Why we need the FTC to police ISP privacy practices

The move to scrap the FCC's rules for ISPs leaves the industry without any federal oversight and puts internet privacy at risk.

federal trade commission building ftc
Carol Highsmith

Critics of the recently scrapped federal privacy regulation for internet service providers (ISPs) argued that the rules were overreaching, and that broadband providers should be held to the same privacy framework as application and content providers.

The only catch is, they can't.

Terrell McSweeny, a commissioner at the Federal Trade Commission (FTC), laments that her agency lacks the same oversight authority over ISPs that it exerts in the general consumer internet space, where it has brought privacy cases against the likes of Google and Facebook.

Then, when Congress moved last month to nullify a privacy rule for ISPs advanced by the FCC, it effectively stripped the market of federal oversight, McSweeny argued at a recent event on privacy policy.

"The [FTC] cannot fill that gap because it does not have jurisdiction over the security and privacy practices of broadband, cable and wireless carriers," McSweeny said. "So what we have at the moment, in my opinion, is the rapid implementation of a no-cops-on-the-beat approach to privacy and data security in which control over who gets our sensitive information rests in the hands of very few large companies, which are the gatekeepers for our connections to modern life."

An uneven playing field?

The FCC's privacy rules had required ISPs to secure permission from subscribers before sharing browsing histories and other potentially sensitive information with third parties. Broadband providers and other critics complained that the regulation would subject the industry to stricter oversight than the Web firms they sometimes vie with for advertising revenue.

[ Related: Privacy advocates plan to fight Congress' repeal of ISP privacy rules ]

McSweeny is skeptical of that argument -- that the rules created an uneven playing field that put the Verizons of the world at an unfair disadvantage against the like of Google and Facebook, or the so-called edge providers.

"Right now the edge is under FTC jurisdiction, with requirements to follow our guidelines," she said. "Now the ISPs are under no requirements, so we've sort of doubled down on difference in the name of consistency, which I find inconsistent."

The path forward

The heads of the FCC and FTC, both opponents of the privacy regulation, have argued that the rule was fundamentally misguided, and that ISPs were never intending to sell users' Web histories for advertising dollars.

"That's simply not how online advertising works. And doing so would violate ISPs' privacy promises," FCC Chairman Ajit Pai and acting FTC Chairman Maureen Olhausen wrote in an op-ed in the Washington Post.

Pai and Olhausen argued that the FTC is the best positioned agency to enforce privacy complaints against broadband providers, citing its extensive enforcement history in that area in the general consumer space.

In 2015, as part of its push to enact net neutrality rules, the FCC asserted jurisdiction over the ISP space, effectively sidelining the FTC. Pai and Olhausen said that they are working to reverse that action, and aim to "restore the FTC's authority to police ISPs' privacy practices."

"We need to put the nation's most experienced and expert privacy cop back on the beat, and we need to end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space," they said.

In the meantime, many states have been evaluating privacy regulations that could fill in the gap, while some members of the U.S. Congress have indicated that they plan to work toward privacy legislation at the federal level.

This story, "Why we need the FTC to police ISP privacy practices" was originally published by CIO.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)