Fact-Checking Commissioner Statements on Privacy NPRM

In the process of writing comments for the FCC’s privacy NPRM (Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106) I made the mistake of reading the attached statements of the commissioners and chairman. While these statements are not formal parts of the NPRM itself, they do provide some insight into the way they see the issues. The chairman’s statement in particular is interesting because it explains the motivation for some of the more dubious portions of the NPRM itself. So let’s take a look at the statements to see what issues are important to the FCC’s leadership. I’ll do this in reverse order.

O’Rielly Statement Stresses the Law

Commissioner O’Rielly’s statement is a comprehensive critique of the NPRM’s legal reasoning, and it’s a doozy. He points directly to the elephant in the room, the fact that his NPRM would be neither necessary nor lawful without the agency’s reclassification of ISP service as a telecommunication service rather than an information service. When ISPs were judged as providers of both information and telecommunication, it was possible to regulate their privacy practices in the same way that those of the top advertisers are, under FTC regulations and processes. Despite the reclassification (an error, in my view) decision, it’s still possible to regulate ISP service as part telecom and part information service. But the NPRM doesn’t do that.

Rather, the NPRM attempts to stretch the Commission’s Section 222 authority to cover everything ISPs do, including information service. O’Rielly is particularly concerned about the use of 222(a) to shoehorn ISPs’ non-telecom square peg activities into the round hole of strict privacy:

This make-believe authority in section 222(a) could cover some of the same information that the

Notice proposes to include as CPNI, as well as things like shopping records, biometric information, and information identifying personally owned property. In a footnote, the Notice acknowledges that broadband providers may not even collect such information. But this is not the first instance where this agency has engaged in regulation by speculation, and I’m sure it won’t be the last, despite how insulting and deplorable it is for a regulatory agency to be so clueless just as it prepares to impose new burdens on U.S. industry and consumers. The ignorance is stunning and raises serious questions about the competency of the Commission’s expertise in other, more justifiable areas.

Strong language, but factually correct. ISPs don’t collect shopping records, biometric information, and information identifying personally owned property today, nor are they likely to do so in the future because the transactions that relate to this kind of information are encrypted and always have been. So the NPRM engages in some fear-mongering to justify regulatory overreach.

O’Rielly also points out that the NPRM attempts to give the FCC authority over aggregated usage and customer information:

Section 222(c)(3) makes clear that carriers “may use, disclose, or permit access to aggregate customer information.” The only condition on aggregate customer information is that it must be provided to other carriers or persons on reasonable and nondiscriminatory terms or conditions upon reasonable request, and that condition was included to address competitive concerns, not privacy. Therefore, the FCC has no authority to impose additional conditions on aggregate customer information, and certainly not ones related to privacy.

This allegation is also true, and is the stuff of which lawsuits are made and won. You have to wonder why the agency persists in violating the plain language of the act under which it operates when such violations are routinely reversed by the courts.

Most significantly, O’Rielly points to the important role advertising plays in paying for the web experience:

Finally, I must raise a reality check about how ISPs may use the collected information. Unlike governmental entities using the information to potentially threaten and undo the freedom of individuals, the high crime and misdemeanor at issue here is the ultimate desire of some to want to market a commercial product to others. Simply put, they may want to try to sell you something that you would actually enjoy purchasing. It is as if we all forgot how the Internet economy actually works today. There is a trade-off—consumers receive “free” stuff offered by Internet companies while in return the companies receive other things, such as data to place targeted ads, that consumers may or may not want but, at the same time, may be completely comfortable with in the context of the overall package. Heightening the limitations on the use of information, as contemplated by this item, will impact every other pricing component of Internet access and eventually edge providers.

This is crucial because the NPRM isn’t really about privacy as much as it’s about restructuring the marketplace for Internet ads. The NPRM does nothing to protect personal privacy but it does a lot to prevent competition between ISPs and incumbent advertising networks. Internet advertisers will know just as much about you tomorrow as they know about you today if this NPRM passes.

