The Problem with FTC Regulation

As part of the decision to kill Title II regulation, the FCC largely ceded its regulatory authority over broadband to the Federal Trade Commission. FTC regulation is exceedingly weak, meaning that broadband is largely unregulated.

A great example of this is the recent $60 million fine levied on AT&T by the FTC. This case stretched back to 2014 when the company advertised and charged a premium price for an unlimited cellular data plan. It turns out the plan was far from unlimited and once a customer reached an arbitrary amount of monthly usage, AT&T throttled download speeds to the point where the broadband was largely unusable.

This is clearly an unfair consumer practice and the FTC should be applauded for fining AT&T. Unfortunately, the authority to levy fines for bad behavior is the practical extent of the FTC’s regulatory authority.

A strong regulator would not have taken five years to resolve this issue. In today’s world, five years is forever, and AT&T has moved far past the network, the products, and the practices they used in 2014. In 2014 most of the cellular network was still 3G, moving towards 4G. It didn’t take a lot of cellular data usage to stress the network. It was a real crisis for the cellular networks when people started watching video on their phones, and the cellular companies tamped down on usage by enforcing small monthly data caps, and apparently by capping unlimited users as well.

A strong regulator would have ordered AT&T to stop the bad practice in 2014. The FTC doesn’t have that authority. The regulatory process at the FTC is to bring suit against a corporation for bad behavior. Often companies will stop bad behavior immediately to soften the size of potential fines – but they are not required to do so. The FTC suit is like any other lawsuit with discovery and testimony. Once the FTC finds the corporation guilty of bad behavior, the parties often negotiate a settlement, and it’s routine for corporations to agree to never undertake the same bad practices again.

A strong regulator would have ordered the whole cellular industry to stop throttling unlimited data customers. The FCC fine applied strictly to AT&T and not to any other cellular carriers. T-Mobile has advertised unlimited data plans for years that get throttled at some point, but this FTC action and the fine against AT&T has no impact on T-Mobile and the other wireless carriers. AT&T got their wrist slapped, but the FTC doesn’t have the authority to tell other cellular companies to not engage in the same bad behavior. The FCC regulates by punishing bad corporate actors and hopes that similar companies will modify their behavior.

A strong regulator would develop forward-thinking policies to head off bad behavior before it happens. One of the bulwarks of regulation is establishing policies that prohibit bad behavior and that reward corporations for good behavior. The FTC has no authority to create policy – only to police bad behavior.

Even if they wanted to regulate broadband more, the FTC doesn’t have the staffing needed to monitor all broadband companies. The agency is responsible for policing bad corporate behavior across all industries, so they only tackle the worst cases of corporate abuse, and more often than not they go after the largest corporations.

At some point, Congress will have to re-regulate broadband. Unregulated corporations inevitably abuse the public. Without regulation, broadband prices are going to go sky-high. Without regulation there will be ISP policies that unfairly punish customers. Without regulation the big ISPs will eventually engage in all of the practices that net neutrality tried to stop. Having the FTC occasionally levy a big fine against a few big ISPs will not deter bad behavior across the whole ISP sector.

What we really need is an FCC that does what it’s supposed to do. If the FCC refused to regulate broadband – the primary product under its umbrella – then the agency is reduced to babysitting spectrum auctions, and not much else of consequence.

A Corporate Call for Privacy Legislation

Over 200 of the largest companies in the country are proposing a new set of national privacy laws that would apply to large companies nationwide. They are pushing to have this considered by the upcoming Congress.

The coalition includes some of the largest companies in Silicon Valley like Apple and Oracle, but it doesn’t include the big three of Facebook, Google and Amazon. Among the other big businesses included in the group are the largest banks like Bank of America and Wells Fargo, big carriers like AT&T and big retailers like Walmart.

As you might expect, a proposed law coming from the large corporations would be favorable to them. They are proposing the following:

  • Eliminate Conflicting Regulations. They want one federal set of standards. States currently have developed different standards for privacy and for issues like defining sensitive information. There are also differing standards by industry such as for medical, banking and general corporations;
  • Self-regulation. The group wants the government to define the requirements that must be met but don’t want specific methodologies or processes mandated. They argue that there is a history of government technical standards being obsolete before they are published;
  • Companies Can Determine Interface with Consumers. The big companies want to decide how many rights to give to their customers. They don’t want mandates for defining how customer data can be used or for requiring consumer consent to use data. They don’t want mandates giving consumers the right to access, change or delete their data;
  • National Standard for Breach Notification. They want federal, rather than differing state rules on how and when a corporation must notify customers if their data has been breached by hackers;
  • Put the FTC in Charge of these Issues. They want the FTC to enforce these laws rather than State Attorney Generals;
  • Wants the Laws to Only Apply to Large Corporations. They don’t want rigid new requirements on small businesses that don’t process much personal data.

