Battle of the Broadbands: Privacy is dead. Long live privacy!

Battle of the Broadbands: Privacy is dead. Long live privacy!

PHOTO: Political cartoon from 1914 after the passage of the Federal Trade Act declaring "unfair or deceptive acts or practices in or affecting commerce" unlawful. It has been used in the last decade by the Federal Trade Commission to prosecute privacy cases against the biggest Internet companies.



As the volatile news month of March came to a close, it was hard to miss the latest gut punch: the Republicans in Congress just killed Internet privacy. And in case there was any doubt, the law they signed killed it for good. Americans who heard or read about it were breathless at the effrontery.

“It totally wipes out privacy protections for consumers on the Internet,” said Democratic Rep. Anna Eshoo of Menlo Park, Calif., on the House floor, whose remarks were widely quoted. “I don’t want anyone to take my information and sell it to someone and make a ton of money off of it just because they can get their mitts on it.”

So now, because congressional Republicans are greedy, the fact that you bought a dildo online is going to be sold to the highest bidder.

Congress just voted to let Internet providers sell your browsing history (Tech Crunch)

Congress just killed your internet privacy protections (CNN)

Your browsing history may be up for sale soon. Here’s what you need to know (The Guardian)

And then just as expected, on Tuesday April 4, by signing S.J. Res. 34 into law, President Donald Trump poured salt on our wounds, stuck Internet privacy in a coffin, and buried it.

The President’s detractors are likely not surprised; it’s just another TKO to the many institutions and freedoms they hold dear. Trump wanting to kill privacy, not a stretch for Trump haters. He brought in billionaires to run his cabinet, he obviously wants to treat the U.S. Treasury as his private piggy bank, so of course he wants to profit from consumers’ online browsing as well.

But what about all the Republicans in Congress who voted to kill privacy? What in the name of all that is holy were they actually thinking? And is there any way at all that they – and President Trump – might have a valid reason for voting the way they did?

Let's backtrack for a moment and talk about what happened.

Several headlines mentioned an “Obama-era” rule. And what does that mean? Well, most people would conclude that the public was enjoying awesome privacy freedoms all through President Obama’s two terms, at least. One would think. The truth is that the rule was just passed by the FCC on December 2, 2016. And most of it was not going to take effect until the end of 2017.

To be sure, privacy advocates have been concerned for years about a lack of protection. And with good reason. Up until February 2015, the Federal Trade Commission was the cop on the beat for all internet companies, enforcing a mere two sentences from a law dating back to 1914. But to be fair, the agency has gone after the biggest and the baddest – landing an epic penalty against Google in 2012 at $22.5 million for misrepresenting its handling of private information for users of the Safari browser. And there are many other cases.

Current law for Google, Facebook and Twitter:
“Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
The Federal Trade Commission has prosecuted and fined Internet providers including Google, Facebook and Twitter for privacy violations, as well as ending a “history sniffing” operation by online advertiser Epic Marketplace, Inc.*
This law encompassed the heart of U.S. privacy protection for all Internet companies including broadband “BIAS” providers (ISPs), falling under the Federal Trade Act of 1914, until February 26, 2015.

There was certainly a need for more protections, many could agree. What happened in 2015, essentially moved Internet service providers away from FTC jurisdiction and under the boot of the FCC. By classifying ISPs as “common carriers,” a term dating back to the Interstate Commerce Act of 1887 (and even further back to Egypt, they say), the FCC took control over part, though not all, of the Internet. Call it the battle of the bureaucrats. It seems to be more of a frenemy relationship.

After the reclassification of ISPs as utilities (common carriers), the FTC thought it could still exert control in the courts over companies when they were engaging in non-common carrier activities. But in August 2016, in FTC vs. AT & T Mobility LLC, the 9th Circuit Court of Appeals (the same panel that denied Trump’s travel ban, incidentally) ruled against the FTC, effectively declawing the agency when it comes to ISPs or telecom, and ruling that the agency had no authority to punish the company for data throttling – the practice of slowing down data speeds for unlimited data customers when a certain monthly limit has been reached.

And then came the FCC rule, passed after the election, that was eventually nullified by Congress. What the rule did was replace a few mere sentences of existing U.S. code –- a mighty thin veil between us and the fat cats -- with 73 pages of regulations sewing up every possible loophole that an internet service provider might pursue when it comes to personally identifiable information, inclusion of dynamic ISPs as sensitive information, and data breaches. But the most important change of all was requiring “opt-in,” or an affirmative consent, to ISPs sharing most data including browsing history, rather than the traditionally allowed “opt-out” that dates back to the telephone era of privacy enforcement. For Republicans and Libertarians, the new regulations were unnecessary and cumbersome. And for the ISP providers, they were unfair – especially because non-ISP giants like Google and Facebook remained outside of the jurisdiction of these new rules (more on that later).

Unfair means higher costs and lower profits for the ISPs than for their content-heavy counterparts (Google and Facebook). Consumers are much more likely to stay in the default position of allowing their information to be shared, if they have to contact their provider to opt out. But if they must be asked for their consent at crucial junctures, it’s almost certain that many more consumers will choose not to give permission.

The FTC actually made an effort to simplify the new rules, recommending that the FCC designated all content as sensitive, rather than multiple categories that might require actually looking at the content to determine which content was actually sensitive. But the FCC did not take the recommendations.

