Broadband Industry Has A Hissy Fit As FCC Unveils Some Fairly Basic New Broadband Privacy Protections

from the sky-is-falling dept

As had been hinted at for months, the FCC formally unveiled its plans to apply some relatively basic privacy protections for broadband service. And while you’ll likely see the broadband industry bitching up a storm over the next few months, none of the requirements are particularly onerous (and many are things ISPs are doing already). The agency’s full announcement (pdf) notes the rules will require that ISPs are a) transparent about what they’re doing, b) have basic systems in place to protect collected data and alert users in case of data breach and c) provide users with opt out technology that actually works.

When the FCC reclassified ISPs as common carriers under Title II, ISPs were automatically subjected to Title II?s Section 222 privacy protections regarding “customer proprietary network information” (CPNI). But because those rules were largely designed for ye olde phone company, the FCC is updating them to become very basic rules of the road for handling customer data. ISPs have been quick to complain that they shouldn’t face privacy protections that go beyond what Apple and Google deal with, but the FCC correctly argues that the lack of broadband competition make ISPs a unique animal:

“A consumer?s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.”

ISPs have also argued for the better part of a decade that they should be allowed to self-regulate on the privacy front, but their behavior has repeatedly indicated they’re not actually capable of this. Verizon, for example., was caught last year modifying user packets to track users around the Internet and build detailed subscriber profiles. The company engaged in this behavior for two years before it was even discovered by security researchers. It took another six months of public and FCC pressure for Verizon to even provide working opt-out tools.

Preparing for the FCC’s announcement the broadband industry has been pushing a number of “studies” trying to argue that broadband privacy protections also aren’t necessary because users can protect themselves with encryption or VPNs. But plenty of household data isn’t encrypted (including most IOT devices), and the FCC is quick to note that the lack of broadband competition makes the sector notably different from say, search engines:

“Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers ? including private information such as a chronic medical condition or financial problems.”

In short what the FCC’s doing is again relatively straightforward, basic, and most ISPs will be doing this stuff anyway. But that didn’t stop AT&T from taking to its policy blog to complain that the modern broadband industry is just too damned evolved for privacy protections:

“In the 1980?s telecommunications industry, when companies were required by law to stay in their lanes, it might have made sense to have rules that applied only to one set of providers in an industry. But that was 30+ years ago, and we are long past that stage in U.S. communications policy…Limiting ISPs? ability to compete with ad supported business models ? which are overwhelmingly favored by consumers ? is bad for consumers and ultimately bad for broadband investment in this country.”

Except you should stop and take a look at what AT&T’s vision of modern broadband privacy standards looks like. The company has been using deep packet inspection to track its U-verse broadband customers for years. But instead of making it easy and transparent to opt out, AT&T requires that its broadband customers not only jump through a number of confusing hoops, but it actually charges customers upwards of $60 per month to do so. When you understand that AT&T’s vision of the broadband privacy future involves making actual privacy a cumbersome paid luxury, you can understand why companies like AT&T are opposed to even the most basic protections.

The FCC’s also making it very clear it’s not thwarting “innovation” in the user-tracking space, or seriously hindering the cash cow that is tracking users online. That was illustrated with the company’s recent settlement with Verizon over the afore-mentioned stealth trackers; the settlement lets Verizon happily continue fiddling with user traffic for the benefit of tracking them, just as long as the company’s clear about what’s happening and provides working opt-out tools. That’s really not a big deal by any standard.

So while you’re going to see ISPs and friends bitch endlessly about this being “yet another heavy-handed FCC power grab” and the like, there’s really not much here to be afraid of. It’s also worth remembering that ISPs like AT&T and Verizon had every opportunity to preempt privacy regulations by showing they were capable of self-regulating, but failed repeatedly and painfully at the task.

Filed Under: , ,
Companies: at&t, verizon

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Broadband Industry Has A Hissy Fit As FCC Unveils Some Fairly Basic New Broadband Privacy Protections”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Third party information brokering is mostly whitewashing of malware and a way to legitimize data obtained in decidedly illegal ways. A third party information sharing act should also concern websites since they are the main culprits in legitimizing information laundering.

Third party information sharing is practically comparable to whitewashing of money in some circumstances: As soon as you combine the illegal data with other data in the right way, you can sell it all completely legally! If you are a databroker, why not get better information at a lower price?

Capt ICE Enforcer says:

System Error

OMFG… Everything is now broken because of the FCC tampering with the internet. No Netflix, Hulu, or Prime. Oh No…. The Kurig coffee maker will not work due to my retina scan, Fingerprint, DNA and 3rd grade stick figure drawing being unable to contact their main server to ensure the safest coffee and not lock out competition. Kill me now

OldGeezer (profile) says:

I use AdBlock so I rarely see ads on any sites I use. I also have Ghostery and several opt out tracking extensions. I was using DoNotTrackMe but they changed hands and there was some sketchy behavior like wanting to store credit card numbers. When I go on Amazon the items “suggested for you” are often related to purchases I recently made on other web sites. I don’t want to delete all cookies because I lose the automatic login on frequently used sites. I know this is really no big deal but it still pisses me off that there seems to be no way to get rid of all tracking.

Anonymous Coward says:

Re: Re:

Client-side tracking across sites can be blocked. You can still allow cookies/dom (and you can clear them when you want), the key is to control XSS (cross site scripting) – eg by not allowing third party scripts eg from facebook, then fb cannot access any data. Only allow * and * on

You can control this on a per site level using uBlock Origin (not uBlock, but uBlock Origin) and/or uMatrix. Same author, they have slightly different purposes, but can also work together. Set a default (for me it’s block everything except css and images), then on a per site basis allow javascript or frames etc (this is in uMatrix). It’s not really that hard to understand. It’s a really granular fine control – you can allow specific XSS on a a specific domain: eg you can allow google apis on techdirt, but no where else (by default).

MikeNyrgs (profile) says:

Consumers would be given an opt-in

What is missed in this article, and what seems most important to me about this Notice of Proposed Rule Making, is how consumers would be given an opt-in right to control whether or not a broadband provider could share their network behavior with 3rd parties other than those providing broadband, telecom-related services, and for these, consumers would be given an opt-out right.

An interesting corollary to this, and to AT&T’s practice of charging consumers to opt out of monetization their network behavior, is H.R. 2666, a vague and sweeping bit of legislation that prohibits the FCC from regulating broadband fees. If this were to become law, ISPs, would argue that they could charge consumers for opting out of their privacy rights and the FCC’s hands would be tied. The legislation also threatens net neutrality because it would undercut the prohibition against fast lanes. Critics of net neutrality view this as ex ante fee regulation, forcing ISPs to set a price of $0 to connect edge providers to their customers. The House Energy and Commerce Committee votes on H.R. 2666 tomorrow, March 14, 2016.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...