A Corporate Call for Privacy Legislation

Over 200 of the largest companies in the country are proposing a new set of national privacy laws that would apply to large companies nationwide. They are pushing to have this considered by the upcoming Congress.

The coalition includes some of the largest companies in Silicon Valley like Apple and Oracle, but it doesn’t include the big three of Facebook, Google and Amazon. Among the other big businesses included in the group are the largest banks like Bank of America and Wells Fargo, big carriers like AT&T and big retailers like Walmart.

As you might expect, a proposed law coming from the large corporations would be favorable to them. They are proposing the following:

  • Eliminate Conflicting Regulations. They want one federal set of standards. States currently have developed different standards for privacy and for issues like defining sensitive information. There are also differing standards by industry such as for medical, banking and general corporations;
  • Self-regulation. The group wants the government to define the requirements that must be met but doesn’t want specific methodologies or processes mandated. They argue that there is a history of government technical standards being obsolete before they are published;
  • Companies Can Determine Interface with Consumers. The big companies want to decide how many rights to give to their customers. They don’t want mandates for defining how customer data can be used or for requiring consumer consent to use data. They don’t want mandates giving consumers the right to access, change or delete their data;
  • National Standard for Breach Notification. They want federal, rather than differing state rules on how and when a corporation must notify customers if their data has been breached by hackers;
  • Put the FTC in Charge of these Issues. They want the FTC to enforce these laws rather than State Attorney Generals;
  • Wants the Laws to Only Apply to Large Corporations. They don’t want rigid new requirements on small businesses that don’t process much personal data.

There are several reasons big companies are pushing for legislation. There are currently different privacy standards around the country due to actions brought by various State Attorney Generals and they’d like to see one federal standard. But like most laws the primary driver behind this legislation is monetary. Corporations are seeing some huge hits to the bottom line as a result of data breaches and they hope that having national rules will provide a shield against damages – they hope that a company that is meeting federal standards would be shielded from large lawsuits after data breaches.

I look at this legislation both as a consumer and as somebody working in the small carrier industry. With my consumer hat on there are both good and bad aspects of the proposed rules. On the positive side a set of federal regulations ought to be in place for a complex issue that affects so many different industries. For example, it is hard for a corporation to know what to do about a data breach if they have to satisfy differing rules by state.

But the negatives are huge from a consumer perspective. It’s typical political obfuscation to call this a privacy law because it doesn’t provide any extra privacy for consumers. Instead it would let each corporation decide what they want to disclose to the public and how companies use consumer data. A better name for the plan might be the Data Breach Lawsuit Protections Act.

There are also pros and cons for this for small carriers. I think all of my clients would agree that we don’t need a new set of regulations and obligations for small carriers, so small carriers will favor the concept of excusing smaller companies from some aspect of regulations.

However, all ISPs are damaged if the public comes to distrust ISPs because of the behavior of the largest ISPs. Small ISPs already provide consumer privacy. I’ve never heard of a small ISP that monitors customer data, let alone one that is trying to monetize their customers’ data. Small ISPs are already affording significant privacy rights to customers compared to the practices of AT&T, Verizon or Comcast who clearly view customer data as a valuable asset to be exploited rather than something to protect. The ISP industry as a whole would benefit by having rules that foster greater customer trust.

I’m not sure, however, that many small ISPs would automatically notify customers after a data breach – it’s a hard question for every corporation to deal with. I think customers would trust us more if there were clear rules about what to do in the case of a breach. This proposed law reminds me that this is something we should already be talking about because every ISP is vulnerable to hacking. Every ISP ought to be having this conversation now to develop a policy on data breaches – and we ought to tell our customers our plans. Small ISPs shouldn’t need a law to remind us that our customers want to trust us.

Telephone versus Broadband Privacy

We now have an unusual regulatory world where there is more privacy protection in place for telephone customers than there is for broadband customers. One of the many things done in the Congressional Review Act (CRA) for the new budget that went into effect on April 3 was to nullify the FCC’s privacy rules for ISPs. These rules were implemented in the fall of 2016 and prohibited ISPs from using customer data without customer consent.

There have been no equivalent changes in the rules for landlines, cellular phones and cable TV subscribers. The rules for telephone privacy were established by the Telecommunications Act of 1996 and are referred to as CPNI (Customer Proprietary Network Information). These rules prohibit phone companies from using calling records unless they have customer permission. There is a good summary of a customer’s rights on this FCC web page.

Telephone companies routinely capture details of customer calling – who you call and who calls you. This is familiar to anybody who’s seen a TV crime show since one of the first things detectives routinely do is to ask to see telephone calling records for a suspect. The telephone companies can’t release this information without a warrant if a customer has elected to keep their records private. In addition to calling records these rules also require phone companies to keep other customer data secure, such as billing records, credit card numbers etc. Telephone companies are even prohibited from marketing their own products to customers if the customers opt out.

