Tag Archives: customer privacy

Video Camera Ethics

I have a number of clients that now offer security products, many which come with video cameras that can be used at the front door or elsewhere at a customer location. There are a lot of discussions nationwide about the ethics involved with providing video cameras. Today’s blog discusses topics you should consider if you offer, or plan to offer video cameras.

ISP Access to Video. If an ISP provides customer video cameras, there are numerous concerns if your employees are able to access and watch customer video feeds. Your company could be subject to large legal liabilities if it ever came to light that any of your employees are watching customer videos. It’s incredibly tempting for employees to spy on their exes or watch their neighbors, and your ISP would be financially liable, and possibly even criminally liable if you enable violations of customer privacy.

Most, but not all customers are going to want you to record video. They will want to look at past events such as a burglary. Customers might just want to glance back through home activity every evening. But customers also are going to want privacy so that they are the only ones who can watch video, so you’ll have to come up with some method that assures that privacy. This is not as easy as it sounds, because typically any kind of archive that is available to customers also is probably accessible by your employees.

If you can develop a system that guarantees the desired privacy you will have a marketing advantage while also reducing your liabilities.

Spying on Neighbors. One of the most discussed topics in the home security industry is the ability of cameras to inadvertently watch activity at neighbors. For example, a front door camera can usually be placed so that it only sees people who approach the front door but can alternately be angled to see everything in front of the house including the neighbors across the street.

Setting cameras to see the whole street raises a number of ethical issues. You’re first inviting customers to watch their neighbors if you provide a wider view of the front of the home. You also are creating a video camera recording of events that happen beyond the boundary of the customer’s premise. It’s not hard to imagine seeing every passing car and every pedestrian that passes in front of a home. There are incidents in the news of homeowners accusing innocent bypassers of bad behavior simple because they capture video of them walking past their home often.

Law Enforcement. There are many law-enforcement issues in the gray area. There are a few specific laws that give law enforcement the ability to subpoena telephone call records or to wiretap phone calls or internet connections. There are not yet many such laws that have been updated to include video camera recordings.

For example, is an ISP obligated to turn over video from indoor cameras to law enforcement, particularly if the customer doesn’t approve it? There is probably some precedent to allow law enforcement to look at past recordings with a subpoena, but it’s a legal gray area to talk about giving live access to indoor cameras to law enforcement. To what degree would an ISP be violating customer privacy if they grant law enforcement access and there is no clear law authorizing video camera access?

There are also local police departments with programs where homeowners give law enforcement the passwords to allow them to view live feeds from outdoor and front door cameras. This essentially gives law enforcement the ability to watch the street or watch a neighbor without a subpoena.

I’m sure that over time that some of these issues will be clarified through legislation or regulatory rulings. But for now, there are a lot of gray areas. If you are going to offer a video camera service. you might want to determine your policies up-front rather than waiting for the inevitable issues to confront you.

The California Consumer Protection Act (CCPA)

In June 2018 California enacted a new privacy law that adopts some of the requirements of the European Union’s privacy regulations that recently went into effect. The California law goes into effect on January 1, 2020 and will affect a lot of US companies, including many not located in California. The law applies to any company that collects and processes personal information of California residents. For now, small companies that have revenues of less than $25 million per year along with non-profit entities are exempt.

The law defines personal information much more broadly than any other US privacy legislation. Personal information is defined as, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Using information that just identifies an address is a big expansion of privacy rules since prior rules only considered personal information of residents. The law includes a list of examples of personal data such as Social Security numbers, credit card numbers, and drivers’ license numbers, but goes a lot further and covers things like information captured and tracked by marketing cookies that capture information like IP addresses or information about computers or phones. While the law excludes information that is publicly available, essentially any information a company collects about customers is considered as private.

The new law provides specific rights to consumers:

Disclosure: A business must notify customers about its data collection practices. Companies must disclose the personal information that is being collected, describe how it’s being collected and used, and disclose if that data is being disclosed or sold to anybody else. This is to be provided in a publicly posted privacy notice and also needs to be made available to consumers upon request.

Opt-Out. Customers must be provided an easy-to-understand process for opting out of having their data sold to third parties. Consumers under 16 must opt-in to having data sold. Parents must provide consent for children under the age of 13. Companies must provide a “Do Not Sell My Personal Information” button on their main home page.

