Yes, There Are Other Laws That Protect Privacy, But FCC's Rules Were Still Helpful
from the setting-the-record-straight dept
There’s been a lot of hype and confusion about Congress’s decision (supported by the new FCC) to kill off the broadband privacy rules that were put in place late last year by the Tom Wheeler FCC, though they had not yet been officially implemented. As we noted, it’s an unfortunate exaggeration (pushed by some well-meaning folks) to say that ISPs will now be packaging up and selling individuals’ specific browsing history. That’s just not true. Some people responded to us by noting that just because that’s not how the ad market works today, it doesn’t mean that won’t change. But… that’s probably not the case. Don’t get me wrong: getting rid of these privacy rules is still a really bad idea, but let’s look a little deeper at what ISPs can’t do, before we explain why those privacy rules are still important.
First off, as we noted, the market for internet data is not in sharing some sort of dossier on what you like, but rather connecting into a marketplace, where the information is shared for the purpose of displaying ads, but not in a way where your actual info goes to the advertiser. That is, when you, say, go shopping for a camera, and then start seeing ads for cameras everywhere, it’s not that the camera makers now know that you, Joe Schmoe, like cameras. Instead, what happens is that some company took that info (Joe Schmoe is shopping for cameras) and put it into a marketplace where real-time bidding happens for ad placement. When Joe Schmoe visits another site, there’s a near-instantaneous call out for who will pay the most for the ad slot, and included with that call is, effectively, the info that this otherwise anonymous person was just looking at cameras. The camera company will say “I’ll pay an extra $0.0002 for that ad compared to the TV maker” and thus the camera ad gets shown. The camera maker or retailer never knows it’s Joe Schmoe, and doesn’t somehow “know” anything more about Joe.
But… but… but… people say. There are data brokers out there who do sell more personalized profiles on you. And… that’s true. Many of those companies are pretty awful. But that’s unrelated to any of this. And, no, the ISPs can’t just turn themselves into the next big data brokers.
Even without the privacy rules, there are rules that prevent that from happening. Section 222 of the Communications Act still stops carriers from selling your info. Of course, that’s part of Title II of the Telecom Act, so if the FCC or Congress figure out a way to roll back Title II, there is at least some greater concern. Separately, as Orin Kerr notes at the Washington Post, certain other “surveillance” activities by service providers are limited by the Wiretap Act — and there are some fairly stiff penalties should a broadband provider end up on the wrong side of that. Kerr (and others) have used these laws to suggest that the privacy rules repeal isn’t that big of a deal. That’s inaccurate.
Both of these things can be true: repealing the privacy rules does not magically create a free-for-all with your ISPs out there “selling” your browsing history to the highest bidder and the privacy rules were useful and should not have been repealed.
The issues are — as with so many things — a bit more nuanced than folks on either side of the debate are making them out to be. Again, part of this goes back to the way in which online advertising works and the ways in which your data is mined and used.
Broadband providers have a fairly terrible history in respecting your privacy. No, they haven’t been directly selling browsing history dossiers, but they do have long histories of snooping on you in ways that were (1) totally hidden from you and (2) extremely difficult to block. Both AT&T and Verizon, for example, were caught using nearly undetectable “super cookies” to secretly track users across multiple devices and networks — which (despite promises that they couldn’t be abused) were abused by advertisers.
And this gets back to another point that I’ve made repeatedly over the years: privacy is not a “thing,” rather privacy is about a set of trade-offs, in which individuals recognize that they give up some privacy for some benefit and then get to decide if it’s worth the trade-off. The extreme example I’ve used in the past is that if you leave your home to go to the store to buy some milk, you are giving up a tiny bit of privacy. Someone may see you leaving your house. They may recognize you. They may see that you’re buying some milk. For most people, it’s easy to judge the costs and benefits of that trade-off and to decide that the minimal loss of privacy is worth it for the ability to buy the milk (some people — such as celebrities with paparazzi followings — may view the trade-off differently).
But the really important thing in privacy settings is making sure that two things are true for individuals: (1) that they have the information necessary to weigh the benefits and costs of the trade-offs and (2) they have some control over those trade-offs and can adjust at least some aspects of them, by having the options be more granular and controllable.
The problem with ISP snooping and the related advertising efforts is that neither of these conditions tends to be met. The snooping is done in a way that is surreptitious and not at all clear to the end user, and their ability to control how it’s done, and perhaps change some of the factors involved, is basically non-existent. The FCC’s rules (somewhat weakly) were put in place to change that. First, they required more transparency about what your access provider was actually doing and, second, gave the end user more control by requiring opt-ins to particularly “expensive” behavior and opt-outs to less privacy-invasive offerings.
This is what makes people — quite reasonably — upset. If they were given transparent understanding of what was happening, with at least some ability to control the situation, then they could decide for themselves what information is worth giving up for what services. But, instead, the internet access industry and the online ad industry apparently continue to believe that the only way they can do what they want to do is to trick people into letting themselves be spied on, and to hide the reality of the situation. This is dumb, and will do much more harm than good to the internet in the long run.
The danger here is not so much that Verizon will be selling me the websites that you visited. It’s that these ISPs, which get tremendous insight into where you surf, will make use of that data in ways you don’t understand and don’t control, and do things that make you feel more and more uncomfortable, and less interested in using services that can and do provide tremendous benefit. That is not good for anyone. It makes people less trustful of their services, and less willing to use the internet in unique and innovative ways. If there were a truly competitive broadband market, then that situation would be limited. Verizon or AT&T’s bad behavior would be limited, because people could go elsewhere. But the issue we have today, in the US especially, is that for many users, there really are no other options — which is why those companies have been repeatedly caught doing those kinds of sketchy, privacy-invasive things in ways that their paying subscribers are both kept in the dark about and given little to no way to block.
So, no, killing these new privacy rules won’t create new data markets of your browsing history — and, yes, there are other laws in place that block ISPs from doing truly egregious activity. But the lack of a competitive market, and the nature of online advertising, combined with the fairly stupid belief that people need to be tricked into giving up their info, creates a dangerous environment, one that will harm both end users and innovation. The former FCC privacy rules took a (very small) baby step towards preventing that kind of situation… and now they’re dead.