The FCC Must Update ISP Privacy Rules
It is time for the agency to use its authority to protect consumer privacy.
The Federal Communications Commission (FCC) is collecting comments from the public about how the laws that govern consumer privacy over broadband networks should be applied. In its response, EFF has called on the FCC to ensure that the legal obligations of Internet Service Providers (ISPs) to their customers are clearly established and that the agency prohibits practices that exploit the powerful position ISPs hold as gatekeepers to the internet.
When the FCC reclassified broadband internet service providers as "telecommunications" providers as part of its Open Internet Order, the agency left open the question of how the privacy obligations of telecommunications providers must fulfill apply to ISPs. The Notice of Proposed Rulemaking (NPRM) sets out to answer those questions.
How Best to Protect Consumers
Congress has given several regulatory powers to the FCC for protecting consumer privacy, such as: establishing what type of information is sensitive enough for legal protection; setting restrictions on how private information can be disclosed by companies; determining what type of information cannot be used at all for purposes unrelated to provision of service to the customer; and establishing the steps ISPs must take in order to secure permission from the consumer. These protections are critical because consumers do not have a lot of options when choosing high-speed internet access. In fact, most Americans only have one choice for speeds above 25 mbps. Given that most consumers have no real choice among ISPs, establishing a strong legal duty is necessary to protect private consumer information.
One of the most pivotal privacy provisions within the Communications Act is Section 222(a), which establishes that "every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to...customers." We argue that this legal duty to protect confidential information prohibits ISPs from harvesting consumer data through deep packet inspection (DPI) for purposes that are unrelated to actually providing broadband communications.
We also argued that as part of their general duty to customers, ISPs should not retain personal information for an extended period of time beyond that which is necessary for legitimate business purposes. This, along with restraints on DPI use by ISPs, would ensure that consumers are given the highest level of protection for their confidential information and would avoid making ISP databases of customer information the targets of criminal or foreign governments seeking to exploit that data. Of course, sometimes it doesn’t even take an outside actor to violate consumer privacy: in California, the Public Utilities Commission had to investigate a breach by Comcast when the names, addresses, and telephone numbers of 75,000 Californians was accidentally published despite the fact that these Comcast customers paid extra money to keep their information private.
How to Keep The Rules Up to Date
The FCC is thinking about what types of information falls within protected categories, but trying to be too surgical could end up defeating the purpose of these privacy protections. We've proposed that the agency establish a broad rule covering all of the content of all communications so that an ISP complying with the rules does not need to inquire into the specific contents of a communication to determine if it’s protected. Companies have developed extraordinarily sophisticated methods to collect an array of seemingly unimportant data in order to learn a lot of personal information about an individual. The Commission could weaken the privacy rules it seeks to adopt if it allows certain content to be accessible to the ISP via these methods. Furthermore, given how technology continues to rapidly evolve in this space, the FCC should provide the industry with illustrative examples of what type of information practices comply with the new rules and update those examples frequently.
Transparency is essential for keeping the ISP industry accountable to its customers. The FCC has a few proposals in the right direction, but we think some improvements can be made. Specifically, the agency asks whether ISPs should publish the names of the specific entities they intend to share customer information with. We answer that question with an unequivocal "yes," as the cost of compliance would be negligible and the value to consumers who opt-in is tremendous. In fact, we think it would be a benefit to the industry: consumers would be more willing to opt in to sharing their information because they will be able to check into the third parties that partner with ISPs and decide if they want their information shared. Finally, much in the same vein as the Open Internet Order, the FCC must have the rules apply equally to wireless providers (if not more stringent rules, given that wireless carriers have highly sensitive location information).
Some Potentially Dangerous Loopholes
Two proposals that the NPRM requests comment on involve instances when an ISP can access private information without permission. The Commission’s overall permissions or consent framework sets out three categories: opt-in, opt-out, and no customer approval (or notice) needed. We disagree strongly with the Commission’s assessment that the privacy provisions in the Communications Act allow for a category of personal data where the ISP never needs to notify its customers of its use. Rather, the law envisions ISP use of consumer data to be tied to authorized use through some form of approval. The law does not allow for an ISP to consider "no approval" as "approval."
The NPRM also proposed that ISPs be allowed to invade your privacy under an exemption for investigating “unlawful uses,” particularly in the areas of copyright and trademark infringement. We are concerned that ISPs would simply use DPI technology for all content on the grounds that they are investigating unlawful uses, thus defeating the purpose of the privacy rules. EFF recommended that the agency avoid providing an exemption for copyright and trademark infringement given that Congress already protects ISPs from liability. It should not be the ISPs job to police content as opposed to passing data traffic in a non-discriminatory manner. However, if the agency decides to provide an exemption, it should adopt a narrow rule that requires an ISP to have concrete and specifically identified instances of infringement first, and that notice be provided to the customer.
The FCC is entering its final stage of listening to the public and will begin to make decisions in the coming months on how it should use its legal authority to establish the privacy obligations of ISPs. If you wish to read EFF's full submission you can find it here. EFF will continue to fight for consumers's privacy interests and against efforts to have the agency adopt rules that do little to protect the privacy rights of internet users. Congress passed these laws to curtail the ability of telecommunications carriers to harvest their customer's data and the agency must do its part to update and enforce the law.