Internet Privacy: Just the Facts

In my last post, I reported on a press call by Senator Markey and a group of activists in support of the FCC’s Internet Privacy NPRM. I found the call extremely unhelpful because of significant factual gaps and errors in the story the activists told, but my account may not have been all that clear. So I’d like to focus on some of the specific claims the boosters made and why they aren’t factual.

The General Claim

At a high level, the promoters of the privacy NPRM claim these new regulations will protect user privacy. This can only be true if the regulated firms have information that none of the Internet’s incumbent advertising information brokers already collect and sell. The comments I filed with the FCC on the issue explain why this is not the case. The chart I made for the FCC comments shows this reasonably well.

Privacy Taxonomy

Privacy Taxonomy

In this chart, “CII” is information known to websites and advertising networks as well as to ISPs, and “CNNI” is information visible to web services but not to ISPs.

The bottom line is that advertising networks have access to more of our personal information than ISPs have because the data they see is unencrypted and extremely detailed.  So no, the NPRM is not going to prevent a single meaningful bit of information about our web surfing behavior from circulating. What it will do is limit the number of firms that can sell this information to advertisers from 12 to 2: Facebook and Google will still collect this information from the beacons and ads they place all over the web but ISPs will not be allowed to compete with them.

The Sensitivity Canard

Laura Moy, an attorney who works for the Open Technology Institute, claims that users will only be required by the FCC to give affirmative consent to ISPs to collect “sensitive information.” The FCC makes the same claim. But the FCC has decided to classify nearly every website visit and application launch as a “sensitive event.” As I explained in the previous post:

Laura Moy, an activist affiliated with the predictably pro-advertiser Open Technology Institute, regards each bit of information seen by the ISPs as “communication” that warrants strict protection, even though that very same data would be considered non-sensitive data after it’s stored in website data centers. Consequently, Moy (and the FCC) seek to enact differential sensitivity classifications depending on how a given advertising merchant comes to possess the very same information.

And as Giuseppe Macri explained in Inside Sources, the FCC considers virtually all behavior sensitive:

“Our advocacy on this issue has been that all of it is sensitive,” Moy said, describing how seemingly innocuous metadata can be compiled over a broad view (which some argue providers have, though experts dispute this point) to create a detailed profile on a subscriber.

Macri cites the Peter Swire report that carefully distinguishes what ISPs can see and what they can’t see because of encryption. In the past, privacy advocates have recommended that users and websites concerned about privacy should encrypt their data. But since they do this for most web traffic now, the story that those who claim to speak for privacy rights have simply changed their story. They now maintain that encryption has no effect since it doesn’t prevent ISPs from seeing that users visit Google and Mayo Clinic, for example, even though it does prevent them from seeing search terms and actual pages visited.

Is the fact that a web user does Google searches significant information, let alone sensitive information?

Influencing Retail Sales

Obviously not. But if a user goes to Google and then goes to a medical site and then goes to doctor’s site, it might be possible to know that the user is ill. It might also mean that the user has decided to go to the doctor for a checkup, or the user is scheduling a family member for a doctor visit, or it might mean that the user is curious about an ailment that may afflict a friend. This sequence of events is not enough to determine, say, that the user has a terminal disease and will soon be shopping for coffins and funeral plots.

But what if the user goes to Google, Mayo Clinic, and Walgreen’s? That would simply tell us the user is in the market for an over-the-counter drug and doesn’t have a serious illness.

This would be a good time to pitch drug stores to the user, but the ISP doesn’t have a monopoly on this information. Walgreen’s, Google, and Facebook would know this too, and they would also know if the user shops Walgreen’s for NyQuil while the ISP would not.

Uneven Regulation

Which parties hold the most sensitive information and which are most heavily regulated?

In the first scenario, where a doctor appointment is booked, Google knows about the booking if the user searches for the doctor’s web site by entering the doctor’s or hospital’s name in a search. Google also knows the details of the appointment if the user is on Google Calendar or Gmail. So Google will often know more than the ISP because the act of making the appointment is encrypted, as are the Calendar and Gmail use.

Google is permitted to sell this information – to offer the user up in a group of people who have gone to a doctor for treatment of the disease for which this user searched –  without restriction. The ISP can’t do that because it can’t know these details, and even it did it couldn’t because Google is governed by the FTC privacy framework and the ISP is governed by the much more strict FCC framework. So we have uneven and inconsistent regulation.

Expansive Concept of Privacy

In the second case, where the user is shopping for over-the-counter drugs, Google is freely able to sell its view of the user to advertisers without depersonalization or user permission. If the proposed regulation were consistent, the ISP would also be able to sell this shopping information, but under the FCC’s proposed rules it can’t.

The FCC considers a visit to a web site – all visits to all sites – to be sensitive information. This is clearly absurd, as members of Congress realize. This is why Ranking Member Pallone proposes to change the FTC Act so that it would apply the same standards to Google that the FCC proposes to apply to the ISPs.

Moy refuses to admit the inconsistency. This refusal is, at best, a failure of analysis. If a given fact – that a group of users has searched Walgreen’s after visiting Google and Mayo Clinic – is sensitive in the hands of one party, it is sensitive in the hands of all parties.

It’s reasonably simple to craft regulations for ISPs and Internet behavior that are consistent regardless of the status of the firm collecting and selling this information.

If the FCC examines a number of such scenarios in detail, I’m confident it can come to a sober, fair, and rational conclusion. All that it needs to do in this proceeding is to harmonize its rules with those of the FTC, taking into account the nature of the information, not the status of the data broker.

This isn’t really difficult.