Pai’s Statement is Brilliant

As one would expect, Commissioner Pai’s statement is both insightful and entertaining. He gets straight to the point:

For many years, the United States embraced a technology-neutral framework for online privacy. The Federal Trade Commission applied a unified approach to all online actors. That framework allowed the FTC to carry out “more than 150 privacy and data security enforcement actions, including actions against ISPs and against some of the biggest companies in the Internet ecosystem.” And that’s the same framework that the United States government has told the European Union is sufficiently robust to protect online consumers against predatory privacy practices.

The FCC tore apart that unified framework 13 months ago when it reclassified broadband as a public utility. So I agree with my colleagues that we do need to act, to refill the deep hole in privacy protections dug by the Commission.

What’s the best way to refill it? I can’t put it any better than Chairman Wheeler did, testifying before the House Energy and Commerce Committee’s Subcommittee on Communications and Technology in November 2015: Because consumers deserve “a uniform expectation of privacy,” the FCC “will not be regulating the edge providers differently” from Internet service providers (ISPs).

When it comes to privacy, the principle of parity makes sense. As the FTC concluded years before being evicted from this space, “any privacy framework should be technology neutral” because “ISPs are just one type of large platform provider” and “operating systems and browsers may be in a position to track all, or virtually all, of a consumer’s online activity to create highly detailed profiles.”

Pai is right: The very limited information ISPs have about our web surfing habits that other firms don’t have has no real commercial value: they know the MAC address and vendor of our home routers, they know how our accounts are set up (with them) and they know when our accounts are not active. But they don’t know which activities are performed by which people in our homes and offices, which account names we use on various sites, which purchases we make, which video titles we view, and what search terms we use at Google. So ISPs can’t be the demons of privacy violation even if they want to, because that job is already taken.

Pai destroys the central premise of the NPRM with headlines:

To paraphrase the Notice, online operators “have the commercial motivation to use and share extensive and personal information about their customers.” Any review of recent headlines makes this obvious. “Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped.” “Hidden iPhone feature tracks your every move.” “Facebook’s ad platform now guesses at your race based on your behavior.” “Google is spying on K–12 students, privacy advocates warn.” “Your Samsung TV is eavesdropping on your private conversations.” “Why is Netflix cracking down on essential privacy tools?” “Yahoo escalates the war on ad-blockers – by keeping people out of their own e-mail.”

Devastating.

So why does the NPRM persist in its folly? Politics:

Despite this digital reality, the FCC targets ISPs and only ISPs for regulation. Legal constraints can’t be the reason. In The National Broadband Plan of 2010 and in broadband deployment reports issued since, the FCC has concluded that “privacy concerns can serve as a barrier to the adoption and utilization of broadband.” And under the expansive reading of the Telecommunications Act and “virtuous cycle” theory of legal authority ascribed to by those voting for today’s Notice—a reading I do not support, to be clear—the FCC can take practically any action necessary to break down those barriers. Remember, too, that this agency hasn’t been shy about pushing legal boundaries; its deliberate indifference to the law in other contexts has been repeatedly rebuked by the courts and sharply rejected by members of both parties in Congress during the last month alone. So creating a disparate privacy regime is not the product of legal restraints. It is simply a political choice.

Pai ends by pointing out the fact that the NPRM indulges in corporate favoritism, which is hard not to accept.

Commissioner Rosenworcel is Circumspect

The Democratic commissioner statements are shorter than the Republican ones, but they’re still critical of the Chairman’s approach. While they can’t bluntly disagree – that would be uncomfortable – they do register reservations. Rosenworcel points out that the marketplace for advertising data is much larger than the NPRM admits:

First, connection is no longer merely convenient. We live in an always-on world. Our commercial and civic lives are migrating to online platforms with ferocious force and speed. The opportunity to opt out of this new digital age is limited. Its advances are too bountiful, they save us time and money, and they inform all aspects of modern life.

