The FCC said before they passed the net neutrality rules that they were going to very lightly regulate broadband providers using Title II. And now, just a few weeks after the new net neutrality rules are in place, we already see the FCC wading into broadband CPNI (customer proprietary network information).
CPNI rules have been around for a few decades in the telephony world. These rules play a dual purpose of providing customer confidentiality (meaning that phone companies aren’t supposed to do things like sell lists of their customers). They also provide protection of customer calling information by requiring a customer’s explicit permission to use their data. Of course, we have to wonder if these rules ever had any teeth at all since the large telcos shared everything they had with the NSA. But I guess that is a different topic and it’s obvious that the Patriot Act trumps FCC rules.
The CPNI rules for telephone service are empowered by Section 222 of Title II. It turns out that this is one of the sections of Title II for which the FCC didn’t choose to forebear for broadband, and so now the FCC has opened an investigation into whether they should apply the same, or similar, rules for broadband customers.
It probably is necessary for them to do this, because once Title II went into effect for broadband this gave authority in this area to the FCC. Until now, customer protection for broadband has been under the jurisdiction of the Federal Trade Commission.
There clearly is some cost for complying with CPNI rules, and those costs are not insignificant, especially for smaller carriers. Today any company that sells voice service must maintain, and file with the FCC, a manual showing how they comply with CPNI rules. Further, they have to periodically show that their staff has been trained to protect customer data. If the FCC applies the same rules to ISPs, then every ISPs that sells data services is going to incur similar costs.
But one has to wonder if the FCC is going to go further with protecting customer data. In the telephone world usually the only information the carriers save is a record of long distance calls made from and to a given telephone number. Most phone companies don’t track local calls made or received. I also don’t know of any telcos that record the contents of calls, except in those circumstances when a law enforcement subpoena asks them to do so.
But ISPs know everything a customer does in the data world. They know every web site you have visited, every email you have written, everything that you do on line. They certainly know more about you than any other party on the web. And so the ISPs have possession of data about customers that most people would not want shared with anybody else. One might think that in the area of protecting customer confidentiality the FCC might make it illegal for an ISP to share this data with anybody else, or perhaps only allow sharing if a customer gives explicit permission.
I have no idea if the larger telcos use or sell this data today. There is nothing currently stopping them from doing so, but I can’t ever recall hearing of companies like Comcast or AT&T selling raw customer data or even metadata. But it’s unnerving to think that they can, and so I personally hope that the FCC CPNI rules explicitly prohibit ISPs from using our data. I further hope that if they need a customer’s permission to use their data that this is not one of those things that can be buried on page 12 of the terms of service you are required to approve in order to use your data service.
What would be even more interesting is if the FCC takes this one step further and doesn’t allow any web company to use your data without getting explicit permission to do so. I don’t have idea if they even have that authority, but it sure would be a huge shock to the industry if they tried to impose it.