Experts Debate Extent of FCC Privacy Regulation on ISPs
While some experts said the FCC has a golden opportunity to impose rules on ISPs to provide greater consumer privacy, others said during a Future of Privacy Forum discussion Thursday that stringent regulations would unfairly target one group in a much larger Internet ecosystem. That day, FCC Chairman Tom Wheeler circulated a draft NPRM on ISP privacy for a March 31 vote, which observers expect to be contentious (see 1603100037).
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Katharina Kopp, Center for Democracy and Technology's privacy and data project director, said the FCC's rulemaking is an important and rare opportunity, but it should look at the entire broadband ecosystem. Where it can't reach all players, it should make recommendations to Congress and other agencies, she added: The FCC should clarify the definition of customer proprietary network information (CPNI) in the Internet context, provide consumers with choice about the uses of data and how the information protected, and provide regulatory flexibility for companies.
While users can't change the collection of Internet CPNI data, Kopp said that "the rules need to give individuals control over the uses that are unrelated to the service that they signed up for." She said opt out should be required for marketing products and services that customers signed up for and that consumers be given an opt-in choice for non-communications related products and services. The reason why is that ISPs still act as critical gatekeepers in the ecosystem and still capture a lot of consumer information, including metadata, she said. Such rules would need to ensure customer trust and autonomy and a sense of fairness, she added.
Peter Swire, a Georgia Institute of Technology professor, said his new research, which he presented last week (see 1602290047), refutes conventional wisdom that ISPs have comprehensive visibility and unique insight into consumers. One reason they don't have such insight is due to increasing usage of encryption, particularly HTTPS, and VPNs, which blocks an ISP's visibility into content, he said. In 2014, about 13 percent of Internet backbone data was encrypted, but that had risen to 49 percent in February and is projected to increase to 70 percent by the end of the year, he said, factoring in encrypted video streaming.
Other reasons ISPs have limited insight is due to the users themselves. Individuals on average use up to six devices to connect to the Internet and they hop around the Internet, using more than one ISP during the course of a day, said Swire, who was privacy czar in the Clinton administration. ISPs don't have a comprehensive or unique visibility in users’ online activity, he said. While he said he's not saying they don't see anything and have a lot of capabilities, they're not the "bogeyman" others have characterized them to be.
Former FTC Chairman Jon Leibovitz said Swire's research shows why the FCC should develop a broadband privacy regime consistent with the FTC's enforcement-based approach, one that isn't prescriptive. "You don’t need to do that to protect consumer privacy, and overregulation itself as we know can choke off the very innovation that benefits consumers in a highly dynamic and competitive online marketplace," said Leibovitz, an antitrust lawyer with Davis Polk. "By setting out prescriptive broadband privacy rules, the FCC would be abandoning a norm and also a best practice of consistent privacy enforcement across the internet ecosystem."
DLA Piper privacy attorney Jim Halpert said Swire's research showed ISPs are "tiny players in a huge market" and FCC rules aimed at giving consumers an opt-in choice would put ISPs at a disadvantage compared with data brokers and many other players who wouldn't be subject to the rule. ISPs may "sort of hunker down" and be "disincentivized" from innovating on consumer choices, he said, cautioning he doesn't mean a rule isn't a good idea.
Halpert said the choice is between having an FTC-like framework vs. the 1996 CPNI statute that was designed to not only protect consumer privacy but, more importantly, to encourage competition. He said the CPNI statute isn't a very good fit for regulating privacy in the Internet ecosystem "and it would really be bizarre to pluck 10 or 15 percent of that market." Imposing opt-in requirements could discourage new smaller entrants, who may not have the infrastructure to comply with regulations, he said. “But imposing status-based regulation simply because one is an ISP strikes me as a kind of blunderbuss approach and probably the wrong approach" for consumers and competition, he said.
Debra Berlyn, president of Consumer Policy Solutions, said she has been trying to get older Americans to get online, but a survey her group commissioned last year found that concern over safety, security and privacy is a significant obstacle. She said more education and awareness need to be promoted as well as simple consumer privacy tools. She also said the FCC and FTC need to work together to develop a comprehensive privacy protection plan.