Should our internet communications get less privacy protection than our phone calls? Telephone companies have not been allowed to compile and sell lists of all the parties you've called (friends, businesses, doctors, or anyone else). We don’t let phone companies transcribe the content of your conversations, perform keyword analysis, and then use or sell it. When an American calls a suicide hotline, an outreach service for gay teens, or a cancer doctor, he or she doesn't have to worry that the phone company will sell that information to others.
And why don't phone companies sell such data? It's not tradition, or politeness (that information could be worth a lot of money), or even fear of angering customers (most of whom would probably never learn of it, and if they did, might be powerless do anything about it). The reason is that they are prohibited by law from doing so. Specifically, by Section 222 of the Communications Act. That law says that “every telecommunications carrier has a duty to protect the confidentiality” of the information they get from providing service to you, such as call details, and can't just use it for any purpose they want.
This law has never applied to the internet because in 2002 the FCC, dominated by regulators who didn't want to do their job and actually regulate, and acting in the face of the plain statutory definition of the term, decided that broadband internet service providers were not “telecommunications carriers,” and that therefore they were not subject to Section 222 privacy rules that apply to such carriers (or any other part of Title II of the Communications Act).
That all changed last year, when the FCC, acting on well-founded fears that absent protection of the law carriers would violate network neutrality, reclassified broadband internet as telecommunications service subject to Title II rules governing “common carriers.” When it did that, however, it held off from immediately applying many of the provisions of Title II to broadband carriers, including the privacy protections for consumers that are contained in Section 222.
But now, word is that the FCC will soon propose a rulemaking applying these privacy rules to internet broadband services. This is a really exciting development—one that could potentially represent one of the biggest steps forward in the protection of online privacy we’ve seen in a long time.
The catch is that the broadband carriers are going to fight it. That’s why the ACLU has joined with public-interest allies in Washington to start pushing the FCC not to falter. It’s not completely clear how the provisions of Section 222, which were written broadly but with telephone service in mind, will translate to internet service, and the danger is that under corporate-driven political pressure, the commission will propose something weak.
A straightforward application of existing statutes
Broadband carriers are resisting this sensible protection for privacy, but what the industry wants is for the government not to apply the law as it’s clearly written. Applying privacy protections to internet service providers is not some exercise in creative regulation; it’s the obvious outcome of a plain reading of the law.
First, Congress has defined telecommunications services in a way that clearly covers broadband internet: “the offering of telecommunications for a fee directly to the public,” where “telecommunications” means “the transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.” Although the Bush-era FCC resisted the plain meaning of that definition, it obviously applies to broadband carriers. Indeed, that’s what the FCC acknowledged when it reclassified those carriers under Title II last year in the culmination of the network neutrality battle.
Second, under the law, telecommunications carriers are subject to Section 222, which states that “every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to…customers.” It imposes limits on what it terms “customer proprietary network information,” or CPNI, which basically means information about how you use the telecommunications service. Specifically CPNI is defined as:
information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship
It seems obvious that this would include information about how customers use the internet, including the web sites they visit, whom they communicate with, the applications they use, the amount of data they exchange, and many other kinds of information that would be a gold mine to advertisers but which internet users expect their carriers to keep private. And the law is clear that carriers are required to do so:
a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
If Verizon or Comcast (or whatever other company you may use) were not your ISP, they wouldn’t have access to this information about you; they only have it “by virtue of the carrier-customer relationship.” Unless you specifically agree otherwise, they are only allowed to use or disclose CPNI for the purpose of providing the telecom service you’re paying for.
Unfortunately, the broadband carriers have already begun to engage in the kinds of privacy invasions that Congress intended to prevent—and they appear to be hungry for more of the revenue that such invasions promises to bring them (more on that in a future post).
Internet services should be straightforward: we pay them money, they provide us with internet connections, transport our bits to and from whoever we connect to, and get out of the way. Their making money on the side by spying on our online activities should not be part of the bargain.