Privacy and the Internet: What the FCC Doesn’t Get
If you want to get totally confused about the nature of the Internet, you can’t do any better than to listen to and believe FCC Chairman Tom Wheeler’s remarks in last week’s Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing on Internet privacy. Wheeler has a curious view of technology for a regulator: He insists that every new thing is really old.
While you may believe that the Internet is a fabulous advance over all previous forms of communication – common knowledge in the tech community – Wheeler maintains that it’s nothing more than a somewhat improved telephone network. He argued before the committee that Internet Service Providers are offering a service that’s not fundamentally different than the service offered by Public Switched Telephone Network Service (PSTN) providers.
Network Structure and Privacy Regulations
This belief underlies Wheeler’s desire to to impose the Customer Proprietary Network Information (CPNI) rules developed for the PSTN onto ISPs. As Wheeler put it, ISPs can put together packages of information about the sites and pages users visit “which should not be sold by the network. The network is just taking you to get that information. They don’t have the right to turn around and say: “Hey, I’ve got the information on who’s got cancer!” That’s wrong. They can’t do it today with a phone call. They shouldn’t be able to do it on the Internet.”
By way of background, Wheeler believes that ISPs can learn who has prostate cancer by monitoring visits to WebMD, an unencrypted web site that peddles medical information of dubious accuracy. [For some reason no one lobbying for ISP privacy regulations ever uses the example of the Mayo Clinic, an encrypted site that’s much more accurate.]
“Choice” is a Red Herring
Wheeler also invoked the “choice” red herring, arguing that consumers have no choice but to use whichever ISP they use, while they have tremendous choice in terms of search services and web sites. But this is trying to have it both ways: If I can choose to visit Mayo Clinic instead of WebMD, I prevent my ISP from knowing which medical topics I’m interested in. But if choose to visit the dubious WebMD instead, it’s open season for the ISP to harvest away. So my choice of web sites has more significance to the marketing of personal information about my medical curiosities than my choice of ISPs does. But I digress.
I’d like to recommend some reading matter for the Chairman on the differences between the Internet and the PSTN. The Internet Society (ISOC, the organization responsible for Internet standards) published a short paper in 2012 titled The Internet and the Public Switched Telephone Network: Disparities, Differences, and Distinctions that lays them bare.
What Makes the Internet Special
Fundamentally, the PSTN is a voice network that connects people to people through handsets that have no capability for processing information. The telephone handset is simply a microphone and a speaker, and all the processing machinery that’s required to transport conversations is buried inside the PSTN. While the Internet is a distributed system, the PSTN is a monolith.
Consequently, there’s a huge difference between the Internet and the PSTN with respect to the creation and operation of network services. As the ISOC paper puts it:
Supports innovation without requiring permission (by anyone)
Internet: Any person or organization can set up a new service that adheres to open and collaborative standards, and make it available to the rest of the Internet, without requiring special permission. The best example of this is the World Wide Web – which was created by a researcher in Switzerland, who made his software available for others to run, and the rest, as they say, is history.
PSTN: Only telecoms companies can define and deploy new services within their networks.
Consequently, there’s a difference between what Internet carriers know about what we do on the Internet and what PSTN carriers know about what we did on the telephone network for a very basic reason. The PSTN carrier is indistinguishable from the PSTN service provider because only the carrier can create a service. But the Internet allows anyone to create a service because Internet services are distinct from Internet carriage. The Internet takes apart the PSTN and rebuilds it partially on carriers and partially on service providers at the edge.
ISOC explains that the PSTN is a hierarchical, centralized, and highly regulated network while the Internet is decentralized, modular, and lightly unregulated one. This is a question of accessibility. The paper says:
Internet: It’s possible to connect to it, build new parts of it, and study it overall: Anyone can “get on” the Internet – not just to consume services, but also to contribute applications and services, and attach new networks.
PSTN: Limited to licensed telecoms providers, and restricted by technical complexity, as well as through geographic boundaries of regulatory regimes.
So if we believe that the Internet is just another communication network that in essence does what the PSTN did for us (only better), we have to admit that the functions of the old PSTN are no longer limited to the ISP. The Internet’s innovation is the separation of carriage and service. So if we want to apply to the CPNI rules to the Internet, we would need to apply them both to carriage providers – ISPs – and to service providers such as Google, Netflix, and WebMD.
This is because it takes the combination of carriers and services to make a network, and in today’s world some of the functions of the old network are provided by services that anyone can create. But Wheeler doesn’t get this. In his analysis, the ISP provides a service that does everything that PSTN carriers did, and the service providers are no different from people speaking into handsets.
Faulty Analysis Leads to Bad Regulation
So he wants to impose CPNI on the ISPs while giving web services a free pass to do whatever they want. This inconsistency – and its apparent basis in a failure to understand the nature of the Internet – is the basis of the controversy over applying more restrictive privacy rules to carriers than to service providers.
Embracing a faulty theory of what the Internet is and how it stands in history relative to the PSTN leads to faulty analysis of privacy risks. In Wheeler’s view, the entity best positioned to track users around the Internet is the carrier, but this belief is shattered by the increasing use of encrypted communications. ISPs can learn very little from my visits to Mayo Clinic’s site, but advertisers can learn a lot about my web visits to any site that posts their ads. This is because websites provide advertisers with identifiers about who and where I am each time I download their ads.