Information Removal: Customers must be provided the ability to have businesses delete their personal information, and companies must let customers know they have this right. If a customer chooses this option a business must not only delete the information from their own records but must ensure that the records are deleted by any third-party contractors that have been provided with the personal information.

No Discrimination: Businesses cannot discriminate against customer who elect to keep their data private. Businesses can’t charge an extra fee for a customer electing a privacy option. Interestingly though, businesses can offer an incentive for customers to make their data available, such as offering a discount for allowing the business to use the data.

In the same manner that recently happened in Europe, US companies that are covered by this law have a lot of things to put into place by the first of next year. Most companies won’t find it hard to make the needed disclosures and notices, but putting processes in place that delete customer data, including data that was passed on to somebody else can be a huge challenge. One of the hardest requirements to meet will be the one that requires companies to make all reasonable efforts to protect against data breaches.

The penalties for not complying with the law are high. A company can be charged up to $2,500 for every violation and up to $7,500 for each intentional violation (such as not deleting data after assuring a customer it was done). Companies can avoid fines by coming into compliance within 30 days of being notified by an attorney general of a violation.

The law also opens companies to litigation from customers. The law gives consumers the right to bring lawsuits if their data is disclosed due to negligence of the business. Consumers can file individual or class action lawsuits and can recover between $100 and $750 in damages per incident. This law will almost certainly spur a class-action lawsuit every time there is a big data breach.

I’ve reported on this law for a few reasons. California often leads the country on new legislation and it’s likely that some version of this law will spread elsewhere across the country. For instance, as I was writing this blog the state of Maine passes legislation that is even more stringent in a few areas. There is also a bipartisan effort in Congress looking at privacy rules and this law is certain to influence that effort.

This law doesn’t just apply to web-vendors. Parts of this law apply to anybody that collects sensitive customer data from the Internet such as ISPs and utilities. It’s a warning to every business to take steps to protect against breaches of customer information.

Is it Time for ‘Do Not Track’?

Josh Hawley, the freshman Republican Senator from Missouri has introduced legislation that would allow consumers to opt out of being tracked on the web. He envisions this as the first major step towards Internet privacy legislation.

You may recall a voluntary version of do not track rules in the US about a decade ago. Many web sites had a Do Not Track button and some big companies like Twitter honored the consumer request to not be tracked. But over time, since there were no penalties for tracking, most web companies began tracking customers and the Do Not Track buttons disappeared from web sites. There are still a few web businesses like Mozilla that offer some protection through their browser. A lot of people now use ad blockers which can cut down on some tracking cookies, but which don’t really stop much of the tracking.

It’s not surprising that the voluntary methods got nowhere since there are gigantic dollars involved now in web advertising. It was recently announced by IAB and PwC that the digital advertising market hit $107.5 billion in 2018, up from $88.3 billion in 2017. Web and cellphones advertising is becoming the preferred way to reach younger consumers. The online advertising market is heavily reliant on targeted advertising that is aimed directly at the most likely consumers for any particular ad – and that requires tracking customers to build profiles of each one of us.

Sen. Hawley proposes the establishment of a ‘Do Not Track’ list that would be the equivalent of the FCC’s ‘Do Not Call’ list. There would be substantial fines for companies that violate the list. The bill suggests fines that create a major incentive to comply – it suggests the minimum fine should be $100,000 with the maximum fine being as much as $1,000 per day per person who is improperly tracked.

There are currently no rules governing how Internet companies track us. Without rules, the big web companies basically track everything they can about us. There are a number of practices that Sen. Hawley points out as being particularly troublesome:
• Google has admitted that Android phones track users even when customers turn off location tracking.
• Facebook tracks people who aren’t part of its platform and creates ‘shadow profiles’ of non-Facebook consumers.
• It’s a widespread industry practice to place cookies and other tracking tools on web site visitors as a way to track customer web browsing. Such data is widely traded on the open data market.

The European Union has struggled with the same problem and introduced an updated version of similar rules that went into effect in May 2018. That legislation gives consumers the chance to opt out of cookies and tracking on every web site visited. Companies that violate the EU rules can be fined the greater of 4% of worldwide revenues from the previous year or 20 million euros.

