The FCC proposed some new privacy protections for broadband customers that would allow them to opt out of various tracking that ISPs employ to improve their services, and it would make consent for collecting customer data that isn’t necessary for delivering broadband services opt-in.
The Need For Basic Privacy Protections
After seeing an increased interest from ISPs and wireless carriers in adopting things such as “supercookies” and other tracking mechanisms that would be injected into their customers' Web streams, in the past few years the FCC has taken it upon itself to set some privacy ground rules. In many of those cases, the ISPs never told the customers about the tracking, nor did they allow their customers to opt out of it, and the FCC wants to change that.
FCC chairman Tom Wheeler said in a statement that ISPs have too much visibility into their customers' online activities, and he doesn’t want them to misuse that information beyond what the customers would expect them to do with it (such as using the data to improve their service):
“Our ISPs handle all of our network traffic. That means an ISP has a broad view of all of its customers’ unencrypted online activity — when we are online, the websites we visit, and the apps we use. If we have mobile devices… our providers can track our physical location throughout the day in real time. Even when data is encrypted, our broadband providers can piece together significant amounts of information about us — including private information such as a chronic medical condition or financial problems — based on our online activity,” said Wheeler in an official statement.
Wheeler also believes that “When consumers sign up for Internet service, they shouldn’t have to sign away their right to privacy.” Although he admitted that many websites today track and store the same kind of information about their customers, he also thinks we have a choice in using those websites. We do not have such a choice when looking for an ISP.
A group of ISPs and carriers prevented the new HTTP/2 standard from remaining encrypted by default, as originally proposed. However, both Google and Mozilla have decided to only ever serve encrypted traffic over the HTTP/2 protocol in their browsers, which essentially makes encrypted traffic the default when using HTTP/2 anyway.
However, the vast majority of websites out there still use unencrypted HTTP/1.1, which gives ISPs an opportunity to see what their customers are doing. As Wheeler mentioned in the above statement, the ISPs can still derive certain information from encrypted connections.
The New Rules
The FCC proposed that the use and sharing of customer information be split into three different categories:
Information that is necessary to deliver broadband services can still be obtained without customer consent.
ISPs and their affiliates would still be able to market “communications-related” services, but customers would be able to opt out.
All other uses would require explicit opt-in consent from the customers.
The new rules also say that if the broadband provider is collecting information about its customers, then it’s also the provider's responsibility to keep it secure. If companies are liable in some way for losing their customers’ data to data breaches, then the incentive is much higher to both collect less sensitive information and also to ensure that they invest significant resources in protecting whatever data they do collect.
Wheeler also wanted to make it clear that these new privacy rules apply only to the ISPs. They don’t apply to “edge services” such as Twitter or Uber, nor do they apply to government surveillance. The rules also don’t prohibit ISPs from sharing customer information -- they require only that the ISPs obtain customers’ consent before doing so.
Wheeler said that this should work similarly to how mobile apps request permission to use our location and that consumers should always have that kind of control about how their data is shared from the first instance of using a service.
The new rules seem to offer a baseline of privacy protection for consumers. Although ISPs are probably not going to like being restricted in how they collect or share their customers' data, in the long term it may be in their interest, as well.
When pressed, consumers eventually take matters into their own hands. The same thing could happen with tracking. The more it’s done in a way in which consumers feel they have no say over it, the higher the demand will be for tools that completely block any kind of tracking (even that which could be considered “useful” for improving certain services).
For now, the FCC’s new privacy rules will be open to the public (as well as to ISPs) for consultation, before the agency decides what the final language will say. The FCC is also seeking additional comments on how to achieve its pro-consumer and pro-privacy goals.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.