Two Tales on the Privacy Front

Protecting customer data has been in the news a lot recently and today I’m going to discuss two different news stories concerning the privacy of customer data.

The first story involves a case that will be decided soon by the U.S. Supreme Court. The case, Carpenter vs. United States, is contemplating the rules of how the government can access historical cellphone call records (and one assumes all other telecom records for calls and emails).

Without discussing all of the details of the case, the short version is that police had asked MetroPCS for the complete cellphone records of sixteen people suspected of robbing cellphone stores. MetroPCS supplied the details of all of the calls to and from each suspected cellphone as well as information about the location of the cell sites servicing each phone during the duration of the calls. The legal question being asked is if this represented a warrantless search and specifically as asked by government attorneys, “Whether the government’s acquisition, pursuant to a court order issued under 18 U.S.C. 2703(d), of historical cell-site records created and maintained by a cellular-service provider violates the Fourth Amendment rights of the individual customer to whom the records pertain.”

Recently fourteen companies including Google, Apple, Facebook, and Microsoft filed an amicus brief in the case that argues that the government is relying on outdated privacy laws from the 1970s that allow for the government to ask for telephone records without a warrant. Interestingly, Verizon joined in this argument.

Most small carriers are aware of this issue by the fact that local police often ask them for call records without a warrant. I can’t recall a time when a telco hasn’t responded to such requests, but I’ve talked to many companies who are often uncomfortable with the process. The fourteen companies get similar requests for call records but also for email records, web search results and other kinds of customer information. They argue that such requests should only be made with a warrant that reflects some level of probable cause. Court experts are calling this the biggest Fourth Amendment case in years because it’s going to consider the issues involved with the search for digital records.

The second news story is a different take on privacy. The Electronic Privacy Information Center (EPIC) has asked the Federal Trade Commission (FTC) to investigate how Google tracks customers. Specifically they say that Google analyzes credit card data to understand the in-store shopping habits of customers. They then sell this data to retailers. EPIC is asking the FTC to investigate the actual practices being deployed as well as to provide some sort of mechanism for people to opt out of this kind of tracking program.

If the FCC takes up this investigation it could also be groundbreaking. This case is the first specific case that asks the government to create some boundaries for such tracking and to allow people to opt out of being tracked.

There are many other companies other than Google who are now using ‘big data’ to compile detailed profiles of people. These profiles are being marketed to vendors of products and services, but there is a great fear among privacy advocates that these same profiles can be used for nefarious purposes by governments and others. For instance, scam artists would probably love to know the identity of every household in the country that has somebody suffering from early-stage dementia.

Anybody that is getting involved in selling smart home products needs to be concerned about these issues. Recently researchers Ming Jin, Ruoxi Jia and Costas Spanos of the University of California at Berkeley examined some routine data collected by smart electric meters and were surprised at how much they were able to figure out about the occupants of a home using the data. For example, they were able to understand the patterns of when homes were occupied and unoccupied and were fairly easily able to tell when a given residence was unoccupied.

As we get more smart devices in homes the combination of the data collected by the various devices will be able to paint a detailed picture of the occupants of a home. This case could be the first step towards defining customer rights for control of their personal data.

The Big ISPs and Regulation

Last week Chairman Ajit Pai halted the impending implementation of the new privacy rules that were to stop the big ISPs from monetizing customer data without customer permission. The Chairman’s stated reason is that he didn’t want to see different rules applied to the big ISPs than to big web companies like Facebook and Google. That argument sounds like a valid reason, but as you will see below, there is no easy path towards treating all of these companies the same.

The stay applied to FCC rules covering a wide variety of privacy issues. The rules were to require the big ISPs to get customer permission to use their data. The rules also created specific security requirements at the ISPs defining how ISPs have to protect customer data and how and when they had to disclose data breaches to customers.

