Feb. 1, 2016
If you had a choice between someone constantly watching your Internet activity–what sites you visit, who you email, and on what devices–or not accessing the Internet at all, what would you choose? Chances are you would opt for the former. This choice between privacy and connectivity is a false one—and, if forced, one that could significantly harm consumers.
From its perch as the “gateway” to the Internet, your Internet service provider (ISP) has a unique window into your online behavior. As the Center for Democracy and Technology explains, Internet traffic is exchanged in the form of “packets”: small bundles of data that are sent, swapped, and reassembled between computers and networks to provide you with the Internet experience that you know and love. ISPs serve as the delivery men for these packets, and much like a delivery man can make certain inferences about you and your proclivities based on the number, size, and frequency of the boxes you receive from Amazon, ISPs can glean a great deal of information about you based on the IP addresses you interact with and how frequently.
Even if ISPs do not conduct what is known as “deep packet inspection”–that is, opening up your packets and seeing what exactly you are doing online–ISPs are rapidly gaining the technical capacity to curate incredibly detailed profiles of their customers based on the data collected in the course of providing service. However, unlike delivery men, ISPs aren’t subject to strong privacy rules dictating who can access, share, or even sell this information. This creates myriad opportunities for abuse.
As explained in a new paper recently released by New America’s Open Technology Institute (OTI), the Federal Communications Commission (FCC) has an opportunity to set strong privacy rules that deal explicitly with Internet service providers. OTI strongly believes that a clear privacy framework will benefit consumers and that the FCC has a role in creating and enforcing that framework. In addition to releasing new research, OTI also joined a group of nearly 60 organizations calling for the Commission to promptly begin a broadband privacy rulemaking.
While an online retailer might track how you buy and browse on their individual platform, an ISP can capture your behavioral data across multiple websites. Beyond just your browsing history, this could include ambient data transmitted by your smart thermostat, your connected insulin pump, or your child’s learning device, creating a sweeping and comprehensive profile of your personal habits and information. In the words of FTC Commissioner Julie Brill, speaking late last year, “even if an ISP just looks at the IP addresses to which you connect and the time at which connections occur, it can get an intimate portrait of your interests, daily rhythms, habits–as well as those of all members of your household.”
Online personal data in combination with predictive analytics has already been used to determine customers’ pregnancies and display inflated discriminatory prices to Asian Americans. Data could predict a consumer’s health condition or reveal whether they are having an affair. Once collected, personal data could slip into the shadowy world of online data brokers, where it could be sold to marketers, insurance agencies, or even become vulnerable to spear phishers. Alternatively, an obscure algorithm could mischaracterize you based on a faulty assumption about your web traffic, without alerting you and without providing any way to correct the inaccuracy.
Because many American markets lack a choice of high-speed internet providers, a consumer who disagrees with an ISP’s privacy practices may not have the ability to switch to a comparable alternative service. That is, assuming they are even aware of how their data is being collected in the first place. ISPs do not currently need consent to collect and sell this data, and many consumers are unaware of these practices or feel completely helpless regarding their data privacy.
The Federal Trade Commission has often served as a leading online privacy watchdog, but the FTC’s jurisdiction over broadband providers is limited. The FTC’s legal authority to protect consumer privacy specifically exempts “common carriers,” a category that includes Title II telecommunications providers. Broadband providers were reclassified as a Title II service last year, thereby limiting the FTC’s role. The authority and responsibility to enact strong, ISP-specific privacy rules now lie squarely with the FCC.
The FCC has long safeguarded consumer privacy in the context of legacy telecommunications services such as landline phones. Using its authority under Section 222 of the Communications Act, the FCC has long protected “Customer Proprietary Network Information,” or “CPNI,” which is defined as a category of information that your telecommunications carrier learns about you in the course of providing service. The FCC is currently mulling over how to translate these CPNI rules for the Internet context.
OTI’s paper includes a number of recommendations for how to apply privacy rules to broadband providers. OTI recommends requiring opt-in consent, as well as developing an inclusive definition of CPNI. The paper also suggests requirements regarding baseline data security and breach notification, clear processes for consumer complaint handling, and prohibiting “paid privacy” practices, which could potentially turn privacy into a luxury good with discriminatory socio-economic impacts.
Given the centrality of broadband Internet to the 21st century economy, the absence of broadband privacy rules would create a power asymmetry between customer and provider. The long-term consequences of this asymmetry are troubling. When announcing the 2015 Open Internet Order, which represented a historic win for consumers, FCC Chairman Tom Wheeler remarked that “broadband networks are the most powerful and pervasive connectivity in history,” and that “every day, we rely on high-speed connectivity to do our jobs, access entertainment, keep up with the news, express our views, and stay in touch with friends and family.” In line with the FCC’s dedication to protecting consumers and promoting competition, the FCC should ensure that consumers do not have to ransom away their privacy to access the Internet.