Broadband privacy regulations fall into a gray area

Last year, for the first time since the advent of broadband technology, the Federal Communications Commission passed strict rules governing customer privacy for Internet service providers. Five months later, Congress voted to kill the rules.

Because President Donald Trump signed the resolution repealing the rules, no federal agency has the authority to protect the privacy of broadband customers. Major ISPs like Comcast, Verizon, and AT&T have promised to play nice, but no agency is ensuring that they will.



READ MORE ON BROADBAND PRIVACY

Looking to hide your traffic from ISPs? Not all VPNs are equal
ACLU’s Gillmor on privacy: ‘We pay for what we value’ (Q&A)
How to protect yourself when using airplane Wi-Fi


The repealed FCC rules required broadband providers to receive opt-in customer permission before sharing sensitive personal information, including Web-browsing history, geolocation, and financial details with third parties.

Broadband industry groups say there’s nothing to worry about. ISPs have pledged to follow the Federal Trade Commission’s privacy rules, a case-by-case enforcement model that requires companies to live up to the customer privacy promises they make for themselves.

“There hasn’t been any change on the ISP front,” says a representative of USTelecom, a broadband trade group. “The pledge to keep adhering to FTC rules still stands.”

While there’s no evidence yet of a significant shift in ISP practices, privacy advocates say the lack of federal oversight may lead to new schemes to track their subscribers.

Broadband providers have promised not to sell customer data directly, but many are “floating the possibility of selling profiles of their customers to third parties for targeted advertising,” says Gaurav Laroia, policy counsel at digital-rights advocacy group Free Press. “Companies like AT&T make it very clear they’re interested in delivering ads to their customers…‘across TV, online, and mobile.’”

Broadband providers and Republicans in Congress had protested the privacy rules because they covered only broadband providers—and not huge data collectors like Facebook and Google.

“ISPs have access to enormous amounts of sensitive Internet data their subscribers transmit.”—Yosef Getachew, policy fellow, Public Knowledge

But the FCC has never had clear authority to regulate the privacy practices of companies that aren’t ISPs or telecommunications providers, and the Googles and the Facebooks of the world remain under the oversight of the FTC.

Supporters of the rules had argued that ISPs have a broad view of subscribers’ personal information that, in many cases, even Google and Facebook cannot match.

Without the rules in place, broadband providers have an incentive to combine personal data from their customers’ Web-browsing habits with information they glean from bundled services, such as TV-viewing habits, privacy advocates say. This allows broadband providers to create comprehensive profiles of subscribers, they suggest.

“ISPs have access to enormous amounts of sensitive Internet data their subscribers transmit,’ says Yosef Getachew, policy fellow at digital-rights group Public Knowledge. “This unique window allows them to paint a detailed portrait of a consumer’s life and sell this information to the highest bidder without their consent.”

The major concern about the lack of rules isn’t that ISPs will sell data to other companies, adds Jeffrey Chester, executive director for online privacy group the Center for Digital Democracy. Instead, it’s more about allowing other companies to combine their data with ISPs’ for cross-device targeting, Chester says.

“Phone and cable companies are building massive data-targeting apparatus, filled by acquisitions such as Yahoo and Time Warner,” he adds.

Many privacy advocates also have complaints about Google, Facebook, and other large Web companies that track users across the Internet. Most would welcome comprehensive privacy rules that cover ISPs, websites, social media, apps, and other online services.

Groups like Public Knowledge have been pushing Congress for years to pass wide-ranging privacy regulations, but lawmakers haven’t been able to make it happen.

In May, Rep. Marsha Blackburn, a Tennessee Republican who led the fight against the FCC’s rules, introduced legislation that would require ISPs and websites to notify customers of their privacy policies and get opt-in permission to share sensitive personal information.

While most consumers would welcome strong privacy rules, one-size-fits-all regulations may not work, Getachew says.

“Consumers expect a certain level of privacy protection, regardless of the types of services they use,” he says. “[But] ISPs, dominant platforms like Google and Facebook, and small online startups all have different business models, and adopting the same privacy framework for all of these services without carefully considering the impact may be problematic.”

The FCC first passed its ISP privacy rules as a follow-up to the agency’s 2015 Net neutrality rules, which moved the authority for policing ISP privacy from the FTC to the FCC. The FCC, then controlled by Democrats, had classified broadband as a regulated, telecommunications-like service under its authority in an effort to give the Net neutrality rules a strong legal foundation.

The FCC, now under Republican control, now plans to repeal Net neutrality rules. If it does, privacy oversight for ISPs would go back to the FTC, which brings complaints against companies only after they violate their own privacy policies.

But some critics of the FCC’s rules question whether privacy advocates or consumers should be concerned about a current lack of ISP oversight from the federal government. The current oversight “gap” also existed between early 2015, when the FCC passed its Net neutrality rules, and late 2016, when it passed its ISP privacy rules, notes Evan Swarztrauber, director of public affairs at free-market think tank TechFreedom.

“The FTC has already said that an ISP selling consumer data requires an opt-in, so the doomsday scenario of ISPs ‘selling consumer data to the highest bidder without their consent’ is already illegal,” he says. “If people are looking to see if ISPs are going to dramatically change their privacy practices, they’re unlikely to find anything of note.”