On Monday, April 3rd, U.S. President Donald Trump signed a repeal of the rule submitted by the Federal Communications Commission (FCC) last year relating to protecting the privacy of customers of broadband and telco services. The rule, which passed last year and was on track to enter into effect shortly, would have required internet providers such as AT&T, Verizon and Comcast to request explicit consent from their customers before selling off their web histories and personal internet behavior profiles.
Now, ISPs are left with a gap in regulatory privacy protection. Meanwhile, they have unlimited access to customer information at their fingertips. Unlike online advertisement platforms (which can be blocked by using browser security settings), ISPs have unrestricted visibility into consumers' personal information, such as their location, device ID, browsing activity, online phone (VoIP) activity, shopping and media consumption, without any ability for the consumer to protect their privacy. ISPs can pair this information with the billing and mailing addresses, taken from previous online orders, that they hold for every one of their customers, which creates financial risk if this information gets into the wrong hands.
This data is a goldmine for the ISPs as it can be used for targeted advertising based on favorite media, online shopping behavior, location, etc. ISPs can then sell this information to businesses and advertising firms for obvious reasons.
A seemingly easy solution is offering users an opt-out option; however, collecting consent and honoring specific requests would require tight controls over whose data is found and where, so it can be removed as prompted. Additionally, the monetary costs required to cover the vast amounts of data collected and relatively new technologies that would need to be implemented to govern privacy would be exorbitant.
This exemption, and the restricted transparency it perpetuates with ISPs, raises some interesting questions. Apart from the obvious violation of the basic right to privacy and the inconsistency in the requirements across verticals and even within the FTC’s control, there are a number of implications:
- They have to know their data — While ISPs are formally committed to maintaining our privacy, and obviously state that publicly, the lack of consumer control and transparency puts in question the accountability around providing proper controls. If consumers cannot prevent the collection of their data, can the ISP truly control it? You need to know your data in order to protect it. If the cost of complying with this new rule is as high as the ISPs claim, what are the assurances that their current controls are sufficient for data protection?
- Data Lineage — ISPs are involved in multiple lines of business, and many of them span wired, wireless and online channels. These channels have various touch points with consumer data, ranging from mobile phones to media applications. Can the ISP truly separate data collected from these different channels and apply consent controls to one but not the other? How can they guarantee that information that is collected from a media application and is subject to FCC consent rules is not combined with ISP information that isn’t? Can the ISPs show the lineage of the data to prove that there is true separation?
- Anonymization — The ISPs claim that the information they sell is anonymized, meaning it cannot be used to trace specific people. However, with the vast amounts of data and the computing power available in today’s cloud-based infrastructure, how can they assure that the data cannot be made identifiable again?
- GDPR — The lack of privacy controls for ISPs in the US stands in glaring contrast to the new General Data Protection Regulation (GDPR) coming from the EU, which adds tight requirements for data subject rights and consent. These new rules, which will become active in May of 2018, apply to any business storing data of EU residents. While US ISPs may not be required to request consent by the FCC, they might find themselves having to answer to the European data protection authorities, as they are bound to hold data of roaming EU residents who travel into the US.
- Businesses care about privacy — Businesses are specifically concerned about the privacy of their employees, and most importantly, the confidentiality of their business. Enterprises do not want their executives’ movements tracked or their business development browsing history profiled. While individuals have limited leverage, large enterprises have much more sway and would be able to demand what individuals may not be able to get.
While the retraction of this important rule may be disappointing to privacy advocates, they can rest assured that this uncharted territory cannot be sustained for long. Consumer awareness of privacy is increasing, and protecting internet users against commercial and government surveillance should truly be a bipartisan aspiration. Privacy regulations are on the rise across the world (e.g. the new GDPR, UK, Russia and China privacy regulations) and more specifically, in the US, including state-level legislation and FTC policies. Also, as stated by the FCC, “Chairman Pai believes that the best way to protect the online privacy of American consumers is through a comprehensive and uniform regulatory framework.” Next steps? The FCC must work to support a general US privacy protection regulation.