Paying for Privacy

You have to give credit to the big ISPs – they are always looking for more ways to get money out of broadband and their other products. The latest innovative attempt comes from Comcast, which told the FCC last week that they think they have the right to charge customers an extra fee for privacy. Comcast didn’t say that they were ready to launch this as a product, but was responding to an open investigation at the FCC over privacy.

You may recall that when AT&T announced gigabit service in Austin they charged $30 extra per month for privacy. That fee stops a user from undergoing AT&T’s ‘Internet Preferences’ – a deep-packet inspection process that tracks everything the customer does on the web.

Comcast says they have the right to charge extra for privacy and claimed that, “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the Internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy.”

They basically claim that other companies already charge a premium fee to customers to avoid things they don’t like. There are numerous video and music services, for example, that charge extra to avoid advertising.

But an ISP is in a different situation. These other services provide something voluntary and customers are free to buy a video service like Hulu with or without ads or not buy Hulu at all. And Hulu can only know what a customer watches and does on their site and nowhere else on the web.

But it’s mandatory to go through an ISP to reach the web and your ISP can know every keystroke you make on the web, every site you visit, everything you tell people in emails or messaging. Comcast argues that customers are free to go to another ISP if they don’t like the company’s policies. But realistically, in most markets there are no alternatives. I know my only alternative to my 100 Mbps Comcast cable modem is a DSL connection under 20 Mbps from CenturyLink, which is not fast enough for me. And if Comcast and AT&T start making money with deep packet inspections, I have a hard time thinking that CenturyLink and other ISPs won’t do the same thing.

Customers can control their privacy to a degree on the web if that’s important to them. Many people only connect to web services like Google through a proxy server that strips out their IP address and location. And there are alternatives to using the Google search engine such as DuckDuckGo or Ixquick that don’t track people. And nobody makes you create an identity on social media sites.

But you have to put the Comcast filing at the FCC into context. The FCC has proposed that everybody has the right to privacy and that the default state for privacy should be that customers are not tracked. The FCC wants customers to opt-in to tracking, and certainly many people will elect to do that. There are plenty of people that like customized advertising and the other features that come from companies that track them. But there are plenty of people who do not want to be tracked in most cases, and almost nobody wants their ISPs to read their emails or correspondence with their doctors.

The big companies are sometimes their own worst enemies because they do things without notifying their customers. Late last year, for example, Verizon admitted to using stealth cookies that could continue to track their wireless customers when they left the wireless ISP network.

This is going to be an interesting battle at the FCC and perhaps this will be the first real challenge of the new regulation under Title II rules. The FCC now wants to impose on the ISPs the same rules that have applied for years to telephone companies and voice – and which are allowed under the umbrella of Title II regulation. My bet on this issue is the FCC will prevail, but you know the big ISPs are never going to stop pushing the envelope.

What’s Next After the Net Neutrality Ruling?

Now that the US District Court has affirmed the net neutrality ruling in its entirety it’s worth considering where the FCC will go next. Up until now it’s been clear that they have been somewhat tentative about strongly enforcing net neutrality issues since they didn’t want to have to reverse a year of regulatory work with a negative court opinion. But there are a number of issues that the FCC is now likely to tackle.

Zero-Rating. I would think that zero-rating must be high on their list. This is the practice of offering content that doesn’t count against monthly data caps. This probably most affects the customers in the cellular world where both AT&T and T-Mobile have their own video offerings that don’t count against data caps. With the tiny data caps on wireless broadband there is no doubt that it is a major incentive for customers to watch that free content, and consequently drive ad revenues to their own carrier.

But zero-rating exists in the landline world as well. Comcast has been offering some of its content on the web to its own customers. They claim this is not zero-rating, but from a technical perspective it is. However, now that Comcast has raised the monthly data cap to 1 terabit, this might not be of much concern to the FCC right now.