There are several reasons big companies are pushing for legislation. There are currently different privacy standards around the country due to actions brought by various State Attorney Generals and they’d like to see one federal standard. But like most laws the primary driver behind this legislation is monetary. Corporations are seeing some huge hits to the bottom line as a result of data breaches and they hope that having national rules will provide a shield against damages – they hope that a company that is meeting federal standards would be shielded from large lawsuits after data breaches.

I look at this legislation both as a consumer and as somebody working in the small carrier industry. With my consumer hat on there are both good and bad aspects of the proposed rules. On the positive side a set of federal regulations ought to be in place for a complex issue that affects so many different industries. For example, it is hard for a corporation to know what to do about a data breach if they have to satisfy differing rules by state.

But the negatives are huge from a consumer perspective. It’s typical political obfuscation to call this a privacy law because it doesn’t provide any extra privacy for consumers. Instead it would let each corporation decide what they want to disclose to the public and how companies use consumer data. A better name for the plan might be the Data Breach Lawsuit Protections Act.

There are also pros and cons for this for small carriers. I think all of my clients would agree that we don’t need a new set of regulations and obligations for small carriers, so small carriers will favor the concept of excusing smaller companies from some aspect of regulations.

However, all ISPs are damaged if the public comes to distrust ISPs because of the behavior of the largest ISPs. Small ISPs already provide consumer privacy. I’ve never heard of a small ISP that monitors customer data, let alone one that is trying to monetize their customers’ data. Small ISPs are already affording significant privacy rights to customers compared to the practices of AT&T, Verizon or Comcast who clearly view customer data as a valuable asset to be exploited rather than something to protect. The ISP industry as a whole would benefit by having rules that foster greater customer trust.

I’m not sure, however, that many small ISPs would automatically notify customers after a data breach – it’s a hard question for every corporation to deal with. I think customers would trust us more if there were clear rules about what to do in the case of a breach. This proposed law reminds me that this is something we should already be talking about because every ISP is vulnerable to hacking. Every ISP ought to be having this conversation now to develop a policy on data breaches – and we ought to tell our customers our plans. Small ISPs shouldn’t need a law to remind us that our customers want to trust us.

Killing FTC Regulation?

NCTA, the lobbying group for the big cable companies, filed a pleading with the Federal Trade Commission (FTC) asking the agency to not get involved with regulating the broadband industry. When the FCC killed net neutrality, Chairman Ajit Pai promised that it was okay for the FCC to step away from broadband regulation since the FTC was going to take over much of the regulatory role. Now, a month after net neutrality went into effect we have the big cable ISPs arguing that the FTC should have a limited role in regulating broadband. The NCTA comments were filed in a docket that asks how the FTC should handle the regulatory role handed to them by the FCC.

Pai’s claim was weak from the outset because of the nature of the way that the FTC regulates. They basically pursue corporations of all kinds that violate federal trade rules or who abuse the general public. For example, the FTC went after AT&T for throttling customers who had purchased unlimited data plans. However, FTC rulings don’t carry the same weight as FCC orders. Rulings are specific to the company under investigation. Rulings might lead other companies to modify their behavior, but an FTC order doesn’t create a legal precedent that automatically applies to all carriers. In contrast, FCC rulings can be made to apply to the whole industry and rulings can change the regulations for every ISP.

The NCTA petition asks the FTC to not pursue regulatory complaints against ISPs. For example, they argue that the agency shouldn’t be singling out ISPs for unique regulatory burdens, but should instead pursue the large Internet providers like Facebook and Google. The NCTA claims that market forces will prevent bad behavior by ISPs and will punish a carrier that abuses its customers. They claim there is sufficient competition for cable broadband, such as from DSL, that customers will leave an ISP that is behaving poorly. In a world where they have demolished DSL and where cable is a virtual monopoly in most markets they really made that argument! We have a long history in the industry that says otherwise, and even when regulated by the FCC there are long laundry lists of ways that carriers have mistreated their customers.

One of the more interesting requests is that the ISPs want the FTC to preempt state and local rules that try to regulate them. I am sure this is due to vigorous activity at the state level currently to create rules for net neutrality and privacy regulations. They want the FTC to issue guidelines to state Attorney Generals and state consumer protection agencies to remind them that broadband is regulated only at the federal level. It’s an interesting argument to make after the FCC has punted on regulating broadband and when this filing is asking the FTC to do the same. The ISPs want the FTC to leave them alone while asking the agency to act as the watchdog to stop others from trying to regulate the industry.

