The Fight Begins As FCC Takes Huge New Step to Protect Privacy

The FCC voted today to propose rules that would finally apply telecommunications privacy protections to the internet. We urge adoption of these privacy protections, with clear language to ensure that consumers have meaningful control over their privacy in ways that can’t be undermined by carriers.

This long-overdue step is not only consistent with the law, it’s pretty clearly required by it. Nevertheless, the agency’s action is provoking fierce opposition (and bogus arguments) from giant broadband carriers like Verizon, Comcast, and AT&T, which don’t want the FCC to enforce the law. With today’s action the FCC’s proposal will be opened for public comment, after which the agency’s five members will vote on whether the protections will actually go into effect.

The FCC and its chairman Tom Wheeler are to be praised for taking this step, which, like the victory for network neutrality before it, promises to be a huge milestone—in this case, in the preservation and restoration of our right to communicate privately. Too often, regulatory agencies become captive to the desires of the industries they’re supposed to regulate, so it’s reassuring to see an agency resolutely press forward with its mission in the face of howls and screams from industry, which is salivating at the prospect of eavesdropping on internet communications in a way that they’ve never been allowed to do when it comes to telephone calls.

Americans have a right to a communications infrastructure that protects privacy. They may choose to use that infrastructure to do business with companies like Google and Facebook that offer free services in exchange for a certain amount of monitoring (and that monitoring is problematic in many ways), but that same privacy-invading business model must not be permitted to penetrate the very wires over which we communicate. Unlike with online services, we cannot choose to avoid broadband carriers if we want to connect to the internet. And broadband connectivity is not an ad-supported service—we pay our ISPs.

For now the question is whether the FCC will go far enough, or whether its proposal will be weakened under pressure from industry and its allies in Congress. Here’s what we’d like to see in the FCC’s final rules:

• A sufficiently broad definition of the information that is protected. As I discussed in greater detail here, the law requires companies to protect the confidentiality of “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service.” Such information is called “CPNI.” The question is how that general description will be defined in the regulations as they apply specifically to broadband internet.
• Meaningful choice. Information collected about a customer by the carriers by virtue of the service they provide—CPNI—should not be shared except with the full opt-in consent of that customer. That consent should be meaningful, i.e. truly optional and not buried in a 42-page click-through agreement written in dense legalese.
• Access. Consumers should be able to access CPNI to see what data, if any, a carrier is holding about them and their internet usage.
• Transparency. Internet carriers need to make crystal clear how they will use any information they collect about customers.
• No “Pay for privacy.” A big danger is that customers will be forced to pay for privacy protections that under the law should be their right. That may initially take the form of “special discounts” for those who agree to give up their privacy, but will quickly become equivalent to extra charges for those who wish to preserve that privacy. The result will be that the underprivileged (and disproportionately minority) population that lacks the discretionary income to devote to privacy will lose a right given to more affluent Americans. The FCC needs to include protections that prohibit carriers from forcing customers to pay extra for their privacy.
• No spying on content. Many of the rules under discussion would cover communications metadata (who and what a person is communicating with), but the FCC must also ban any eavesdropping on the content of customer communications (what a person is actually saying) under all circumstances. No customer should be allowed to agree to a discount in return for letting the phone company listen in on their phone calls, and there’s one simple reason for this: even if the customer agrees, the other people that customer is talking with have not agreed to have their calls listened to, and would have no way to know that monitoring is taking place. The same should apply to the internet: if I’m having an online chat with you, my privacy should not be violated just because you’ve made a deal with the carrier. That would be a profound violation of privacy that is not permitted in other contexts.

Discussions of these elements of privacy protection can be found in excellent white papers produced by the New America Foundation and Public Knowledge, among other places.

The good news is that most or all of these elements appear to be mentioned in the FCC’s new proposal as issues on which the commission would like to hear feedback. Now the process of submitting comments to the FCC begins—something that any American can do—to press the agency to actually include good rules that cover these important protections. More on that to come…