Privacy. The FCC has already proposed controversial rules that apply to the ISPs and consumer privacy. In those rules the FCC proposes to give customers the option to opt-out of getting advertisement from ISPs, but more importantly consumers can opt-out of being tracked. This would put the ISPs at a distinct disadvantage compared to edge providers like Facebook or Google who are still free to track online usage.

Last year the FCC also started to look at the ‘super-cookies’ that Verizon was using to track customers across the web. This privacy ruling (which is now on a lot more secure footing based upon the net neutrality order) could end the supercookies and many other ways that ISPs might track customer web behavior. Interestingly, both Verizon and AT&T have been bidding on buying Yahoo and this potential privacy ruling puts a big question mark on how valuable that acquisition might be if customers can all opt out from being tracked. I think Verizon and AT&T (and Comcast) all are eyeing the gigantic ad revenues being gained by web companies and this ruling is going to make it a challenge for them to make big headway in that arena.

Lifeline. I think that the net neutrality ruling also makes it easier for the FCC to defend their new plans to provide a subsidy to low-income data customers in the same manner they have always done for voice customers. Now that data is also regulated under Title II it fits right in to the existing Lifeline framework.

Data Caps. At some point I expect the FCC to tackle data caps. It’s been made clear by many in the industry that there are no network reasons for these caps, even in the cellular world. The cellular data plans in most of the rest of the world are either unlimited or have extremely high data caps.

The FCC said in establishing net neutrality that they would not regulate broadband rates. And in the strictest sense if they tackle data caps they would not be. The regulatory rate process is one where carriers must justify that rates aren’t too high or too low and has always been used, as much as anything, to avoid obvious subsidies.

But data caps – while they can drive a lot of revenues for ISPs – are not strictly a rate issue, and in fact, the ISPs hop through a lot of verbal hoops to say that data caps are not about driving revenues. And so I think the FCC can regulate data caps as an unnecessary network practice. It’s been said recently that AT&T is again selectively enforcing its 150 monthly gigabit cap, and so expect the public outcry to soon reach the FCC again, as happened last year with Comcast.

The Real Impact of Network Neutrality

The federal appeals court for Washington DC just upheld the FCC’s net neutrality order in its entirety. There was a lot of speculation that the court might pick and choose among the order’s many different sections or that they might like the order but dislike some of the procedural aspects of reaching the order. And while there was one dissenting opinion, the court accepted the whole FCC order, without change.

There will be a lot of articles telling you in detail what the court said. But I thought this might be a good time to pause and look to see what net neutrality has meant so far and how it has impacted customers and ISPs.

ISP Investments. Probably the biggest threat we heard from the ISPs is that the net neutrality order would squelch investment in broadband. But it’s hard to see that it’s done so. It’s been clear for years that AT&T and Verizon are looking for ways to walk away from the more costly parts of their copper networks. But Verizon is now building FiOS in Boston after many years of no new fiber construction. And while few believe that AT&T is spending as much money on fiber as they are claiming, they are telling the world that they will be building a lot more fiber. And other large ISPs like CenturyLink are building new fiber at a breakneck pace.

We also see all of the big cable companies talking about their upgrades to DOCSIS 3.1. Earlier this year the CEO of Comcast was asked at the INTX show in Boston where the company had curtailed capital spending and he couldn’t cite an example. Finally, I see small telcos and coops building as much fiber as they can get funded all over the country. So it doesn’t seem like net neutrality has had any negative impact on fiber investments.

Privacy. The FCC has started to pull the ISPs under the same privacy rules for broadband that have been in place for telephone for years. The ISPs obviously don’t like this, but consumers seem to be largely in favor of requiring an ISP to ask for permission before marketing to you or selling your information to others.

The FCC is also now looking at restricting the ways that ISPs can use the data gathered from customers from web activity for marketing purposes.

Data Caps. The FCC has not explicitly made any rulings against data caps, but they’ve made it clear that they don’t like them. This threat (along with a flood of consumer complaints at the FCC) seems to have been enough to get Comcast to raise its data caps from 300 GB per month to 1 TB. It appears that AT&T is now enforcing its data caps and we’ll have to see if the FCC is going to use Title II authority to control the practice. It will be really interesting if the FCC tackles wireless data caps. It has to be an embarrassment for them that the wireless carriers have been able to sell some of the most expensive broadband in the world under their watch.