I think this pleading was inevitable since the big ISPs are trying to take full advantage of the FCC walking away from broadband regulation. The ISPs view this as an opportunity to kill regulation everywhere. At best the FTC would be a weak regulator of broadband, but the ISPs don’t want any scrutiny of the way they treat their customers.

The history of telecom regulation has always been in what I call waves. Over time the amount of regulation builds up to a point where companies can make a valid claim of being over-regulated. Over-regulation can then be relieved either by Congress or by a business-friendly FCC that loosens regulatory constraints. But when regulations get too lax the big carriers inevitably break enough rules to attract an increase in new regulation.

We are certainly hitting the bottom of a trough of a regulatory wave as regulations are being eliminated or ignored. Over time the large monopolies in the industry will do what monopolies always do. They will take advantage of this period of light regulation and will abuse customers in various ways and invite new regulations. My bet is that customer privacy will be the issue that will start the climb back to the top of the regulatory wave. The ISPs’ argument that market forces will force good behavior on their part is pretty laughable to anybody who has watched the big carriers over the years.

Can the FTC Regulate Broadband?

When the FCC wrote themselves out of the regulation of broadband, one of the primary arguments made by Chairman Ajit Pai was that the Federal Trade Commission (FTC) would still be empowered to step in to stop any ISP abuses of broadband customers. The FTC has the general mandate to stop large corporations from engaging in unfair or abusive practices and Pai’s argument was made that ISPs are no different than other large corporations and that FTC oversight is sufficient.

There are several reasons why this argument is full of holes and the FTC cannot be an adequate replacement for the FCC. First, the FTC is not structured to regulate monopolies. We are now watching cable companies become a virtual broadband monopoly for residential service in most markets. The FCC loves to point out that there is still usually a telco DSL option, but when Comcast increases minimum broadband speeds to 150 Mbps while DSL is at a small fraction of that speed, then cable broadband and DSL are no longer equivalent services. The cable companies are winning the broadband war and becoming broadband monopolies as DSL disappears from the conversation.

One of the natural roles of government is to regulate monopolies. FERC heavily regulates local electric companies. The FCC was originally created to deal with the monopoly power that the old Ma Bell held over 95% of the country’s telephony needs. The government regulates industries where a few players hold all of the power like airlines and banks.

The government has always dealt with monopolies in one of two ways – regulate them to curtail abuse of monopoly power or else break the monopolies up to create competition. The government forced the divestiture of the Bell System when it became apparent that their continued existence was a natural barrier to competition. It seems ironic that the FCC would wash its hands of regulating broadband at the point in time when cable companies are becoming classic monopolies.

The other primary reason that the FTC cannot regulate broadband is that they regulate purely by exception. The agency is empowered to pursue specific abuses by a specific corporation and can require and fine a given company for bad behavior. This puts the FTC in the role of corporate policeman – they can go after an ISP for a bad business practice but that doesn’t directly prohibit other ISPs from engaging in the same behavior. The FTC’s powers are pale compared to the ability of a regulatory agency like the FCC to make a ruling that instantly applies to every ISP in the industry. Ajit Pai’s argument that the FTC can take the FCC’s place is faulty because policing is not regulating.

As weak as the FTC’s power is over regulating broadband there is a chance they will lose even that ability. The FTC sued AT&T in 2014 because the company throttled data usage by unlimited customers to try to get them to drop their unlimited data plans. AT&T challenged that lawsuit and argued that the FTC had no authority over the company. Recall that this was at a time when the FCC still claimed jurisdiction over broadband issues.

The US District Court of Northern California recently ruled against AT&T in favor of the FTC. AT&T has until May 29 to appeal that ruling to the Supreme Court. If the company appeals, it will be to directly ask the Supreme Court if the FTC has jurisdiction over them. A ruling in AT&T’s favor would remove the last vestige of broadband regulation and would make broadband a completely unregulated industry.

It’s not hard to imagine how a truly unfettered broadband industry would react over time if not regulated. We will see big price increases, data caps, the free use and abuse of customer personal data and a violation of all of the principles of net neutrality. This would push broadband in the wrong direction by making it too expensive for many households while degrading the online experience for all broadband customers. The Internet as we know it can be broken if the ISPs are allowed to ignore customers and answer only to Wall Street.

We are already near to this point even if the AT&T suit against the FTC doesn’t conclude with an AT&T victory at the Supreme Court. After the FCC washed their hands of broadband regulation, the only regulation of the industry now comes from the FTC, which can tackle bad behavior at a single ISP on a single topic. Mass bad behavior by all of the big ISPs will quickly swamp the FTC, and within a few years the higher prices and bad ISP behavior will likely become the industry norm.

