Lobbying groups working for the major ISPs sent a letter to the Federal Communications Commission (FCC) urging it not to adopt too-strong privacy protections rules, as that would limit the companies’ ability to innovate.
After being asked by civil liberties groups such as the EFF, ACLU, Free Press, and Public Knowledge to impose stronger privacy rules on telecom companies, the FCC decided to enforce Section 222 of Title II, which requires companies to protect the information of their customers. Section 222 is already enforced for telephone service, and many of the ISPs have to abide by it in that regard, but they don’t want it applied to broadband service.
What the civil liberties groups wanted is for the ISPs to protect their customers' data but also to only use that data for the purpose of delivering the broadband service. We’ve seen over the past few years some controversies around some of the wireless carriers coming up with so called “super cookies,” or ads being injected into their customers' browsing (usually considered a man-in-the-middle attack).
For some of these, the customers couldn’t even opt out of these intrusive measures, until there was some backlash against them online. However, even that still left the majority of customers having to first learn about the issue and then find out how to opt out of it. The “tyranny of the default” ensured that the vast majority of people were still affected. That’s why civil liberties groups asked that the collection of data happen only when there is “affirmative consent” from the customers.
The new rules would also mandate that the companies must notify their customers of data breaches, they should be held accountable for weak security protections, and the ISPs should disclose with whom they've shared their customers' data.
The ISPs argued that the FTC's privacy rules should be more than enough protection for its customers. If the FCC is going to adopt a privacy framework at all, it should just adopt the FTC's privacy rules for the sake of consistency:
“We believe it is important to maintain a consistent privacy framework for the Internet. Such an approach will protect consumers and avoid entity-based regulation that would create consumer confusion and stifle innovation. Consumers expect their data will be subject to consistent privacy standards based upon the sensitivity of the information and how it is used regardless of which entity in the Internet ecosystem uses that data," said the letter.
This is an interesting turn an events, because not too long ago, AT&T for instance wanted to fall under the FCC's jurisdiction, fearing the FTC's stronger rules. Now the ISPs are saying that they'd rather be regulated under the FTC's privacy rules than under the FCC's Section 222 framework.
The FTC itself has recognized that it doesn’t have a strong privacy framework, and it actually welcomes the FCC's pursuit of stronger privacy protections for ISPs. The FTC chair said that the “Open Internet Order makes the FCC a brawnier cop on the privacy beat, and I welcome its enhanced presence on the scene.”
The ISPs’ lobbying groups also argued that the FCC’s Section 222 rules would limit their ability to innovate, but when it comes to customer data, what that means is that they want to be able to data-mine it however they want.
This would help them make even more money, not just from monthly subscriptions, but also from ads or by selling their customers' data. Broadband service is unlike an email service, for instance, because customers already pay the companies significant amounts of money every month, which should already cover all the costs of delivering the service.
With all the latest major data breaches from companies who have tens of millions or hundreds of millions of customers, it’s ever more important to demand stronger security and privacy protections from companies that store the sensitive information of so many people.
Passing rules that say private customer information should be used only for the purpose of delivering the service itself, and that big companies are accountable in case of data breaches if they use weak security, would also be in line with actual laws (as opposed to an agency's rules) being passed in the European Union. The U.S. wouldn’t be the only one doing this. One could even say this would lead to more consistent privacy frameworks for the Internet, but in a more global way.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.