The Big ISPs and Regulation

Last week Chairman Ajit Pai halted the impending implementation of the new privacy rules that were to stop the big ISPs from monetizing customer data without customer permission. The Chairman’s stated reason is that he didn’t want to see different rules applied to the big ISPs than to big web companies like Facebook and Google. That argument sounds like a valid reason, but as you will see below, there is no easy path towards treating all of these companies the same.

The stay applied to FCC rules covering a wide variety of privacy issues. The rules were to require the big ISPs to get customer permission to use their data. The rules also created specific security requirements at the ISPs defining how ISPs have to protect customer data and how and when they had to disclose data breaches to customers.

So here is where the confusion starts. The FCC clearly has no authority to regulate the web and what it calls edge-providers – companies like Facebook and Google. It would take an Act of Congress to give the FCC any authority to regulate the web – something that neither Democratic nor Republican administrations have had an appetite for.

Chairman Pai did suggest that perhaps the easiest solution is to hand ISP security issues to the Federal Trade Commission. But the new head of the FTC said that the agency would have no authority to regulate ISPs as long as Title II authority gives this authority to the FCC. So perhaps this action is an indicator that Chairman Pai intends to reverse Title II regulation. He’s said that he is against net neutrality and the FCC used the tool of Title II regulation to implement it. So killing Title II regulations would also get rid of net neutrality.

But what is not being talked about is that the FTC has never contemplated privacy rules as sweeping as the ones implemented by the FCC. The FTC already could impose these rules on Facebook, Google and everybody else on the web, but has never taken any serious steps towards doing so.

Because of that, halting the privacy rules feels like Chairman Pai is just letting the big ISPs off the hook. The big ISPs have been lobbying against these rules from the second they were passed. The ISPs are jealous of the giant revenues that the web companies are making from data mining of consumer data. And the ISPs want to protect what they’ve already been doing. It’s been well known, for example, that AT&T has been monetizing customer data. The leaks from Edward Snowden showed that AT&T has been supplying far more data to the NSA than is required by the Patriot Act. There are reports of a lucrative multi-billion dollar AT&T product line called ‘Hemisphere’ that has been selling customer phone and internet records to the federal government and to local law enforcement agencies.

What I think all of this means is that we have seen the end, for a while, of any government agency trying to provide privacy protection for customers. This mainly bothers me as a consumer more than as a consultant. I work entirely with smaller ISPs and none of them have the ability to use customer data in the same way that the big companies do. This latest FCC action only immediately affects perhaps the dozen largest ISPs.

There is a big functional difference between ISPs and edge-providers like Facebook. An ISP can see every keystroke a customer makes on the web, except for those that are made inside some encrypted program. But almost nobody uses encryption and so your ISP knows every web site you visit, the contents of every email you write, and every query you make to a search engine. And they know even more about you from your cellphone records – where you traveled and when.

But the difference between Facebook and the ISPs is that nobody makes you use Facebook. I really hate the way that the big companies like Facebook and Google track everything you do inside their platforms. I dropped off Facebook last year partly for this reason. I also rarely use Google as a search engine and don’t use Gmail or Google’s Chrome web browser. I can largely avoid the big web companies, but I can’t avoid my ISP. And like most Americans I don’t have any real option but to use a big ISP for broadband access.

I’m probably like most Americans and don’t feel like I have a lot to hide. But that still does not mean that I want big companies following my every movement, my every purchase, my every email and every web site I visit. That has far too much “big brother” about it for my liking. I know today that this data is mostly being used to develop targeted marketing, but this information could also easily be used for nefarious purposes, and some of that is starting to happen.

As much as this reversal of the privacy rules bothers me as a consumer, the big picture here is that, for now, the big ISPs finally have the FCC they want. This FCC has already said it’s going to reverse or gut net neutrality. This FCC just said they aren’t going to review the AT&T and Time Warner merger. Killing the privacy rules is final proof, only a month after the new Chairman has been in charge, that the big ISPs are likely to get everything they want. And I don’t think that is a healthy thing for the industry or for consumers.

The Future of Privacy

The FCC is considering new privacy rules for ISPs. The FCC is considering treating ISPs in the same way they have historically treated telcos. Telco customers have had the ability for years to opt out of having the telephone company use their data for other purposes. Most people don’t even remember this, but when you bought your last landline the telco was supposed to ask you if they can use your contact info for marketing their own products or if they can sell your information to outside companies.

But a telco doesn’t know much about you other than your phone number and who you call. Telcos have never really ‘mined’ telephone calling data and that was what made Edward Snowden’s revelations about the NSA so startling. The NSA demonstrated the ability to draw conclusions about people according to who they call.

But the data that an ISP collects from you as a customer can tell them almost everything about you. They know everything you do on the web – your social network connections, what you search for and buy online, and what you write in every email or messaging system. And – if they wanted to – your ISP could know truly private things about you, such as what illnesses you might have, if you are happy or unhappy in your relationships, or if you do anything that would embarrass you (like looking at pornography).

So the FCC wants to give customers the right to tell their ISP to not examine or use their personal data. Under the FCC’s proposed rules customers can opt out of ISP surveillance completely, or can allow their ISP to use their data in some less intrusive manner, yet to be defined.