Second, the number of parties participating in our digital age connections and transactions has multiplied exponentially. It used to be that the lone communications relationship was between a customer and his or her carrier. No more. Today you can dial a call, write an e-mail, post an update to a social network, read a news site, store your family photographs in the cloud, and you should assume that service providers, advertising networks, and companies specializing in analytics have access to your personal information—and lots of it, for a long time. Our digital footprints are hardly in sand; they are effectively in wet cement.

Third, the monetization of data is big business. The cost of data storage has declined dramatically. The market incentives to keep our data and slice and dice it to inform economic activity are enormous. They are only going to grow.

[Emphasis added.] Consequently, there are so many parties involved in making money by selling personal information already that strictly regulating ISP data collection and storage is not going to make a tinker’s damn in terms of protecting consumer privacy. That horse has already left the barn and no amount of corporate favoritism is bringing her back.

In the end, Rosenworcel tries to put the best face on the NPRM:

Though these questions range far and wide, it is important to be clear about what this rulemaking does not do. The Section 222 privacy provisions involve carriers. They do not apply to the manufacturers of wireless phones. They do not apply to the developers of operating systems or websites.

Let’s be honest. Consumers can be confused by these distinctions. But the scope of this proceeding and Section 222 itself is limited. So I hope as we progress we think about how consumers can better understand the way their data is collected, what rules apply, and how they can protect themselves. I believe doing this well requires harmonization—within the Communications Act—and with other federal partners with privacy interests. Because in the broadband age, consumers should not have to be network engineers to understand who is collecting their data and they should not have to be lawyers to determine if their information is protected.

But note that she gives a shout out to the FTC and to the kind of technology-neutral harmonization that the Republicans champion. So this statement stops far short of a ringing endorsement of the Chairman’s bull in the china shop, scorched earth approach to protecting advertising incumbents – the exponentially multiplying players – from competition.

Commissioner Clyburn Doesn’t Rock the Boat

Commissioner Clyburn stood up to the chairman on Lifeline, only to be smacked down by Congress for dealing with the Republican commissioners. So she flies beneath the radar, offering a mostly factually challenged statement of support for the chairman’s plan:

As a consumer of [web] services, I want the ability to determine when and how my ISP uses my personal information, and I am not alone. According to a Pew Research survey, 93 percent of consumers say that being in control of who can access information about them is important, 90 percent say that controlling what information is collected about them is important and 88 percent believe it is important that they not have someone watch or listen to them without their permission.

So today’s Notice of Proposed Rulemaking is both timely and relevant. It seeks comment on proposals that would allow consumers to be in control of their information, and ensure transparency, consumer choice, data breach notifications and safeguards for security.

Of course, the Pew survey didn’t focus on ISP data collection practices, it asked about data collection as a whole, the vast majority of which does not require ISP participation. So it’s simply incorrect to take that survey as vindication for one-sided regulations that leave consumers as exposed to advertisers as they are today.

Giving consumers control over the use of the information websites collect on them may be a laudable goal – although it sounds better in speeches than it looks in practice – this NPRM does not address that issue.

The Imaginary World of Chairman Wheeler

Wheeler begins, as he usually does, with some history about the CPNI rules, claiming that they protect consumer information from misuse, which they really don’t. Consumers can consent to telephone networks selling information about their calling habits, but once they’ve done so all bets are off. So opt-in doesn’t really protect anyone any better than opt-out does. You would need to know where your calling history is sold before you can protect yourself from misuse.

The chairman throws caution to the wind in equating broadband carriers with website operators:

Section 222 of the Communications Act expressly grants the Commission the authority it has used to protect the privacy of customer information that phone companies collect. Today, with this Notice of Proposed Rulemaking or NPRM, we start down a path that will provide clear guidance to Internet Service Providers (ISPs) and their customers about how the privacy requirements of the Communications Act apply to the most significant communications technology of today: broadband Internet access service. If anything, privacy issues are even more important when consumers use broadband connections to reach the Internet. And, when consumers sign up for Internet service, they shouldn’t have to sign away their right to privacy.