Interestingly, a lot of consumers won’t opt out of the tracking. I have a friend that employs a staff of programmers in their early 20s and they like the convenience of being tracked. They enjoy having specialized ads aimed directly at them and they think that enhances their web experience. This younger generation grew up with the web and they buy into the idea that the online world is not private. There are certainly older consumers who also like to get relevant web advertising. The purpose of the proposed legislation is not to end the tracking of customers, but rather to allow people to opt out. Perhaps over time, most people will value the benefits of being tracked more than their privacy. Web sites are certainly going to offer inducements to customers who agree to be tracked.

This legislation is only the first step towards a comprehensive set of privacy rules. For example, there are numerous other ways that information is gathered about us, like with the IoT devices in our homes. Many merchants and credit card companies are selling information about our buying habits.  Limiting privacy rules to opting out of web sites is a start, but data gathering from numerous sources is becoming an industry unto itself.

Net Neutrality – Time to Reassure Your Customers

The recent net neutrality decision by the FCC has created an amazing amount of fear for broadband subscribers who are worried that they will be losing access to popular aspects of the Internet. There is also general confusion in the public from numerous rumors circulating on social media – some potentially true and many others false.

And I think this worry and confusion creates a good opportunity for smaller ISPs to let customers know that you will continue to uphold net neutrality, even if it is no longer required. This is an easy pledge for small ISPs to make because it’s difficult for small ISPs to violate net neutrality rules even if they want to. The net neutrality rules were aimed at the largest ISPs, the ones that have enough market power to put pressure on web content providers, or ones that might implement intrusive requirements on customers.

It’s also a good time to tell customers of plans to continue to protect their privacy – something that the public probably associates with the net neutrality headlines. While the two topics are not the same, I am sure that many people equate net neutrality and privacy.

In the short run I recommend contacting customers and making a big splash about the topic. Perhaps send a heartfelt email or even mail a paper letter to customers that pledges a continuation of net neutrality and respect for customer privacy.

Small ISPs that are competing directly with the big ISPs also ought to consider making this one of the highlights of any sales or marketing campaign. This is a differentiation from the big ISPs that customers will value that really doesn’t cost a small ISP anything. It should be easy to promise not to block Internet traffic, throttle customer broadband speeds or force paid prioritization of Internet traffic. It also should be easy to pledge to not share customer data.

If the current reversal of the net neutrality rules lasts for a while (something I am doubtful about) this could get a little more complicated. I am positive, for example, that at some point over the next few years that bigger ISPs or data brokers are going to offer to pay small ISPs for access to customer data. Small ISPs ought to reject such offers because the benefit of maintaining customer privacy is worth more than payments from selling customer data.

I also suspect that small ISPs will eventually get offers to take part in programs or products that would violate net neutrality rules. You might be offered software that will create bundles of Internet products, like the ones likely offered by the big ISPs. You might be offered cheaper backhaul bandwidth that includes some blocking and prioritization of traffic. Again, my guess is that maintaining a totally open Internet product is worth more than can be gained by implementing such future products.

The big ISPs are unwittingly handing their competitors a chance to take the high road and it would be silly not to take advantage of this opportunity. I know that if I had an option to buy broadband from a small ISP I would jump at the opportunity as long as they were making this pledge. I currently have broadband from Charter. They haven’t said what they might have in mind due to the end of net neutrality, but I find it impossible to believe that they won’t copy things done by the other big ISPs that prove to be profitable. As a consumer my real fear about the end of net neutrality is that the public won’t be told what their ISP is doing. For example, you might experience slowdowns of some kinds of web traffic and not know that you were being throttled. The big ISPs are already quietly monetizing customer data.

Even if some of the net neutrality rules should be put back in place I think any marketing advantage from the topic will still favor small ISPs. Small ISPs will be able to claim for many years that you never lobbied to end net neutrality and you never violated customer trust, even after the net neutrality rules were killed.

What the New Administration Means for Small ISPs

white-houseI’ve seen a dozen articles in the last week speculating what the change in administration means to the telecom industry. The articles range from predictions of doom and gloom (mostly from a consumer perspective) to near glee (from the giant telcos). But my audience and clients are primarily small telcos, ISPs, cable companies and municipalities, so I’ve been thinking about what this change means for small carriers.

There has been a lot of speculation about a big spending program to build infrastructure. But nobody has any idea if this might include money for broadband infrastructure. And even if it does, might that money go to a wide number of broadband providers or just to the big companies like the CAF II funds? So until we find out more details, any talk about infrastructure is pure speculation. I’m sure details will start solidifying in the first quarter after the new administration is in place.