Content Bundling and Restrictions. Just as the net neutrality rules were passed there were all sorts of rumors of ISPs making deals with companies like Facebook to bundle their content with broadband in ways that would have given those companies priority access to customers. That practice quickly disappeared from the landline broadband business, but there are still several cases of providers using zero-rating to give their own content priority over other content. My guess is that this court ruling is going to give the FCC the justification to go after such practices.

It’s almost certain that the big ISPs will appeal this ruling to the Supreme Court. But an appeal of a positive appeal ruling is a hard thing to win and the Supreme Court would have to decide that the appeals court of Washington DC made a major error in its findings before they would even accept the case, let alone overturn the ruling. I think the court victory gives the FCC the go-ahead to fully implement the net neutrality order.

Is This an Activist FCC?

Since I have been in the industry there have been fourteen different Chairmen at the FCC. And during that time those have been split pretty evenly between democrats and republicans. We had Chairmen who had the reputation of leaning towards the public such as Reed Hundt and those that have favored the large businesses in the industry like Michael Powell. But you can find FCC decisions under each Chairman that are in favor of the public or in favor of the carriers, radio and television stations that the FCC regulates.

When you read the press about the current FCC (the Tom Wheeler FCC) the public impression is that it is pro-competition and pro-public. And there are plenty of rulings that back that up such as:

  • Net neutrality that regulates broadband ISPs and stops them from various practices that would restrict internet choice.
  • The current proposal for privacy rules that would let people restrict how ISPs can use their personal data.
  • Opposed the Comcast / Time Warner merger.
  • Reset the definition of broadband to 25 Mbps down / 3 Mbps up.
  • The decision last year that said that restrictions on municipal broadband were anti-competitive.
  • Opposed the AT&T / T-Mobile merger.
  • Slashed prison calling rates to make it easier for families to stay in contact with those in prison.

Every one of these orders favors the public over the big companies that are regulated by the FCC. And there are other orders beyond this list. It’s not hard to see why this FCC has built the reputation of being pro-competition and anti-big business. And yet there are some major decisions that have been clearly in favor of the big companies regulated by the FCC.

Probably the biggest of these was the decision to award over $6 billion to the largest telcos to upgrade rural broadband. In establishing the Connect America fund the FCC gave almost all of the money to AT&T, Frontier, and CenturyLink and is only requiring them to upgrade rural broadband over a six year period to speeds of 10 Mbps / 1 Mbps. Those speeds are already becoming obsolete today and are the equivalent of somebody still sitting on a 1 Mbps DSL connection in 2005. Those speeds will provide Internet access, but a household on those speeds can’t do the same things that those of us with faster connections can do. And by the end of the six years these speeds are going to be completely out of date and inadequate.

And just last week this FCC put a rule in its Lifeline order that can be seen as nothing but a giveaway to cellular companies. The FCC is going to allow the $10 per month Lifeline subsidy for low income households to go to a cellular plan operating on the 3G network and with a monthly data cap of only ½ gigabit. The stated purpose of the Lifeline plan is to close the ‘homework gap’ and yet this one provision will probably end up sending a billion dollars a year to the cellular providers to pay for data plans that won’t meet the stated goal of the Lifeline program.

I remember when Chairman Wheeler was announced that industry insiders assumed that he was going to be in favor of the large carriers and cable companies since he had spent his career representing them. But he immediately quieted this criticism by making a number of pro-competitive and anti-carrier rulings.

When I look at the whole record I have a hard time seeing this FCC as activist. They certainly lean towards promoting things that a democratic White House would favor, as you would expect from a democratic FCC Chairman. But at the same time this FCC has handed billions of dollars to big carriers, and in doing so has greatly harmed the public. One can just imagine how far the Connect America Funds could have gone if that money was instead given out over six years as matching funds to build rural fiber systems. That much seed money would have brought a fiber solution to millions rather than stick them with another decade of poor DSL.