The fact that only a few companies own the wires of the broadband network makes this industry a natural monopoly just like electricity, water and natural gas delivery. Nobody likes to be regulated and I can’t even fully believe I am advocating for more regulation. Even before the FCC withdrew from broadband regulation it was one of the most lightly regulated monopoly industries in the country. Big ISPs have always fought against being regulated, but I don’t think even they thought that all broadband regulation would be removed in one fell swoop. We are going to have to somehow put regulations back in place or watch our industry go down a very ugly path.

States and Net Neutrality

We now know how states are going to react to the end of net neutrality. There are several different responses so far. First, a coalition of 23 states filed a lawsuit challenging the FCC’s ability to eliminate net neutrality and Title II regulation of broadband. The lawsuit is mostly driven by blue states, but there are red states included like Mississippi and Kentucky.

The lawsuit argues that the FCC has exceeded its authority in eliminating net neutrality. The lawsuit makes several claims:

  • The suit claims that under the Administrative Procedure Act (APA) the FCC can’t make “arbitrary and capricious” changes to existing policies. The FCC has defended net neutrality for over a decade and the claim is that the FCC’s ruling fails to provide enough justification for abandoning the existing policy.
  • The suit claims that the FCC ignored the significant public record filed in the case that details the potential harm to consumers from ending net neutrality.
  • The suit claims that the FCC exceeded its authority by reclassifying broadband service as a Title I information service rather than as a Title II telecommunications service.
  • Finally, the suit claims that the FCC ruling improperly preempts state and local laws.

Like with past challenges of major FCC rulings, one would expect this suit to go through at least several levels of courts, perhaps even to the Supreme Court. It’s likely that the loser of the first ruling will appeal. This process is likely to take a year or longer. Generally, the first court to hear the case will determine quickly if some or all of the FCC’s net neutrality order will be stayed until resolution of the lawsuit.

I lamented in a recent blog how partisan this and other FCCs have gotten. It would be a positive thing for FCC regulation in general if the courts put some cap on the ability of the FCC to create new policy without considering existing policies and the public record about the harm that can be caused by a shift in policy. Otherwise we face having this and future FCCs constantly changing the rules every time we get a new administration – and that’s not healthy for the industry.

A second tactic being used by states is to implement a state law that effectively implements net neutrality at the state level. The states of New York, New Jersey and Montana have passed laws that basically mimic the old FCC net neutrality rules at the state level. It’s an interesting tactic and will trigger a lawsuit about state rights if challenged (and I have to imagine that somebody will challenge these laws). I’ve read a few lawyers who opine that this tactic has some legs since the FCC largely walked away from regulating broadband, and in doing so might have accidentally opened up the door for the states to regulate the issue. If these laws hold up that would mean a hodgepodge of net neutrality rules by state – something that benefits nobody.

Another tactic being taken is for states, and even a few cities, to pass laws that change the purchasing rules so that any carrier that bids for government telecom business must adhere to net neutrality. This is an interesting tactic and I haven’t seen anybody that thinks this is not allowed. Governments have wide latitude in deciding the rules for purchasing goods and services and there are already many similar restrictions that states put onto purchasing. The only problem with this tactic is going to be if eventually all of the major carriers violate the old net neutrality rules. That could leave a state with poor or no good choice of telecom providers.

As usual, California is taking a slightly different tactic. They want to require that carriers must adhere to net neutrality if they use state-owned telecom facilities or facilities that were funded by the state. Over the years California has built fiber of its own and also given out grants for carriers to build broadband networks. This includes a recently announced grant program that is likely to go largely to Frontier and CenturyLink. If this law is upheld it could cause major problems for carriers that have taken state money in the past.

It’s likely that there are going to be numerous lawsuits challenging different aspects of the various attempts by states to protect net neutrality. And there are likely to also be new tactics tried by states during the coming year to further muddy the picture. It’s not unusual for the courts to finally decide the legitimacy of major FCC decisions. But there are so many different tactics being used here that we are likely to get conflicting rulings from different courts. It’s clearly going to take some time for this to all settle out.

One interesting aspect of all of this is how the FCC will react if their cancellation of net neutrality is put on hold by the courts. If that happens it means that some or all of net neutrality will still be the law of the land. The FCC always has the option to enforce or not enforce the rules, so you’d suspect that they wouldn’t do much about ISPs that violate the spirit of the rules. But more importantly, the FCC is walking away from regulating broadband as part of killing Title II regulation. They are actively shuttling some regulatory authority to the FTC for issues like privacy. It seems to me that this wouldn’t be allowed until the end of the various lawsuits. I think the one thing we can count on is that this is going to be a messy regulatory year for broadband.

