Broadband internet providers are salivating at the prospect of selling information about how their customers use the internet, but the FCC is moving to apply longstanding telecommunications privacy rules to protect our privacy. As I wrote about Monday, this is an exciting opportunity to achieve a strong and important protection for our privacy鈥攂ut it's facing resistance from the telecom giants.
The industry and its allies are arguing against privacy protections using several notably weak arguments.
One line of attack on the FCC鈥檚 duty to protect privacy is to point to the prevalence of consumers who use encryption, and how encryption can hide some data about a customer鈥檚 use of the internet from ISPs. An industry-funded (summarized in this ) released this week details the use of such encryption. It points out that when a customer connects to a web site that uses HTTPS (as opposed to plain unencrypted HTTP), the ISP can鈥檛 see the exact pages within a site that a customer is reading, or the content of the pages that download. If a customer is using a Virtual Private Network (VPN), then the ISP can鈥檛 see either the customer鈥檚 content or the parties with whom he or she is communicating. As a result, an increasing amount of internet traffic cannot be read by ISPs.
There are multiple problems with this as an argument against network-level privacy protections:
- To argue that ISPs should be able to spy on their customers unless those customers use encryption throws the burden of protecting privacy onto the customers when the law clearly places it on carriers. It also attempts to normalize surveillance by arguing that it should be the default, when the default should be privacy.
- Essentially this argument says, 鈥渂ecause the ISPs can't see everything, we don't need to protect anything.鈥 Weak.
- Regardless of how many people use encryption, the law clearly states that the FCC is required to protect privacy (in particular section 222 of the Communications Act, as I discussed in my prior post). One can use a cipher when handwriting a letter, as correspondents have done for centuries鈥攂ut that doesn鈥檛 mean the Postal Service isn't barred from opening people鈥檚 envelopes.
- Even where the web site to which a customer connects uses HTTPS, the ISP can still see what web site the customer is connecting to, whether that be a political, medical, or sexually oriented web site, or anything else. Metadata is a very powerful form of information鈥攐ften viewed by law enforcement, for example, as more valuable than content itself.
- Many web pages do not use HTTPS. Perhaps someday all sites will, but in the meantime internet users deserve privacy regardless of how that evolves, and they deserve it right away without having to wait.
- VPNs can be a powerful means of protecting privacy, but many users do not know what they are or how to use them, or even that they exist. To protect their privacy, individuals who want to communicate and access the world鈥檚 information shouldn鈥檛 have to engage in a technological arms race with the companies they are paying. Many users cannot, and no user should have to pay extra to shield their activities from a prying ISP by buying a VPN service, when they are already paying for internet services that Congress has already clearly stated must protect privacy.
- Reliance on VPNs would therefore just create or widen a 鈥減rivacy digital divide鈥 in which the underprivileged suffer further disadvantage by losing their privacy.
- When you use a VPN, many details about your internet usage become invisible to middlemen such as your ISP鈥攂ut the party operating the VPN then gains access to all that information. Whether that is an employer or another 3rd party service, all the privacy concerns facing internet users just get shifted to that new party鈥攚hich, unlike the carriers, is not subject to privacy protections that have been written into law.
- Even when you use a VPN, your ISP can see how much data you are sending and receiving, and at what times. While not as revealing as content or metadata, that could still tell the ISP who stays up all night, who is home all the time and who travels a lot, who observes the Sabbath, who watches a lot of television, and no doubt much other personal information that could be cleverly gleaned. Congress specified that carriers must protect information that relates to, among other things, 鈥渢he quantity...and amount of use of a telecommunications service.鈥
The suggestion that 鈥渆veryone should just use encryption鈥 is akin to the infamous by President Reagan鈥檚 interior secretary in 1987 that instead of asking for regulations to address ozone depletion and heightened levels of dangerous ultraviolet radiation, people should just wear hats, sunglasses and sun creams to protect themselves. Of course doing so can be a good idea, but it was sensible government action that has the ozone depletion problem.
鈥淯nfair or deceptive鈥
Another industry argument is that the FTC already regulates privacy of internet companies, and so we should let them do it for the sake of 鈥渃onsistency,鈥 and the FCC should not enforce the law. (The industry sent a to the FCC making this argument, followed up by a more detailed along the same lines). As the letter states,
We believe it is important to maintain a consistent privacy framework for the Internet. Such an approach will protect consumers and avoid entity-based regulation that would create consumer confusion and stifle innovation. Consumers expect their data will be subject to consistent privacy standards based upon the sensitivity of the information and how it is used regardless of which entity in the Internet ecosystem uses that data.
鈥淵ou are using that thinner, cheaper fencing over there,鈥 argues the fox to the farmer, 鈥渟o for consistency's sake you should also use it around the henhouse. The hens expect consistent fencing. No need for that strong protective fence here.鈥
The FTC actually has very limited statutory authority to enforce adequate privacy standards. Indeed, we have called for Congress to give them such authority so that they might function like the independent privacy commissioners that most other advanced-industrial democracies possess. The FTC鈥檚 primary authority is its mandate to enforce Congress鈥檚 prohibition on 鈥渦nfair or deceptive acts or practices.鈥 What this means for privacy is that a company can鈥檛 say it鈥檚 doing one thing, yet do another. But if the company tells its customers that their privacy will be completely stripped bare, then the FTC has little authority to act based on the substantial privacy invasions. Meanwhile, as everybody knows, a wide array of online companies, including an entire ecosystem of shady advertising companies operating largely invisibly to consumers, are engaging in vast invasions of Americans' privacy on a daily basis, and there鈥檚 little the FTC can do about it because their regulatory approach is based on a 鈥渘otice and choice" regime that is widely recognized as inadequate.
It is true that some scholars have that the FTC is creating an emerging 鈥渃ommon law鈥 of privacy that constitutes the 鈥渇oundations鈥 for a 鈥渞obust privacy regulatory regime.鈥 But the telecom industry does not want regulation to be left to the FTC because that agency鈥檚 regime is so robust, but precisely because it is not. Indeed, the industry seems to want regulation specifically limited to the FTC鈥檚 limited 鈥渦nfair or deceptive鈥 mandate:
To achieve parity across the Internet ecosystem, any FCC framework for Internet service providers should be reflective of the deception and unfairness standard, consistent with the existing protections consumers receive when they engage with other companies in the Internet ecosystem.
Broadband providers鈥攃ompanies that provide internet connectivity鈥 want to lump themselves together with companies that use the internet to provide services. They want to be subject to the same light regulatory regime as the online services, and to have credibility when they cry that proper common carrier rules constitute 鈥渞egulating the internet!鈥 There is a fundamental difference between internet services and destinations that people choose to use online, and can abandon, and the internet infrastructure itself. There are many invasions of privacy online, but the situation will get far worse if such invasions get baked into the very structure of the internet.