The 2016 privacy rules for broadband had implemented the same sort of privacy rules. Customers were given the choice to allow or deny access to their records. This was a much farther-reaching protection due to the large volume of information that an ISP has about their customers. At a minimum an ISP knows every web page you have visited since they control the DNS routing that connects you to web sites. There are numerous other things an ISP can know about a customer should they choose to look deeper into the packets to and from customers.

The new FCC Chairman Ajit Pai led the charge to kill the 2016 ISP privacy rules. Those were put into place just before the 2016 election and he had voted against the rules then. His primary argument is that the protections put barriers onto ISPs while there was nothing similar for ‘edge providers’, that is web companies like Facebook or Google. Those companies have no restrictions on what they can collect from users of their software and platform. Chairman Pai argued that the privacy rules didn’t really protect customers and just ended up putting ISPs at a disadvantage compared to Google.

It’s a valid argument, but killing ISP privacy protection is not the only way to get more parity between web companies. The European Union has taken an opposite approach and has placed restrictions on what both ISPs and edge providers can collect without customer permission.

Regulations are often squirrely and it’s not hard to find regulatory rules that make no sense or that have lasted far past their usefulness. I find it particularly odd, though, that I can tell my cellular provider to keep details of my phone calls private, but I can’t stop them from recording all of the web sites I visit. I’m sure the average citizen is far more concerned about web usage records than they are about who called them.

People who are concerned about their web privacy are taking steps to protect their information. Many people have changed to VPNs to encrypt their web usage and keep the details away from the ISP. There are alternate providers that can do DNS searches so that your ISP doesn’t know the web sites you visit. People are using web browsers that don’t track their usage. Large numbers of people are reportedly dropping off Facebook and other platforms that routinely and openly benefit from their personal data.

What’s most disconcerting about all of this is that privacy is the kind of regulation that has now become partisan. It’s not hard to envision a future Democratic FCC putting the privacy rules back in place and we might see this and similar issues yo-yo with changes in the administration. Of course, the easiest way around that is to do what my smaller ISP clients do – they don’t record customer information, so they don’t really care what the FCC says about privacy – they just provide it as another aspect of good customer service.

The Big ISPs and Regulation

Last week Chairman Ajit Pai halted the impending implementation of the new privacy rules that were to stop the big ISPs from monetizing customer data without customer permission. The Chairman’s stated reason is that he didn’t want to see different rules applied to the big ISPs than to big web companies like Facebook and Google. That argument sounds like a valid reason, but as you will see below, there is no easy path towards treating all of these companies the same.

The stay applied to FCC rules covering a wide variety of privacy issues. The rules were to require the big ISPs to get customer permission to use their data. The rules also created specific security requirements at the ISPs defining how ISPs have to protect customer data and how and when they had to disclose data breaches to customers.

So here is where the confusion starts. The FCC clearly has no authority to regulate the web and what it calls edge-providers – companies like Facebook and Google. It would take an Act of Congress to give the FCC any authority to regulate the web – something that neither Democratic nor Republican administrations have had an appetite for.

Chairman Pai did suggest that perhaps the easiest solution is to hand ISP security issues to the Federal Trade Commission. But the new head of the FTC said that the agency would have no authority to regulate ISPs as long as Title II authority gives this authority to the FCC. So perhaps this action is an indicator that Chairman Pai intends to reverse Title II regulation. He’s said that he is against net neutrality and the FCC used the tool of Title II regulation to implement it. So killing Title II regulations would also get rid of net neutrality.

But what is not being talked about is that the FTC has never contemplated privacy rules as sweeping as the ones implemented by the FCC. The FTC already could impose these rules on Facebook, Google and everybody else on the web, but has never taken any serious steps towards doing so.

Because of that, halting the privacy rules feels like Chairman Pai is just letting the big ISPs off the hook. The big ISPs have been lobbying against these rules from the second they were passed. The ISPs are jealous of the giant revenues that the web companies are making from data mining of consumer data. And the ISPs want to protect what they’ve already been doing. It’s been well known, for example, that AT&T has been monetizing customer data. The leaks from Edward Snowden showed that AT&T has been supplying far more data to the NSA than is required by the Patriot Act. There are reports of a lucrative multi-billion dollar AT&T product line called ‘Hemisphere’ that has been selling customer phone and internet records to the federal government and to local law enforcement agencies.

What I think all of this means is that we have seen the end, for a while, of any government agency trying to provide privacy protection for customers. This mainly bothers me as a consumer more than as a consultant. I work entirely with smaller ISPs and none of them have the ability to use customer data in the same way that the big companies do. This latest FCC action only immediately affects perhaps the dozen largest ISPs.