In fact, consumers do sign away the right to privacy when they access the advertising-supported websites that comprise most of the Internet. This NPRM does nothing to change that, which is good. We willingly allow websites to track us because we want the services they offer, and if we didn’t have this ability the Internet would be worth very little. But the issue that this NPRM addresses is the structure of the market for advertising-relevant personal information. It doesn’t stop the exponentially multiplying market for this information and it doesn’t discipline prices or get us a better deal. In fact, it makes things worse for consumers.

Wheeler mangles the nature of choice to justify his approach:

Most of us understand that the social media we join and the websites we visit collect our personal information, and use it for advertising purposes. Seldom, however, do we stop to realize that our ISP is also collecting information about us. What’s more, we can choose not to visit a website or not to sign up for a social network, or we can choose to drop one and switch to another in milliseconds. But broadband service is different. Once we subscribe to an ISP—for our home or for our smartphone—most of us have little flexibility to change our mind or avoid that network rapidly.

This is downright hokey. If we seldom realize that ISPs collect information on us that’s because they seldom do. If they did, we would read about it all over the web as we have every time an ISP has experimented with the practice: Phorm and Nebuad were hounded out of the Internet advertising space by CDT and other advocacy groups for merely suggesting they could cooperate with ISPs to collect behavioral data.

But the biggest whopper in the paragraph above is the “ease of switching” deception. In theory, we can switch from Facebook to Google+ in one click of the mouse, but in practice we don’t. That’s because a social network is only a social network when it becomes the virtual home of the people with whom we want to socialize. So it’s really not just a matter of one person making one solitary choice, it’s an issue of hundreds of people making the choice to switch social networks at the same time. It appears that Chairman Wheeler does not have the first clue about Facebook. Similarly, while it’s easy in principle for us to switch search services, shopping services, and video streaming services, few of us do because the experience is not the same.

Secondly, the Chairman’s claim that switching ISPs is some onerous burden overlooks the fact that most of us in the US use multiple ISPs each day: a wired ISP at home, another one at work, and the wireless ISP that provides us with mobile broadband. So the claim that it’s easier to switch web services and social networks than to switch ISPs is the polar opposite of the truth. It’s actually embarrassing to all of us for an FCC Chairman to make such a ridiculous claim.

The rest of the chairman’s statement is self-congratulatory, but I hope the victory celebration is premature. It includes the following outlandish claim:

To be clear, this is not regulating what we often refer to as the edge – meaning the online applications and services that you access over the Internet, like Twitter and Uber. It is narrowly focused on the personal information collected by broadband providers as a function of providing you with broadband connectivity, not the privacy practices of the websites and other online services that you choose to visit.

While the NPRM is focused on the practices of ISPs, it is not limited to information collected as a function of providing broadband. In fact, that information would be very limited: the MAC address of your home router, the volume of data you use, and the periods when your connection is not in use.

What the NPRM actually does is impose a completely different set of regulations on information that is already collected by web services from a subset of that information that might someday be collected by ISPs if they were allowed to do so. Rather than propose a bargain of some sort for that sort of data collection, the NPRM simply bans it without an opt-in.

If the NPRM’s approach were reasonable, it would be possible for the Chairman to advocate for it truthfully, but he doesn’t make the effort. Perhaps the most disturbing part of the Chairman’s statement is its failure to realize that consumers can control the information ISPs can theoretically collect simply by using that website choice: If we’re concerned about ISPs examining our interactions with WebMD.com, an unencrypted site, we can get health information from MayoClinic.org, a site that encrypts with TLS (AKA HTTPS). TLS encryption blocks ISP visibility and the better sites use it. Mayo Clinic also provides better information than WebMD does.

So why do we need this NPRM? I’ll post my comments next time so we can examine that question. Hint: we need privacy protection, just not this kind.