So here is where the confusion starts. The FCC clearly has no authority to regulate the web and what it calls edge-providers – companies like Facebook and Google. It would take an Act of Congress to give the FCC any authority to regulate the web – something that neither Democratic nor Republican administrations have had an appetite for.

Chairman Pai did suggest that perhaps the easiest solution is to hand ISP security issues to the Federal Trade Commission. But the new head of the FTC said that the agency would have no authority to regulate ISPs as long as Title II authority gives this authority to the FCC. So perhaps this action is an indicator that Chairman Pai intends to reverse Title II regulation. He’s said that he is against net neutrality and the FCC used the tool of Title II regulation to implement it. So killing Title II regulations would also get rid of net neutrality.

But what is not being talked about is that the FTC has never contemplated privacy rules as sweeping as the ones implemented by the FCC. The FTC already could impose these rules on Facebook, Google and everybody else on the web, but has never taken any serious steps towards doing so.

Because of that, halting the privacy rules feels like Chairman Pai is just letting the big ISPs off the hook. The big ISPs have been lobbying against these rules from the second they were passed. The ISPs are jealous of the giant revenues that the web companies are making from data mining of consumer data. And the ISPs want to protect what they’ve already been doing. It’s been well known, for example, that AT&T has been monetizing customer data. The leaks from Edward Snowden showed that AT&T has been supplying far more data to the NSA than is required by the Patriot Act. There are reports of a lucrative multi-billion dollar AT&T product line called ‘Hemisphere’ that has been selling customer phone and internet records to the federal government and to local law enforcement agencies.

What I think all of this means is that we have seen the end, for a while, of any government agency trying to provide privacy protection for customers. This mainly bothers me as a consumer more than as a consultant. I work entirely with smaller ISPs and none of them have the ability to use customer data in the same way that the big companies do. This latest FCC action only immediately affects perhaps the dozen largest ISPs.

There is a big functional difference between ISPs and edge-providers like Facebook. An ISP can see every keystroke a customer makes on the web, except for those that are made inside some encrypted program. But almost nobody uses encryption and so your ISP knows every web site you visit, the contents of every email you write, and every query you make to a search engine. And they know even more about you from your cellphone records – where you traveled and when.

But the difference between Facebook and the ISPs is that nobody makes you use Facebook. I really hate the way that the big companies like Facebook and Google track everything you do inside their platforms. I dropped off Facebook last year partly for this reason.  I also rarely use Google as a search engine and don’t use Gmail or Google’s Chrome web browser. I can largely avoid the big web companies, but I can’t avoid my ISP. And like most Americans I don’t have any real option but to use a big ISP for broadband access.

I’m probably like most Americans and don’t feel like I have a lot to hide. But that still does not mean that I want big companies following my every movement, my every purchase, my every email and every web site I visit. That has far too much “big brother” about it for my liking. I know today that this data is mostly being used to develop targeted marketing, but this information could also easily be used for nefarious purposes, and some of that is starting to happen.

As much as this reversal of the privacy rules bothers me as a consumer, the big picture here is that, for now, the big ISPs finally have the FCC they want. This FCC has already said it’s going to reverse or gut net neutrality. This FCC just said they aren’t going to review the AT&T and Time Warner merger. Killing the privacy rules is final proof, only a month after the new Chairman has been in charge, that the big ISPs are likely to get everything they want. And I don’t think that is a healthy thing for the industry or for consumers.

Broadband CPNI?

A group of consumer and privacy groups has asked the FCC to begin enforcing customer privacy rules. In the industry this process is called CPNI (customer proprietary network information) when applied to telephone and cable TV.

Now that the FCC has classified broadband as a common carrier service, they have the authority to investigate and regulate broadband privacy issues. This is something that the industry needs. Until now there has been very limited regulation of broadband by the Federal Trade Commission since the FTC authority was drawn only from the Children’s Online Privacy Act. But the FCC now has much stronger authority.