Broadband Regulation in Limbo

The recent ruling earlier this week by the US Court of Appeals for the 9th Circuit highlights the current weak state of regulations over broadband. The case is one that’s been around for years and stems from AT&T’s attempt to drive customers off of their original unlimited cellphone data plans. AT&T began throttling unlimited customers when they reached some unpublished threshold of data use, in some cases as small as 2 GB in a month. AT&T then lied to the FCC about the practice when they inquired. This case allows the FTC suit against AT&T to continue.

The ruling demonstrates that the FTC has some limited jurisdiction over common carriers like AT&T. However, the clincher came when the court ruled that the FTC only has jurisdiction over issues where the carriers aren’t engaging in common-carrier services. This particular case involves AT&T not delivering a product they promised to customers and thus falls under FTC jurisdiction. But the court made it clear that future cases that involve direct common carrier functions, such as abuse of net neutrality would not fall under the FTC.

This case clarifies the FTC’s limited jurisdiction over ISPs and contradicts the FCC’s statements that the FTC is going to be able to step in and take their place on most matters involving broadband. The court has made it clear that is not the case. FCC Chairman Ajit Pai praised this court ruling and cited it as a good example of how the transition of jurisdiction to the FTC is going to work as promised. But in looking at the details of the ruling, that is not true.

This court ruling makes it clear that there is no regulatory body now in charge of direct common carrier issues. For instance, if Netflix and one of the ISPs get into a big fight about paid prioritization there would be nowhere for Netflix to turn. The FCC would refuse to hear the case. The FTC wouldn’t be able to take the case since it involves a common carrier issue. And while a court might take the case, they would have no basis on which to make a ruling. As long as the ISP didn’t break any other kinds of laws, such as reneging on a contract, a court would have no legal basis on which to rule for or against the ISP’s behavior.

That means not only that broadband is now unregulated, it also means that there is no place for somebody to complain against abuse by ISPs until the point where that abuse violates some existing law. That is the purest definition of limbo that I can think of for the industry.

To make matters worse, even this jumbled state of regulation is likely to be more muddled soon by the courts involved in the various net neutrality suits. Numerous states have sued the FCC for various reasons, and if past practice holds, the courts are liable to put some or all of the FCC’s net neutrality decision on hold.

It’s hard to fathom what that might mean. For example, if the courts were to put the FCC’s decision to cancel Title II regulation on hold, then that would mean that Title II regulation would still be the law of the land until the net neutrality lawsuits are finally settled. But this FCC has made it clear that they don’t want to regulate broadband and they would likely ignore such a ruling in practice. The Commission has always had the authority to pick and choose cases it will accept and I’m picturing that they would refuse to accept cases that relied on their Title II regulation authority.

That would be even muddier for the industry than today’s situation. Back to the Netflix example, if Title II regulation was back in effect and yet the FCC refused to pursue a complaint from Netflix, then Netflix would likely be precluded from trying to take the issue to court. The Netflix complaint would just sit unanswered at the FCC, giving Netflix no possible remedy, or even a hearing about their issues.

The real issue that is gumming up broadband regulation is not the end of Title II regulation. The move to Title II regulation just became effective with the recent net neutrality decision and the FCCs before that had no problem tackling broadband issues. The real problem is that this FCC is washing their hands of broadband regulation, and supposedly tossed that authority to the FTC – something the court just made clear can’t work in the majority of cases.

This FCC has shown that there is a flaw in their mandate from Congress in that they feel they are not obligated to regulate broadband. So I guess the only fix will be if Congress makes the FCC’s jurisdiction, or lack of jurisdiction clear. Otherwise, we couldn’t even trust a future FCC to reverse course, because it’s now clear that the decision to regulate or not regulate broadband is up to the FCC and nobody else. The absolute worst long-term outcome would be future FCCs regulating or not regulating depending upon changes in the administration.

My guess is that AT&T and the other big ISPs are going to eventually come to regret where they have pushed this FCC. There are going to be future disputes between carriers and the ISPs are going to find that the FCC can not help them just like they can’t help anybody complaining against them. That’s a void that is going to serve this industry poorly.

FCC and FTC Divvy up Broadband Regulation

The FCC voted last Thursday to reverse the Net Neutrality order that had been put into place by the previous Tom Wheeler FCC. This action eliminates the use of Title II to regulate broadband. In order to get rid of Title II authority the FCC believes it has to relinquish some of its regulatory role today and to move certain regulatory functions to the Federal Trade Commission. To effectuate this shift the two Commissions have agreed to a Memorandum of Understanding (MOU) that defines the ongoing regulatory and enforcement responsibility of each agency related to broadband.

