FCC Wades Into Privacy Stream

Washington — The FCC has become focused on private parts.

No, the Federal Communications Commission is not cracking down on indecency as it did a decade ago. The private parts in question are the parts of its regulatory purview, or its interpretation of that authority, dealing with broadband privacy, including its new authority over broadband customer privacy, its extension of privacy protections to programming streams on set-tops, and only its second enforcement action under enhanced transparency rules.

FCC chairman Tom Wheeler last week circulated his proposal for how an Internet-service provider should treat customers’ information, such as which websites they visit or how their information is being used, and it includes an opt-in regime for most targeted advertising. ISPs already are required to protect CPNI (customer proprietary network information) — like VOD records — for traditional video service.

Cable operators and other ISPs had offered up a proposal to the FCC.

FAVORING FTC MODEL

The framework is based in the National Cable & Telecommunications Association’s argument that rather than come up with new rules and regulations, the FCC should “[pursue] reasonable enforcement actions against telecommunications service providers that have clearly violated these principles.” That is the Federal Trade Commission model. The FTC has enforcement authority, but very limited authority to promulgate new regulations.

ISPs do not concede the FCC even has the authority to regulate broadband CPNI, which is tied to the Open Internet order they are challenging. Bu they had wanted the FCC to steer clear of new rules and that doesn’t look like it is happening. (ISPs have argued that targeting them ignores the power of edge providers like Google and Facebook, which are not covered by the FCC’s proposal).

Cable ISPs have an ally in Republican FCC commissioner Michael O’Rielly. In a speech last week, O’Rielly said he had “deep concerns” about the “direction the commission may be headed on the use and analysis of data by broadband companies.” In the name of privacy, the FCC seemed “intent on doing great damage to the interworking of the Internet,” he said.

“Beyond the deeply flawed authority for privacy regulation generated from last year’s net-neutrality decision, which is still being challenged in the courts, the commission doesn’t understand how its new burdens will impose unnecessary and costly compliance on broadband providers,” he said.

Privacy groups, which were celebrating last week, argued that there need to be tough new rules. The FTC has limited enforcement authority, relying on the threat of lawsuits, while the FCC does not. Those groups, which include ACLU, Center for Digital Democracy, Free Press and Public Knowledge, want the FCC to use that regulatory authority.

“Fundamentally, the FTC is not a data-protection agency,” the privacy groups said. “Without regulatory authority, the FTC is limited to reactive, after-the-fact enforcement actions that largely focus on whether companies honored their own privacy promises.”

The FCC essentially deeded itself new authority over broadband CPNI when it reclassified Internet-access service as a telecommunications service, but said it would not simply graft the phone CPNI regulations onto broadband, and forbore from applying the Section 222 rules while it came up with a new approach.

Section 222 of the Communications Act “imposes a duty on every telecommunications carrier to protect the confidentiality of its customers’ information and imposes restrictions on carriers’ ability to use, disclose, or permit access to customers’ individually identifiable customer proprietary network information (CPNI) without their approval.”

The FCC agreed in the meantime to team with the FTC on oversight, and advised ISPs that while it was working on what the new privacy regime will be, they should be taking “reasonable, good-faith steps” to comply with the spirit of Section 222, rather than the “technical details” of the phone-centric rules.

BITING INTO ‘SUPERCOOKIES’

In a related move last week, in only the second enforcement action for the FCC’s new enhanced transparency rules under the Open Internet order, Verizon agreed to pay $1.35 million and get its customers’ permission to insert “supercookies” called unique identifier headers (UIDH) into their mobile Internet streams. Those headers allow Verizon and third parties to deliver targeted ads.

“As a result of the investigation and settlement, Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers’ opt-in consent before sharing UIDH with third parties, and will obtain customers’ opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family,” the FCC’s Enforcement Bureau said in announcing the settlement.

Referencing the settlement, Karen Zacharia, Verizon’s chief privacy officer, took issue with the FCC’s use of “supercookie” to describe the UIHD, saying in a blog post that it was not a cookie, which is placed and stored on computers, but a “a piece of data included in the header of certain Internet traffic.” In any event, Zacharia said, the fact that the company settled does not change its view about the FCC broadband privacy rulemaking and its support for the ISP proposal.

“Any broadband privacy framework adopted by the FCC should be flexible enough to permit carriers to innovate and compete while providing customers the information they need to make privacy-related decisions,” she said.

PROTECTING THE STREAM

Also on the FCC’s agenda is how to protect cable customer information when it makes those programming streams available to third-party set tops, as it plans to do in a proposal adopted last month.

The agency’s proposal requires third parties to certify that they will protect the privacy of cable subscribers’ CPNI since, as edge providers and app developers, they are not subject to Section 222.

The FCC promises that it will not allow an MVPD to pass through its information streams to a third party without that certification. ISPs have argued that since the FCC does not trust them to self-certify they are not engaging in paid blocking, degrading or prioritizing, why would it assume edge providers can be trusted to comply with the privacy regulations.

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.