Current CPNI rules for telephone and cable TV are focused to a large degree on billing issues and on protecting private data like social security numbers, credit card numbers or other sensitive customer information. There is also a prohibition against disclosing the details of what customers do with those services – such as the calls they make or the channels they watch. (Of course, I guess we now know that the NSA is immune from the obligation to protect telephone records).

As sensitive as privacy matters are in those areas there are larger concerns with broadband. What people do online is extremely personal and the vast majority of Americans think that details of their online life should not be recorded or sold to others.

There are a whole lot of places that the FCC could go with broadband CPNI over and above the normal protections of billing data. For example, what are the obligations of companies to notify people when there has been a data breach and customer information has been compromised? Should ISPs have to disclose to customers if they use their data for any purposes or sell it to others in any form? And if so, how much do companies have to disclose?

An ISP is in a very powerful position with a customer. If they wish to record what a customer does online they know everything that the customer hasn’t somehow encrypted. They are the first in line to see outgoing bits and the only one to see all of the incoming bits.

The FCC has already started some internal work on the topic and held a workshop. From there the FCC has a number of options. They can first solicit comment and ideas from the public to see what kinds of sentiments are out there. It seems for almost everything the FCC does there are two sides of opinion, and there will be those that are in favor of very strong rules and those in favor of a very light touch. But the FCC would do well to hear all of these opinions before trying to formulate specific rules.

But they do have the option to go straight to a rulemaking. They could propose specific CPNI rules and let everybody take pot shots at them. I’m suspecting that for something this new and different that they are going to want to hear all sides of the arguments first before developing rules. The FCC also might be slow-rolling this. The whole Title II regulatory process is under appeal in the courts and they might not want to go too far down any path until they feel more secure that the courts believe they have the authority to regulate broadband in this manner.

One thing that we can probably expect from the FCC is that whatever they do is going to apply to ISPs but not to what they call edge providers. That would be all of the companies like Google and Facebook that operate on the web and that are not under the Title II regulatory regime. I know that consumer groups are going to want that kind of protection because I think it’s generally assumed that it’s the edge providers – and not the ISPs – that are using and misusing people’s data today.

What is Anti-Competitive Behavior?

The Federal Trade Commission (FTC) recently clarified a long-standing policy specifically defining, for the first time in history, how it is going to judge anti-competitive behavior.

As a little background, the FTC has always been tasked with enforcing the Sherman Antitrust Act and the Clayton Act. But those laws are aimed at stopping anti-competitive behavior at the national level when a company is stifling a whole market. It has been exceedingly hard to apply those laws to a smaller market or to the actions of a large company stifling only a single tiny competitor.

In the telecom industry there are numerous cases where the large cable companies went after a small competitor, but these small companies have never had any legal recourse. I don’t think there are any examples of a small company using the law to stop anti-competitive behavior by the big cable companies. In every case I have ever worked with, the smaller company has gotten legal advice that it’s almost impossible to win an anti-competition claim against a big cable company.

And that has been a shame since there are cases where the behavior of the incumbents has been egregious. I’ve seen large cable companies cut rates significantly in a market to try to harm a new competitor while jacking up the rates in surrounding communities to make up for the losses in the one market. Those are the kinds of things that monopolies aren’t supposed to be able to do, but there has never been a mechanism for stopping this anti-competitive behavior.

I’m not a lawyer and I don’t know if the new FTC language fixes this problem, but my layman’s interpretation is that it offers hope. Here is how the FTC now defines how it will look at anti-competitive behavior:

  • The commission will be guided by public policy behind antitrust law, namely, consumer welfare.
  • An act or practice challenged by the FTC must cause or be likely to cause harm to competition or the competitive process, while taking into account related efficiencies and business justifications.
  • The commission is less likely to challenge acts or practices on the sole basis that they constitute unfair competition if the Sherman or Clayton Acts would be enough to address them.

