There’s no doubt the Federal Communications Commission (FCC) has raised its profile of late in the privacy world. A number of high-priced enforcement actions, a long-awaited net neutrality order and a new director of enforcement have all contributed to the impression of an agency poised to flex more of its enforcement muscles in the near future.

On Tuesday, the dialogue about what the FCC’s role should be in protecting consumers' privacy as they use broadband services was in full force during a workshop hosted by the agency. Moderated by representatives from the FCC and the Federal Trade Commission (FTC), and informed by a wide range of industry, academic, legal and advocacy voices, the two-panel conversation examined several complex issues in the digital landscape.

Three main issues emerged from the day’s conversations: What defines an Internet service provider (ISP); what roles should the FCC and FTC play regulating those service providers; and how broadly should mandates to protect customer proprietary network information (CPNI) be applied to service providers?

“What is an ISP?” asked University of Pennsylvania Prof. Matt Blaze in his introductory presentation. “No one seems to want to be one.” Instead, the term has been replaced by broadband provider or wireless provider, or something slightly different, he said. Moreover, Blaze said networks have moved beyond mere facilitators of broadband data into smart networks that use “deep packet inspection (DPI),” domain name systems (DNS) integrated with search and cookie injection for tracking purposes.

“ISPs don’t just play one role within the ecosystem,” said the National Telecommunications and Industry Administration’s John Verdi. “Sometimes they act as service providers; sometimes they act as mobile app providers. It’s important to think about how these entities play these different roles in the ecosystem. Depending on that role, it has implications on how privacy notice and controls are provided to users.”

On one end of the debate, New America's Open Technology Institute Senior Policy Counsel Laura Moy contended that ISPs are “gatekeepers” that are in a unique position to track everything within their “essential service.” She said ISPs can inject headers into web traffic and can see what devices their customers use and websites they visit. Plus, Moy pointed out, in many areas, consumers do not have the option to choose among ISPs.

“The data we collect is not unique,” countered AT&T Senior Vice President-Federal Regulatory and Chief Privacy Officer Robert Quinn. “There are hundreds of companies that have the ability to track users,” he noted. “What page doesn’t have a Facebook like button?”

Quinn, citing the “democratization of data,” said organizations no longer need to be big companies to track users. For example, he said, the BlueKai "bluebook" has 60 different data sources where an interested organization or individual can purchase data on consumer categories, interests, ZIP codes, Google and Apple IDs. “All they need is a credit card,” he added. Quinn also said AT&T requires opt-in consent before the organization uses personal information.

“Just because there are hundreds of actors in the ecosystem doesn’t mean we shouldn’t consider protection for ISPs,” Moy argued. She also said AT&T charges customers extra to not be tracked, which leaves less-wealthy users in a disadvantaged position with their privacy.

Connecticut Assistant Attorney General (AG) Michelle Lucan noted she would be “surprised if it were the case that broadband providers are not in a unique position” as so-called “gatekeepers.” In addition to federal authorities, Lucan said state AGs have a role regulating the ecosystem. “Some of the best cases to come out of our office,” she said, “were in collaboration with other agencies.”

Yet, Quinn called “entity-based regulation” a “last-century approach to privacy,” saying it’s not “sound public policy.” He said, “Having two agencies (the FCC and FTC) regulate the advertising industry,” for example, “is an entity-based regulation. We should have a single policy for everyone and a consistent approach to it.” He offered that legislation could be one way to approach some of these issues. For the communications agency, Quinn called for “a consistent approach to privacy that doesn’t impede us in the ecosystem.”

DLA Piper Partner Jim Halpert said the FCC should apply a similar set of criteria as the FTC in regulating privacy. “This approach will avoid confusion,” he said, adding it’s important the FCC’s enforcement coincides with consumer expectations. “Look at your phone,” Halpert said. “Consumers wouldn’t think there are different sets of rules (for protecting their privacy) that apply here. Ultimately, applying a similar set of criteria as the FTC would fit consumer expectations and would be more popular with legislators looking to pass data breach legislation.”

Halpert pointed out that the FTC has held a workshop on comprehensive data collection and found no single actor in the Internet ecosystem could comprehensively collect consumer data. Plus, he added, “The FTC thinks AT&T has an ongoing value with consumers.”

The future application of CPNI's definition and regulation was also a discussion point during the workshop. Wilkinson Barker Knauer Partner Nancy Libin said Section 222 of the Communications Act was drafted for two purposes. CPNI, she said, is a specific set of data that telephone companies collect for billing purposes. Congress wanted to protect that narrow set of data while also promoting competition. “Section 222 is different from other privacy laws that protect personally identifiable information,” she said, “because Congress wanted to protect a narrow category of information. Therefore, I caution the commission of applying 222 to broadband providers and to adopt a 21st-century approach by regulating consistently across the spectrum.”

Libin said applying Section 222 to broadband is complicated because, unlike telephone access, many entities in the Internet ecosystem—including app developers, operating systems and search engines—all have access to the same consumer information. “In fact,” she added, “some may have more comprehensive data because they may interact with consumers across broadband connections.”

“Data has a special purpose,” Libin said. “It’s the lifeblood of the Internet economy. I would caution the FCC in defining CPNI too broadly as it has a different effect on the Internet ecosystem than it does on telephony.”

The Center for Democracy & Technology’s (CDT) Erik Stallman characterized Section 222 as “a strong statute and model for privacy.” He said the CDT believes “ISPs stand in a unique position” in relation to their customer base and that “consumers’ relationship with broadband providers is comprehensive and unavoidable.” He said this could be an opportunity for looking at more widespread approaches to privacy. “While Section 222 is unique to broadband,” he explained, “it could be an opportunity for the entire Internet ecosystem.”

Georgia Institute of Technology Law Prof. Peter Swire, CIPP/US, said his organizing principle for consumer privacy in the broadband space revolves around the consumer benefits. He broke those up into four categories. Fraud prevention, he said, should match the risks to consumers. Cybersecurity needs to be balanced with privacy, and consequently, cybersecurity professionals should be talking with privacy professionals. Third, he noted, research about network usage should be allowed. He said he worked on the Health Insurance Portability and Accountability Act statute, and as such, “we wanted medical privacy, but we didn’t want to limit medical research.” Finally, de-identification is important. Though there is a widespread debate about re-identification, Swire backed an approach that considers if something is “reasonably linkable.”

“Whatever the FCC comes up with here,” Swire concluded, “it should be something a good-faith company can comply with. I’ve worked with a number of privacy officers who really struggle with this issue.”