The Federal Trade Commission will renew investigating ISPs as they do other large businesses in the country. They will investigate complaints made against the companies for practices that the agency deems to be unfair or deceptive. The agency has undertaken this kind of investigation in the past and has cited and fined a few big ISPs for various deceptive pricing and billing practices. In this role the FTC could elect to tackle topics that were part of net neutrality such as anticompetitive blocking of Internet traffic, throttling customer broadband or paid prioritization practices. While the three legs of net neutrality would not explicitly be part of the FTC’s responsibilities, they should be free to investigate practices that harm the public. The FTC would also take back jurisdiction over ISP privacy practices.

It appears that dropping the Title II regulatory regime allows the FTC to again regulate ISPs. Since the FCC approved Title II regulation, the big ISPs have argued that the FTC is prohibited by its charter to regulate common carriers. But since broadband providers are no longer considered to be common carriers it would seem to open the door to the FTC again.

The big difference in a shift to FTC regulation is that anything they do is done retroactively. They look at consumer complaints and then prosecute the worst abuses they find in multiple industries. But their rules often come years after abuse by companies and their rulings only generally affect one company at a time. Other ISPs might shift behavior due to an FTC enforcement action, but they are not required to do so. This is a drastic change from having a set of proactive regulations and rules in place that define acceptable ISP behavior.

The FCC will be giving up most regulatory oversight of broadband. There are still a few broadband rules that fall under FCC jurisdiction. For example, there are still rules in place that require ISPs to disclose information about their products, data speeds, etc., to customers. The FCC will still be monitoring and regulating these notices. There are also regulations that will remain in place because they were put in place by laws that can’t be reversed by the FCC. As an example, the FCC will still oversee CALEA compliance, where ISPs are required to provide access to broadband records to law enforcement.

Probably the biggest regulatory gray area left is cellular broadband. While broadband in general is now largely unregulated, there are still numerous regulations about cellular service that remain in place. We’ll have to see how the FCC deals with any conflicts between old cellular rules and their desire to deregulate broadband.

To a large extent there will be little regulation of broadband and it is now an unregulated business line. This is a bit ironic in that broadband has grown to become the most important telecommunications product, while the many regulations on the waning product lines of telephone and cable TV still remain in place.

The FCC acknowledges that its technical staff best understands the ISP industry and has promised in the MOU to make FCC staff available to the FTC as needed. It will be interesting to see how that works in practice since some of the FTC investigations drag on for years. I foresee budgetary issues making major collaboration impractical.

The bottom line is that this MOU makes it clear that broadband is largely deregulated. The FTC can step in and punish ISPs that engage in fraudulent and unfair practices. But otherwise nobody will be monitoring or enforcing any regulations on broadband.

Broadband Regulation is in Limbo

We have reached a point in the industry where it’s unclear who regulates broadband. I think a good argument can be made that nobody is regulating broadband issues related to the big ISPs.

Perhaps the best evidence of this is a case that is now in the Ninth Circuit Court of Appeals in San Francisco. This case involves a 2014 complaint against AT&T by the Federal Trade Commission based on the way that AT&T throttled unlimited wireless data customers. The issue got a lot of press at the time when AT&T started restricting data usage in 2011 for customers when they hit some arbitrary (and unpublished) data threshold in a month. Customers got shuttled back to 3G and even 2G data speeds and basically lost the ability to use their data plans. The press and the FTC saw this as an attempt by AT&T to drive customers off their grandfathered unlimited data plans (which were clearly not unlimited).

AT&T had argued at the FTC that they needed to throttle customers who use too much data as a way to manage and protect the integrity of their networks. The FTC didn’t buy this argument and ruled against AT&T. As they almost always do, the company appealed the decision. The District Court in California affirmed the lower court ruling and AT&T appealed again, which is the current case in front of the Ninth Circuit. AT&T is making some interesting claims in the case and is arguing that the Federal Trade Commission rules don’t allow the FTC to regulate common carriers.

There are FTC rules called the ‘common carrier exemption’ that were established in Part 5 of the original FTC Act that created the agency. These exemptions are in place to recognize that telecom common carriers are regulated instead by the FCC. There are similar carve-outs in the FTC rules for other industries that are regulated in part by other federal agencies.

The common carrier exemption doesn’t relieve AT&T and other telecom carriers from all FTC regulation – it just means that the FTC can’t intercede in areas where the FCC has clear jurisdiction. But any practices of telecom carriers that are not specifically regulated by the FCC then fall under FTC regulations since the agency is tasked in general with regulating all large corporations.