It’s the second bullet point that I think holds out hope. It’s clear that the actions of large companies can cause harm to competition and the competitive process, and this makes it clear that the FTC feels they have the right to oversee such practices. As that second bullet also notes, sometimes small competitors get crushed inadvertently when a large company implements a nationwide practice for efficiency or business reasons. The FTC is not likely to tackle those cases, but should be open to investigating cases where a large company specifically goes after a small company in one market.

The timing of this is interesting for our industry. For many years the place to take a complaint against a large cable company would have been the FTC since the FCC didn’t regulate the cable companies as carriers. The FCC has regulated cable practices and requirements for being a cable company, but not issues like anti-competitive behavior.

But recently, with the changes coming from the net neutrality rule, the FCC has turned the cable companies into carriers under its jurisdiction. The FCC has always heard complaints from small telephone carriers against the larger telcos, so perhaps now the FCC might also be willing to entertain complaints from small cable providers against the larger cable companies.

It would be ironic if, now that the FTC is perhaps willing to hear such anti-competition claims, they might no longer hold jurisdiction over the cable market. Those two agencies are certainly engaged currently in an arm-wrestling match over this issue and it might take a while to figure out which agency would be the one to take an anti-competition claim.

Deceptive Billing Practices

In case you haven’t looked closely at your cable bill lately, there are likely a number of mysterious charges on it that look to be for something other than cable TV service. There was a day not too many years ago when a cable bill was simple. The bill would list the cable package you purchased as well as some sort of local franchise tax. There also might have been some line-item purchases if you bought pay-per-view movies or watched wrestling or other pay-per-view events.

But cable bills have gotten a lot more complicated because cable companies have been slyly introducing new charges on their bills in an effort to disguise the actual price of their basic cable packages. Here are a few of the charges I have heard about or seen on recent cable bills:

  • Broadcast TV Fee. This is a new fee where cable companies are putting some of the increases that they are having to pay for access to the broadcast networks of ABC, CBS, Fox and NBC. You can sympathize some with the cable operators on this fee since a decade ago cable companies got to carry these networks for free. But the network owners finally woke up to the fact that they could charge retransmission fees and since then the rates for carrying these networks have grown to roughly $2 per network, per customer, per month. But still, these fees ought to be part of basic cable, which is the smallest package that includes the core channels and that must be then carried with every other cable package.
  • Sports Programming Fees. It’s debatable whether sports programming or local retransmission fees have grown the most over the last decade. Certainly there was a day when there was only ESPN and a handful of other minor sports channels. But now cable systems are packed full of sports channels and each of them raises rates significantly every year to pass on the fees they pay to sports leagues to carry their content. The problem with starting a new fee to cover some of the increases in sports programming is that it clearly foists the cost of sports programming on everybody, when surveys show that a majority of customers are not very interested in sports outside of maybe the NFL.
  • Public Access Fee. In many cities the cable companies are required to carry channels that cover local government meetings and other local events. Other than having to reserve a slot on the cable system there is normally not much actual cost associated with these channels. So it’s incredibly cynical for a cable company to invent a fee to charge people to watch a channel that the cable company has agreed to carry, and for which they have very little cost.
  • Regulatory Recovery Fee. This one has me scratching my head since most cable companies are lightly regulated and pay very few taxes other than franchise fees, which they already put directly onto people’s bills. This fee seems to be pure deception to make people think they are paying taxes, when instead this is a fee that the cable company pockets.

Additionally, cable companies have recently really jacked up the cost of both settop boxes and cable modems. Interestingly, the actual cost of a settop box, at $80 – $100, has dropped over the last decade and continues to drop. It’s the same with cable modems. It’s hard to justify paying a monthly fee of up to $9 for a cable modem box that probably costs $80. Customers can theoretically opt out of both of these charges, but the large cable companies make it really hard to do so.

