Looking Back at the 2017 Repeal of U.S. Broadband Privacy Rules


In April 2017, consumer privacy took a body blow when U.S. President Donald Trump signed a repeal of the broadband privacy rules set in motion by the Obama administration. The yet-to-be-enforced FCC rules required Internet Service Providers (ISPs) to obtain consent from customers to allow the use of their personal data for advertising and marketing. With ISPs providing the gateway to the internet, consumers would be giving up private information on their location, web browsing habits and other data that can facilitate online behavior tracking and targeting.

If you live either in a developing or developed country, chances are that you use the internet for both private and business activities – in fact it is unimaginable in this day and age that an individual could thrive in our industrialized society without access to online services. Those who use the internet must make use of the services provided by an ISP – and this is increasingly exposing them to data mining practices by the very ISPs that provide these essential services.

In the U.S. at least, broadband internet users had previously taken comfort in the fact that they were provided with at least a measure of protection from ISPs hoping to use their data for marketing purposes – and even from the on-selling of this data to external marketing companies.

In 2015, the U.S. Federal Communications Commission (FCC) reclassified broadband providers as ‘common carriers’, and set about developing a new set of online privacy rules that were stricter than those of the Federal Trade Commission (FTC). Specifically, the rules would have added web browsing history to the list of things that companies needed customers’ opt-in permission to sell. Already on that list was sensitive information such as social security numbers, medical information and location data.

Repeal of broadband privacy rules

At the beginning of the second quarter of 2017 this changed. The American Congress took the momentous decision to repeal Obama-era broadband privacy rules developed by the FCC that protected the privacy of individual ISP customers and to forbid the FCC from issuing similar rules in the future. This decision was then signed into law by President Donald Trump.

Applauding the move, FCC Chairman Ajit Pai said in a statement, “President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers.”

This happened in the face of vocal objections by voters; however, neither the representatives of the Republican Party nor the FCC or FTC were moved by pleas to leave the protections in place. Instead, the public was assured that nothing would change: that the ISPs could be trusted, in essence, to police themselves, that users’ data was as safe as it had ever been, and that broadband privacy would continue to be respected.

Single standard across the internet ecosystem?

The argument many politicians put forth was in favor of what they labeled ‘consistency’. Those in favor of the new legislation were of the opinion that if Google, Facebook and other owners of social media sites can mine personal information for use in targeted advertising, then why should ISPs not be able to do the same? According to Republican representative Greg Walden, “What America needs is one standard across the internet ecosystem.”

It’s worth noting that the new legislation was promulgated before the Obama-era broadband privacy rules came into effect – so ISP customers were technically not losing any protection; they were simply not going to enjoy enhanced internet privacy.

A flawed argument against broadband privacy

Even the most casual observer of the capitalist system would come to the conclusion that this approach is a patent absurdity. It seems incredible (in the truest sense of the word) to expect a company that is entirely driven by reporting profits to its shareholders to ignore the revenue generating potential of leveraging the vast amounts of information that would be available by mining the data provided by the habits of its customers.

The fact of the matter is Google and Facebook offer services which are at least nominally ‘free.’ The deal users make is that in exchange for using their services they will mine data to provide (amongst other things) targeted advertising. Google at least makes advertising expansions expressly opt-in.

If the U.S. wants to continue doing business with other regions, it will have to take into account the latest evolution of privacy rules in those regions, such as the EU. The latest GDPR rulings suggest that this approach to privacy will simply not meet the increasingly high standards set in greater Europe. The confusion surrounding responsibilities between the FCC and FTC will only muddy the waters.

Scenario: The worst case

At this point, unless new legislation is promulgated in the U.S., there is nothing to stop an ISP selling data without asking the permission of its customer. The scope for abuse is enormous. And it is now not only browsing data – it’s every piece of information that the ISP can gather.

This raises nightmare scenarios such as insurance providers being able to buy information that would allow them to profile ISP clients according to their medical history and potentially refuse to pay for medical treatments. And that is only the tip of the iceberg. Direct selling organizations would dearly love to have location information that would allow them to further tighten their approach when reaching out to consumers – and this may have grave implications for those already bombarded with marketing messaging.

What next? It’s complicated

The primary argument for repealing these broadband privacy rules was that the FTC already handles privacy protection. The FTC does handle issues such as when (hypothetically) Target’s loyalty card system gets hacked, or if Facebook or Twitter are involved in collusion to exploit members. But in 2015, the FCC exerted authority specifically over ISPs, removing them from the FTC’s jurisdiction.

The repeal of the existing legislation puts responsibility back in the hands of the FTC. But, and it’s a big but – the FTC is legally barred from regulating ISPs. The FCC’s move in 2015 actually allowed the FTC to take the lead when problems were identified on the business side of the ISP. A good example would be price fixing on a national level. But a recent court decision put ISPs solely in the jurisdiction of the FCC.

So the consumer is faced with a situation where both the FCC and the FTC are now barred from making broadband privacy rules for ISPs. In effect no one is policing the privacy rights of ISP customers.

Technically the FCC still has some authority over telecoms, but the current commission has made it clear they don’t consider ISPs telecoms. The latest moves on the legislative front mean that, in essence, ISPs have carte blanche when it comes to their subscribers’ data. All is not completely lost – there may be some ways that the current situation can be remedied. New broadband privacy guidelines could be drawn up by the FCC – the danger is that they would too closely resemble those that have recently been rescinded and would therefore be rejected.

Congress would have to pass new legislation that would give the FCC authority over common carriers.

ISPs could still sell customer data without asking for explicit permission. But it might level the playing field and bring some semblance of order to the rules. Politicians in the U.S. should have started down that path. Instead, they chose a path that preserves inconsistency and creates even more confusion. The only thing that is currently certain is that the privacy of ISP customers in the U.S. remains compromised.

The example of the U.S. is illustrative of the fraught relationship between government, big business in the form of ISPs and customers – or the man on the street. Other countries and regions such as the EU are taking careful note of the complexities that can surround these relationships and the increasingly complex nature of privacy in the age of the internet. The U.S. authorities would do well to study the results of extensive research that has been done elsewhere in order to comply with norms that the rest of the world is rapidly coming to accept. If the idea is to bring ‘consistency’ to the U.S. market then the same ideal should apply to bringing that entire market into compliance with what is happening across the globe.