It’s an interesting concept, because your ISP is the only entity online that knows everything about you. One would certainly hope that any such rules would apply equally to cellphone ISPs in the same manner as wireline ISPs.

These kinds of privacy rules would certainly put the brakes on the money that ISPs can make from mining data about their customers. We recently saw AT&T introduce the idea of charging more to customers to avoid deep data mining – making the default condition one of being monitored.

But the FCC is not going to put these same restrictions on what they call edge providers – meaning every service on the web. Facebook or Google would be free to use whatever they know about you, with the reasoning being that people use these services voluntarily.

There is another big privacy issue looming in the near future – and that’s the surveillance that is coming from the Internet of Things. There is an amazing amount of data that can be gleaned from monitors in our home. Health monitors are going to record details about you that you don’t even know about yourself. Various monitors around the home in the form of smart locks, smart cars, motion detectors, sleep monitors, etc. are going to monitor details about you (and the other people in your home) and how you live. Those details can then be sold to data companies that will combine data from multiple sources to paint a detailed picture of what you do and when you do it. Supposedly this will be done in order to personalize advertising for you, but it’s hard to believe that companies won’t take this a lot further and use this data in unsavory ways.

Already today there are data depositories buying raw data from a number of web sources that can paint a pretty good picture of who you are. Even without the ISPs being part of the data-gathering chain it’s likely that privacy is going to become largely a thing of the past.

There are a lot of people that don’t want to be watched so closely and I think we are going to see a new industry that strives to protect you from detailed monitoring. But when I see how extensive the data collection already is today, I fear that really removing yourself from data surveillance is going to be expensive and not available to most people.

I suspect my feelings towards privacy are typical. It makes me uneasy to have companies monitoring me and I find personalized advertising to be creepy. But as our world comes to rely more and more on devices that make our lives easier, it’s not hard to see that our current feelings about privacy are probably going to become quaint anachronisms of the past.

Some Regulatory Shorts

As is to be expected, our regulators stay busy regulating. Not all of their decisions have widespread impact, but it’s always worth keeping an eye on what’s going on.

WiFi Blocking: The FCC continues to come down hard on those in the hospitality industry that would stop people from using their own hot spots in or near hotels or other gathering places. You might recall, last year the FCC fined Marriott for blocking access to guests using their cellphones for WiFi. Marriott is one of those chains that charges extra for WiFi and so they were operating jammers that interfered with the ability of a smart phone to act as a hotspot.

The FCC continued with that theme and recently fined M.C. Dean $718,000 for blocking WiFi at the Baltimore Convention Center. They also fined Hilton Worldwide $25,000 for “apparent obstruction of an investigation” in the case. In August the FCC fined Smart City Holdings $750,000 for using technology at 28 convention centers that blocked cellphone and wireless routers from acting as hotspots.

As somebody who travels and who generally finds hotel WiFi to be inadequate, this is a welcome move. But it’s even more so for groups that rent space in a convention center. Some of those locations charge 6 digits for use of a convention center’s WiFi system, and the FCC is telling the hospitality industry that it is never okay to block WiFi.

Do Not Track Requests: The FCC voted earlier this month to not require web sites to honor Do Not Track requests. The group Consumer Watchdog had petitioned the FCC asking them to force companies to honor such requests. Today web sites can voluntarily honor privacy requests, but only a handful of large web sites do so. The group had hoped that since the FCC had elected to regulate privacy practices for ISPs as part of the net neutrality rules that they might carry this forward to the web.

But the FCC declined to make such a ruling. They said that they are not in the business of regulating ‘edge providers’, meaning the companies that offer web content. I keep an eye on privacy and, whenever I can, use web sites that don’t track people, like the Duck Duck Go search engine. But I am leery about the FCC getting into the business of regulating the behavior of web service providers. When you look at some of the consequences of such actions it’s not necessarily good for anybody. Even in England, which we always assume is a lot like us, the government has proscribed a large list of web content that is off limits unless people opt into them. I personally am glad the FCC doesn’t want to cross that line. I think back to all of the wasted effort they spent on the ‘seven dirty words’ on TV and radio and don’t think we need a repeat of that.

The FCC and Privacy. In what seems like an extreme order, the FCC just fined Cox Communications $595,000 for a security breach that exposed the records of 61 customers. That’s almost $10,000 per customer.

This is the first such privacy ruling by the FCC since this was always under the purview of the Federal Trade Commission until the FCC asserted primary responsibility for regulating ISPs as common carriers. I find the order to be puzzling. The breach was apparently due to a hacker. Cox self-reported the breach and said that they had processes in place that found the breach quickly and that limited it from happening to a larger number of customers. To me that sounds like what companies are supposed to do and I’m not sure that any company these days can be completely immune from hackers. I know we won’t know the details of exactly what Cox did wrong, but it doesn’t feel like this is a case where the punishment fits the crime.

One only has to compare this to the way that the very massive data breaches have been handled for companies like Target, J.P. Morgan Chase and a number of other banks, and even from several branches of the federal government. None of them got significant fines and the general thinking is that the market itself provides a lot of punishment in lost business and in the cost of dealing with the data breach. The size of the FCC fine seems out of line, and because of that every ISP ought to be reviewing the way you store and protect customer data. You can’t afford not to, and perhaps that is the message the FCC was making.