Actually, Congress Did Undermine Our Internet Privacy Rights
Don't listen to the telecom lobby. Congress' vote to repeal the Federal Communications Commission's (FCC) broadband privacy rules has a profound impact on your online privacy rights.
According to those who supported the repeal, the rules never took effect (they were scheduled to do so throughout 2017), so the repeal doesn't change anything. You hear it from the likes of AT&T as well as lawmakers like Senator Jeff Flake (R-AZ), the author of the legislation who was asked about it at a recent town hall. You are hearing it now in state legislatures that are working diligently to fix the gap Congress created.
But that argument is meant to distract you from the real issue - you had a legal right to privacy from your broadband provider, and when Congress repealed the broadband privacy rules using the Congressional Review Act (CRA), Congress diminished that right and may have hamstrung the FCC from enforcing it in the future.
Here are the facts.
The FCC’s Broadband Privacy Rules Were Based on a Law Passed by Congress
All regulations passed by federal agencies must be founded in laws passed by Congress. In essence, a regulation from a federal agency is supposed to be a means of enforcing the law. Here, the underlying law is Section 222 of the Communications Act (under Title II of the Communications Act). Congress created Section 222 in 1996 as a means to protect our privacy from telecommunications carriers who have unique access to our communications and personal information. There was a window of time when Section 222 did not apply to broadband companies, but as a matter of law today it does. When you look at what the House and Senate said about the law when they passed it, it is clear Congress intended Section 222 to create an affirmative right to privacy in our communications.
The CRA repeal had a direct effect on Section 222. Obviously if the ISPs spent close to $8 million lobbying Congress to pass it, it must have had some impact. Here is what their money bought. Before the broadband privacy repeal, Internet providers had an obligation to follow all of the legal duties and responsibilities that protect our right to online communications privacy per Section 222 through FCC enforcement. But when Congress utilized the CRA to repeal the FCC’s broadband privacy rules, they effectively told the FCC “you can’t enforce the law in this specific way.” There was a lot to like in the now repealed privacy rules, but now that Congress has prohibited the FCC from enforcing those rules (or passing “substantially similar” rules) as a matter of federal law, it is basically up to the states to step in to fully restore our privacy rights until a new federal law is passed or the courts minimize the impact of the repeal.
Some More History on Section 222 in Terms of Broadband Privacy
From 1996 until 2005, Section 222 applied to telephone service and DSL broadband. It was unclear how the law applied to cable modems because the FCC had not explicitly decided how to classify broadband Internet through cable, though cable companies were generally regulated as television providers by the FCC. In an attempt to resolve this discrepancy and harmonize the application of the law the FCC embarked on a long and ultimately failed journey to classify broadband service as an “information service” under Title I while still retaining oversight akin to that for Title II telecommunications carriers through a now defunct legal theory known as ancillary jurisdiction.
This means that even when cable modems were “information services” as of 2002, and DSL in 2005, the FCC still believed it had authority over broadband companies to do things like enforce network neutrality—and did so during a Republican administration. However, Comcast defeated the “ancillary jurisdiction” theory in the courts and Verizon later defeated the FCC again assuring that anything classified as an “information service” under Title I is no longer subject to any meaningful consumer protections (this is also why Comcast, Verizon and AT&T want to be classified as information services today). If the FCC wanted to retain consumer protection authority over broadband companies, they needed to re-evaluate how it applied the law.
As the high speed broadband market became less competitive and given the dramatic power Internet providers can wield over how we use the web, EFF and others strongly advocated that the FCC put broadband back under Title II of the Communications Act so that the agency could enforce simple, light-touch regulations to protect privacy and net neutrality. The FCC (and federal courts) agreed, and in 2015, in a victory for fans of Internet freedom, the Commission re-classified broadband providers as telecommunications carriers under Title II. That means the law Congress passed in 1996 to protect our communications privacy, Section 222 of the Communications Act, once again clearly applied to all broadband Internet providers.
And This is What Congress Took Away
The FCC’s now-repealed and prohibited privacy rules divided Internet subscriber’s personal information into three distinct categories, each requiring broadband companies to get different types of consent from their customers before they could use or disclose that information. Those categories were “sensitive,” “non-sensitive,” and “exceptions to consent.” Sensitive information, including browsing history, app usage data, and the contents of communications, was given the highest protection. Before they could legally use that information for anything other than providing Internet service, your Internet provider needed your explicit opt-in consent.
The FCC agreed with privacy advocates including EFF that carriers have a legal duty under Section 222 (a) of the Communications Act to protect the "confidentiality of proprietary information of...customers." The now repealed privacy rules were the FCC’s attempt to define the contours of that legal duty. The other category of information that was subject to opt-in consent was “customer proprietary network information” (CPNI), defined as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer...made available to the carrier by the customer solely by virtue of the carrier-customer relationship." The full list of what the FCC considered CPNI can be found in paragraphs 58 to 84 of the now repealed Report and Order.
To reiterate, all of these consumer protections listed above are now prohibited as a matter of law and the FCC is not allowed to interpret and enforce the communications privacy law in this way at this time. That is, in essence, what Congress took away with its CRA repeal.
The Cable and Telephone Industry are Not Done Eliminating our Rights
Now that they have a law, Comcast, AT&T, and Verizon are coming in for the final blow against both privacy and Internet freedom. FCC Chairman Pai recently released his plan to reclassify broadband Internet provides as Title I information services. Make no mistake, such a plan will not only end Internet freedom by drastically enhancing the power of Comcast, AT&T, and Verizon to dictate the future of the Internet, but it will assure that any vestiges of privacy protections that remain under a neutered Section 222 are completely removed. Worst yet, the plan ignores the obvious gap in consumer protection that exists for telephone companies ever since the 9th Circuit Court of Appeals found that common carriers are exempt from FTC enforcement as well for the western United States.
We must put a stop to this plan. We came very close to stopping the broadband privacy repeal, and now we have to redouble our efforts, recruit more of our friends, and tell Washington D.C. that we value a free and open Internet that is protected by law.