But in retrospect, when I look back at all of the various FCC Chairmen I can see that they have presided over decisions on both ends of the spectrum, and that probably comes with the job. The FCC is in charge of regulating very complex industries that change rapidly and which are controlled by large and powerful companies. I’m glad it’s not me sitting in that chair.

FCC Looks at Consumer Data Security

The FCC will be voting on March 31 to release a Notice of Proposed Rulemaking (NPRM) on customer rights concerning their data on the Internet. More specifically, the NPRM is looking at the relationship between a customer and their ISP. It’s been assumed FCC Chairman Tom Wheeler already has the votes to get this passed.

The premise of the NPRM is that an ISP knows more about what a customer does than anybody else. They know what web sites you connect to and for how long, and even if you encrypt everything they know a lot about you. Most people don’t realize that an ISP has total knowledge of everything a customer does that is not encrypted. If they care to do so an ISP can record every keystroke made online.

And so the NPRM will be asking what rights customers should have as far as allowing their ISP to use or monetize the knowledge they gain about customers. The proposed rules are going to apply the same sorts of privacy rights to broadband that have been in place for telephone service. The privacy rules would not apply to social media sites, browsers or search engines, just to ISPs. The FCC’s reasoning is that customers voluntarily give their data to these edge services but they have not done so freely to their ISP.

The NPRM starts with the premise that consumers ought to have control over how their data is used by their ISP. Telephone customers have had similar rights for years. Here are the primary areas that will be covered by the NPRM:

Transparency. The FCC wants ISPs to inform people about the information they collect about them. They want ISPs to further tell customers how they use this data and if and how the data might be sold to others. And the FCC wants all of this written in plain English (good luck with that!)

Security. The FCC believes that ISPs have the responsibility to protect customer data. The NPRM wants to require ISPs to take reasonable steps to protect customer data.

  • This would mean new rules for ISPs. They would have to institute training practices for employees, adopt strong customer authorization practices, identify to the FCC the senior manager(s) responsible for data security, and take responsibility for customer data when it’s shared with a third party.
  • There would also be new rules about data breaches. Customers would have to be notified of data breaches within 10 days of discovery. The ISP would need to notify the FCC within 7 days of any breach. ISPs would have to notify the FBI and the US Secret Service of any breach of more than 5,000 customers.

Choice. The NPRM suggests that customers be given a choice to say what kind of data their ISP may use and under what conditions it can be shared with others. The FCC wants to categorize customer data into three categories:

  • First is the data that an ISP must have in order to serve customers. This would be things like name, address and other data needed to bill a customer. And because the product is broadband the FCC believes that an ISP has the inherent right to do things like measure your total data usage and other related network information.
  • Second, the FCC thinks that an ISP ought to be able to use a customer’s data to market other telecom products to them. But, like with telephone service, the FCC thinks customers should have the right to opt-out of ISP marketing activity.
  • Third, the FCC is then suggesting that customers would need to opt-in to give an ISP the right to use their data for any other purposes.

The FCC wants these to be rules about customer permission and protection of data and they are not prohibiting ISPs from gathering and using data as long as the customer approves of it. As is usual with this kind of NPRM we can expect a lot of comments both for and against the proposal. What I find most unusual about this NPRM is that it largely assumes that the FCC is going to prevail in its order to regulate broadband under Title II rules. If that order gets overturned then protection of customer data would probably revert back to the FTC.

Broadband CPNI?

A group of consumer and privacy groups has asked the FCC to begin enforcing customer privacy rules. In the industry this process is called CPNI (customer proprietary network information) when applied to telephone and cable TV.

Now that the FCC has classified broadband as a common carrier service, they have the authority to investigate and regulate broadband privacy issues. This is something that the industry needs. Until now there has been very limited regulation of broadband by the Federal Trade Commission since the FTC authority was drawn only from the Children’s Online Privacy Act. But the FCC now has much stronger authority.

