All hope of broadband privacy bites the dust

The FCC and Congress are working hard to ensure nothing stands in the way of ISPs profiting off your personal data

All hope of broadband privacy bites the dust
Credit: Damien du Toit

Another week, another consumer protection falls. Get ready to kiss good-bye forever rules aimed at protecting broadband users’ privacy.

Plans to strip the FCC of its authority are continuing apace. At the 11th hour, the agency’s chairman, Ajit Pai, put the skids on rules that would have required ISPs to take utterly reasonable measures to protect consumers’ data and notify consumers should a breach take place.

Even more shocking is the bill introduced this week by Arizona Senator Jeff Flake and co-sponsored by more than 20 Republicans. Their resolution not only kills the privacy rules, which had been set to go into effect last week, it uses an obscure, expedited legislative process to prohibit the reissuing of any new rule that is substantially the same. That sound you hear is a door slamming in consumers’ faces.

The Congressional Review Act (CRA), penned in 1996 and used only once before this year, has been getting a vigorous workout of late. It’s been used to kill everything from regulations that curbed runaway fees on prepaid debit cards to rules that banned coal-mining companies from dumping debris and waste into nearby waterways.

The broadband privacy rules crafted last year by Tom Wheeler’s FCC upset ISPs, which cried foul because they were being held to a different standard than internet companies like Google and Facebook—which are regulated by the FTC. But as Wheeler correctly pointed out, the lack of broadband competition means “a consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine, or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.”

ISPs are able to gather personal information about people when they are on their PCs, mobile devices, and—as underscored this week—even while watching TV. Unlike the opt-out standard of privacy applied by the FTC to edge providers, the FCC wanted to require opt-in consent before ISPs could sell to third parties sensitive data like Social Security numbers, geolocation, financial information, health information, and browsing histories. The FCC also recommended a system of corporate accountability for data breaches that included notifying users when their data was stolen. The nerve!

To hear Republicans and telecom industry groups tell it, the new rules would harm consumers by creating “confusion” over the FCC’s and FTC’s differing approaches to privacy oversight. “Americans care about the overall privacy of their information when they use the internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the internet holds it,” FCC Commissioners Pai and Maureen Ohlhausen wrote.

To which Ars Technica reader Cognac commented: “I’m not quite sure [they] understand how the internet works. This is kind of like saying big retail stores need to adhere to the same standards as the companies that make and maintain the roads consumers drive on to get to those stores, otherwise people will be confused.”

Pai and Ohlhausen said they favored having privacy oversight uniformly administered by the FTC. But they disingenuously failed to mention that the FTC is barred by statute from regulating common carriers—and the FCC reclassified broadband as a utility in 2015 in order to implement net neutrality rules. The FTC wrote the new privacy rules to close the gap in oversight the move created.

While Republicans will certainly turn their attention next to overturning net neutrality, even that may not restore the FTC’s authority over ISPs. Ars Technica notes that because of a federal appeals court ruling last year, “even if broadband loses its common carrier designation, AT&T would still be a common carrier because of its landline telephone and mobile voice services. Verizon, CenturyLink, Frontier, T-Mobile USA, and Sprint would all still be common carriers as well. … In short, the FTC might not be able to regulate all ISPs unless that court ruling is overturned or Congress changes the law to let the FTC regulate common carriers.”

Ultimately, “this elimination of basic data security rules gives ISPs a free ride, while online services and other edge providers are still required to take reasonable measures to protect their customers’ information under the FTC’s framework,” consumer advocacy group Public Knowledge said. “That is not a level playing field.”

A study last year found that more Americans are worried about their data privacy than they are about losing their main source of income. It’s the government’s job to protect consumers, but the current administration doesn’t seem to view it that way. This attack on broadband privacy rules “would only help telecoms make a quick buck on your data,” Gizmodo writes.

Electronic Frontier Foundation has called on people to contact their senators and representatives to oppose the use of the CRA to roll back the FCC’s privacy rules.