Remarks of Sarah Morris on Preserving Broadband Network Privacy

Delivered at the Preserving Broadband Network Privacy event hosted by Public Knowledge

Good morning everyone, and thank you to our partners at Public Knowledge for organizing this important event. Thank you too to all of you who are joining us today. My name is Sarah Morris, and I am Senior Counsel and Director of Open Internet Policy at New America’s Open Technology Institute. New America is a nonpartisan think tank and civic enterprise dedicated to the renewal of American politics, prosperity, and purpose in the Digital Age. Our experts work on a wide range of issues, from national security to the work-family balance, and of course technology and telecom policy. To that end, the Open Technology Institute brings together policy experts, technologists, and practitioners to promote ubiquitous, safe, and affordable access to communications technologies in communities in the United States and around the world.

OTI is deeply committed to ensuring that all Americans have Internet access that is both open and secure. The 2015 Open Internet Order had important privacy implications. As the FCC took on the critical task of reclassifying the delivery of Internet service under Title II of the Communications Act, it both laid the legal framework for sound net neutrality rules, and also recognized that broadband is a vital service that should be subject to the foundational principles that have guided communications policy for over a century.

Notably, the FCC forbore from many provisions in Title II. It declined to use its power under Title II to regulate rates or impose tariffs or unbundling requirements on Internet service providers. However, it did recognize the need for authority to, for example, protect people with disabilities; bolster universal service fund support for broadband service; and protect consumer privacy. As a result, the Commission recognized that the privacy protections that Congress envisioned for common carriers are applicable to the latest generation of Title II providers. The application of Title II provisions in this context is a reflection of the statute’s technology-neutral framework and the recognition that broadband access is an essential conduit for ubiquitous communications access and a platform for the open exchange of speech and ideas.

These protections are not only an appropriate extension of FCC authority, they are necessary in light of a carrier’s special relationship with its customers. From its perch as the “gateway” to the Internet, your Internet service provider has a unique window into your online behavior. By nature of its role, an ISP can build a comprehensive picture of users’ online activities, ranging across time, and across different sites, services, and devices. A clear privacy framework developed under the longstanding authority granted to the FCC under Section 222 of the Communications Act will benefit consumers, ensuring that the power asymmetry between customers and their Internet service providers is mitigated by consumer privacy protections.

In a policy paper released last month—copies of which are available here today—OTI explores the types of information that Internet service providers can learn about their subscribers and details the ways in which this information can be abused. Carriers can ascertain the content of all unencrypted Internet traffic. And even where traffic is encrypted, carriers know the destination information of that traffic through the domain name system -- or DNS. Under typical circumstances, an ISP can also see each site a user visits, and when and for how long, revealing user habits and other behavior.

This data collection can lead to myriad harms, allowing inferences about things like employment and health conditions, and undermining the Internet as an open engine of commerce.

To address these harms, OTI urges the FCC to initiate a proceeding to adopt “rules of the road” for protecting consumer privacy online. This proposed framework includes an inclusive definition of Customer Proprietary Network Information -- or CPNI; an opt-in standard for non-service-related uses of CPNI; transparent access by customers to their CPNI; baseline requirements for data security and breach notification; and a clear process for consumer complaints.

As the FCC recognized when it reclassified broadband last year, broadband is no longer just a luxury—it’s an essential service, central to the way we communicate in the 21st century. That means we can no longer think of user-ISP interactions as something that consumers have any real choice about. It’s not a choice. If we want to use the Internet—and we all do—we have no alternative but to share intimate details of our private lives with a broadband provider. It’s only reasonable that we set strong baseline privacy rules to protect that information, so that the Internet can continue to flourish as a central forum for First Amendment–protected speech and association in the modern era.