Unlocking Privacy Rules

What is the price of privacy for Americans?

That’s the single question Federal Communications Commission chairman Tom Wheeler is mulling as his agency tries to craft new broadband privacy rules that would put more restrictions on cable operators and other Internet-service providers than so-called edge providers — such as search engines and social-media platforms — all of which use personal consumer information to boost their business models.

To advocates in both camps, it is yet another flashpoint in the issue of online privacy and the different treatment given to companies in different industries.

The FCC deeded itself authority over broadband privacy when it reclassified ISPs as common carriers, which exempts them from the Federal Trade Commission oversight that used to be their regulatory governor. Wheeler, joined by the FCC’s other Democrats, proposed new rules requiring customers to opt into sharing their information with third parties.

The issue has been a hotbed of debate not just for consumers, but for the affected companies chafing against regulation. At press time, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” had generated more than 276,600 comments on the FCC’s docket; at one point, it racked up 17,753 comments in a single 30-day period. That was more than 10 times as many comments as the second-place docket.

The FCC’s current proposal to come up with bright-line rules on broadband customer privacy is only part of the larger issue of keeping consumer data safe from prying eyes while not kneecapping the targeted ad business model that allows for free online content. Protecting information from foreign and domestic hackers is a separate issue, though one that continues to dominate privacy vs. security discussions in Washington — in that case, national security.

Perhaps the biggest unknown involves the Internet of Things, which includes an endless variety of side doors into a user’s online information. (Quite literally, since it could include WiFi-controlled door locks.) As many as 200 million IoT devices could be deployed by 2020, according to Intel.

At stake for ISPs such as Comcast and Verizon Communications is their ability to profit from targeted marketing to their broadband subscribers versus edge providers ability to do so. Edge providers — firms such as Google, Facebook, Yahoo and others that provide Internet content — are not subject to the same restrictions on monetizing user information.

Wheeler’s proposed rules on broadband privacy — which include new restrictions on which types of information ISPs can share, new reporting requirements and deadlines — could come to a vote by the end of the year.

Complicating the enforcement of privacy rules is the jurisdictional issue of which agency regulates which activities. A simple question has a maddeningly complicated answer.

ISPs, for example, know where their customers are going online — and that information is highly prized by online marketers seeking to target ads. It’s for the FCC to decide how that data is used and what control consumers have over its use.

But the individual websites can also track their visitors, and that information, too, is valuable to third parties and online marketers. That data is under the FTC’s purview, although a recent federal appeals court decision has cast that into doubt.

As the FCC-branded gatekeepers of online information, cable operators and other ISPs are at the nexus of the issue.

Meanwhile, the Wheeler-led FCC says it must keep its hands off of edge providers. “[A]ny rules that apply to [only] broadband providers do not prevent” all other Internet companies from storing and manipulating that private information, said Scott Cleland, who runs NetCompetition, an e-forum backed by broadband companies.

“They only prevent one, the ISP,” Cleland said. “It is the functional equivalent of blocking one little square of a metal screen and imagining that one has plugged the whole screen.”

Public Knowledge has argued that Congress intended that broadband customers have control of how their information is used, period. They say that anonymization of that data, which ISPs say should be treated more lightly than identifiable personal information, would still “convey a windfall to the carrier at the expense of consumer control of the information in a way that Congress did not intend.”

ISPs point out that consumers also benefit through third-party use of their anonymized data since that data is the lynchpin of an ad-supported model of free online content that users have come to expect and, arguably, now view as something of an entitlement.

ISPs have pointed out that in other facets of privacy — such as app privacy and facial-recognition software — the Obama administration has sought to have stakeholders come up with voluntary guidelines rather than have government impose prescriptive regulations.

“The FCC’s proposed rules are seriously out of step with the technology-neutral approach — applied to both ISPs and non-ISPs — that that has guided the administration’s many efforts on privacy and cybersecurity policy, with great success,” Michael Powell, president of the National Cable & Telecommunications Association, told the leaders of the Senate Commerce Committee.

PAY FOR PRIVACY

The FCC’s proposed new broadband privacy rules do not ban what some dub “pay for privacy” — ISPs providing an incentive in the form of lower bills for users in return for customers allowing their information to be used for third-party targeted marketing. Indeed, Wheeler himself suggested to National Public Radio that was a way for consumers to control and monetize the value of that information.