There is a big functional difference between ISPs and edge-providers like Facebook. An ISP can see every keystroke a customer makes on the web, except for those that are made inside some encrypted program. But almost nobody uses encryption and so your ISP knows every web site you visit, the contents of every email you write, and every query you make to a search engine. And they know even more about you from your cellphone records – where you traveled and when.

But the difference between Facebook and the ISPs is that nobody makes you use Facebook. I really hate the way that the big companies like Facebook and Google track everything you do inside their platforms. I dropped off Facebook last year partly for this reason. I also rarely use Google as a search engine and don’t use Gmail or Google’s Chrome web browser. I can largely avoid the big web companies, but I can’t avoid my ISP. And like most Americans I don’t have any real option but to use a big ISP for broadband access.

I’m probably like most Americans and don’t feel like I have a lot to hide. But that still does not mean that I want big companies following my every movement, my every purchase, my every email and every web site I visit. That has far too much “big brother” about it for my liking. I know today that this data is mostly being used to develop targeted marketing, but this information could also easily be used for nefarious purposes, and some of that is starting to happen.

As much as this reversal of the privacy rules bothers me as a consumer, the big picture here is that, for now, the big ISPs finally have the FCC they want. This FCC has already said it’s going to reverse or gut net neutrality. This FCC just said they aren’t going to review the AT&T and Time Warner merger. Killing the privacy rules is final proof, only a month after the new Chairman has been in charge, that the big ISPs are likely to get everything they want. And I don’t think that is a healthy thing for the industry or for consumers.

The New FCC Broadband Privacy Rules

The FCC passed new privacy rules last week and the new rules are largely aimed at Comcast, AT&T, Verizon and other large ISPs. Most small ISPs do not participate today in the practices that the new rules are aimed at stopping. For the most part the rules won’t affect smaller companies much other than having more annual pieces of paper to file at the FCC saying that you follow the rules – and you probably already do.

The rules are aimed at protecting customers from abuse by ISPs, who by definition have the most access to a customer’s data. An ISP knows every web site visited, every web purchase made, every email and every instant message sent.

This is probably the FCC’s biggest use so far of its new Title II authority over broadband. The FCC knows this is going to be challenged in court, so the new rules don’t go into effect for a year, giving the lawsuits a chance to resolve.

I’m not going to repeat all of the specifics of how this works, but rather concentrate on what it means to the industry as a whole:

Customers have a right of privacy. The new rules create a new right that a customer’s data – where they search on the web, what they say in emails and texts – all belong to them. Each customer now has the right to decide if the ISP can use it. Today an ISP knows everything a customer does on the web that is not encrypted, and even with encryption they know the web sites visited. But the FCC now makes it clear that customers can keep this personal information private if they so desire.

ISPs need to ask for permission to use customer data. The new rules compel ISPs to explicitly ask for permission to use customer data. I suspect ISPs are not going to be allowed to bury this choice inside a terms of service.

I would expect that big ISPs are going to try to entice people into letting them use their data. They might offer lower prices or entice people by forwarding coupons to them from around the web for things they are interested in. But at the end of the day it’s the customer’s choice to allow or not allow their ISP to use the data. And there might be nuances. ISPs might ask to track where customers go on the web but not read emails. The rules would allow options for the ISP.

ISPs must say what they do with customer data. If somebody gives an ISP permission to use their data the ISP must disclose how they are going to use it. Are they using it only for their own marketing efforts or are they going to sell it to others? Right now, consumers don’t know what information is being collected by their ISPs, nor what’s being done with it.

ISPs will have to protect customer data. The new rules also place more responsibility on ISPs to protect customer data from hackers. This is perhaps the one area of the new rules that will have the most impact on smaller ISPs. ISPs must use best industry practices and also notify customers when there has been a data breach. And they must notify the FBI if a breach involves more than 5,000 customers.

This does not affect edge providers. The new rules only apply to ISPs. They do not apply to ‘edge providers’ like social media sites or search engines. Those companies are still allowed to use customer data in any manner they want since customers come to them voluntarily. So Facebook and Google are still free to use customer data since people use those sites voluntarily. This is the killer for the giant ISPs because they see how much money the edge providers make from using customer data from advertising and other uses. But it’s not clear if the FCC has any authority over edge providers.

Another big gap is the Internet of Things. As we saw in the recent giant denial of service attack, the devices used in the Internet of Things – thermostats, cameras, smart appliances, etc. – are not well protected. IoT companies also are capable of gathering a lot of information about customers. This will become a much bigger issue as people start using devices that include artificial intelligence like the Amazon Echo. It would be natural for the FCC to declare that IoT providers are also ISPs of a sort and regulate them that way. I expect that nothing will be done with IoT until this set of rules makes it through the court challenges.