The idea of misnamed fees has been around for a while and started with telephone service. Starting back in 1984 the FCC allowed the telcos to migrate some of the charges that they used to bill to long distance companies for using the local loop to homes to a fee directly assessed on customers. Since then, telcos have had a separate fee called a Subscriber Line Charge, or an Access Fee, or sometimes an FCC Fee on their bills. But this was never a tax, as most customers assume, and the telco simply pockets this money as part of local rates. When the cable companies got into the voice business they largely copied this same fee, even though they never had to make the same shift of access revenues that created the charge. The FCC ought to do away with this fee entirely and require it be added to local rates where it belongs.

I think perhaps one of the reasons that the cable companies are so against Title II regulation is that these kinds of billing practices then come under FCC scrutiny. It’s hard to think of these various fees as anything other than outright deception and fraud. The companies that charge them are trying to be able to say in advertising that their rates are competitive, when in fact, by the time you add on the various ‘fees’, the actual cost for their products is much higher than what they advertise. I’m also surprised that the FTC has not gone after these fees since they are clearly intended to deceive the general public about what they are buying.

You might sympathize with the cable companies a little in that they have been bombarded year after year with huge increases in the cost of programming. But my sympathy for them evaporates once I look at the facts. When their programming costs go up each year they always raise their rates considerably more than the increased cost of programming and they use rate increases to increase their profit margin. Additionally, for the largest cable companies, part of those rate increases are for programming they own, such as the local sports networks.

We all know that the cost of cable is going to drive a lot of households to find a cheaper alternative, and when that happens the cable companies have to shoulder a lot of the blame. People might not understand the line items on their bill, but they know that the size of the check they write each year gets a lot bigger, and that is all that really matters.

The FTC and Technology

Last week I wrote about how the Federal Trade Commission was going to start watching the Internet of Things. I will admit that this is maybe only the second or third time in my career that I can recall the FTC being involved in anything related to telecom. So I did some digging and I think we are going to be hearing about them a lot more. The FTC is turning into one of the primary watchdogs of technology.

The FTC was created by President Woodrow Wilson in 1914 to fight against big trusts. In those days large corporations like Standard Oil and American Tobacco held monopoly power in their industries. The Sherman Act was passed as a way to battle the largest monopolies, but Congress wanted a second mechanism to control the worst practices of all corporations. The FTC was created 100 years ago to protect consumers against the practices of large corporations.

The FTC got their powers expanded in 1938 when Congress gave them explicit authority to combat “unfair methods of competition”. Since then the agency became increasingly active in protecting the public against unfair trade practices.

It is not surprising to see the FTC getting involved with technology since it is becoming the primary way that companies interface with people. The FTC has been engaged for years in a few areas that involve the telecom industry. For instance, they have been the watchdog for years for issues like deceptive advertising, poor billing practices, and violations of customer privacy.

As an example, there have been a number of FTC actions over the years with AT&T. Not that I particularly want to single out AT&T, because the FTC has been engaged with all of the large carriers over the years. However, just last year the FTC got AT&T to refund $80 million to wireless customers who had been crammed with fraudulent third party charges. In 2009, the FTC faulted the company for denying phones to people based upon having poor credit since they had not explained the policy to the public. And now the FTC is going after AT&T for fraudulent advertising since their unlimited mobile data plans are not actually unlimited.

One area of FTC focus for the last few years has been the security of customer data. For example, they have fined a number of companies whose security breaches released customer credit card and other personal information, in cases where those companies had not taken reasonable precautions to protect the data.

While companies sometimes fight the FTC, the more normal response is for the agency and a company to come to a mutually acceptable change in behavior through a consent decree. Following are a few cases related to our industry that were not amicably resolved and that instead resulted in suits by the FTC to stop bad corporate behavior:

