Broadband Industry Has A Hissy Fit As FCC Unveils Some Fairly Basic New Broadband Privacy Protections
from the sky-is-falling dept
As had been hinted at for months, the FCC formally unveiled its plans to apply some relatively basic privacy protections for broadband service. And while you’ll likely see the broadband industry bitching up a storm over the next few months, none of the requirements are particularly onerous (and many are things ISPs are doing already). The agency’s full announcement (pdf) notes the rules will require that ISPs a) be transparent about what they’re doing, b) have basic systems in place to protect collected data and alert users in case of data breach, and c) provide users with opt-out technology that actually works.
When the FCC reclassified ISPs as common carriers under Title II, ISPs were automatically subjected to Title II’s Section 222 privacy protections regarding “customer proprietary network information” (CPNI). But because those rules were largely designed for ye olde phone company, the FCC is updating them to become very basic rules of the road for handling customer data. ISPs have been quick to complain that they shouldn’t face privacy protections that go beyond what Apple and Google deal with, but the FCC correctly argues that the lack of broadband competition makes ISPs a unique animal:
“A consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.”
ISPs have also argued for the better part of a decade that they should be allowed to self-regulate on the privacy front, but their behavior has repeatedly indicated they’re not actually capable of this. Verizon, for example, was caught last year modifying user packets to track users around the Internet and build detailed subscriber profiles. The company engaged in this behavior for two years before it was even discovered by security researchers. It took another six months of public and FCC pressure for Verizon to even provide working opt-out tools.
Preparing for the FCC’s announcement, the broadband industry has been pushing a number of “studies” trying to argue that broadband privacy protections also aren’t necessary because users can protect themselves with encryption or VPNs. But plenty of household data isn’t encrypted (including most IoT devices), and the FCC is quick to note that the lack of broadband competition makes the sector notably different from, say, search engines:
“Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers - including private information such as a chronic medical condition or financial problems.”
In short, what the FCC’s doing is again relatively straightforward and basic, and most ISPs will be doing this stuff anyway. But that didn’t stop AT&T from taking to its policy blog to complain that the modern broadband industry is just too damned evolved for privacy protections:
“In the 1980’s telecommunications industry, when companies were required by law to stay in their lanes, it might have made sense to have rules that applied only to one set of providers in an industry. But that was 30+ years ago, and we are long past that stage in U.S. communications policy…Limiting ISPs’ ability to compete with ad supported business models - which are overwhelmingly favored by consumers - is bad for consumers and ultimately bad for broadband investment in this country.”
Except you should stop and take a look at what AT&T’s vision of modern broadband privacy standards looks like. The company has been using deep packet inspection to track its U-verse broadband customers for years. But instead of making it easy and transparent to opt out, AT&T not only requires that its broadband customers jump through a number of confusing hoops, but actually charges customers upwards of $60 per month to do so. When you understand that AT&T’s vision of the broadband privacy future involves making actual privacy a cumbersome paid luxury, you can understand why companies like AT&T are opposed to even the most basic protections.
The FCC’s also making it very clear it’s not thwarting “innovation” in the user-tracking space, or seriously hindering the cash cow that is tracking users online. That was illustrated with the agency’s recent settlement with Verizon over the aforementioned stealth trackers; the settlement lets Verizon happily continue fiddling with user traffic for the benefit of tracking them, just as long as the company’s clear about what’s happening and provides working opt-out tools. That’s really not a big deal by any standard.
So while you’re going to see ISPs and friends bitch endlessly about this being “yet another heavy-handed FCC power grab” and the like, there’s really not much here to be afraid of. It’s also worth remembering that ISPs like AT&T and Verizon had every opportunity to preempt privacy regulations by showing they were capable of self-regulating, but failed repeatedly and painfully at the task.