Carriers Pushing Weak Arguments Against FCC Privacy Protection

Broadband internet providers are salivating at the prospect of selling information about how their customers use the internet, but the FCC is moving to apply longstanding telecommunications privacy rules to protect our privacy. As I wrote about Monday, this is an exciting opportunity to achieve a strong and important protection for our privacy—but it’s facing resistance from the telecom giants.

The industry and its allies are arguing against privacy protections using several notably weak arguments.

One line of attack on the FCC’s duty to protect privacy is to point to the prevalence of consumers who use encryption, and how encryption can hide some data about a customer’s use of the internet from ISPs. An industry-funded paper (summarized in this powerpoint) released this week details the use of such encryption. It points out that when a customer connects to a web site that uses HTTPS (as opposed to plain unencrypted HTTP), the ISP can’t see the exact pages within a site that a customer is reading, or the content of the pages that download. If a customer is using a Virtual Private Network (VPN), then the ISP can’t see either the customer’s content or the parties with whom he or she is communicating. As a result, an increasing amount of internet traffic cannot be read by ISPs.

There are multiple problems with this as an argument against network-level privacy protections:

• To argue that ISPs should be able to spy on their customers unless those customers use encryption throws the burden of protecting privacy onto the customers when the law clearly places it on carriers. It also attempts to normalize surveillance by arguing that it should be the default, when the default should be privacy.
• Essentially this argument says, “because the ISPs can’t see everything, we don’t need to protect anything.” Weak.
• Regardless of how many people use encryption, the law clearly states that the FCC is required to protect privacy (in particular section 222 of the Communications Act, as I discussed in my prior post). One can use a cipher when handwriting a letter, as correspondents have done for centuries—but that doesn’t mean the Postal Service isn’t barred from opening people’s envelopes.
• Even where the web site to which a customer connects uses HTTPS, the ISP can still see what web site the customer is connecting to, whether that be a political, medical, or sexually oriented web site, or anything else. Metadata is a very powerful form of information—often viewed by law enforcement, for example, as more valuable than content itself.
• Many web pages do not use HTTPS. Perhaps someday all sites will, but in the meantime internet users deserve privacy regardless of how that evolves, and they deserve it right away without having to wait.
• VPNs can be a powerful means of protecting privacy, but many users do not know what they are or how to use them, or even that they exist. To protect their privacy, individuals who want to communicate and access the world’s information shouldn’t have to engage in a technological arms race with the companies they are paying. Many users cannot, and no user should have to pay extra to shield their activities from a prying ISP by buying a VPN service, when they are already paying for internet services that Congress has already clearly stated must protect privacy.
• Reliance on VPNs would therefore just create or widen a “privacy digital divide” in which the underprivileged suffer further disadvantage by losing their privacy.
• When you use a VPN, many details about your internet usage become invisible to middlemen such as your ISP—but the party operating the VPN then gains access to all that information. Whether that is an employer or another 3rd party service, all the privacy concerns facing internet users just get shifted to that new party—which, unlike the carriers, is not subject to privacy protections that have been written into law.
• Even when you use a VPN, your ISP can see how much data you are sending and receiving, and at what times. While not as revealing as content or metadata, that could still tell the ISP who stays up all night, who is home all the time and who travels a lot, who observes the Sabbath, who watches a lot of television, and no doubt much other personal information that could be cleverly gleaned. Congress specified that carriers must protect information that relates to, among other things, “the quantity…and amount of use of a telecommunications service.”

The suggestion that “everyone should just use encryption” is akin to the infamous suggestion by President Reagan’s interior secretary in 1987 that instead of asking for regulations to address ozone depletion and heightened levels of dangerous ultraviolet radiation, people should just wear hats, sunglasses and sun creams to protect themselves. Of course doing so can be a good idea, but it was sensible government action that has largely solved the ozone depletion problem.

“Unfair or deceptive”
Another industry argument is that the FTC already regulates privacy of internet companies, and so we should let them do it for the sake of “consistency,” and the FCC should not enforce the law. (The industry sent a letter to the FCC making this argument, followed up by a more detailed proposal along the same lines). As the letter states,

We believe it is important to maintain a consistent privacy framework for the Internet. Such an approach will protect consumers and avoid entity-based regulation that would create consumer confusion and stifle innovation. Consumers expect their data will be subject to consistent privacy standards based upon the sensitivity of the information and how it is used regardless of which entity in the Internet ecosystem uses that data.

“You are using that thinner, cheaper fencing over there,” argues the fox to the farmer, “so for consistency’s sake you should also use it around the henhouse. The hens expect consistent fencing. No need for that strong protective fence here.”

The FTC actually has very limited statutory authority to enforce adequate privacy standards. Indeed, we have called for Congress to give them such authority so that they might function like the independent privacy commissioners that most other advanced-industrial democracies possess. The FTC’s primary authority is its mandate to enforce Congress’s prohibition on “unfair or deceptive acts or practices.” What this means for privacy is that a company can’t say it’s doing one thing, yet do another. But if the company tells its customers that their privacy will be completely stripped bare, then the FTC has little authority to act based on the substantial privacy invasions. Meanwhile, as everybody knows, a wide array of online companies, including an entire ecosystem of shady advertising companies operating largely invisibly to consumers, are engaging in vast invasions of Americans’ privacy on a daily basis, and there’s little the FTC can do about it because their regulatory approach is based on a “notice and choice” regime that is widely recognized as inadequate.

It is true that some scholars have argued that the FTC is creating an emerging “common law” of privacy that constitutes the “foundations” for a “robust privacy regulatory regime.” But the telecom industry does not want regulation to be left to the FTC because that agency’s regime is so robust, but precisely because it is not. Indeed, the industry seems to want regulation specifically limited to the FTC’s limited “unfair or deceptive” mandate:

To achieve parity across the Internet ecosystem, any FCC framework for Internet service providers should be reflective of the deception and unfairness standard, consistent with the existing protections consumers receive when they engage with other companies in the Internet ecosystem.

Broadband providers—companies that provide internet connectivity— want to lump themselves together with companies that use the internet to provide services. They want to be subject to the same light regulatory regime as the online services, and to have credibility when they cry that proper common carrier rules constitute “regulating the internet!” There is a fundamental difference between internet services and destinations that people choose to use online, and can abandon, and the internet infrastructure itself. There are many invasions of privacy online, but the situation will get far worse if such invasions get baked into the very structure of the internet.