It’s Good to Be a Browser
But the best place to be in the Internet to track users is in the browser. The browser deals in clear text and can track and record all my activity without even needing to pay for a computer to track me: I give them access to my computer and they use it take me where I want to go, when I want to go there.
The browser knows if I read the pages I visit because it sees me scrolling and tracks my mouse clicks. It knows when I forward links to the pages I read to others. And it knows which paragraphs I re-read. The browser “is just taking you to get that information” and it knows more about what you’re doing than the network operator does.
Does the browser “have the right to turn around and say ‘Hey, I’ve got the information on who’s got cancer!’”? It seems to me that a browser maker whose business model is based on selling this kind of information is in the same boat as a carrier who does it, not that any do.
Conclusion: Wheeler Doesn’t Get the Internet
So the most charitable analysis of Chairman Wheeler’s many inconsistencies is they all betray the same misunderstanding about the nature of the Internet.
And by the way, prostate cancer is no big deal for old men like the chairman and myself. My healthcare provider stops testing men for prostate cancer at age 65 because it doesn’t matter. Any man who lives long enough will develop a slow-growing prostate cancer, but it’s not going to kill us. The fast-growing prostate cancers than younger men get are a whole different story, and they bear swift and immediate medical attention. And no, smoking pot and drinking smoothies won’t make them go away.
So even if the chairman of the FCC insists on distorting the Internet, he needs to come up with better examples of privacy freakouts than old men looking up prostate cancer on WebMD. But he really needs to have an engineer explain the notions of decentralization and modularity to him before he wrecks an important part of the Internet with improper regulation.
I’m a technologist who has been writing TCP applications for 31 years. Really. Wheeler is more right protecting users than you are. In absence of HTTPS, the ISPs do have the ability to track/sell just as Wheeler describes, in ways that shouldn’t be allowed. Regular people DO use WebMD instead of Mayo. I’ll cheer when universal HTTPS makes this moot, but until it does, it’s a viable and reasonable regulation.
Wheeler ignores the fact that the browser, OS, and Google know much more about what you do online than an ISP ever can. It’s the inconsistency that bothers me.
I can run my browser in ‘private’ or ‘incognito’ mode, and I can use duckduckgo instead of google. I don’t have ‘share info with my vendor’ set on the OS. If they peek after that, I can probably sue them. I can’t reasonably change my ISP. You are wanting perfection in an imperfect world, and the ISPs are a place where the FCC can (and should) provide reasonable regulation. If the ISP does deep packet inspection and I’m not encrypted with TLS (or TOR), I am out of luck and options. Restricting ISPs ability to exploit this access provides benefit for the 99% users who aren’t savvy enough to work around privacy leakage.
Running your browser in incognito doesn’t hide a great deal of information, and hides nothing from the browser itself. Similarly, you can prevent the OS from sharing information with others but not with using it itself. You certainly can change your ISP, and you probably switch ISPs several times a day: at home, at work, in the coffee shop, over the cell network, etc.
Most, if not all, of the information the ISP has about you is held by others as well. All who have common data should be bound by common rules.
Isn’t that fair?
If my browser or OS have been infiltrated, I’m doomed in any event. That’s not a regulatory concern. I have very little control of the ISP at my home, or with my phone, and they are (and should be) subject to Title II regulation. They are a choke point that have better views of my traffic than any other single points. While others may have “much” of the information, the ISP has all of the endpoints involved, and all of the non-encrypted traffic.
The FCC in particular doesn’t have power over anything but the means of transmission, and I don’t see why the FCC chair should be particularly concerned about things not under his remit. The FTC is probably the best vehicle for site regulation if we want to go there.
“Fairness” has little to do with the issues. Practicality has a great deal. The FCC has existing authority to work the ISP issues and nothing more. Reaching a consensus on broader regulatory environment is likely to be very much harder than using that which is already authorized.
It’s not so much a matter of infiltration as the motivations and business model of the firm that created your browser. The browser is, of course, a choke point in its own right, and it has a better view of the web than the ISP does. Best of all, the browser sees unencrypted data all the time.
As far as the legal questions go, it seems to me that the FCC has the ability to harmonize its regulations with those that the FTC imposes on the rest of the Internet. And yes, fairness does matter unless you have an irrational hatred of your ISP and an equally irrational love for the advertising networks.
“you certainly can change your ISP” hahahahahahah. Good one Mr. Bennett.
I switch ISPs several times a day, but I switch social networks…never. Is your experience different from the norm?
“You certainly can change your ISP, and you probably switch ISPs several times a day: at home, at work, in the coffee shop, over the cell network, etc.”
These are two different things.
I am talking about the first part. No you can’t easily change who your ISP is. If we could, then 95% of the problems we are raging over with the FCC would be non existent because the competitive market would fix that. But there is no competitive market, as we discussed.
5G will make the market for last-mile residential broadband a lot more competitive. That’s the thing about tech, the status quo doesn’t last that long.
It would be best to offer some of your own words when sharing a link, Disqus sees you as a spammer when you don’t.
You may be interested in discussions around Chrome’s leakage while in incognito mode. “GPUs don’t respect process boundaries – physical memory is NOT zeroed when it is passed to a new process. When you close an incognito window, all GPU assets (framebuffer, textures, etc) are left sitting in VRAM. Later, another application can create a new buffer on the GPU and find it filled with the previous incognito window contents.”