AT&T is making an interesting argument in this appeals case. They argue that since they are now deemed to be a common carrier for their data business under the Title II rules implemented in the net neutrality order, they should be free of all FTC oversight.

But there is an interesting twist to this case because the current FCC filed an amicus brief in the appeal saying that they think that the FTC has jurisdiction over some aspects of the broadband business such as privacy and data security issues. It is this FCC position that creates uncertainty about who actually regulates broadband.

We know this current FCC wants to reverse the net neutrality order, and so they are unwilling right now to tackle any major issues that arise from those rules. In this particular case AT&T’s throttling of customers occurred before the net neutrality decision and at that time the FCC would not have been regulating cellular broadband practices.

But now that the FCC is considered to be a common carrier it’s pretty clear that the topic is something that the FCC has jurisdiction over today. But we have an FCC that is extremely reluctant to take on this issue because it would give legitimacy to the net neutrality rules they want to eliminate.

The FCC’s position in this case leads me to the conclusion that, for all practical purposes, companies like AT&T aren’t regulated at all for broadband issues. The prior FCC made broadband a common carrier service and gave themselves the obligation to regulate broadband and to tackle issues like the one in this case. But the new FCC doesn’t want to assert that authority and even goes so far as to argue that many broadband related issues ought to be regulated by the FTC.

This particular case gets a little further muddled by the timing since AT&T’s practices predate Title II regulation – but the issue at the heart of the case is who regulates the big ISPs. The answer seems to be nobody. The FCC won’t tackle the issue and AT&T may be right that the FTC is now prohibited from doing so. This has to be a huge challenge for a court because they are now being asked who is responsible for regulating the case in front of them. That opens up all sorts of possible problems. For example, what happens if the court rules that the FCC must decide this particular case but the agency refuses to do so? And of course, while this wrangling between agencies and the courts is being settled it seems that nobody is regulating AT&T and other broadband providers.

Two Tales on the Privacy Front

Protecting customer data has been in the news a lot recently and today I’m going to discuss two different news stories concerning the privacy of customer data.

The first story involves a case that will be decided soon by the U.S. Supreme Court. The case, Carpenter vs. United States, is contemplating the rules of how the government can access historical cellphone call records (and one assumes all other telecom records for calls and emails).

Without discussing all of the details of the case, the short version is that police had asked MetroPCS for the complete cellphone records of sixteen people suspected of robbing cellphone stores. MetroPCS supplied the details of all of the calls to and from each suspected cellphone as well as information about the location of the cell sites servicing each phone during the duration of the calls. The legal question being asked is if this represented a warrantless search and specifically as asked by government attorneys, “Whether the government’s acquisition, pursuant to a court order issued under 18 U.S.C. 2703(d), of historical cell-site records created and maintained by a cellular-service provider violates the Fourth Amendment rights of the individual customer to whom the records pertain.”

Recently fourteen companies including Google, Apple, Facebook, and Microsoft filed an amicus brief in the case that argues that the government is relying on outdated privacy laws from the 1970s that allow for the government to ask for telephone records without a warrant. Interestingly, Verizon joined in this argument.

Most small carriers are aware of this issue by the fact that local police often ask them for call records without a warrant. I can’t recall a time when a telco hasn’t responded to such requests, but I’ve talked to many companies who are often uncomfortable with the process. The fourteen companies get similar requests for call records but also for email records, web search results and other kinds of customer information. They argue that such requests should only be made with a warrant that reflects some level of probable cause. Court experts are calling this the biggest Fourth Amendment case in years because it’s going to consider the issues involved with the search for digital records.

The second news story is a different take on privacy. The Electronic Privacy Information Center (EPIC) has asked the Federal Trade Commission (FTC) to investigate how Google tracks customers. Specifically they say that Google analyzes credit card data to understand the in-store shopping habits of customers. They then sell this data to retailers. EPIC is asking the FTC to investigate the actual practices being deployed as well as to provide some sort of mechanism for people to opt out of this kind of tracking program.

If the FCC takes up this investigation it could also be groundbreaking. This case is the first specific case that asks the government to create some boundaries for such tracking and to allow people to opt out of being tracked.

There are many companies other than Google who are now using ‘big data’ to compile detailed profiles of people. These profiles are being marketed to vendors of products and services, but there is a great fear among privacy advocates that these same profiles can be used for nefarious purposes by governments and others. For instance, scam artists would probably love to know the identity of every household in the country that has somebody suffering from early-stage dementia.

