There’s a huge and mostly hidden data economy and the big U.S. internet service providers want in on it. That’s why the cable and telco lobbyists have been pushing hard in the capital to scrap a new set of broadband consumer privacy protections adopted by the FCC under Obama-era chairman Tom Wheeler.
The rules govern the ways big ISPs like Comcast and Verizon collect and use personal information, and require that consumers be given the option to opt out of tracking data collection. In other words, it prevents them from making money by selling some of that data to third parties and advertisers.
The current FCC commissioner (and former Verizon attorney), Republican Ajit Pai, is a long-time opponent of new privacy protections for consumers’ personal data. He submitted an dissenting position when Wheeler’s FCC approved the rules last October. Last week he put on hold provisions in Wheelers rules requiring ISPs to protect consumer data from hackers.
Tuesday was a big day for Pai and the FCC. Donald Trump nominated him for a second term as chairman, and a resolution was introduced in the Senate to permanently do away with the ISP privacy protections. Senator Jeff Flake’s (R-AZ) resolution relies on an obscure thing called the Congressional Review Act, which would require only a majority vote in both houses for passage. Twenty-one other Republican senators signed on to the resolution.
Republicans and Big Cable and Big Telco leaders have long complained that ISPs are subject to tougher privacy rules than internet companies like Google and Facebook.
“The rule harms consumers because it creates confusion in the regulatory environment in which customer data is regulated by two different agency standards, based on whether information is used by an internet service provider or edge provider,” says a letter sent to Congress yesterday from the National Cable Technology Association (NCTA), the CTIA (the wireless industry’s trade group), and, notably, the Interactive Advertising Bureau, which represents the thousands of ad agency, ad tech, marketing tech, and personal data brokerage companies operating in the U.S.
But, as the ACLU points out, there’s a good reason for the the two standards. “While it is true that advertisers and big data firms are already collecting, using, and selling information about your online habits, ISPs are afforded an even greater vantage point as they sit atop the internet backbone,” writes the ACLU’s Nathaniel Turner in a blog post. “Using just your browsing history alone, they can paint an intimate picture of your religious practices, sexual activities, health problems—your aspirations and your fears.”
The trade groups claim that the Federal Trade Commission (FTC) has its own set of rules to manage ISP privacy abuses. But while the FTC punishes offenses that have been committed, it doesn’t set rules that govern behavior.
The main argument against the resolution is that it will over-reach, and create a gap in the regulation of the ISPs. David Sapin, Price Waterhouse Cooper’s U.S. Tech, Media & Telecom Risk & Regulatory Leader points out that the Congressional Review Act would not only zap the new privacy rules, but would preclude the FCC from making “reasonably” similar rules in the future. This would put the onus on the FTC to regulate privacy. But: “Technically, the FTC does not have jurisdiction over broadband providers as they are deemed a utility under Title II of the Communications Act [and] subject to FCC oversight,” Sapin wrote in a email to Fast Company.
The groups claim in their letter that the FCC under Wheeler never provided evidence supporting the need for new privacy protection rules, adding that consumers already have the protections provided in Section 222 of the Communications Act.
But that evidence does exist, and ISPs have misbehaved under the protections in Section 222, says Electronic Frontier Foundation senior staff technologist Jeremy Gillula. “All you have to do is point directly to the Zombie Cookie tracking program that Verizon got in trouble for in 2015.”
Verizon was inserting hidden and unblockable cookies in its users’ browsers to track their web browsing habits. “They were saying ‘Oh, well, only our affiliates will be able to use this,” Gillula said. But a third party soon figured out how to exploit the tags to track the browsing habits of all users, Gillula explains.
The company ended up paying a $1.35 million fine to the FTC, and agreed to ask users for an opt-in, instead of an opt-out, when using cookies.
“It’s exactly that type of practice that the new rules are designed to prevent,” Gillula said. “It’s absurd to say that the ISPs have not behaved terribly—It’s selective memory on their part.”
Finally, the trade groups return to the familiar veiled threat that if the rules aren’t favorable to them, the big ISPs will stop investing to improve their networks. “Consumers enjoy the advertising-supported internet and innovation, and investment thrived before the rule’s adoption,” the letter reads. “The FCC’s rule also threatens the economic health of broadband providers whose infrastructure is critical to new technology like 5G and the Internet of Things.”
Flake and his GOP allies have an excellent chance of repealing the FCC’s privacy rules. All it will take is a vote along party lines. In other words, the survival of the rules will depend on the slim chance that a few Republican defectors emerge when the resolution comes down to a vote.
Consumer groups like ACLU and the EFF are saying that the rules’ survival may depend on the level of pressure that constituents apply to their representatives in the coming weeks to vote against Senator Flake’s resolution. There may a good deal of that: Studies show that Americans are more worried than ever about data privacy and security.