Congress Gives the FCC a Privacy Mulligan
President Trump signed the Congressional Review Act resolution voiding the Obama FCC’s privacy regulations and directing the agency to try again. Contrary to what you may have read, the CRA doesn’t signal some durable new status quo that enables ISPs to rape and pillage your browsing history for fun and profit.
That belief is so widespread that hapless suckers have donated nearly $300,000 to two different GoFundMe campaigns that promise to buy and publish web surfing histories of members of Congress who voted for the resolution. These campaigns are scams because the information is not for sale, never has been for sale, and never will be for sale. Even the trolliest of the Internet’s policy bloggers are saying so. GoFundMe should shut down these campaigns and return the money.
A Firestorm of Delusion
It’s not hard to figure out why credulous people have been so eager to set money on fire. They’ve read that ISPs are gatekeepers to the Internet with special powers to see everything we do online. And that’s mainstream media; advocates are saying they track your every move online and sell that information to the highest bidder, that we’ll never have any privacy ever again as long as we live because ISPs are free to sell browsing history and other sensitive data without consumer consent.
Gee, that sounds pretty bad. But what really happened, you ask. Not that much really. Congress simply voided a single regulation:
“Resolved … That Congress disapproves the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (81 Fed. Reg. 87274 (December 2, 2016)), and such rule shall have no force or effect.
The FCC will now draft a replacement regulation only constrained by the law and the requirement that it’s not substantially similar to the old regulation. The new rules will harmonize the FCC’s approach to privacy with the FTC privacy framework. The FTC approach governed ISPs until February, 2015 as a matter of law and has continued to apply as a matter of promise since then.
Internet privacy has been an active issue for ten years, so it’s rather surprising that the mainstream press is still so confused about it. Certainly the FCC beat reporters understand the finer points. The problem that has emerged in the last couple of weeks is editorial boards weighing in on the issue without a lick of comprehension. It appears that the editorial writers are listening to the advocates rather than the beat writers.
The New York Times is Watching You
Editorial writers cover a range of topics, so we don’t really expect them to be experts. Still, it’s disappointing to read the New York Times say things as ridiculous as this:
Telecom companies know a lot about what people do online because they are the gatekeepers through which people connect to the internet. And as people link household devices like thermostats, light bulbs and security cameras to the internet, these companies will have even more intimate knowledge about their customers. By comparison, people can more easily evade tracking by businesses like Google and Facebook by not using those services or by deleting the cookies those websites leave on their computers and phones.
This gives ISPs more power than they really have and at the same time gives Google and Facebook much less. While each ISP is a “gatekeeper” to the set of Internet users it serves at any particular time, most don’t even have full-time jobs: they work for us at home, or in the car, or at work, or at the coffee shop. And most of the knowledge they have is unusable because 70% of Internet traffic is encrypted. Home networks are typically beyond their scope unless we use the actual gateway devices they offer.
The New York Times claim that we can choose not to use Google’s and Facebook’s services is nonsense as well. If you read the Times, Google and Facebook know what pages you read on the Times site via their trackers. Its privacy editorial is tracked by 44 networks who set 30 cookies and Google/DoubleClick and Facebook are among them. The editorial writers don’t even know what their employer is doing.
The LA Times is REALLY Watching You
As insane as the surveillance of the NYT’s privacy editorial is, the LA Times makes the New Yorkers look like slackers. Their editorial has a better grasp of the underlying facts, but errs in insisting that Congress should be involved in detailed definition of what’s sensitive data and what’s not:
If the problem is unequal regulation, one solution would have been for Congress to give the FTC the power to regulate the privacy practices of all businesses online, from broadband providers to Facebook game developers. That wouldn’t be ideal, given the FTC’s permissive approach to data about consumers’ browsing habits and mobile app usage. But at least the rule would be applied comprehensively.
Republicans aren’t heading in that direction, however. In fact, even as they hold up the FTC as the model for online privacy protection, they’ve been trying to weaken the agency’s power to crack down on bad privacy practices online. Their cavalier attitude about privacy puts them at odds with their constituents, who have consistently told pollsters that they are deeply worried about their privacy online. President Trump should listen to the grass roots on this one and veto SJ Res 34.
OK, reasonable people can argue, but the feigned concern for consumer privacy is shattered by the tracking choices the paper makes every day.
LAT ran an op-ed by the Democratic FCC and FTC commissioners that was tracked by 128 networks who set 199 cookies. Of all the websites I’ve examined with Ghostery, nobody comes even close to the Los Angeles Times. To practice that level of tracking while demanding a more tracker-free Internet is simply breathtaking. It’s really easy: simply tell two thirds of your tracker networks to take a hike and you don’t be much worse than a seedy troll blog, LAT.
We’re a Long Way from Reasonable Discourse
Internet behavioral data is collected from websites and stored in both cookies and centralized databases. Cookies are relatively ephemeral, but they’re not secure because they can be accessed by viruses. That’s technically a vulnerability, but the information in cookies isn’t particularly damaging because it tends to be encrypted.
The databases are where the heavy lifting goes on. Firms with big processing capability assemble histories and mine them for advertising opportunities. That’s not particularly damaging either because it’s ultimately used for nothing more nefarious than offering us coupons.
Things only get weird when these databases are hacked by intelligence services and criminals who want to steal our identities or blackmail us to work against our neighbors. So the regulations we need for Internet privacy should deal more with protecting collected information than with limiting what can be collected and how long it’s retained.
“Don’t collect what you can’t protect” seems like a reasonable approach. Given that the current discourse is all about collection, we probably won’t have the conversation we need to have for a long time.
And in the meantime we’re going to hear nothing but nonsense about gatekeepers, “sensitive” browsing histories, and how hard it is to switch ISPs (as if we don’t do that several times more often than we switch social networks and search providers; like several times a day.)