At its March 31 public meeting, the agency voted 3–2 in favor of releasing a Notice of Proposed Rulemaking (“NPRM”) on “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.”
The almost 150-page document — containing more than 500 questions for public comment — is the Commission's blueprint for broadband consumer-privacy protections. Initial public comments on these questions are due at the end of May.
The FCC is building on its 2015 Open Internet Order, which reapplied Title II of the Communications Act to broadband providers, reclassifying them as common carriers. Last year the Commission told broadband providers that privacy protections were coming, based on Section 222 in Title II of the Communications Act. The beginning of the formal proceeding to get those rules in place has arrived.
These rules are much needed for internet users and long overdue. As the FCC notes in the NPRM, “absent legally binding principles, those [broadband] networks have the commercial motivation to use and share extensive and personal information about their customers.”
Companies like AT&T, Comcast and Verizon are the gateways to the internet and everything on it. By virtue of their position, they have near-unfettered access to data about the websites we visit, to our unencrypted online communications, and records of all the apps and services we use.
Should the FCC fulfill its congressional mandate and adopt strong safeguards, the rules would represent some of the most robust consumer-privacy protections put forward by the federal government. The agency recognized that ISPs need some access to private information to provide broadband services at all. For example, your ISP has to know who you’re talking to so it can direct network traffic to the right destination.
But they also act as “conduits of consumer information.” As such, ISPs gain “access to very sensitive and very personal information that could threaten a person’s financial security, reveal embarrassing or even harmful details of medical history, or disclose to prying eyes the intimate details of interests, physical presence, or fears.”
These access providers seek to profit in a big-data marketplace that denies consumers control of their private information. At its worst, this perpetuates a system where people can be denied social and economic opportunities based on stereotypes, racial profiling, and other potentially discriminatory determinations.
The NPRM rightly takes the privacy protections afforded to customers of other types of common carriers, like telephone providers, and applies the core privacy principles of “transparency, choice, and security” to broadband. At its root the proceeding focuses on ways to give internet users control over the private information that broadband providers collect.
Protecting customer privacy
In interpreting Section 222 of the Communications Act for broadband, the FCC proposed to cover a wide variety of information including geo-location, website addresses, application usage, and other such “metadata” about the services we use.
This is the type of addressing and usage information that the statute refers to as Customer Proprietary Network Information (CPNI). CPNI tells the provider where we go on the network and how much time we spend at each destination.
The NPRM also asks questions about protecting sensitive data like social-security numbers, racial identity, health and financial information and other personally identifiable information under the statutory term customer Proprietary Information (PI).
Three levels of consent
ISPs use CPNI in a variety of ways to facilitate the effective use of their network. But they might also try to share or sell that network information or customer PI for marketing purposes.
The proposed rules create a framework by which broadband providers must obtain their users’ affirmative consent in most cases before sharing or selling their private information.
The rules contemplate three levels of consent:
Implied consent: Consent for some information use happens when consumers buy broadband internet access. The NPRM says this includes activities necessary for the ISP to provide broadband service, like billing, or even selling additional broadband services and upgrades to its customers.
The NPRM also contemplates recognizing users’ implied consent for sharing information to make sure emergency services like 911 work, and to protect against cybersecurity threats.
Opt-out consent: The NPRM also suggests that consent for some activities may be considered given unless the customer decides against it. Many marketing activities by the ISP and its affiliated companies could fall under this category.
When a broadband provider wants to share information for marketing purposes with its affiliates — to offer bundles of communications services like TV, wireless and home internet, for example — the NPRM says that a broadband provider must give its customers an easy method to opt out of sharing their private information.
Opt-in consent: Sharing information in this category can only happen if customers affirmatively give their broadband provider consent to share it.
Under the proposed rules, the majority of uses for private information would require broadband providers to actively ask their customers for consent before sharing information. This includes using CPNI and customer PI for reasons other than providing the underlying broadband service or marketing an ISP affiliated communications-related service. ISPs would need to get affirmative consent from their customers before sharing personal data with third parties.
While there may be room to question the “opt-out” tier described above, all of the proposals in the NPRM represent a vast improvement over the status quo.
Free Press has concerns about implied consent for upselling broadband products and sharing so freely with affiliates; but the vast majority of questionable personal information sharing activities would require the affirmative consent of customers. That means Verizon wouldn’t be able to retain information on its customers’ internet traffic and sell it to other companies without first gaining customers’ permission.
Possible prohibited practices
The NPRM also asks whether there should be rules limiting or outright banning certain practices that may negatively affect customer privacy, no matter whether some customers might opt-in or not. The most troubling of these practices is making service contingent on waiving privacy rights, or reducing the price for service only if customers agrees to relinquish control of their data.
Some companies and economists may portray such pay-for-privacy schemes as a valuable and fair market exchange. But they have the potential to harm the millions of internet users who already struggle to get online, and simply can’t afford to pay more for privacy.
Making internet access entirely contingent on waiving privacy rights means consumers either have to let broadband providers track their online activity or lose service entirely. A pay-for-privacy scheme means that companies could offer a discount for those willing to give up their privacy, but it’s just as easy to characterize this as a penalty for customers asserting their privacy rights.
The FCC recognizes that these kinds of plans can “unfairly disadvantage low income or other vulnerable populations who are unable to pay for more expensive, less invasive options.” The FCC needs to take extreme care in analyzing and then regulating these practices to make sure that privacy is not a luxury available only to the rich.
Ensuring that low-income families and other vulnerable populations can meaningfully assert their privacy is an important civil-rights issue. Data brokers can and do build into each and every person’s profile that individual’s race, income level, sexual orientation, familiarity with English, and other categories that can be used to discriminate.
These profiles can be used against internet users seeking insurance, buying medical products, or applying for loans. The FCC can’t prohibit the practices of the data brokers to whom ISPs sell customer data, but it can at very least regulate carrier practices and require your broadband provider to obtain permission before selling such sensitive information.
While selling customer PI raises major privacy concerns, so does collection and retention of this data.
The more information companies collect about our online activities and the longer they retain it, the likelier it is that criminals will hack into a company’s database and use our personal information against us. Hundreds of such data breaches occur each year.
It’s worth noting again that broadband providers have to collect and use information to some extent just to provide you with broadband service. But having this level of access to detailed and personal information suggests that ISPs should be subject to clear rules to protect that data.
That’s just what Section 222 does — it commands carriers “to protect the confidentiality of proprietary information.”
In the NPRM, the FCC proposes a system of corporate accountability for data breaches and third-party misuse of customer information, while also asking for comment on mechanisms for limiting data retention and notifying users when their data has been stolen or otherwise breached.
ISPs must be held accountable for data breaches and must accept their responsibility to safeguard the data they gain access to to make their networks work.
Protecting consumer-privacy rights and giving users the dignity of choice and control over their data may be one of the last major actions of FCC Chairman Tom Wheeler’s term.
ISPs shouldn’t be able to make money by selling information about their customers’ private lives without permission. And yet these companies are now mobilizing to stop the proceeding before it even starts, arguing that additional privacy protections will “confuse consumers.”
The FCC proceeding is an opportunity for internet users and privacy advocates to say otherwise. Millions of people have already taken action to demand better privacy protections from Congress and the White House. That’s a clear message that should resonate at the FCC as well.