5 things to watch in Internet privacy fight

Getty

Advocates are pressing the Federal Communications Commission to quickly propose strong Internet privacy rules, one of the unfinished parts of last year’s net neutrality order.

The agency is expected to release a proposal any month now. It'll come after nearly a year of meetings with stakeholders about the scope of the commission’s new authority.

The FCC’s controversial decision last year to reclassify broadband Internet as a telecommunications service also gave it new authority to police the privacy practices of companies like Comcast, Verizon and AT&T.

ADVERTISEMENT
Decisions will have to be made about what information should be private, how companies get consent from customers to share that information, and how to handle data breaches.

A formal rule making process has been put off since net neutrality rules were approved, and an initial fall 2015 deadline for proposed rules has already passed.

As the clock ticks and pressure mounts, here are five important factors shaping the debate. 

 

Scope of FCC authority

The 1934 Communications Act requires all “telecommunications carriers” to protect the confidentiality of customer information.

The FCC’s enforcement authority traditionally applied only to phone companies and voice service. But now that Internet service providers (ISPs) like Comcast and Verizon have been reclassified as telecommunications carriers, the privacy concerns of their Internet offerings fall under FCC authority. 

The FCC has detailed rules governing telephone customers’ privacy, but it must now write separate rules to apply to Internet service specifically. In the meantime, the FCC has issued vague guidance telling service providers to take “reasonable, good faith steps” to comply with the law. 

Opponents of net neutrality, who question the FCC's new privacy powers will be watching closely to see how expansive the new rules will be.

The FCC's authority, though, won't extend to Web companies like Google or Facebook, whose business model sells targeted advertising based on user data. They are still regulated by the Federal Trade Commission.   

 

New tracking technologies

Advocates for strong privacy rules point to Verizon as evidence service providers are increasingly looking for ways to profit off customers’ private information.

They point to the company’s $4.4 billion acquisition of AOL’s advertising technology and last year’s controversy about a hard-to-delete Verizon “supercookie” that helped track the mobile Web traffic of customers to offer up more targeted ads.

Last year, the FCC said it was looking into the controversy and Verizon created an opt-out feature under pressure. 

Advocates say strong privacy protections are important because “subscribers have no choice but to share this information” since they have little choice in service providers.

Most consumers have a choice between four mobile carriers and between 1 to 3 Internet providers.

How the FCC views the supercookie could help establish its privacy and data security standards.

 

Pressure from tech and consumer groups

Both sides in the internet privacy fight have drawn their battle lines and are ramping up their efforts to sway the agency.

A group of nearly 60 consumer groups and digital activists pressed the FCC to come out with “strong” proposed rules “as quickly as possible" in a letter this week.

It was signed by groups including the American Civil Liberties Union, the Center for Digital Democracy, Public Knowledge, the Electronic Frontier Foundation, Free Press, and Consumer Watchdog.

On the other side, large telecom industry trade groups like the National Cable & Telecommunications Association saythe new legal burdens of complying with privacy laws would cause “irreparable harm." They say there is no evidence that their “existing privacy and security measures are wanting.”

Telecom companies have raised concerns about the costs of changing existing practices, like using information about a broadband customer to sell them other services, like voice or TV. 

 

Data access

Internet service providers usually have the ability to see every site a customer visits, when they visit it and for how long.

Advocates for strong rules say service providers have the potential to access more information than Web companies like Google or Facebook because they “are able to collect a constant stream of information across multiple devices and multiple platforms,” according to the Open Technology Institute (OTI). 

The increasing adoption of encryption, usually signified on a site by the letters “HTTPS” and a lock, has limited the information that Internet service providers can access in recent years.

Without that protection, service providers would be able to have access to private chats, the content of emails or information about the products people purchase. OTI says that about 65 percent of Internet traffic in North America is not yet encrypted, but others say protection is quickly rising.

Virtual private networks (VPNs) can also shield an ISP from even seeing the websites a customer accesses, but those are not widely used.  

 

Consumer protections

The Communications Act bars telecom companies from using customer proprietary network information (CPNI) for purposes other than providing service. 

Advocates are calling for a broad definition of customer proprietary network information to now include data like, “subscriber location information, sites visited, specification of connected devices, and time, amount, and type of Internet traffic.”

They want to require providers to get affirmative consent before sharing or even collecting customer information for purposes other than providing service. They want customers to opt-in and to be made aware of the information covered.

They also want the FCC to require providers to disclose breaches to customers and hold them accountable for a failure to protect against an attack.