Experts Disagree on FCC's Readiness To Regulate Privacy
One big area of contention as the FCC moves forward on an NPRM on ISP privacy rules, set for a vote Thursday, is how well the FCC is positioned to take on the issue, especially relative to the FTC. The FCC has had long-standing rules on carrier protection of customer proprietary network information (CPNI), but critics questioned the level of FCC expertise on the highly technical issues of privacy.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
In remarks last week at a Free State Foundation conference, FTC Commissioner Maureen Ohlhausen questioned the FCC’s need to get involved in privacy rules. “The FTC has been at the forefront on these issues,” Ohlhausen said (see 1603230049). “We have staff who are very knowledgeable.” She questioned the wisdom of walling off the FTC from oversight of ISP privacy.
Doug Brake, telecom policy analyst at the Information Technology and Innovation Foundation, said enacting privacy rules is a mistake, as was the FCC’s decision last year to reclassify broadband under Title II of the Communications Act. “CPNI in the telephone context is entirely different from broadband networking data,” Brake told is. “It is a far more complex system, with more types of information flowing through more actors with very different business models than the telephone system in 1996,” the year Congress approved the Telecom Act. “Mark this down as another area where Title II is ill-suited for the dynamics of today’s Internet,” he said.
The FCC can add experts, Brake said. “The key difference is between static regulation and case law developed through ex post enforcement,” he said. “No amount of expertise can predict all the dynamics of this young industry, the beneficial uses to which data can be put, or the ways in which an opt-in requirement could stifle innovation.”
“The FCC lacks expertise across the board regarding the inner workings of the Internet,” said Richard Bennett, free market blogger and network architect.
Social and economic policy issues will be more difficult for the FCC to get a handle on than technical issues, said Fred Campbell, executive director of Tech Knowledge and former chief of the FCC Wireless Bureau. Campbell blames the FCC’s overly narrow focus. “The FCC can’t properly evaluate the potential economic and social impacts of its proposal because the FCC has steadfastly refused to regulate Internet services provided by any Internet companies other than ISPs,” he said. “As a result, the FCC hasn’t developed any institutional knowledge of the ways data collection drives the economics of the Internet or the social impact it has on consumers.”
"Embarking upon the general regulation of privacy will lead the FCC into an enormous legal quagmire,” said Robert McDowell, former FCC commissioners now at Wiley Rein. “Having the commission attempt to grow its jurisdiction into this area will be good for lawyers because it will create tremendous uncertainty and conflict among industry players. Front and center in the policy debate will be the apparent asymmetry of privacy regulation between ISPs and edge providers. This tension will produce a tremendous amount of regulatory and legislative advocacy plus litigation."
But privacy advocates said the FCC ​has enough institutional knowledge on privacy to move forward on rules. “The FCC has the technical expertise to deal with contemporary data practices of ISPs,” said Jeff Chester, executive director of the Center for Digital Democracy. “It’s both an extension of the work they already do regarding set-top boxes and with enforcement.”
Mayer's Hiring Critical
With the hiring of Stanford University online tracking expert Jonathan Mayer last year as chief technologist of the Enforcement Bureau, the FCC is “perhaps in the best position of any agency to understand and respond to the growing threat to privacy by ISPs,” Chester said. “Ensuring enforcement of any new rules will be relatively easy, both with FCC’s own expertise and a privacy crowd-sourcing role from academics and privacy advocates.”
John Simpson, Consumer Watchdog privacy project director, said the FTC has only Section 5 authority to act when a company engages in an “unfair and deceptive” practice or does something contrary to what it claims are its practices. “That was what happened to Google when they were caught hacking around the privacy settings on Apple’s Safari browser,” Simpson said. The FCC has broad authority to act under Section 222 of the Communications Act, he said. “They have proven quite capable in the world of telephones and have effectively protected CPNI,” he said. “I have no doubt they have the expertise and will be able to enforce privacy rules that apply to ISPs when the rules are implemented.”
Long FCC History on CPNI
The FCC has been regulating CPNI for decades and has extensive knowledge of broadband networks, said Eric Null, senior staff attorney at the Institute for Public Representation at Georgetown Law School. The FCC “has already shown its ability to understand the issues and take action with, most recently, its Verizon supercookie consent decree,” he said (see 1603070032). “Further, the FCC already has staff who are experts regarding broadband networks.” The FCC also isn’t alone on the issue and is committed to continuing discussion and collaboration with the FTC on privacy issues, Null said.
“What expertise does the FCC really need to regulate privacy?” asked Berin Szoka, president of TechFreedom, a critic of the net neutrality rules. “They've already made clear that they will simply outsource their decision about which cases to bring, and how to settle them, to outside activist groups. How much expertise does it really take to regulate based on the creep factor?” Even at the FTC, the weighing that occurs happens behind closed doors and doesn’t really involve the agency’s economists, Szoka said. “So while the FTC is, in principle, far and away the better regulator, it's hard to see how the FTC's expertise, at least the Bureau of Consumer Protection's expertise, informs its decisionmaking about bringing, and settling, the cases that it so proudly points to as its ‘common law of consent decrees.’"
Jules Polonetsky, executive director of the Future of Privacy Forum, said at a recent ITIF event protecting privacy presents an increasingly complicated set of issues. “We used to live in a world of cookies,” he said. “Now we live in a world of device identifiers and cookies and multiple screens.” Polonetsky is former chief privacy officer at AOL. It used to be easy to tell people they should just clear their cookies, Polonetsky said. “That doesn’t have the effect that it once did,” he said. There’s a “jumble of conflicting technologies and conflicting standards,” he said. Whatever the FCC does it must coordinate with the FTC because systems are tied together. A standardized approach will be difficult “when the different actors in the room are all living with a very … disparate set of standards,” he said.