Tag Archives: Internet privacy

Big ISPs Fighting Privacy

Old padlock with the key in the keyhole lying on a wooden board

One of the quietest regulatory battles is happening at statehouses rather than with regulators. The large ISPs and big Silicon Valley companies have joined forces to kill any legislation that would create Internet privacy.

The privacy battle got started in 2016 when the FCC passed new privacy rules that required ISPs to get permission from customers before selling their personal data or browsing history. Those new rules would have gone into effect in April of 2017. But Congress intervened to kill the new privacy rules before they went into effect. In an effort led by Senator Jeff Flake, Congress added language to the Congressional Review Act, the bill used to approve the federal government budget, that rolled back the FCC’s new rules and that also prohibited the agency from introducing new rules that were ‘substantially similar’.

Since that time there have been numerous attempts in state legislatures to provide privacy rights for citizens. According to Michael Gaynor of Motherboard there have been over 70 bills in state legislatures in the last year that have attempted to introduce consumer privacy – and all have failed.

That’s an amazing statistic considering the public sentiment for putting curbs on ISPs being able to use customer data. A Pew Research poll from earlier this year showed that over two-thirds of people support stronger privacy rules.

The legislative failures have all come due to intense lobbying from ISPs. The big telcos and cable companies have always had a strong presence in statehouses and have contributed to campaign funds for key legislators for years. The lobbying effort has paid off many times in the past, but not always. The lobbying effort for the privacy issue has been particular effective since the big Silicon Valley companies like Google and Facebook have joined forces with the big ISPs.

Those two sets of companies are rarely on the same side on issues, but they all have a vested interest in monetizing customer data. The big web companies like Facebook and Google make most of their money by leveraging customer data. The big ISPs are newer to this business line, but they all have acquired data firms over the last two years to help them compete with Google for advertising dollars.

It’s not talked about a lot, but Silicon Valley firms now spend more money on lobbying in DC than the big ISPs. These companies are newer to lobbying at the state level, but the privacy issue has drawn them into local lobbying in a big way.

The privacy laws passed by the last FCC are similar to those in effect in Europe. Web users there get the choice to opt out of being tracked by online companies and ISPs. Interestingly, a lot of people in Europe elect to make their data available to the web companies. Many people like the personalized advertising and other benefits that comes along with the surveillance. It turns out that many people, particularly Millennials don’t mind being tracked, and are not opting out. Apparently, though, that’s not good enough for the big web companies who want to track everybody online.

There are still ways for consumers who don’t want to be tracked to reduce their web presence. People can use VPNs to bypass their ISP, although there is still a risk of the VPN provider harvesting their data. There are several companies working on creating an encrypted DNS service that hides web searches from ISPs. Numerous people (like me) have dropped services like Facebook that are openly tracking everything done inside the platform. Search engines like Duck Duck Go, which don’t record web searches are growing in popularity.

Of course, one of the best ways to cut down on surveillance is to change service to a small ISP. Small telcos, WISPs, fiber overbuilders and municipal ISPs don’t track and monetize customer data. Unfortunately, most people don’t have an option other than a big ISP. I always advice my clients, who are all small ISPs to emphasize that they don’t spy on their customers – it’s a strong selling point to people who care about privacy.

Can the States Regulate Internet Privacy

Since Congress and the FCC have taken steps to remove restrictions on ISPs using customer data, a number of states and even some cities have taken legislative steps to reintroduce some sort of privacy restrictions on ISPs. This is bound to end up in the courts at some point to determine where the authority lies to regulate ISPs.

Congress just voted in March to end restrictions on the ways that ISPs can use customer data, leading to a widespread fear that ISPs could profit from selling customer browsing history. Since then all of the large telcos and cable companies have made public statements that they would not sell customer information in this way, but many of these companies have histories that would indicate otherwise.

Interestingly, a new bill has been introduced in Congress called the BROWSER Act of 2017 that would add back some of the restrictions imposed on ISPs and would also make those restrictions apply to edge providers like Google and Facebook. The bill would give the authority to enforce the privacy rules to the Federal Trade Commission rather than the FCC. The bill was introduced by Rep. Marsha Blackburn who was also one of the architects of the earlier removal of ISP restrictions. This bill doesn’t seem to be getting much traction and there is a lot of speculation that the bill was mostly offered to save face for Congress for taking away ISP privacy restrictions.

Now states have jumped in to fill the void. Interestingly the states looking into this are from both sides of the political spectrum which makes it clear that privacy is an issue that worries everybody. Here is a summary of a few of the state legislative efforts:

Connecticut. The proposed law would require consumer buy-in before any “telecommunication company, certified telecommunications provider, certified competitive video service provider or Internet service provider” could profit from selling such data.

Illinois. The privacy measures proposed would allow consumers to be able to ask what information about them is being shared. The bills would also require customer approval before apps can track and record location information on cellphones.

Massachusetts. The proposed legislation would require customer buy-in for sharing private information. It would also prohibit ISPs from charging more to customers who don’t want to share their personal information (something AT&T has done with their fiber product).

Minnesota. The proposed law would stop ISPs from even recording and saving customer information without their approval.

Montana. The proposed law there would prohibit any ISPs that share customer data from getting any state contracts.

New York. The proposed law would prohibit ISPs from sharing customer information without customer buy-in.

Washington. One proposed bill would require written permission from customers to share their data. The bill would also prohibit ISPs from denying service to customers that don’t want to share their private information.

Wisconsin. The proposed bill essentially requires the same restrictions on privacy that were included in the repealed FCC rules.

This has even made it down to the City level. For example, Seattle just issued new rules for the three cable providers with a city franchise telling them not to collect or sell customer data without explicit customer permission or else face losing their franchise.

A lot of these laws will not pass this year since the new laws were introduced late into the legislative sessions for most states. But it’s clear from the laws that have been proposed that this is a topic with significant bipartisan support. One would expect a lot of laws to be introduced and enacted in legislative sessions that will occur later this year or early next year.

There is no doubt that at some point this is going to result in lawsuits to resolve the conflict between federal and state rules. An issue of this magnitude will almost certainly will end up at the Supreme Court at some point. But as we have seen in the past, during the period of these kinds of legislative and legal fights the status of any rules is muddy. And that generally means that ISPs are likely to continue with the status quo until the laws become clear. That likely means that ISPs won’t openly be selling customer data for a few years, although one would think that the large ones have already been collecting data for future use.