  • Amazon. Last year the FTC sued Amazon to get them to stop the practice where children could rack up huge bills on cell phones by purchasing add-ons for computer games without parental approval. There were even game apps for pre-school age kids who clearly cannot yet read that allowed a player to buy extra features of the game by hitting a button.
  • Snapchat. Last year the FTC sued Snapchat because they told customers that their data on the network was private and protected, while it wasn’t.
  • Dish Network. In 2012 the FTC sued Dish Network for making telemarketing calls in violation of the Do Not Call rules.
  • Robocalling. In 2009 the FTC sued to stop numerous companies who were using robocalls to sell fraudulent products.
  • Data Brokers. The FTC sued LeapLab of Arizona for selling consumer data that included details like bank account numbers.
  • Spam. The FTC took legal steps to shut down Triple Fiber Networks (3FN.net) which hosted huge quantities of spam emails.
  • Intel. In 2009 the FTC sued Intel for using its monopoly power to artificially inflate the cost of computer chips.

As privacy and data security become even more important, we will probably see the FTC become very active in our industry. Interestingly, most of the FTC’s work is done quietly and without press. It contacts companies against which there are multiple public complaints. They generally investigate the complaints and try to get companies to change their bad behavior. And most companies agree to make changes. But the FTC has the ability to levy large fines and will do so for companies who repeat bad behavior or who violate a prior consent decree.

The FTC to Monitor the Internet of Things

Last week the Federal Trade Commission Chairwoman Edith Ramirez announced that the FTC’s latest initiative was to watch the Internet of Things for privacy violations. They are already concerned that IoT devices are subject to easy hacking, and also that they are being used to gather data on us.

In a report issued last week by the FTC staff, and approved 4 to 1 by the Commissioners, the FTC made specific recommendations in the areas of privacy, data collection and customer notification and choice. They also discussed the need for federal legislation to give them more power to police the IoT.

The FTC broadly defined the Internet of Things to include any device, other than computers and smartphones, which transmits information about the owner of the device over an internet connection.

The report makes specific recommendations about security and recommended that manufacturers of IoT devices should:

  • Assess the security risk for every device they make;
  • Minimize the data they collect and retain;
  • Test security before they ship product;
  • Implement measures to keep unauthorized users from accessing a device or data stored on their own networks;
  • Monitor devices throughout the product life cycle and provide patches to cover known risks;
  • Develop a defense to be ready to react to security breaches.

It’s good to see the government espousing these kinds of concerns. You might recall that HP tested ten popular IoT devices last year and found an average of ten security flaws on each device. My fear is that if the industry doesn’t self-police itself (or get prodded by regulators to do so) then someday we are headed for a perfect storm where hackers will do something terrible, like hack and kill hundreds of people with pacemakers. If something really dreadful happens because the industry doesn’t care about security then the world could quickly turn against the IoT. The IoT industry has the potential for huge growth, but one really terrible security breach on devices could badly sour people on the devices.

The report also made recommendations about storing and misusing customer data. The FTC has already been engaged in monitoring companies’ use of data. For example, late last year the FTC reached an agreement with SnapChat to stop misrepresenting that data on their network was completely private. SnapChat has changed their advertising and also agreed to hire an independent privacy monitor for the next twenty years.

For now the report recommends that companies limit the data they collect, and absent legislation that is probably as strong of a warning as the FTC can issue. The report is specifically very concerned about customers not knowing what data is being collected about them from an IoT device. They think it is fundamental that customers be informed about the data they are giving up in order to make an informed decision about using any specific device. While any IoT device will have this concern, the sharing of data from things like health monitors is more troubling than the data gathered from a smart refrigerator or smart washing machine.

The report also voiced a concern that the IoT device manufacturers would become the target of hackers and that the kind of information that could be stolen, such as detailed health records, is more troubling than stealing things like credit card numbers.

There is some industry concern, echoed by the dissenting Commissioner in adopting the report, that the FTC needs to balance the desire to monitor the industry against too much regulation that might stifle innovation and investment in the field. But as a customer I would already vote in favor of what the FTC has started here. The risks to the industry are far greater from allowing companies to be lax with security and play free with customer data. I am going to be a lot more likely to use a device from a company that I think is being truthful with me and careful on both counts.