Reply Comments on FCC Privacy

I filed reply comments with the FCC in the broadband privacy proceeding to make a single point: ISPs don’t have the NSA-like powers of code-breaking and aggregation that the NRPM attributes to them. The NPRM’s primary factual claim is that ISPs “are in a position to obtain vast amounts of personal and proprietary information about their customers.” This has to mean that ISPs can see more personal data than edge services can because the NPRM proposes to impose an opt-in regime on ISPs for the same data that edge services can collect on an opt-out basis. So the FCC argues it can’t forbear from opt-in without unreasonably compromising user security.

The “special position” claim in the privacy NPRM comes from the Open Internet order, which takes it from a comment filed by human rights NGO Access. The comment by Access is quite remarkably wrong:

To implement traffic management, ISPs often use tools with highly invasive capacities that can execute blocking, shaping, or filtering of data for unlawful political, social, and commercial purposes. These tools include deep packet inspection (DPI) technology. DPI allows ISPs – and anyone tapped into their networks – to identify and filter content while it traverses the internet, and make a copy of the traffic. DPI is the go-to mechanism governments across the world employ to invade user privacy and censor communications and content with staggering breadth and depth. In 2006, AT&T and the NSA were caught using DPI-capable technology in San Francisco to sort through all traffic flowing through a major switching station, in order to pick out specific messages based on targets like an e-mail address. Left unregulated, under paid priority schemes, ISPs will be incentivized to increase use of DPI to scour internet traffic in search of content to prioritize or degrade, down to the level of individual subscribers.

So in essence Access claims that ISPs have NSA power and must be highly regulated lest we lose all semblance of privacy and security. In the OIO, these concerns motivated a ban on the hypothetical practice of paid prioritization, and in the privacy context they motivate opt-in.

But what policy choice do you have to make if the facts don’t support the claim that ISPs have NSA powers? It would seem to me that the FCC is clearly right about one thing: the degree of regulatory heavy-handedness should be proportional to the power wielded by the regulated firm. And when we assess that power we have to consider what’s practical as well as the incentives driving the firm. The FCC certainly appears to do this when it discusses incentives and capabilities, but in this case (as in the OIO), the agency’s assessment is simply wrong.

The NSA spy program Access brings to the attention of the FCC was known as Stellar Wind. This program involved the NSA collecting packet streams from several ISPs – AT&T and Verizon were named – but the data collection was primarily from their transit business, not their residential ISP business. The ISPs didn’t use any DPI to find email for the NSA, they simply dumped whatever they were carrying and let the NSA decrypt it and sort it out. The scary thing about Stellar Wind is that it gave the NSA access to something like 85% of of North American Internet traffic. To put it in simple terms, it was the aggregation of data combined with the code-breaking that allowed NSA to find email.

ISPs are not in the same position in relation to the Internet as the NSA was while the Stellar Wind program was in effect. In reality, the vantage point that ISPs really have is inferior to that of the large edge services. Here’s how I explain this in my FCC comments:

The reality of the Internet is that each edge service or application has the unfettered ability to see the data it exchanges with each of its customers. Google, Facebook, Amazon, and Netflix see customer-generated messages in plain text, after decryption. Similarly, these firms have unfettered access to the information they send to their customers before encrypting it.

There is a gap in the edge view of the Internet insofar as each edge service only sees information from its own customers. But this gap is reduced for advertising networks that are able to populate third party pages with ads. When an edge service operates both its own application and an advertising network – as many do – the gap becomes extremely small.

The ISP also has a limited view of the Internet for three reasons:

  1. Each ISP can only see information generated or received by its own customers;
  2. Most of this customer data handled by the ISP is encrypted; and
  3. The data the ISP can see is devoid of context.

The first limitation is shared by ISPs, edge services, and advertising networks insofar as each can only view data exchanges involving its own customers. But this factor argues for regulating ISPs less heavily than the large edge and ad companies because the number of users each ISP has is much smaller than the corresponding number in the edge and ad space. The largest wireline ISP, Comcast, has 23 million customers. Netflix has 81 million customers worldwide; Amazon had 244 million users in 2014; Facebook has 1.59 billion customers; Google has seven different services with over a billion users each. There is no dearth of advertising-relevant data for edge services to capture and use. For ISPs to catch up in terms of user counts, each would need to grow by one to two orders of magnitude, signing up more Internet users than the planet contains.

I don’t argue that the large edge services should be regulated more strictly; the FTC has struck the right balance. But I do argue that ISPs and edge services should be on a level playing field (and would be if the FCC had its facts straight):

Like the game of Telephone, the facts of Stellar Wind are distorted by the Hepting/EFF lawsuit, further twisted by the Wired article, misrepresented by Access, misconstrued by the FCC’s Open Internet Order and confused again by the FCC’s Privacy NPRM. ISPs do not have the surveillance advantage over edge services and advertising networks the NPRM attributes to them.

Consequently, the privacy NPRM lacks a coherent factual foundation for the claim that ISPs must be regulated differently than edge services because of their unique vantage point in the Internet.

In reality, edge services, browsers, operating systems, advertising networks, and transit networks all have better and more comprehensive knowledge of user interactions with edge services than ordinary ISPs do. As this is the case, the FCC’s decision to impose Section 222 with a new set of rules deeply at odds with the FTC Privacy Framework is irrational.

The more prudent course is to forbear from imposing the Section 222 opt-in provision on Internet service providers and to generally harmonize ISP privacy regulations with the FTC framework. Opt-in is appropriate for sensitive information but not for generic interactions.

Will the FCC see the light and choose a less discriminatory approach? I’m hopeful, but they probably won’t.