Current CPNI rules for telephone and cable TV are focused to a large degree on billing issues and on protecting private data like social security numbers, credit card numbers or other sensitive customer information. There is also a prohibition against disclosing the details of what customers do with those services – such as the calls they make or the channels they watch. (Of course, I guess we now know that the NSA is immune from the obligation to protect telephone records).

As sensitive as privacy matters are in those areas there are larger concerns with broadband. What people do online is extremely personal and the vast majority of Americans think that details of their online life should not be recorded or sold to others.

There are a whole lot of places that the FCC could go with broadband CPNI over and above the normal protections of billing data. For example, what are the obligations of companies to notify people when there has been a data breach and customer information has been compromised? Should ISPs have to disclose to customers if they use their data for any purposes or sell it to others in any form? And if so, how much do companies have to disclose?

An ISP is in a very powerful position with a customer. If they wish to record what a customer does online they know everything that the customer does that isn’t somehow encrypted. They are the first in line to see outgoing bits and the only one to see all of the incoming bits.

The FCC has already started some internal work on the topic and held a workshop. From there the FCC has a number of options. They can first solicit comment and ideas from the public to see what kinds of sentiments are out there. It seems for almost everything the FCC does there are two sides of opinion, and there will be those that are in favor of very strong rules and those in favor of a very light touch. But the FCC would do well to hear all of these opinions before trying to formulate specific rules.

But they do have the option to go straight to a rulemaking. They could propose specific CPNI rules and let everybody take pot shots at them. I’m suspecting that for something this new and different that they are going to want to hear all sides of the arguments first before developing rules. The FCC also might be slow-rolling this. The whole Title II regulatory process is under appeal in the courts and they might not want to go too far down any path until they feel more secure that the courts believe they have the authority to regulate broadband in this manner.

One thing that we can probably expect from the FCC is that whatever they do is going to apply to ISPs but not to what they call edge providers. That would be all of the companies like Google and Facebook that operate on the web and that are not under the Title II regulatory regime. I know that consumer groups are going to want that kind of protection because I think it’s generally assumed that it’s the edge providers – and not the ISPs – that are using and misusing people’s data today.

The Security / Privacy Battle

Every time there is some traumatic terrorism event like what just happened in Paris there is a renewed call by governments for better surveillance and security measures. And every time that happens, the advocates of privacy sound a loud warning. What I find most interesting about this back and forth between the two sides is that it’s not events or even public policies that are driving the battle between security and privacy, but technology.

Just during the last decade there have been a number of technologies that have assaulted our privacy – encryption, big data, cloud computing, and advertising spyware. And we are fast approaching new threats from drones and from Internet of Things sensors everywhere.

The real battle between security and privacy happens when we introduce new innovations that can invade our privacy followed by countermeasures against those new technologies. There are plenty of politicians on both sides of the privacy issue who think that creating new laws is the way to protect privacy. But there are no laws that are going to be flexible enough to keep up with the new threats we are constantly seeing in the real world.

Consider the traditional privacy laws. There have been wire-tapping laws on the books for decades which are now completely obsolete. The FBI convinced the FCC a few decades ago to create a set of laws called CALEA that gives the FBI the right to subpoena ISPs and get the records of suspected law breakers. ISPs and telcos spend a lot of money to stay compliant with these rules and yet I can’t think of one of my clients that has actually gotten a CALEA request from the FBI. ISPs do often get requests from local law enforcement asking for calling records under older wire-tapping laws, but not a peep out of the CALEA folks.

And this is because those laws were obsolete before the ink was dry on them. The CALEA rules were written not long after we had migrated from dial-up to DSL and there was no such thing as the dark web and disposable cell phones and all of the other ways that serious criminals use to avoid law enforcement.

What typically happens with a new technology is that it gives one side – the police or the bad guys – a temporary advantage. But there is always a technological counterpunch as somebody on the other side figures out how to defeat and neutralize each new technological development.