One thing that every prediction I have seen agrees on is that we are going to see reduced regulation. This might come about due to having a republican majority at the FCC. Every major decision during the Wheeler regime has been passed with a 3-2 democratic vote. So it would be easy to see a new FCC reverse everything that Wheeler got passed. There is also speculation that Congress might pass a new Telecom Act which would direct the FCCC to cut regulations.

So what does less regulation mean for smaller ISPs? When looking at every regulation that has passed over the last decade I come to the conclusion that, from a regulatory perspective, this will have very little effect on smaller service providers. Almost everything that has been passed has been aimed at curbing the practices of the giant telcos and cable companies.

Smaller carriers would see some benefit due to reduced paperwork. For instance, competitive voice providers have had to provide an option to customers for battery backup. That sort of requirement might disappear. There was undoubtably going to be some new paperwork involved with the new privacy rules that will likely be canceled. My clients all find some of the federal paperwork to be annoying and unneeded and perhaps some of that will go away.

But the big changes over the last decade didn’t really impact small companies at all. I have to laugh to think of one of my clients somehow creating a product package that violates net neutrality. It’s silly to think that small ISPs might might somehow profit from using their customers’ data. If those big initiatives get reversed it will mean almost nothing to small companies since none were engaging in the activities that these new regulations are trying to fix.

There is one downside for small ISPs to reduced regulation. A lot of small carriers compete against the giant telcos and cable companies. Anything that takes away restrictions on the giant companies probably gives them even more of a competitive edge than they have today. So I guess my biggest concern is what an unfettered Comcast or AT&T will be able to do to crush smaller competition.

There are aspects of Title II regulation that help the small carriers compete against the big ones. My favorite, which is due to be implemented soon, is the requirement that ISPs tell their customers the truth about their broadband products. This will be done in the format similar to the label on foods where the ISPs have to disclose actual speeds, latency, prices, etc. about their products. I think that will give small carriers a way to show that they are better than the big companies. If Title II regulation goes away then the good parts go away along with the bad parts.

I’ve always thought that net neutrality was focused on reining in the big companies from developing products that nobody else can compete with. The big carriers have wanted to make exclusive deals with content providers and social media networks that would give them a leg up over anybody they compete against.

So my message to small ISPs is not to worry too much. If the FCC reverses everything done in the last ten years you are not going to see much practical change in your regulatory processes or costs. The only real worry is what an unregulated Comcast or AT&T might look like. And who knows? Maybe you’ll get some federal dollars to expand your broadband network – we’ll just to wait and see about that one.

Cable Companies under Regulatory Siege?

FCC_New_LogoEarlier this year Michael Powell (the head of the National Cable Television Association) complained that the FCC has launched a regulatory assault again cable companies – and in some ways he is probably right. Some of the regulations ordered or contemplated are clearly aimed at cable companies – yet much of the new regulation was aimed at somebody else but still affects the cable companies.

Consider all of the changes affecting the cable companies right now:

  • Net neutrality has meant that cable companies and other ISPs can’t make lucrative deals with content providers to bundle content as part of broadband access.
  • But the biggest change from the net neutrality order is the advent of Title II regulation of the internet. This is resulting in a raft of new regulations for broadband. All of a sudden the FCC is looking at data caps. The agency has demanded that all ISPs disclose all of the details of their broadband connections to customers. Cable companies are suddenly covered by customer privacy regulations – the biggest being that they probably can’t use the information they gather as an ISP without a customer’s approval.
  • The cable companies have become huge sellers of broadband transport and data pipes to businesses. The FCC is about to make major changes in the special access market and that is likely going to lower prices for these products. Special access rates are incredibly high and cable companies and CLECs have made a living out of selling services to businesses at a discount from the published special access rates. The result is that businesses pay a gigantic premium for dedicated broadband connections, and everybody expects the FCC to lower rates across the market.
  • The FCC’s move to somehow eliminate settop boxes is aimed right at the cable companies. To a large extent the industry brought this on themselves as they’ve raised rates to rent a settop box from $5 to $10 or more in most markets. But the idea that there can be some sort of generic solution that can work on every type of network sounds idealistic, at best.
  • The FCC seems to want to allow anybody to carry video content on the Internet without saddling the new providers with the same rules that govern cable companies. So cable companies, for now, are stuck with rules that force them to offer certain kinds of tiers of service while OTT providers can cook up any creative package they can cobble together.