Anybody that is getting involved in selling smart home products needs to be concerned about these issues. Recently researchers Ming Jin, Ruoxi Jia and Costas Spanos of the University of California at Berkeley examined some routine data collected by smart electric meters and were surprised at how much they were able to figure out about the occupants of a home using the data. For example, they were able to understand the patterns of when homes were occupied and unoccupied and were fairly easily able to tell when a given residence was unoccupied.

As we get more smart devices in homes the combination of the data collected by the various devices will be able to paint a detailed picture of the occupants of a home. This case could be the first step towards defining customer rights for control of their personal data.

The Big ISPs and Regulation

Last week Chairman Ajit Pai halted the impending implementation of the new privacy rules that were to stop the big ISPs from monetizing customer data without customer permission. The Chairman’s stated reason is that he didn’t want to see different rules applied to the big ISPs than to big web companies like Facebook and Google. That argument sounds like a valid reason, but as you will see below, there is no easy path towards treating all of these companies the same.

The stay applied to FCC rules covering a wide variety of privacy issues. The rules were to require the big ISPs to get customer permission to use their data. The rules also created specific security requirements at the ISPs defining how ISPs have to protect customer data and how and when they had to disclose data breaches to customers.

So here is where the confusion starts. The FCC clearly has no authority to regulate the web and what it calls edge-providers – companies like Facebook and Google. It would take an Act of Congress to give the FCC any authority to regulate the web – something that neither Democratic nor Republican administrations have had an appetite for.

Chairman Pai did suggest that perhaps the easiest solution is to hand ISP security issues to the Federal Trade Commission. But the new head of the FTC said that the agency would have no authority to regulate ISPs as long as Title II authority gives this authority to the FCC. So perhaps this action is an indicator that Chairman Pai intends to reverse Title II regulation. He’s said that he is against net neutrality and the FCC used the tool of Title II regulation to implement it. So killing Title II regulations would also get rid of net neutrality.

But what is not being talked about is that the FTC has never contemplated privacy rules as sweeping as the ones implemented by the FCC. The FTC already could impose these rules on Facebook, Google and everybody else on the web, but has never taken any serious steps towards doing so.

Because of that, halting the privacy rules feels like Chairman Pai is just letting the big ISPs off the hook. The big ISPs have been lobbying against these rules from the second they were passed. The ISPs are jealous of the giant revenues that the web companies are making from data mining of consumer data. And the ISPs want to protect what they’ve already been doing. It’s been well known, for example, that AT&T has been monetizing customer data. The leaks from Edward Snowden showed that AT&T has been supplying far more data to the NSA than is required by the Patriot Act. There are reports of a lucrative multi-billion dollar AT&T product line called ‘Hemisphere’ that has been selling customer phone and internet records to the federal government and to local law enforcement agencies.

What I think all of this means is that we have seen the end, for a while, of any government agency trying to provide privacy protection for customers. This mainly bothers me as a consumer more than as a consultant. I work entirely with smaller ISPs and none of them have the ability to use customer data in the same way that the big companies do. This latest FCC action only immediately affects perhaps the dozen largest ISPs.

There is a big functional difference between ISPs and edge-providers like Facebook. An ISP can see every keystroke a customer makes on the web, except for those that are made inside some encrypted program. But almost nobody uses encryption and so your ISP knows every web site you visit, the contents of every email you write, and every query you make to a search engine. And they know even more about you from your cellphone records – where you traveled and when.

But the difference between Facebook and the ISPs is that nobody makes you use Facebook. I really hate the way that the big companies like Facebook and Google track everything you do inside their platforms. I dropped off Facebook last year partly for this reason. I also rarely use Google as a search engine and don’t use Gmail or Google’s Chrome web browser. I can largely avoid the big web companies, but I can’t avoid my ISP. And like most Americans I don’t have any real option but to use a big ISP for broadband access.

I’m probably like most Americans and don’t feel like I have a lot to hide. But that still does not mean that I want big companies following my every movement, my every purchase, my every email and every web site I visit. That has far too much “big brother” about it for my liking. I know today that this data is mostly being used to develop targeted marketing, but this information could also easily be used for nefarious purposes, and some of that is starting to happen.

As much as this reversal of the privacy rules bothers me as a consumer, the big picture here is that, for now, the big ISPs finally have the FCC they want. This FCC has already said it’s going to reverse or gut net neutrality. This FCC just said they aren’t going to review the AT&T and Time Warner merger. Killing the privacy rules is final proof, only a month after the new Chairman has been in charge, that the big ISPs are likely to get everything they want. And I don’t think that is a healthy thing for the industry or for consumers.