Redrawing the Battle Lines in the ISP Privacy Debate

As Americans spend more and more time online and on their devices, they also
want to see increased privacy protections. Last year, the Federal
Communications Commission made a move in that direction by enacting strong
privacy rules giving broadband customers more control over data collected by
their internet service providers. Unfortunately, on April 3, President
Trump signed into law a repeal of these rules. This move
rightly caused significant public outrage, but there are still some paths
forward. The battle isn’t over—it’s just shifting. 

In October 2016, the FCC passed robust, clear broadband
privacy rules focusing on consumer choice, data security, and transparency.
Among other things, the rules required ISPs like Comcast, Verizon, and AT&T
to protect by default information the FCC deemed “sensitive.” The rules
protected web browsing and app usage history in addition to categories
traditionally considered sensitive—such as information about health, finances,
and Social Security Numbers. These increased protections likely would have
helped prevent people’s private information from being used in unknown,
intrusive, and harmful ways.

Consumers overwhelmingly favored the rules, most of which
were scheduled to go into effect in December 2017. When Congress held votes to
repeal the restrictions, the public inundated Congress with criticism and phone
calls demanding legislators vote against the repeal. Recent polls showed that the objections were widespread. Despite
the public’s response, Congress and the administration took a sledgehammer to
the rules. They also hamstrung the FCC by preventing it from enacting
“substantially similar” rules in the future.

The enormous public response had at least some effect on the
congressional vote. The measure passed very narrowly in both the Senate (50–48)
and House (215–205). Votes were cast mostly along party lines, but 15 House
Republicans bucked their party leadership and voted against the repeal.

Congressional repeal of the rules has significantly confused
the privacy landscape. Without clear rules, there is no explicit prohibition on
ISPs, for instance, targeting individuals with advertisements based on
sensitive information such as income level or health ailments. ISPs may also
sell data (such as web browsing history) with some identifying information
removed, but evidence shows that this data can easily be
re-identified. While some carriers have “pledged” not to sell customer
data, it is not clear whether the FCC will enforce those promises.

Moreover, the repeal did not shift authority back to the
Federal Trade Commission, as some (including the FCC and FTC chairs) ultimately desire. While the FTC polices
privacy practices in many industries, right now its authority does not include
ISPs and other “common carrier” industries regulated by the FCC. (A “common
carrier” is a business that transports goods to the public for a fee. Railroads
and telephone providers are two examples. More on what “common carriers” have
to do with all of this in a minute.)

Even if the FTC had authority over ISPs, it lacks the
ability to write prescriptive rules. It relies almost exclusively on
hard-to-predict, after-the-fact enforcement. Leaving the FTC—a “small agency with limited resources” as Acting Chair Maureen
Ohlhausen has called it—alone in charge of enforcing privacy promises of ISPs
is not exactly a great solution to the problem of protecting broadband privacy.

But Americans shouldn’t give up—we just have to get more
creative. While having privacy protections at the federal level is the most
effective way to protect consumers, some states have stepped up to fill the
void left after the repeal. Two states, Minnesota and Nevada, already impose pro-consumer privacy requirements
on ISPs. Minnesota’s existing law protects
the personally identifiable information of all ISP customers. The Minnesota
Senate just passed further ISP privacy protections in response to Congress’
vote to repeal the broadband privacy rules. Nevada protects “all
information concerning a subscriber” except email address—though
customers can choose to protect their email address as well. Other states have
proposed similar bills, including Maryland and New York. But many state
legislative sessions will soon come to a close, some until next year, so the
window for action is narrow.

Additionally, the fight is not over in Congress.
Massachusetts Sen. Ed Markey, a prominent privacy champion, has introduced legislation to codify the FCC’s privacy rules.
Nevada Rep. Jacky Rosen also introduced a bill that would reverse the repeal. If you care about your privacy, tell your
legislators that they should support these proposals. The more
calls legislators receive and the more public outrage they see, the more likely
it is that Congress could approve the bill.

Congress could also repeal the “common carrier” exemption I
mentioned earlier. The common carrier exemption currently prevents the FTC from
taking enforcement action against ISPs. Repealing it would allow both agencies
to have authority over ISP privacy and could work more closely together to
protect consumers. Repealing the common carrier exemption could put two
complementary privacy cops on the beat for ISPs. As FTC Commissioner Terrell
McSweeny testified in 2016, “[t]he FTC has decades of experience,
and specific statutory tools such as consumer redress, that complement FCC
oversight of common carriers. We have a long history of successfully working
together with the FCC and look forward to continuing that tradition of shared
jurisdiction.” McSweeny and New Jersey Rep. Frank Pallone Jr. similarly defended,
in Future Tense, the FCC’s broadband privacy rules as a “historic”
step in protecting consumer privacy.

In other words, the agencies play complementary roles, and
can contribute their own expertise in protecting the privacy of ISP customers.
For instance, the FCC has expertise on communications networks and technologies,
while the FTC has experience with enforcing companies’ privacy promises. They
often work together on issues such as mergers and “do not call” list
enforcement. They also have a Memorandum of Understanding on consumer protection issues
and they worked together extensively throughout the broadband privacy
rulemaking process.

There is at least one additional reason to repeal the exemption.
In a recent 9thU.S. Circuit Court of Appeals case, FTC v. AT&T
Mobility, the court injected confusion into the common carrier exemption. The
court held that AT&T Mobility, as an entity, was a common carrier because
it provided telephone service (in addition to other non-common-carrier
services). Thus, even non-common-carrier services provided by AT&T Mobility
were swept up by the common carrier exemption and were thus outside the FTC’s
authority. Now, it is unclear whether, for instance, a non-common-carrier like
AOL is beyond the FTC’s authority because it is owned by Verizon, a common
carrier, further complicating the question of who has authority over internet privacy.

But repealing the common carrier exemption is as far as
Congress should go. For instance, some have argued the FCC should not have
privacy authority at all because it lacks privacy “expertise, personnel, or understanding.” But Congress should
not heed those arguments. The FCC has long protected the privacy of telephone
customers and would use that expertise in enforcing broadband privacy. Nor
should Congress attempt to gut the FTC’s authority by, for instance, capping
the time period of consent decrees at eight years rather than the typical 20
years, which Congress has indicated it wants to do. The FTC has been an effective privacy protector
for the past two decades in part because it has many tools to protect
consumers. Congress would be making a mistake should it undermine either
agency’s authority in the name of “protecting” consumer privacy.

Americans want and deserve better privacy protections—and
they almost got them. Unfortunately, Congress and the president had different
plans and have made it more difficult for consumers to protect their privacy.
But there are still some paths forward, even if less optimal, to protect
broadband privacy. The battle lines have been redrawn, and we have to
adjust—quickly.

Future Tense is a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.