Solving the Privacy Problem

As we inch toward the FCC’s October 27th Open Meeting that will decide the fates of video streaming and Internet advertising markets, speculation abounds about Chairman Wheeler’s course. In a more perfect world we’d have the texts of both orders in hand, but we live in this one, where all we have is this sketchy “fact sheet.”

Privacy Order Speculation

Brian Fung speculates that the advertising, um, privacy order will permit ISPs to track IP addresses but not browsing histories:

The vote could finalize a proposal that would force Internet providers, such as Verizon or Comcast, to get consumers’ explicit consent before using or sharing personal data such as their Web browsing history, app usage history, geolocation information and the content of their emails and online messages.

This approach would not be terribly consistent with the FTC approach that requires opt-in only for sensitive information such as health conditions and personal location. Browsing history isn’t inherently sensitive, nor is it unique knowledge of ISPs since the sites know it as well. All of this information is available to browsers, operating systems, and home routers as well, so keeping it out of the hands of ISPs doesn’t actually preserve anyone’s anonymity.

Fung touts the fact that ISPs will be able to continue some programs they’ve already suspended:

Notably, the proposal does not seek to ban Internet providers’ offering of a discount to consumers in exchange for their personal data, as companies such as AT&T have done (until recently).

But that’s not much of a plus except on mobile networks, where it’s not really a practice anyhow.

Battling Op-Eds: Pallone

House Energy and Commerce Ranking Member Pallone urged the FCC to enact strict privacy controls in a Huffington Post blog on consumer attitudes and uncertainties:

The optimal solution would be to adopt strong privacy rules for both ISPs and websites, but unfortunately, this is easier said than done. Today, the FCC can adopt rules of the road to protect people’s privacy only when it comes to ISPs. Websites, on the other hand, are overseen by the Federal Trade Commission (FTC). Unlike the FCC, the FTC must follow an arduous process that makes it virtually impossible to adopt similar rules. Moreover, a recent court decision has thrown the legal landscape into chaos by potentially undermining the FTC’s already limited ability to protect consumers without the FCC’s help.

This is terribly inconsistent because only Congress can remedy the inconsistencies resulting from the Ninth Circuit’s order. And even worse, “strong privacy rules” are horrible for the advertising markets that support the web, so the post isn’t helpful.

Battling Op-Eds: Waxman

Former Chairman Waxman gets to the heart of the issue in his The Hill op-ed:

This disparate treatment could result in tangible competitive and consumer harm.  An ISP might find it practically impossible to market its own digital services to existing customers because of new restrictions, while non-ISP service providers are permitted to do so without any constraint. This is especially problematic given a recent survey by the Progressive Policy Institute finding that over 90 percent of online users expect their data to be treated the same by different parties across the Internet. That survey also found that by a seven-to-one margin, consumers believe their online privacy should be protected based on the sensitivity of their online data rather than by the type of Internet company that uses their data.

Consumers endorse the FTC approach, where protection depends on the data, not on who collects it.

The Pew Survey

Advocates of strong privacy controls over ISPs but weak ones for web services like to cite the Sept. 21st Pew Research survey on privacy. This part is most commonly mentioned:

Some 74% say it is “very important” to them that they be in control of who can get information about them, and 65% say it is “very important” to them to control what information is collected about them. Personal control matters a lot to people. If the traditional American view of privacy is the “right to be left alone,” the 21st-century refinement of that idea is the right to control their identity and information. They understand that modern life won’t allow them to be “left alone” and untracked, but they do want to have a say in how their personal information is used.

But what does that mean? My guess is that we’re OK with reputable firms collecting and selling some of our info, but not with fly-by-night operators. But who remembers all the privacy agreements we’ve accepted without reading them because we were eager for some content? I certainly don’t.

Privacy Managers

It’s common these days for people to use password managers to keep track of login credentials for all the sites we visit. If you use one, you only have to remember one password and despite having unique passwords for all the sites you visit that no one can guess. These tools are popular because the information they protect is sensitive: credit card numbers and shopping history.

Given that password managers are widely used, why don’t we also have “privacy managers” to keep track of the privacy agreements we’ve accepted and maybe even to read them for tricky conditions? The program could even rate them for us. It seems common sense that we get apps for things that are broadly important to us.

So maybe the solution to the FCC’s privacy dilemma is to enact some standards that would actually make it easier for consumers to make those privacy choices that we want to make for all the sites we visit. That’s where the problem lies, after all.

A Standards-Based Solution

The kind of standards I have in mind are machine readable privacy agreements in a standard format and automatic reminders of the agreements we’ve accepted. That sort of rule could be applied across the board to ISPs and web sites alike and be genuinely empowering.

But it will take an act of Congress – or cooperation between the FCC and the FTC – to operationalize. So why don’t we do that?