange for "free or convenience," Schneier said.
"At a most fundamental model, we are tenant farming for companies like Google. We are on their land producing data," he said.
To date, Internet users have been very productive creating -- and giving away for free -- what Goldman Sachs calls a "gold rush" of personal data. Theoretically, if every user decided not to opt-in, it would threaten the flow of information on which the burgeoning telecom-data-as-a-service market relies -- a field currently worth $24 billion per year and on its way to $79 billion in 2020, according to estimates by 451 Research.
Companies like SAP, IBM, HP, and others are hoping users remain complacent and do nothing to upset the under-the-radar partnerships with carriers that give them access to consumers' data, according to an Ad Age investigative report. Insiders say carriers exploring these kinds of data-sharing businesses are tight-lipped because "fear of consumer complaints is always lurking in the background."
"The practices that carriers have gotten into, the sheer volume of data and the promiscuity with which they're revealing their customers' data creates enormous risk for their businesses," said Peter Eckersley, chief computer scientist at privacy watchdog Electronic Frontier Foundation.
"While the world is riveted by the showdown between Apple and the FBI, the real truth is that the surveillance capabilities being developed by surveillance capitalists are the envy of every state security agency," says Shoshana Zuboff, professor emirita at Harvard Business School and author of the forthcoming book "Master or Slave: The Fight for the Soul of Our Information Civilization."
Indeed, Gartner security analyst Avivah Litan believes the FBI's focus on encryption backdoors is misplaced. "There is a ton of rich data at ISPs that can be used to identify and track terrorists and criminals. In fact, this data is more fertile than what is on a personal smartphone because it reveals networks and connections that involve crime or terrorist rings," Litan told Computerworld.
Now the FCC wants to give consumers the option to keep some of their data secret. "Privacy rights confer decision rights, but these decision rights are merely the lid on the Pandora's Box," Zuboff says.
The FCC's actions are a welcome baby step toward privacy rights, but hardly in the same category as tough data protection rules passed in December by the European Commission. "Europe's approach to privacy is much stronger than in the United States," Peter Church, a technology lawyer in London, told the New York Times. "There's a fundamental difference in culture when it comes to privacy."