We now have an unusual regulatory world where there is more privacy protection in place for telephone customers than there is for broadband customers. One of the many things done in the Congressional Review Act (CRA) for the new budget that went into effect on April 3 was to nullify the FCC’s privacy rules for ISPs. These rules were implemented in the fall of 2016 and prohibited ISPs from using customer data without customer consent.
There have been no equivalent changes in the rules for landlines, cellular phones and cable TV subscribers. The rules for telephone privacy were established by the Telecommunications Act of 1996 and are referred to as CPNI (Customer Proprietary Network Information). These rules prohibit phone companies from using calling records unless they have customer permission. There is a good summary of a customer’s rights on this FCC web page.
Telephone companies routinely capture details of customer calling – who you call and who calls you. This is familiar to anybody who’s seen a TV crime show since one of the first things detectives routinely do is to ask to see telephone calling records for a suspect. The telephone companies can’t release this information without a warrant if a customer has elected to keep their records private. In addition to calling records these rules also require phone companies to keep other customer data secure, such as billing records, credit card numbers etc. Telephone companies are even prohibited from marketing their own products to customers if the customers opt out.
The 2016 privacy rules for broadband had implemented the same sort of privacy rules. Customers were given the choice to allow or deny access to their records. This was a far more reaching protection due to the large volume of information that an ISP has about their customers. At a minimum an ISP knows every web page you have visited since they control the DNS routing that connects you to web sites. There are numerous other things an ISP can know about a customer should they choose to look deeper into the packets to and from customers.
The new FCC Chairman Ajit Pai led the charge to kill the 2016 ISP privacy rules. Those were put into place just before the 2016 election and he had voted against the rules then. His primary argument is that the protections put barriers onto ISPs while there was nothing similar to ‘edge providers’, that is web companies like Facebook or Google. Those companies have no restrictions on what they can collect from users of their software and platform. Chairman Pai argued that the privacy rules didn’t really protect customers and just ended up putting ISPs at a disadvantage compared to Google.
It’s a valid argument, but killing ISP privacy protection is not the only way to get more parity between web companies. The European Union has taken an opposite approach and has placed restrictions on what both ISPs and edge providers can collect without customer permission.
Regulations are often squirrely and it’s not hard to find regulatory rules that make no sense or that have lasted far past their usefulness. I find it particularly odd, though, that I can tell my cellular provider to keep details of my phone calls private, but I can’t stop them from recording all of the web sites I visit. I’m sure the average citizen is far more concerned about web usage records than they are about who called them.
People who are concerned about their web privacy are taking steps to protect their information. Many people have changed to VPNs to encrypt their web usage and keep the details away from the ISP. There are alternate providers that can do DNS searches so that you ISP doesn’t know the web sites you visit. People are using web browsers that don’t track their usage. Large numbers of people are reportedly dropping off Facebook and other platforms that routinely and openly benefit from their personal data.
What’s most disconcerting about all of this is that privacy is the kind of regulation that has now become partisan. It’s not hard to envision a future Democratic FCC putting the privacy rules back in place and we might see this and similar issues yo-yo with changes in the administration. Of course, the easiest way around that is to do what my smaller ISP clients do – they don’t record customer information, so they don’t really care what the FCC says about privacy – they just provide it as another aspect of good customer service.