How the FCC’s ISP Privacy Rule has an Eye toward the Past, Not toward the Present or the Future
When is a privacy rule not about privacy? The Federal Communications Commission (FCC) recently finalized proposed rules regarding what Internet Service Providers (ISPs) must do regarding consumer information. The rules are controversial, and will certainly face tests in federal court.
The FCC believes that ISPs know too much about their customers, and that the ISPs can connect customer data with the customers’ Internet browsing habits. The fear is that ISPs will be able to put a comprehensive picture together of their customers and either sell the data to marketers, or otherwise use the data improperly.
If the FCC’s assumptions are incorrect, though, the rules upon which those assumptions are based are similarly flawed.
Technology, along with advances in encryption, mean that ISPs have significantly less access to consumer data than they did even a few years ago. Ten years ago, for example, consumers primarily browsed the web from personal, home computers. Today, they access the Internet from many types of devices such as home computers, laptops, tablets, and smartphones. Ten years ago, consumers accessed the Internet at home using landline telephone or cable wires. Today, they access the Internet from many different locations such as their homes, Starbucks, libraries, or even on the go (such as in Uber rides). Today, consumers access the Internet through traditional landline or cable connections, Wi-Fi hotspots, or through mobile broadband. Years ago, encrypting Internet traffic was not common. Since then, various forms have been developed and implemented across the Internet. The combination of changes—how people access and consume the Internet, along with pervasive encryption—has already addressed many of the concerns the FCC discussed in its now final rule.
Years ago, ISPs both provided last mile service—connecting consumers to the internet—and provided Domain Name System (DNS) lookup. That is to say, ISPs provided two of the core functions required for browsing the Internet: the service and looking up the numerical address of a particular website. As technology advanced, ISPs handed off the DNS functions to third parties, focusing on last mile services.
Hyper Text Transfer Protocol Secure (HTTPS) encryption is a key component preventing ISPs from accessing customers’ Internet browsing habits. Between 49 to 65 percent of Internet traffic is currently encrypted. One of the largest Internet traffic sources in North America is Netflix. Since it transitioned to HTTPS in 2015, the volume of encrypted traffic rose from almost 30 percent to nearly 65 percent. Additionally experts estimate that by the end of this year, before the FCC’s rule will go into effect, 70 percent of all Internet traffic will be encrypted.
HTTPS encryption means that ISPs cannot “see” where a particular Internet user is browsing. An unencrypted request will transmit the full “body of the request, [and] the full URL, query string, and various HTTP headers about the client and request” whereas HTTPS “encrypts nearly all information sent between a client and a web service.” According to researchers at Georgia Tech,
“[T]he recent and rapid shift to HTTPS and other forms of encryption is perhaps the clearest and simplest way to explain why ISPs today and in the future do not have ‘comprehensive’ access to users’ Internet activities. HTTPS blocks the possibility of ISP access to the content of users’ activities – the technology called ‘deep packet inspection’ does not work on encrypted communications. HTTPS also blocks the possibility of ISP access to detailed URLs, which can reveal granular details of a user’s search or other online activities.”
When speaking of consumer data, and the “danger” (if it is even that) of one entity storing massive volumes of personal data in one place, the largest “danger” comes in the form of edge service providers. Edge service providers include search engines such as Google, social media giants, such as Twitter, webmail services such as Gmail, and web browsers shared across platforms; these forms of services are not regulated by the FCC. Jurisdictions for privacy violations falls to the FTC, and is exercised based on specific privacy violations.
Think of all the information consumers voluntarily hand over to social media sites and search engines: their names, home towns and email addresses, at a minimum. Consumers may have email accounts, payment accounts, and personal calendars with these companies. Consumers may identify their social and familial circles, post and tag photographs, check into locations, or otherwise authorize the social media’s app to access their location information.
Comparing the information an ISP can gather about a consumer to that of a search engine, easily shows which entity has greater access to sensitive data, assuming a particular consumer has an account with a search engine that provides the consumer an email address, cloud storage, and a calendar. These functions can also sync with the consumer’s smartphone. For example, if the consumer searches for “toy drones” using his home computer, the ISP will only know very little about the consumer. Perhaps only that he went to the search engine’s landing page.
None of this is to say that personal information voluntarily shared is bad. It is rather to create a comparison, asking where the real threat for misuse of private data lies. Placing regulations on ISPs that represent yesteryear’s threats is hardly a way to protect today’s consumers.
The FCC seems to recognize treating ISPs differently from edge providers creates an inherent competitive advantage for edge providers. The rule appears to lay the groundwork for regulating edge service providers. This is a particular problem, given that the Federal Trade Commission already has the jurisdiction, and experience, protecting consumer privacy. What is more, since society’s adoption of the Internet, companies and innovators alike have created solutions for various “privacy problems.” More rules constraining ISPs is not the solution to protect a consumer’s privacy, especially when the reasoning behind the FCC’s proposed rule is antiquated.
The proposed rule represents the privacy threats posed years ago, not the privacy threats of today or the future. A privacy rule is not about consumer privacy when it is designed to harm one industry while benefiting another industry. A privacy rule is not about consumer privacy when it does not address actual threats to an individual’s confidential information.