When the Federal Communications Commission (FCC) voted last Thursday (Oct. 27) to accept new privacy rules for ISPs, the move was heralded by many as an important step forward in U.S. privacy protections. But a closer look at the particulars shows a decision with so many exceptions, and one that makes it so easy for ISPs to hide customer permission deep within lengthy terms and conditions documents, that it amounts to a big step backward for privacy, one that will likely embolden any ISP that was inclined to violate privacy anyway.
The FCC made changes to the privacy requirements of Section 222 of the Communications Act for broadband ISPs. On the bright side, here’s part of a statement from FCC Commissioner Mignon Clyburn, who voted for these changes: “Why has this Commission received more than a quarter of a million filings, of which the vast majority show support for the adoption of strong privacy rules? Because consumers care deeply about their privacy — and so should we. Ninety-one percent of Americans believe consumers have lost control of how their personal information is collected and used by companies. That’s ninety-one percent. With news seemingly breaking every week about a cyberattack, massive data breaches, and companies collecting and selling customer data to government agencies, that number should come as no surprise to anyone. So when faced with the question of should I support requiring companies to give consumers more notice, more choice, and more transparency, you hear no double speak from me. Simply put, additional consent here means that consumers will have more of a say in how their personal information is used — and I for one think that is a good thing.”
I applaud the sentiment, but what came forth from the commission will do little to nothing to advance privacy. Yes, ISPs must now get explicit permission from consumers before releasing their data, but nowhere is there a prohibition on that permission being buried in a 29-page T&C document that requires a one-click acceptance before ISP service can begin.
In short, it’s either “accept this agreement” or get ISP service elsewhere, which will be hard to do if every major ISP insists on similar language. If the FCC wanted to truly protect privacy, it would have prohibited ISPs from including this opt-in as part of the agreement to provide service. It should have given consumers the right to reject such data sharing and still retain the right to broadband service. Alas, that didn’t happen.
Here’s how the FCC described the core changes regarding opt-in: “ISPs are required to obtain affirmative ‘opt-in’ consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.”
Let me offer a simple layman’s definition of “knowing and affirmative opt-in.” Ten seconds after the consumer signs, ask him about the particulars of the agreement. For example, “Did you just agree that your ISP can sell your email patterns to your bank, your insurance company and your ex-spouse’s lawyer?” If the answers all amount to, “I have no idea. I just clicked the box so I can stream movies,” that was not a knowing and affirmative opt-in.
The FCC also defined a category of data that customers must opt out of sharing, should they not want it shared. “ISPs would be allowed to use and share non-sensitive information unless a customer ‘opts-out.’ All other individually identifiable customer information — for example, email address or service tier information — would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.”
The problem with the opt-out category is that there is no requirement for the opt-out mechanism to be easy to find or easy to use. And with no such requirement, just how well hidden do you expect your typical ISP to make it?
The FCC also pointed out that these changes don’t even touch many of the most relevant Internet companies. “The rules do not apply to the privacy practices of web sites and other ‘edge services’ over which the Federal Trade Commission has authority. The scope of the rules does not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement.”
That little exception was enough to prompt FCC Commissioner Ajit Pai to dissent from the decision.
“Privacy rules for ISPs are important and necessary, but it is obvious that the more substantial threat for consumers is not the ISPs,” Pai said, according to a report in the Consumerist. “Citing recent news stories about Yahoo, Google, Apple, Twitter, and others, Pai complained that regulating ISPs more stringently than those providers ‘does not make any sense,’ concluding ‘the cold reality that Americans should remember is this: nothing in these rules will stop edge providers from harvesting and monetizing your data. So if the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulations of all companies in the internet ecosystem at the new baseline the FCC has set. And that means the ball is now squarely in the FTC’s court.’”
Pai, while overstating the privacy protections the FCC has delivered, does raise an important issue. But the FCC kicking the ball over to the Federal Trade Commission, another government commission that is no stranger to toothless regulations, isn’t going to help.
If the U.S. government doesn’t like these practices, then it should ban them. If it wants them to happen only when consumers fully understand them and willingly give their permission, then that permission must be separated from T&C documents, must be short (say, fewer than 40 words) and must be written in plain English. Better yet, ban the practice entirely unless the customer phones in and requests it on a recorded line.
All this said, I think few Americans have fully absorbed how much of their most intimate data is already out there, for sale to any advertiser. If the data is retained somewhere, it can be stolen. Therefore, the opt-in would also have to remind consumers that agreeing to have this data retained might make it available to identity thieves and terrorists as well.
Will these new FCC rules make even an incremental improvement in privacy? To be honest, I doubt it. But that’s not the biggest problem here. With the FCC’s implicit blessing to bury consent inside lengthy T&C documents and hide it behind a checkmark, many ISPs are going to be emboldened to push the privacy limit even further. Yes, this incremental move could end up worsening the very problem the FCC ostensibly set out to solve.
This story, "The FCC’s new privacy rules are toothless" was originally published by Computerworld.