As a telecom guy I find this all to be somewhat ironic. I remember when I first read through the Telecommunications Act of 1996 that my first reaction was that the FCC had let the cable companies completely off the hook. The big telcos were being forced to unbundle their networks to offer voice loops and DSL connections while the cable companies had no corresponding obligation to unbundle for cable modem connections. In the decade following the Act, most state Commissions also excused cable companies from most forms of voice regulation. The cable companies were able to somehow characterize the voice on their networks as VoIP and got out of most voice regulations – but from a customer perspective the cable voice product was indistinguishable from telco voice products. It’s one of the first times that the FCC made an exception for a product based upon the technology used to deliver it – a trend that has since led to some very odd regulatory rulings.

So now it seems that the wheel has turned and the cable companies are being brought back into the regulatory arena with everybody else. I think Powell is right and those in charge of a cable company must feel like they are under regulatory siege. But except for the settop box issue, which is an odd set of regulations clearly aimed at the cable companies – the other regulations can mostly be described as leveling the playing field – something that the cable companies have always said should apply to municipal broadband providers.

But from a regulatory perspective the protections provided to consumers ought to be the same across all broadband technologies. It makes a lot of sense to finally require cable companies to provide privacy protection and to disclose the details and terms of the products they are selling. I have to laugh once in a while about regulation. Five years ago a colleague of mine said he could foresee the end of telecom regulation. But I countered by saying that regulators like to regulate, and sure enough it seems like we have as many – or more! –  regulations today as ever.

ISP Liability for Customer Behavior

Scales-Of-Justice-12987500-300x300A few weeks ago a judge ordered Cox Communications to pay a $25 million settlement to BMG, the music rights company. This come from a trial last year where a jury decided that Cox was guilty of allowing their customers to pirate BMG music over the web. This ruling is a dangerous precedent in that it holds an ISP liable for behavior of its subscribers – something that should scare all ISPs.

The case has some unusual facts. BMG hired Rightscorp to monitor the Internet for illegal file downloads of BMG music. Rightscorps sent numeous infringement notices to Cox that it wanted forwarded on to customers. These notices told customers that they had done an illegal download of BMG copyrighted material and gave customers the ability to immediately resolve the issue by sending $30 to Rightscorp.

Cox thought these notices smacked of extortion and refused to forward the notices directly to customers. Instead Cox decided to use the same policy as most large ISPs called a three strikes test, meaning that they will disconnect a customer that has been given several notices about illegal downloads. But the suspicion has always been that the big ISPs are somewhat spotty about enforcing copyright violations and don’t want to turn off paying customers.

Cox ended up blocking 1.8 million notices that Rightscorp was trying to directly send to Cox customers, and Cox largely did nothing with those notices. Cox was found guilty by a jury, and the judge set the high penalty because Cox had not done enough to enforce the copyrights of BMG.

Cox was relying on a legal strategy called ‘safe harbor’ where they would have no liability as long as they were using a reasonable set of procedures to stop music piracy. But the judge quickly pierced the safe harbor protection by saying that Cox did not do as much as they should have done to protect BMG.

This case was certainly complicated by the unsavory tactics of Rightcorps. What’s to say that all of those customers actually had violated copyright? But the bottom line is that Cox was held responsible for the supposed music piracy of their customers. That ruling that has to concern every ISP, because this is bound to open up the floodgates of similar suits and similar tactics. And who knows where this stops? Customers can engage in all sorts of illegal activities other than copyright violations.

It’s really hard for an ISP to know what to do following this decision. One strategy would be to just pass on every notice of copyright infringement. The problem with that idea is there is likely to a bunch of scammers that will copy the tactics of Rightscorps but with no real claims against customers. ISPs don’t want to get into the middle of potential scams.

ISPs could also develop and enforce tighter policies against customers that repeatedly download pirated material. The danger of that approach is that the ISP could end up ‘convicting’ a customer with no real proof that they violated copyright. This has been one of the factors that have made ISPs uneasy about getting tough on this.

Finally, I guess ISPs could do deep packet inspection to see what their customers are doing. But most ISPs don’t want to do that. And even if ISPs try this, the FCC is contemplating customer privacy rules where customers can opt out of being tracked or followed by the ISP.

So Cox and other ISPs face a dilemma. We know that the biggest ISPs have all been involved in this issue. I would love to hear from any smaller ISPs who have been involved in copyright issues and that might want to share their experience.