Edward Snowden showed us that law enforcement sometimes is so desperate for an edge that they collect data illegally in violation of the basic rights granted to US citizens by the fourth amendment. But even that is only a temporary edge. There are now numerous groups developing strategies to counteract widespread government surveillance.

There have been numerous attempts to pass surveillance and security laws starting with the Patriot Act. But industry experts say that most of the laws that try to give the government more power are ineffective, again because technology moves a lot faster than legislative bodies.

So what we see is a cat and mouse game. The NSA spies on us and so companies like Apple develop encryption that makes it hard or impossible for the NSA to gather anything useful. And there are more and more web services that either automatically encrypt or which offer that as an option.

It seems that the privacy advocates are winning the long term fight, and this is because there are ways around almost any tool the government or big business can use to spy on people. I’ve read several articles recently that talk about how even in China people are finding ways to bypass the strict security of the Great Firewall of China. But the fight is a long way from over because there are always going to be tools that come out that can be used to spy on people and there will then be ways to defeat those measures. We are likely to see this battle for decades to come.

Some Regulatory Shorts

As is to be expected, our regulators stay busy regulating. Not all of their decisions have widespread impact, but it’s always worth keeping an eye on what’s going on.

WiFi Blocking: The FCC continues to come down hard on those in the hospitality industry that would stop people from using their own hot spots in or near hotels or other gathering places. You might recall, last year the FCC fined Marriott for blocking access to guests using their cellphones for WiFi. Marriott is one of those chains that charges extra for WiFi and so they were operating jammers that interfered with the ability of a smart phone to act as a hotspot.

The FCC continued with that theme and recently fined M.C. Dean $718,000 for blocking WiFi at the Baltimore Convention Center. They also fined Hilton Worldwide $25,000 for “apparent obstruction of an investigation” in the case. In August the FCC fined Smart City Holdings $750,000 for using technology at 28 convention centers that blocked cellphone and wireless routers from acting as hotspots.

As somebody who travels and who generally finds hotel WiFi to be inadequate, this is a welcome move. But it’s even more so for groups that rent space in a convention center. Some of those locations charge 6 digits for use of a convention center’s WiFi system, and the FCC is telling the hospitality industry that it is never okay to block WiFi.

Do Not Track Requests: The FCC voted earlier this month to not require web sites to honor Do Not Track requests. The group Consumer Watchdog had petitioned the FCC asking them to force companies to honor such requests. Today web sites can voluntarily honor privacy requests, but only a handful of large web sites do so. The group had hoped that since the FCC had elected to regulate privacy practices for ISPs as part of the net neutrality rules that they might carry this forward to the web.

But the FCC declined to make such a ruling. They said that they are not in the business of regulating ‘edge providers’, meaning the companies that offer web content. I keep an eye on privacy and use web sites that don’t track people whenever I can, like the Duck Duck Go search engine. But I am leery about the FCC getting into the business of regulating the behavior of web service providers. When you look at some of the consequences of such actions it’s not necessarily good for anybody. Even in England, which we always assume is a lot like us, the government has proscribed a large list of web content that is off limits unless people opt into them. I personally am glad the FCC doesn’t want to cross that line. I think back to all of the wasted effort they spent on the ‘seven dirty words’ on TV and radio and don’t think we need a repeat of that.

The FCC and Privacy. In what seems like an extreme order, the FCC just fined Cox Communications $595,000 for a security breach that exposed the records of 61 customers. That’s almost $10,000 per customer.

This is the first such privacy ruling by the FCC since this was always under the purview of the Federal Trade Commission until the FCC asserted primary responsibility for regulating ISPs as common carriers. I find the order to be puzzling. The breach was apparently due to a hacker. Cox self-reported the breach and said that they had processes in place that found the breach quickly and that limited it from happening to a larger number of customers. To me that sounds like what companies are supposed to do and I’m not sure that any company these days can be completely immune from hackers. I know we won’t know the details of exactly what Cox did wrong, but it doesn’t feel like this is a case where the punishment fits the crime.

