The Case for More Stringent Privacy Rules for ISPs
July 8, 2016 | by Andrew Regitsky

Reply comments were filed this week regarding the FCC’s proposed privacy rules for Internet service providers (ISPs) in a proceeding (WC Docket 16-106) Chairman Tom Wheeler intends to conclude this year. However, his proposal has sparked tremendous controversy, illustrated by the fact that almost a quarter of a million public comments have been filed in the last thirty days, with the vast majority opposing his approach. The proposal has drawn commenters’ ire because it would impose much stricter privacy rules on ISPs than the Federal Trade Commission imposes on edge providers.
The proposed ISP privacy rules would work by separating the use and sharing of customer information into three categories and, according to the Commission, would provide clear guidance for both ISPs and customers about the transparency, choice and security requirements for that information. The three categories are:
Consent Inherent in Customer Decision to Purchase ISP’s Services - customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer would require no additional customer consent beyond the creation of the customer-broadband provider relationship.
Opt-out - broadband providers would be allowed to use customer data for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services unless the customer affirmatively opts out.
Opt-in - all other uses and sharing of consumer data would require express, affirmative “opt-in” consent from customers.
Critics of the proposal have argued that it creates inconsistent standards across the Internet, would harm and confuse consumers, and would undermine innovation, while providing no appreciable benefits. Perhaps most importantly for ISPs, it would severely limit their opportunities for millions of dollars of customer advertising revenues that would continue to be available to edge providers.
While we agree with these criticisms, others believe there is a case to be made that ISPs, as the gatekeepers to customers accessing the Internet, have a unique requirement to be more careful with customer information. The case is best made by the FCC itself:
ISPs are “in a position to develop highly detailed and comprehensive profiles of their customers – and to do so in a manner that may be completely invisible.” This is particularly true because a consumer, once signed up for a broadband service, simply cannot avoid that network in the same manner as a consumer can instantaneously (and without penalty) switch search engines (including to ones that provide extra privacy protections), surf among competing websites, and select among diverse applications. Indeed, the whole purpose of the customer-provider relationship is that the network becomes an essential means of communications with destinations chosen by the customer; which means that, absent use of encryption, the broadband network has the technical capacity to monitor traffic transmitted between the consumer and each destination, including its content…
Providers of BIAS (“broadband providers”) thus have the ability to capture a breadth of data that an individual streaming video provider, search engine or even ecommerce site simply does not. And they have control of a great deal of data that must be protected against data breaches. To those who say that broadband providers and edge providers must be treated the same, this NPRM proposes rules that recognize that broadband networks are not, in fact, the same as edge providers in all relevant respects (WC Docket 16-106, released April 1, 2016, at para. 4).
The Attorney General of New York, Eric Schneiderman, echoes these sentiments:
“The proposed rule addresses an issue consumers rarely consider: the information [broadband] providers collect about them. Consumers cannot avoid a [broadband] provider the way consumers can avoid (without penalty), or otherwise freely and easily choose between, search engines or other websites, or Smartphone applications. Indeed, as the gateway to the Internet, [broadband] providers are able to collect an unprecedented breadth of electronic personal information including not only a consumer’s name, address and financial information but also every website he or she visited, the links clicked on those websites, geo-location information, and the content of electronic communications,” (The Hill, June 30, 2016, online article).
While these concerns are surely valid, the feeling here is that the proposed rules are overkill that will lead to customer confusion with little obvious benefit. Undoubtedly, there will be ISPs that abuse customer data, just as there are bad apples among edge providers and companies in every field. The Commission’s privacy approach assumes all ISPs are guilty of data misuse just as they are guilty of damaging the “open Internet,” thus requiring net neutrality rules. In fact, the FCC already has all the power it needs under section 208 to respond to complaints about future ISP bad actors. Wouldn’t it make more sense to treat all Internet players the same, especially for a public that may not distinguish between a Verizon and a Google the way the Commission always seems to?
By Andy Regitsky, CCMI