But the chairman has left some wiggle room. The notice of proposed rulemaking asks whether “pay for privacy” is allowable under the Communications Act. It cites the example of AT&T’s GigaPower fiber-to-the-premises service that offers users a $30 price break off a $100 monthly fee for allowing their browsing information to be used to tailor ads.

ISPs have an ally in their fight against prescriptive rules in Jon Leibowitz, the former chairman of the FTC under President Obama from 2009 to 2013. He has been working hard to convince the FCC to take the FTC’s approach to privacy, which means enforcing existing privacy policies rather than creating new rules requiring customers to opt in to third-party use of their info for marketing purposes.

In a letter to the FCC, Leibowitz, co-chair of the 21st Century Privacy Coalition and a partner at Davis Polk & Wardell advocating for telecom and broadband providers, said that applying an opt-in privacy regime for ISPs that does not apply to edge providers — still subject to the FTC’s enforcement policies — would undercut consumer benefits.

Instead, he has said, the FCC should adopt the more flexible privacy-by-design approach adopted by the FTC during his tenure, tailoring protections and consumer choice to the sensitivity of the information and how it is being used, and encouraging increased transparency.

That’s a way to apply privacy regulations in a tech-neutral manner to edge providers and ISPs, Leibowitz has said. It is also at the heart of an alternative to the FCC proposal that has been championed by the NCTA and others.

SIDEBAR: Terror Watch

WASHINGTON — Terrorism has reached into various aspects of American life, online privacy among them.

Last fall, in the wake of the terrorist attacks in Paris and ongoing urban violence, some in Congress asked Federal Communications Commission chairman Tom Wheeler what the agency could do to disrupt social media or other Internet communications used by terrorists to recruit or spread their messages of hate.

Wheeler has said the FCC has a limited role — he has long insisted the agency can regulate Internet-service providers, but not edge providers such as Google, Yahoo or Facebook.

“We do not have jurisdiction over Facebook and other edge providers, and we do not intend to assert jurisdiction over them, and I don’t believe, as legitimate as your concern is, I don’t believe we have the jurisdiction to do the kind of thing that you suggest,” Wheeler told Congress when asked if the government could “shut them down.”

But some privacy groups are concerned that the Department of Homeland Security is trying to step in and start regularly monitoring social-media posts.

The Center for Democracy and Technology, a Washington, D.C.-based nonprofit group, has told DHS to back off a proposal to ask some foreign visitors to the U.S. to volunteer information about their social media participation when applying to visit, which it calls an “avenue for overly-intrusive government surveillance.”

In comments to DHS, the CDT said it was concerned about “unspecified review and [“suspicion-less”] monitoring of their public online activity,” calling it a threat to privacy and speech protections.

While DHS has said the information was voluntary, the center fears that will not be the case with folks being asked by the government to supply information in the process of trying to secure entry.

SIDEBAR: Driven to Detection

WASHINGTON — The Federal Communications Commission’s privacy purview extends to actual superhighways as well as the information superhighway.

As the auto industry begins to deploy collision avoidance and other vehicle-to-vehicle communications using dedicated short-range communications (DRSC) spectrum, consumer and privacy groups — as well as some lawmakers — are pushing the agency to come up with customer-information privacy protections as commercial and noncommercial uses are developed for the Internet of (Vehicular) Things.

The FCC opened an inquiry into the issue after Public Knowledge petitioned it for an emergency stay of the rollout of so-called Vehicle-to-Vehicle (V2V) services. Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) wrote with their concerns, including that the FCC reserve the spectrum for matters of public safety, such as crash avoidance.

The issue is not just that cars can be hacked — which could put lives in jeopardy — but that retailers might sell commercial services using customer broadband information.

V2V services would make use of 5-GHz spectrum, the same swath of bandwidth cable operators use to fuel WiFi hotspots — the industry’s primary mobile broadband play. They’ve been pushing for more of that spectrum.

Public Knowledge says that the cybersecurity and privacy issues behind its effort are independent of the issue of sharing the band with WiFi. Delaying V2V rollout is necessary “whether or not the [FCC] allows operation of unlicensed devices in all or part of the DSRC band on a non-interfering basis.”

With regard to the retail issue, Public Knowledge points out that businesses could collect and analyze where a vehicle goes and how long it stays there — without the driver’s knowledge or consent. It could also serve them targeted ads via dashboard consoles, in-car entertainment systems or digtal billboards on gas pumps.

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.