The FCC this week informed broadband ISPs that the agency is no longer going to be napping at the wheel when it comes to broadband-related privacy enforcement. In a new enforcement advisory posted to the FCC website (pdf), the FCC said that with ISPs now classified as common carriers under the new Title II based net neutrality rules, the FCC’s going to be taking a long hard look at improving broadband privacy protections. While the actual rulemaking process is still being worked on, the FCC will be leaning on Section 222 of the Communications Act, historically used to protect Customer Proprietary Network Information (CPNI) on phone networks.
ISPs have already started complaining the FCC’s imposing draconian, ancient regulations on the modern Internet, and such rules will saddle them with all manner of new costs. Of course it should be noted that most of these privacy protections are fundamental common sense — and in some cases things most ISPs are already doing. They range from from requiring that ISPs keep private consumer data encrypted when being stored on servers, to not sharing consumer data with third parties without the explicit consent of consumers. The FCC shockingly found that absent such protections, things don’t work out well for consumers:
“The Commission has found that absent privacy protections, a broadband provider’s use of personal and proprietary information could be at odds with its customers’ interests and that if consumers have concerns about the protection of their privacy, their demand for broadband may decrease.”
Of course ISPs have grown pretty comfortable with regulators that couldn’t care less about (or lacked the authority to police) broadband privacy abuses. One case in point is Verizon’s recent decision to manipulate wireless traffic to create new, undeletable super cookies. Despite the fact it took security researchers two years to find Verizon’s zombie cookie and another six months for Verizon to even seriously acknowledge a problem, the telco has historically tried to argue greater privacy protections aren’t needed for broadband and wireless because “public shame” will keep the company honest.
Many users also might recall how ISPs have long sold user clickstream data to third parties, but have historically denied that they collect any of this data whatsoever. Similarly, AT&T has been charging its gigabit fiber users a $44-$66 fee if they want to opt out of having their traffic snooped on via deep packet inspection. In both instances regulators simply couldn’t have cared less. Obviously having regulators do absolutely anything at all to protect broadband user privacy is a pretty unsettling change for a industry awash in regulatory capture.
While the FCC hasn’t yet solidified the rules for modern broadband networks, it is telling ISPs that it can reach out to the FCC if they have any questions about how the FCC intends to interpret the rules in the snoopvertising age moving forward:
“Although no broadband provider is in any way required to consult with the Enforcement Bureau, the existence of such a request for guidance will tend to show that the broadband provider is acting in good faith. The application of Section 222 offers an opportunity for broadband customers to increase their demand for broadband by knowing that their privacy is well-protected. In that goal, the Enforcement Bureau believes its interests and those of the great majority of broadband providers are firmly aligned.”
While I know there’s an amazing amount of cognitive dissonance (my own head included) forged by the idea that a government so horrible on surveillance issues could possibly do anything good on the privacy front, the FCC’s recent track record of actually giving a damn about consumer issues is encouraging. It’s as if the FCC has awoken form a long, deep slumber, and after fifteen years of being an empty-headed bobble head doll, has suddenly started caring about issues like broadband competition, massive, billion-dollar telecom industry scams and state protectionist telecom laws.
None of this is to suggest FCC over-reach on privacy is impossible, but based on Wheeler’s behaviors of late it seems likely the FCC’s just looking to impose some common sense ground rules. Still, there will certainly be no limit of handwringing among ISPs how some basic broadband privacy protections will destroy the Internet. You know, just like the net neutrality rules are obviously doing.