Last Thursday, the FCC released a Fact Sheet announcing Chairman Wheeler had circulated to his fellow Commissioners a proposed Order with new privacy rules for ISPs, along with some high-level details of his proposal.  At the same time, the Chairman posted a blog titled “Protecting the Privacy of Broadband Customers” – a title that implies there is currently no protection for broadband customer privacy and the proposed rules would increase privacy for broadband customers. These implications are made more explicitly in both the fact sheet and the blog, but neither is wholly correct.

The FCC is scheduled to vote on the Chairman’s proposal at the Commission’s Oct. 27 Open Meeting; less than two weeks before the rest of the population votes to elect the next President. 

Just as the presidential candidates make their case for votes in these final weeks, Chairman Wheeler’s Fact Sheet and blog attempt to make arguments and justifications in support of his proposed rules. Many of the statements made are true, but some may be misleading or irrelevant, such as the fact that 91 percent of consumers feel like they have lost control over how companies collect and use their information. When put in context, the FCC’s proposal will do nothing to address that concern. Other statements appear to be true on their face, such as the Chairman’s shift to a sensitivity-based framework; but in practice, the statements may actually be false because the proposal recommends such a broad definition of sensitive information that almost all collected information could be “sensitive,” effectively reverting to the initially proposed use-based restrictions that differentiate between ISPs and edge providers.

In the spirit of the election-year, five statements from the Fact Sheet and the Chairman’s blog are highlighted and evaluated below. 

truth-meter-1-3

When the FCC released its Privacy NPRM, the initial proposal required ISPs to obtain opt-in consent for the vast majority of its uses of customers’ information (regardless of data sensitivity), and permitted opt-out consent for very limited uses of customer information that often require no consent at all under other privacy frameworks. 

According to the Fact Sheet and the blog, the revised proposal takes into account numerous comments, including those from the FTC, resulting in a sensitivity-based framework that only requires opt-in consent for the use of “sensitive” information. However, the FCC’s proposed definition of “sensitive” information goes far beyond the FTC’s framework and recent comments. In addition to information about children, health, financial, precise location, and Social Security numbers (all included in the 2012 FTC report as “sensitive”), the FCC’s proposal also includes the content of communications, browsing history and application usage history.  

It is true that the FTC advocated in its comments to the FCC that the content of a customer’s communications should be considered sensitive. As a consumer, I agree that my communications with third parties should not be harvested from my ISP’s network and used for my ISP’s own marketing or advertising purposes. 

However, neither the FTC nor the Administration has taken the approach that general web-browsing activity or app usage was sensitive – only when it relates to one of the previously defined sensitive topics (e.g., health or children’s information). Nor do consumers generally consider such information to be sensitive, as evidenced in the same Pew Research Center report relied on by the Chairman in his blog, in which less than a third of respondents indicated such information was “very sensitive.” Additionally, both the FTC and the Administration specifically recognize a customer’s implied consent with first-party marketing, while the FCC’s Fact Sheet makes no similar allowance. 

While the devil will certainly be in the details, it is hard to see how the Chairman’s proposal is “in harmony” with other key privacy frameworks. On the other hand, it is easy to envision a sensitivity-based framework where “sensitive” information is defined so broadly that the resulting rule operates more like the FCC’s initially broad use-based restrictions.

truth-meter-2-3

In today’s world, consumers use an average of 6.1 connected devices, many of which connect from varying locations and are served by multiple ISPs. For instance, my home broadband provider may be able to determine that I went to the IAPP’s website to check for late-breaking privacy developments I missed overnight; when I travel to work, my cellphone carrier may be able to determine that I am on the Wall Street Journal’s site; and when I arrive at work, an entirely different ISP may be able to determine that I am using the FCC website. Depending on how those sites use encryption, the ISP may simply be able to determine the sites I visited, but not the actual information accessed. As a result, no ISP has a broad view of all of my unencrypted online activity. In contrast, every one of the sites I visited contains cookies from Google or one of its affiliates, who can correlate all of that activity.

truth-meter-3-3

While this statement may be true, it relates to companies generally, not to ISPs specifically, and originates from a research report titled, “The State of Privacy in Post-Snowden America.” In fact, the report relies on another Pew report that found, “[t]hose who are more aware of government surveillance efforts feel they have less control over the way their information is collected and used on a typical day.”  

The FCC’s proposed rules do nothing to address this. 

truth-meter-4-3

Until very recently, ISPs operated under the same FTC regulatory framework as every other entity that participates in the internet ecosystem. Additionally, every ISP has a published privacy policy and was subject to the FTC’s Section 5 authority over unfair or deceptive acts and practices. As such, ISPs have long adhered to the FTC’s guidance and consumer’s privacy has been protected. There is no indication that any of this has changed, despite the FCC’s 2015 reclassification of broadband Internet access service from an “information service” to a “telecommunications service” now subject to Title II of the Communications Act and the Commission’s implementing regulations, and a recent Ninth Circuit decision that questions the FTC’s ability to use its Section 5 enforcement authority over any aspect of an ISPs business activities. Additionally, the FCC itself has asserted that it can bring enforcement actions against ISPs for alleged consumer privacy harms, even in the absence of established rules. 

Therefore, hints that consumer privacy is currently at risk are misleading.

truth-meter-5-3

The FCC has consistently stated that any new privacy rules will not apply to edge providers. This is exactly the issue and the reason why the Chairman’s proposal should truly be harmonized with other existing and well-understood privacy frameworks. Consumers do not benefit from disparate treatment of their information. To release rules that purport to give consumers “the ability to make informed choices about their online privacy” when in reality those rules only govern one entity in the online ecosystem could actually lure consumers into a false sense of security (or privacy), especially when those consumers do not understand that many edge providers collect vastly more information about them than their ISPs. Many privacy advocates and industry participants alike have argued for comprehensive privacy reform in recent years that would take account of converging business platforms, advances in technology, and greater data collection and use. That, however, is a job for Congress. The FCC is already stretching the legislature’s intent by applying a statute designed to promote competition and protect a narrow type of telephone information to broadband services and activities that simply could not have been anticipated in 1996. 

In the meantime, it would be beneficial for the FCC to adopt consistent rules that re-affirm baseline protections for consumers, while working with other government agencies at the state and federal level, as well as industry, to determine whether additional privacy protections are needed and how they can be effectively implemented by and enforced against all online participants in ways that meaningfully protect consumer privacy. 

Top image: from federal government site, fair use