A Briefing on Internet Privacy Legislation (2017)

On March 28, 2017, Congress voted to overturn Obama-era internet privacy laws that were scheduled to go into effect later this year. As one of their first orders of business under President Trump, Congress targeted the FCC rule that required Internet Service Providers (ISPs) to “protect the privacy of their customers…[ensuring] broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs (emphasis ours).”

The goal of the Obama-era legislation was to provide customers with the information and tools needed to make informed decisions about the use and sharing of personal information. In many cases, that meant having some power in restricting an ISP from collecting browsing history data and selling that information on the open market (mainly to advertisers).

In order to understand the new legislation, it is worth taking a look at how the now-repealed Obama-era regulations were structured, essentially on three tiers:

Opt-in

Internet Service Providers were “required to obtain affirmative ‘opt-in’ consent from consumers to use and share sensitive information.” Sensitive information that could not be collected or shared without a customer’s approval included “precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.”

Opt-out

ISPs “would be allowed to use and share non-sensitive information (our emphasis) unless a customer ‘opts-out.’” Email addresses or other “service tier” information was considered non-sensitive, and “use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.”

Exceptions to Consent Requirements

Exceptions applied to basic services related to a consumer opening and maintaining an account with the broadband service, including “the provision of broadband service or billing and collection.”

The rules also included transparency requirements, rules that required broadband services to utilize “reasonable data security practices,” and data breach notification requirements that “[encouraged] ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.”

How the New Law Changes Internet Privacy

The new law signed by President Trump effectively rolls back or eliminates these regulations on ISPs. The new administration labeled the Obama-era rules as overreaching and inhibitive to the competitiveness of companies like Verizon, AT&T, and Comcast. As such, the new law is designed to remove barriers prohibiting telecommunications companies from tracking and selling their customers’ personal information. Lawmakers argue that this will level the playing field between ISPs and companies like Google and Facebook, who, under the old set of regulations, would have arguably had a leg-up in collecting consumer data.

The obvious consequences of the repeal will be minimal, explains Jules Polonetsky, CEO of the Future of Privacy Forum and noted privacy expert, in an interview with NPR. He posits that targeted ads are, and will remain, the predominant online business model, so users will notice few changes to their browsing experience. The vast majority of websites are already sharing data with advertisers for the purpose of targeting ads.

The difference, according to Polonetsky, is that ISPs will now be able to help advertisers in ways they were unable to before. Search and social media data was previously only available to the portals that have the data; ISPs did not have access because it was encrypted. In a world where audiences are dispersed across devices and formats, it was arguably difficult for big advertisers to link a user’s identity. Polonetsky argues that the new law now gives ISPs “cross-device tracking capabilities,” allowing ISPs a new way to compete for ad dollars.

Partisan Divide on the Issue

The vote was largely split along party lines, with House Republicans joining their counterparts in the Senate in voting for the repeal. Those who voted in favor believed that the regulations were excessive and unnecessary, placing broadband companies at a significant disadvantage against other internet companies not regulated by the FCC. Representative Marsha Blackburn (R, Tennessee), who introduced the legislation to the House and championed the result, stated her belief that the Federal Trade Commission should enforce broadband privacy as it does for Google or Netflix, saying that “…This is the way to rein in an agency that was overreaching.” Broadband companies insisted they would honor their existing voluntary privacy policies.

Democrats and other negative voters expressed disappointment at the result, believing that consumers should have a voice regarding the use of their personal information. Democratic legislators noted concern that broadband companies, if not properly regulated by government in an industry with so few consumer choices, could expose sensitive, personal information such as browsing histories to advertisers or other parties without any say from their customers.

What are Consumers’ Privacy Options Now, and What Comes Next?

Consumers have a variety of options to protect their personal information. Running a virtual private network (VPN) is a powerful possibility – VPNs allow users to connect to the internet via a VPN-run server, encrypting all data transferred between a browsing device and the server. This method is popular with corporations, and typically costs at least $5-$10 per month for private citizens. Browsers like Tor are another popular choice, “protecting [users] by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.”

Certain ad networks offer opt-out options from ad targeting via a triangular “I” icon. Jules Polonetsky points out that mobile devices allow or disallow certain information to be used: “My iPhone lets me clear my ad ID if I don’t want apps to be able to track me or work with their ad network partners to track me…Apple now lets you wipe [the ad ID supplied by the operating system] out, Google lets you reset it…use of location, similarly.” He also recommends turning on a browser’s do-not-track feature, though none of these options offers absolute security.

Now that President Trump has signed the repeal into law, the natural question for customers is what comes next. Some ISPs, like Comcast and Verizon AT&T, have gone on record as saying they would voluntarily not sell their customers’ individual browsing information, though the latter uses two advertising programs to “aggregate insights [of personal data] that might be useful for advertisers and other businesses.” Recent court cases, including a suit brought against Vizio by the FTC and the state of New Jersey, have ruled in favor of consumers with regard to data collection without knowledge or consent. Polonetsky believes that, ultimately, “the willingness of the FCC and the FTC to use their authority effectively is what will determine whether the consumers are protected.” As legislators turn their attention to net neutrality, the privacy debate remains contentious, and will remain so for the foreseeable future.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.
