The Federal Communications Commission (FCC) on Thursday formally approved its privacy proposal for Internet service providers, despite dissent from several commissioners.
“It’s as if we all forgot how the Internet economy actually works today,” said FCC Commissioner Michael O’Rielly, who opposed the proposal aimed at curtailing how telcos and ISPs collect, share and monetize customer data.
“There is a trade-off,” O’Rielly said. “Consumers receive free stuff offered by Internet companies, when in return the companies receive other things, such as data to place targeted ads that consumers may or may not want, but at the same time may be completely comfortable with within the context of the overall package.”
The proposal, originally proffered by FCC Chairman Tom Wheeler in March, passed 3-2 and now has the FCC’s official blessing. It’ll be circulated for public comment before it’s codified.
The rules are fairly stringent. Although Verizon, AT&T, T-Mobile and other broadband providers could use customer data to facilitate all the usual services, such as billing or enabling people to visit websites, they would be required to disclose the data they collect and provide transparency around how that data is shared with third parties for marketing purposes.
The crux of the issue is consent. While ISPs could share customer info with affiliates to market communications-related services, unless the user opts out the ISPs would need explicit opt-in to do basically anything else other than provide the expected services.
“There is one indisputable fact and that is that it’s the consumer’s information and the consumer should have the right to say whether it is used for non-network purposes,” Wheeler said.
But the language around opt-in as it stands within the unedited proposal is pretty broad, said Alan Chapell, chief privacy officer and outside counsel for Cinarra Systems, a startup that helps telcos anonymize and monetize customer data.
“I’m still holding out hope that the ultimate outcome is a little more nuanced than a blunt opt-in and opt-out rule set – even though I’m not even sure I agree with the justification for opt-in in the first place.”
There is a concern that operators are being treated differently than the edge providers, the entities that provide services to end users over the Internet, such as Google, Facebook, Amazon, Apple, Netflix or any one of hundreds of thousands of other companies. Yet they’re quite different beasts.
“At this point, you could make a pretty convincing argument that edge providers are collecting data from a larger swath of the Internet than ISPs,” Chapell said. “So if scale isn’t the issue, what is?”
One answer could be the FCC’s seeming quest to be the privacy cop on the beat, a position traditionally occupied by the Federal Trade Commission. The FCC made its first major move in that direction when it reclassified broadband as a utility, thereby bringing ISPs under its jurisdiction. The FCC’s move is currently being challenged in federal court.
“I think the FCC is looking to create a European-style standard and they’re starting with the one place they can control now and that’s the carriers,” Chapell said. “Perhaps they’re hoping the standard will then catch fire elsewhere.”
Although Wheeler’s proposal contends that ISPs are privy to vast amounts of consumer data, ”Think about it. Your ISP handles all of your Internet traffic,” wrote Wheeler in an op-ed in March – it pales in comparison to Google and Facebook.
A recent paper written by Peter Swire, a privacy expert, lawyer and former chief privacy counsel under the Clinton administration, points out that because of the fragmented way in which people use Internet services, moving between devices and Wi-Fi networks multiple times during the day, the carriers actually have less access to personal information than the online players.
It’s also true that the growing ubiquity of encryption and HTTPS means that ISPs will soon be blind to the majority of detailed URLs or what content is being accessed.
“It makes little sense to give some companies greater leeway under the law than others when they all have access to that very same personal data … for here is the reality – there is no good reason to single out ISPs, new entrants in the online advertising space, for disparate treatment,” said FCC Commissioner Ajit Pai in his dissenting opinion on Thursday’s vote. “The most commercially valuable information about online users is coming from other contexts.”
