The FCC's Role in Protecting Online Privacy

An Explainer
Policy Paper
Jan. 21, 2016

Share intimate details of your life with strangers, or be shut out of the Internet.

ISPs today are fast gaining the technical capacity to force consumers into this dilemma. That situation is bad for consumers, bad for the public interest, and getting worse as the technologies of tracking continue to improve.  

Download the report

Fortunately, the FCC’s decision to reclassify Internet access as a common carriage service under Title II of the Communications Act gives the Commission powerful new tools to protect the privacy of online life. Specifically, the FCC has a statutory mandate to shield the sensitive information that a common carrier learns about customers in the course of providing a telecommunications service. This information includes both personal information about customers, termed “proprietary information” under the law, and information about a customer’s use of the service that she has no choice but to provide in the course of receiving service, known as “Customer Proprietary Network Information” (CPNI). Providers covered by the statute have a general duty to protect all proprietary information, including CPNI. Additionally, before a covered provider can use CPNI for any purpose other than providing the service, it must obtain the customer’s consent.  

Authorized by Section 222 of the Communications Act and first applied to telephone service, the FCC’s existing CPNI rules protect information including the numbers a customer texts or calls, for how long, and when. Phone companies can use that information to connect calls and calculate billing, but cannot share or use it for other purposes unless they get the customer’s permission. The FCC has also interpreted the provisions of Section 222 that require carriers to protect “proprietary information” to extend more broadly to “private information that customers have an interest in protecting from public exposure.” Although Section 222 has traditionally been applied to telephony, Congress designed the provision to be flexible.  

With reclassification of broadband as a Title II service, Section 222 now applies to broadband Internet access service providers—a category that includes both wireline providers such as cable companies, and wireless service providers that offer mobile Internet services. As the Commission has long recognized, “[c]onsumers’ privacy needs are no less important when consumers communicate over and use broadband Internet access than when they rely on [telephone] services.”  

The application of Section 222 privacy protections to ISPs is important and timely. Already, ISPs are developing and expanding ways to monetize their subscribers’ personal lives and daily habits by using subscriber information for lucrative non-service related purposes. On the wireless side, at least one mobile broadband provider has used its unique control over Internet access to proactively inject persistent individual identifiers into outgoing mobile web traffic, which enables third-party firms to silently track subscribers’ patterns and habits.  

From their position as gatekeepers to the Internet, ISPs have a uniquely detailed and comprehensive view of all of subscribers’ unencrypted online communications, personal habits, and daily lives. Subscribers have no choice but to share this information; to gain access to the Internet, they must connect through an ISP. By the nature of their role, ISPs can therefore build a comprehensive picture of users’ online activities, ranging across time, across different sites, services, and devices—from their streaming video habits on Netflix, to the frequency with which they request online banking services, to the times of day they are most active on Facebook and other websites.