Blog: US Privacy Gap Widens

2017-04-13 - 9 minutes read

By Daniel Weitzner

TL;DR After Congressional action repealing the FCC’s Broadband Internet Access Provider privacy rule, where can ISP users can now look for privacy protection? As I’ll explain below, FCC privacy protection for Internet users is largely eliminated, remaining FCC rules are very narrow, FTC privacy protection is not available because of another court case, wiretapping law is unlikely to provide much protection, and class action lawsuits are unreliable as consumer protection. Major ISPs promise to abide by existing privacy policies but as of now there is no government body to oversee those promises and no one to enforce against a breach of those commitments.

Stepping back, there are two ways to look at this issue: first, as a question of different regulatory treatment of different industry segments; second, as a question of how to protect consumer interests such as privacy. The emphasis on the ‘asymmetric privacy regulation’ (ie. Congresswoman Marsha Blackburn) leads to a number of questions about whether different companies are treated fairly with respect to each other. This is a classic question the FCC considers because it has, over its history, mostly been a place for big companies to fight out their competitive positions. Same call it the forum for the rich vs the wealthy.

The FTC, on the other hand, has generally looked at how to be fair to consumers. At the FCC, big commercial entities fight about rules and the FCC arbitrates. At the FTC, independent enforcement officials investigate unfair or deceptive treatment of consumers. These are very different world views and have very different relationships with individual consumers.

By looking at this issue through the lens of fairness to different industries, it’s easy to lose track of how consumer privacy rights are handled. So let me map out the various avenues for privacy protection and which are available or not after the Congressional Review Act repeal of the FCC broadband privacy rule

As an ISP user/consumer/citizen, what are my avenues for seeking redress against privacy intrusions by my ISP? There are 6 sources of legal authority:

  1. FCC Broadband privacy rule
  2. FCC Customer Proprietary Network Information rules
  3. FTC Enforcement against Unfair and Deceptive Practices
  4. Wiretap Act protection against interception
  5. Electronic Communications Privacy Act protection against improper disclosure of communications
  6. Class action law suits on various theories

Let’s look at each of these:

  1. FCC Broadband privacy rule was struck down by Congress using a unusual law called the Congressional Review Act. When a rule is repealed by the CRA, not only is the rule removed from the books, but also the agency issuing the rule (the FCC) is precluded from EVER re-issuing a rule with the same scope unless Congress gives explicit permission to do so. This is why many people have pointed to a permanent gap in FCC privacy protection for Internet access users.
  1. FCC Customer Proprietary Network Information rules are very narrow, mostly just covering required notice to telephone customers and idiosyncratic, rules about exchange of customer data that is mostly relevant to balancing the competitive landscape between what used to be called local phone companies and their long distance competitors. Also, the CPNI rules contain a significant exception for ‘aggregate data’ which would likely cover lots of the marketing/profiling practices ISPs could be interested in.
  1. FTC privacy protection — the oversight mechanism covering Internet edge companies (Google, Amazon, Facebook, etc) and all other commercial entities — is out of the picture because of (a) the so-called common carrier exception kicked in by the FCC’s Title II reclassification, and (b) a court case. AT&T v. FTC, in which a federal appeals court found that the FTC cannot enforce consumer fairness requirements against AT&T at all because some of the services it provides are common carrier (Title II) services. This sweeping ruling that means even if the FCC reclassifies broadband Internet access service out of Title II, if those carriers provide any common carrier service, then they cannot fall under FTC regulation at all.
  1. To the extent that users worry that ISPs might actually intercept their communications in real time, it is possible that Federal Wiretap law might apply. (Orin Kerr has a great piece on this topic.) Whether or not ISPs are prevented from intercepting the actual contents or even full URLs of communications and selling or profiling based on all of the contents is besides the point. We know that so much can be learned just from the traffic patterns of users that content interception more or less irrelevant to the degree of privacy intrusion. ISPs are allowed to look at IP address logs under the Wiretap Act. And, we also know that with the spread of https as the default web protocol, ISPs won’t be able to see URL or other web traffic anyway because it will be encrypted end-to-end. At least that’s something. 🙂
  1. Does the Electronic Communications Privacy Act (ECPA) protect users? ECPA contains broad prohibitions against disclosing the contents of electronic communications (email. web content, chat, cloud data) without either warrant (in the case of disclosure to the government) or consent (in the case of disclosure to private entities). ECPA does not prohibit a communications provider from looking at data it holds in temporary storage. So ECPA will help with the privacy of the contents of user information but not at all with respect to whatever email/web/IP logs an ISP might have.
  1. There is the possibility of class action law suits, but these are unpredictable, and should not be viewed as standing the place of clear privacy protections in law.

So, after all that, users are right to feel that their privacy rights as to their ISPs are highly uncertain. I consider what the Republicans in Congress have done to be equivalent to the health care debate’s ‘repeal without replace’ model. It’s just irresponsible legislating and only seems to pay attention to the interests of a small number of large ISPs.

Some in the industry have suggested that the FTC is a better single source of privacy protection than the combination of the FCC and the FTC. To be clear, I have great respect for the FTC as a privacy/consumer protection agency. When President Obama proposed the Consumer Privacy Bill of Rights, which I worked on, we called for a new piece of law that would allow ISPs to ‘opt-in’ to FTC privacy rules. But ISPs were not enthusiastic about that deal then so I have a hard time believing they will really push for it now, And absent industry agreement, it’s hard to see how this Republican congress will enact any pro-consumer privacy rules.

To his credit, FCC Chairman Pai has said (WaPo Op-Ed) that the FCC intends to start afresh and create new privacy rules. Given the Congressional preclusion of Title II privacy rules, it seems likely that he could only do this by reclassifying broadband service back to Title I or getting Congress to give the FCC new statutory authority. Neither path is smooth and they could still run into that AT&T case (see #4).