FCC Rule adopted December 2, 2016, and canceled by Congress and President Trump:
Among other things, would have required ISPs to request opt-in permission at crucial junctures. Broadband and telecoms contended this was unfair because Google and Facebook have no such requirements, and are only required to offer an opt-out. The rule also designated identifying characteristics of customers’ web presence as sensitive information — including dynamic IP addresses.

The FCC panel, headed by then chair Tom Wheeler, voted 3-2 to adopt the regulations. One of the dissenting commissioners was Ajit Pai, who it has been widely reported is against net neutrality (the essential concept that the web site you are reading right now is being given the same speed as content giants. Because even slightly slower speeds can be death to web traffic). But according to Forbes magazine, it is not net neutrality that Pai is against, but unfairness in regulations.

In his dissent last year, Pai argued that now that the rule was passed, Congress should act to bring the FTC's regulations in harmony with the FCCs, so that there was no unfair competition between the ISPs and the information providers (Google and Facebook). While many in the privacy community have doubted his sincerity, it does seem he takes the idea of fairness very seriously.

The FCC rule itself asserts that ISPs have much greater potential to harm customers because of their near-universal access to all web traffic traversed by a customer, whereas Google and Facebook only see some of that traffic. However, in his dissent, Pai argued that many consumers spend their entire day on one of those two sites. Somewhere in the ruling, the FCC addressed this idea, saying customers have a choice not to use Facebook and Google. And if you read this post on Medium, you might actually have a reason not to.

Ajit Pai

Ajit Pai

Pai is a former Verizon lawyer with many years in government. And he is now the chairman of the FCC under President Trump – leading to much hand wringing in the privacy community. We might even see the FCC moving to reclassify ISPs as information service providers once again.

When the news came out of the Congressional vote, led by Marsha Blackburn, a Republican from Tennessee, the Verge published a list of members of Congress who receive money from ISPs. And yes, there seemed to be a correlation. Could it actually be, though, that it wasn't privacy itself they were killing, but an unfair and cumbersome rule? At least, even if we don't know the answer to that, with all the information we have available right now, we can watch the situation with more awareness of the issues at stake.

Alarm bells also rang with the idea that Congressional Republicans were using a seldom-used joint resolution to kill the rule. This type of resolution is allowed by the Congressional Review Act that came out of the Contract with America, spearheaded by Newt Gingrich in 1996. It has only been used one other time. It's designed to keep tabs on bureaucratic regulations.

Once a rule is repealed, the CRA prohibits reissuing the rule in "substantially the same form... unless ... the new rule is specifically authorized by a law enacted after the date of the joint resolution disapproving the original rule." So privacy is not dead, just the 73-page iteration of it from last December. The Electronic Frontier Foundation would beg to differ, calling some of the three main points of this article "myths." Decide for yourself.

Interesting to note, also, that Google and Facebook (through the president of their Internet Association lobbying group) have voiced their support for making ISPs common carriers (putting them under FCC jurisdiction and the stricter rule). Bear in mind, Google and Facebook have no requirement to specifically keep your browsing history safe, except the threat of FTC enforcement through case law, which has already been used in the past. Obviously, that's a much more lenient protocol for the search giant.

And there are also contributions from Google to members of congress. It turns out that Anna Eshoo did receive $10,000 from the tech giant in 2016. So things are not always what they seem.

As we are all aware, the ISPs have achieved monopoly status, and like the content companies, they exist to maximize shareholder profit. But perhaps there's something to the cancellation of this rule. Or perhaps it's just the latest cannon barrage in the battle of the bureaucrats. The battle of the broadbands. Either way, net neutrality and an open Internet are important. All large companies are trying to gain an edge over the little guy. So we must be on our guard.

So back to the dildo: is someone going to be able to look up the fact that you bought it online, similar to your arrest records or mug shot? That is highly unlikely. As the current law states, ISPs are barred from sharing or selling information for marketing purposes, if that information is tied to your identity. As was the case in the telephone era, information can only be shared "in aggregate." One of the issues that the new FCC rule was addressing is the idea that information which is shared with marketers still contains identifiable information encoded into it, and could conceivably be coupled with your identity by a sneaky marketing company. However, this is illegal, and should be prosecuted by the FCC when it's practiced by ISPs, and by the FTC when it's practiced by content providers such as Google and Facebook.

And in this latest battle, we are not left without remedy. You can do what the law allows you to do: opt out. Go to your ISP web site and search for their privacy statement. Make sure you’re looking at the one for your internet service, not their website where they service your account. Look for the option to opt out. And do it. Do the same thing with your wireless provider. Also, download the Opera browser (headquartered in Norway), which gives you built-in private browsing. There. Privacy is still there. In your hands. You’re welcome.

Current law for broadband/Internet service providers:
“…except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories. Information shared for marketing must not be personally identifiable (must be aggregate).
On February 26, 2015, in the FCC’s Open Internet Order, all internet service providers are classified as common carriers. As such, they must follow U.S. Code Title 47 (section 222). However, if customers want privacy, they must opt out of their providers’ marketing programs.
A brief history of privacy

A brief history of privacy

House intel chair saw 'dozens' of reports on Trump surveillance

House intel chair saw 'dozens' of reports on Trump surveillance