Broadband Privacy Rules – 5 Myths
By Mark Rasch
Attorney and Cybersecurity Expert
With the repeal of the FCC rules on broadband privacy and security, there’s been a lot of misinformation floating around the web. Here’s my attempt to clarify some of the issues.
- The Rules Gave Preferential Treatment to Edge Providers Like Google
One of the reasons given to justify the repeal of the FCC broadband privacy and security rules was that they only applied to Internet Service Providers (ISPs) and broadband providers regulated (or not) by the Federal Communications Commission (FCC).
Other entities, like Google, Twitter, Facebook, Bing, or others who collect, store, analyze and sell aggregated data are not covered by the rule. This then puts the broadband providers at a disadvantage – the data flowing through their networks, where they pay for the infrastructure, the routers, the pipes, and the data connections, cannot be used by them, but only by the edge providers. Indeed, by being able to scan the contents of things like emails, and deliver ads based on this content, Google and other email providers can be more invasive of privacy than Comcast, Verizon, or Cox. So why not level the playing field?
The problem is that edge providers are subject to regulation by the FCC, which --at least under previous administrations -- has been aggressive about using the “unfair” and “deceptive” trade practice laws and regulations to police both privacy and data security.
Essentially, the FTC asserts, if you collect personal information – especially sensitive personal information – about someone, you have a duty to use reasonable efforts to protect its security, and to use the data in a responsible way. This means both abiding by whatever privacy and security promises you have made to consumers (deceptive practice), and having reasonable privacy and security practices to begin with (unfair practices).
However, the FTC does not have jurisdiction over certain other regulated entities, like airlines (regulated by the FAA) certain practices by drug companies or nutrition supplements regulated (or not) by the FDA, and common carriers regulated (or not) by the FCC. Thus, AT&T sued the FTC to ensure that it would not be required to comply with the unfair and deceptive trade practice rules as they applied to data privacy and data security.
This created a gap – the FTC could not, and the FCC would not regulate these common carriers privacy and data security practices. So, rather than being at a disadvantage relative to edge providers, common carriers were in a preferred position. The rules were intended to reverse that.
- Edge Providers Are No Different Than Broadband Providers
So what? If Google knows everything about you, what’s the harm if AT&T does too? There are a lot of differences between your broadband provider and, say Google.
Even if you are a heavy user of the Google ecosphere – using Google maps, Gmail, Google hangouts, Google search, Google News, Google colonoscopy, they only know a certain amount about you. You can also choose to hide or mask what Google knows by using a different service or provider for particular activity.
Plus, there’s that FTC thing. Your broadband provider can know everything, not just about you, but about your stuff. Every Internet connected device will transmit its data through the broadband provider. Your fitbit, Nest, Echo, doorbell, security camera, everything transmits its data through the provider.
Any unencrypted data can be examined – down to the deep packet level. Even just source and destination information reveals a tremendous amount about you and your activities. It’s not just the volume of data that’s different – it’s the ubiquity of that data. And you frequently can’t escape.
Many people have few choices of broadband providers in their area. Many others are locked in to multi year contracts obligating them to continue with a particular providers. Oh, and there’s that money thing. I can’t remember the last time I wrote a check to Google (well, I can, because I pay them for storage, but that’s not the point).
But I write huge checks every month to my broadband provider. With my carrier, I pay them for a service. With search, I am the service. It’s like getting ads on HBO – I pay for cable and HBO so I DON’T have to get ads. That’s the Faustian bargain. Do you really think your broadband prices will go down if you let your provider use your personal information? Me neither?
- Broadband Providers Will Now Sell Your Browser History
Ok, here’s a mixed blessing. Most of the broadband providers have reacted to the repeal of the broadband privacy and security rules by trying to reassure the consuming public that they have “no plans” to sell your data.
Maybe not. But that’s not necessarily a good thing. You see, they won’t sell your individual or aggregated data because they want to own it and control it. That’s what gives them power and value. They want to slice and dice it, aggregate it, analyze it (and you) and then sell SERVICES based on the data.
And those “services” need not be only advertisements. The service can be things like preferential pricing (preferential to the seller, not the consumer), location based marketing, and other services. So, instead of offering your personal data to marketers so they can sell you something, they will offer marketers a targeted ad service – your data goes nowhere, but your privacy goes out the window.
Some years ago, I battled with the College Board – the purveyors of the SAT exam, who claimed not to share with colleges any of the pages and pages of personal information they collected about students; they would only share a name and email address. So, if a College was looking for a female applicant interested in engineering whose parents are upper middle class, who wanted a small rural college, and had math school grades above 90%, the College Board wouldn’t share the student’s preferences – they would just send a name and address. A distinction without a difference.
Which means you have to read privacy policies carefully. Even if a provider has a policy that says we won’t “sell” or “share” your data, you have to remember that those words do not mean to them what you think they mean. And now, if they are unfair or deceptive, well, there’s no real regulator.
- Without These Rules, There’s No Privacy or Security
The fact that the FCC can no longer regulate the privacy or security practices of broadband providers, and the FTC can’t either doesn’t mean that there are NO restrictions on their privacy practices.
Many courts have held (and a few have rejected) that privacy policies are binding contracts, and these privacy policies of broadband providers typically provide that the provider will take “reasonable” efforts to protect privacy and security.
In the wake of the repeal of the privacy rules by Congress, several state legislatures have stepped into the fray, proposing state rules regulating privacy and security practices of broadband providers in their area – but they may or may not survive a challenge that the FCC has “primary jurisdiction” over these entities, and that the supremacy clause of the constitution precludes state regulation.
But you can always sue in the unlikely event that you learn of a privacy or security violation. But, of course, you can’t sue because you have waived the right to sue in your “contract” with them.
- There’s Nothing You Can Do
Hey, it’s a free market. As Lily Tomlin’s phone operator Ernestine used to say, “We don’t care, we don’t have to…. We’re the phone company.”
So you can try to pick a provider that genuinely respects privacy and provides transparency about security. You can also try – and I mean try – to protect your privacy by using a reliable VPN that also agrees not to log or collect data, and that will protect your privacy. A TOR browser can help too, as can services like Internet background noise generators.
As for security, you can secure your own devices, but you can’t secure the data your ISP collects – so the best you can do is minimize what’s collected. Oh, and you can lobby the FCC and your member of Congress. Or move to Europe – they have strong laws on data privacy there.