FCC proposes new broadband-privacy rules — and your ISP probably hates them

Rob Pegoraro
·Contributing Editor
image

Your Internet provider wouldn’t be able to sell information gleaned from your browsing history to advertisers. And it would have to alert you promptly if it suffered a data breach that compromised your info.

Those are just some of the rules Federal Communications Commission chairman Tom Wheeler has proposed for limiting your ISP’s ability to auction off your personal information (which I recently warned you about). But a lot would need to happen before those proposals become a reality of enforceable regulations.

Wheeler’s why

Wheeler can make these proposals because last year’s reclassification of Internet providers (ISPs) as “common carriers” not only subjected them to net-neutrality rules but also put them under the same privacy regime as phone and cable companies.

The chairman is doing this because he sees an imbalance between how much data your Internet service can collect — it can see all of your unencrypted traffic plus the domain names of encrypted sites — and how little freedom you have to ditch that company if you don’t appreciate its conduct.

“Once you subscribe to an Internet service provider — for your home or for your smartphone — you have little flexibility to change your mind or avoid that network,” Wheeler wrote in a Huffington Post essay.

image

Tom Wheeler (Photo: FCC)

Firing your residential broadband provider remains a fantasy for the millions of Americans, who have only one high-speed service option at their homes. It’s considerably easier to fire your wireless service, thanks in part to moves by the FCC — such as forcing carriers to let you take your phone number with you when you switch — but also due to the death of the traditional two-year contract.

Different levels of permission

The first part of Wheeler’s proposal — as outlined in a three-page PDF — covers who gets to see the information that your Internet provider unavoidably collects each time you click on a link, type in a Web address or receive new e-mail. They include:

• Your Internet provider needs no permission to use information about your usage to provide a working connection (duh) and to sell you upgrades to it. So if you were hoping that this proposal would do away with data caps, sorry, it won’t.

• Your Internet provider can also use your data to try to sell you other “communications-related services,” and so can its affiliates — but it must let you opt out of such marketing. On a call with reporters Thursday, a senior FCC official explained that this plank would, for example, let Verizon try to get you to sign up for Verizon Wireless.

• Your Internet provider would have to get your agreement to use your data for any other purpose, most definitely including ads matched up with your browsing history.

Wheeler would also require Internet providers to protect customer data against theft or accidental exposure. If yours failed in that task and a data breach resulted, it would have to notify the FCC within seven days of learning about the breach, and notify you in another three days. Today, no such deadlines apply nationwide.

A frosty reception

This proposal, to be voted on at the FCC’s March 31 meeting, is not enormously radical or even new.

The law giving the FCC this privacy mandate just turned 20 years old, and the commission has already put it to work in its case against Verizon Wireless for that carrier’s “supercookie” tracking of customers’ unencrypted Web traffic.

But even under the new rules, Internet providers could still sell ads targeted at their customers’ Web use–they’d just have to ask upfront. As Wheeler’s Huffington Post piece said: “This isn’t about prohibition; it’s about permission.”

Verizon and AT&T, among others, didn’t wait for Wheeler’s proposal to come out before decrying new privacy rules as yet another instance of the regulatory state strangling innovation while letting Google, Facebook and the rest of the Internet market your data to their advertisers.

(Not all ISPs joined in: For example, Dane Jasper, CEO of the Bay Area’s Sonic, endorsed Wheeler’s proposal in an e-mail as “a great step forward.”)

It’s true that search engines and social networks know a lot about me. But it’s also true that I choose to give them that information in return for free services I find useful or entertaining; that I can limit or stop my use of those sites with far less effort than it would take to dump my wired or wireless provider; and that I can download my data and then delete it from their servers.

Big-name Internet providers, meanwhile, have followed another path — seen at its worst when Verizon chose to launch that supercookie program without even telling its customers about it, much less letting them decline its surveillance. If that kind of precedent doesn’t make you trust these companies to regulate themselves, the blame is all on their end.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.