One only has to compare this to the way that the very massive data breaches have been handled for companies like Target, J.P. Morgan Chase and a number of other banks, and even for several branches of the federal government. None of them got significant fines and the general thinking is that the market itself provides a lot of punishment in lost business and in the cost of dealing with the data breach. The size of the FCC fine seems out of line, and because of that every ISP ought to be reviewing the way you store and protect customer data. You can’t afford not to, and perhaps that is the message the FCC was making.

US and Europe at Odds over Privacy

A few weeks ago I wrote about the various battles currently raging that are going to determine the nature of the future Internet. None of these battles are larger than the battle between spying and surveillance, and citizens and countries that want to protect their citizens from being spied upon.

Recently, we’ve seen this battle manifest in several ways. First, countries like Russia and Thailand are headed down a path to create their own fire-walled Internet. Like the Chinese Great Firewall, these networks aim to retain control of all data originating within a country.

But even where the solution is not this dramatic we see the same battle. For instance, Facebook is currently embroiled in this fight in Europe. Facebook might have been singled out in this fight because they already have a bad reputation with European regulators. That reputation is probably deserved since Facebook makes most of their money from their use of customer data.

But this fight is different. The Advocate-General of the European Court of Justice (their equivalent of the Supreme Court) just ruled against Facebook in a ruling that could affect every US Internet company doing business in Europe. The ruling has to do with the ‘safe harbor’ arrangement that has been used as the basis for transferring European customer data back to US servers. The safe harbor rules come from trade rules negotiated between the US and the European Union in 2003. These rules explicitly allow what Facebook (and almost everybody else) is doing with customer data.

The Advocate-General has ruled that the EU was incorrect in negotiating the safe harbor rules. He says that they contradict some of the fundamental laws of the EU including the Charter of Fundamental Rights, the equivalent to our Constitution. He says the safe harbor rules violate the basic rights of citizens to privacy. He explicitly says that this is due to NSA spying, and that by letting Facebook and others take European data out of the country they are making it available to the NSA.

This ruling is still not cast in concrete since the Court of Justice still has to accept or reject the recommendations from the Advocate-General. However, they accept these recommendations most of the time. If this is upheld it is going to create a huge dilemma for the US. Either the NSA will have to back off from looking at data from the US companies, or else US companies won’t be able to bring that data out of Europe.

For companies like Facebook this could be fatal. There are some commercial web services that could be hosted in Europe to operate for Europeans. But social media like Facebook operate by sharing their data with everybody. It would be extremely odd on Facebook if an American couldn’t friend somebody from Europe or perhaps be unable to post pictures of their vacation while they were still in Europe. And this might put a real hitch in American companies like Google and Amazon doing business in Europe.

Such a final ruling would send US and EU negotiators back to the table, but in new negotiations safe harbor rules would no longer be an option. This ruling could bring about a fundamental change in the worldwide web. And this comes at a time when Facebook, of all companies, is talking about bringing the rest of the human race onto the web. But perhaps, as a consequence of NSA and surveillance by other companies, each country or region might end up with a local web, and the worldwide web will be a thing of the past.

A New ‘Do Not Track’ Policy

The Electronic Frontier Foundation (EFF) released a new version of ‘Do Not Track’ which is supposed to provide stronger protection for Internet users. This is something that consumer advocates have been pushing for a long time, so the question is: what does this new standard provide for the average Internet user?

To confuse matters a bit, the EFF is not the only group working on this issue. The W3C group that controls the standards for most Internet protocols is also working on its own version of Do Not Track. But regardless of which of these efforts becomes the new standard there are serious questions about how effective this might be in the marketplace.

Neither of these groups can impose Do Not Track rules on Internet companies, and so compliance with any new standard is voluntary and one has to wonder who is going to implement it. There is a current Do Not Track standard that very few in the industry are following. For instance, the search engine I normally use, DuckDuckGo, follows the current standard and doesn’t track what people search for on the web. You can count on two hands the other companies that currently publicly agree not to track their users.

This is another one of the big tug-of-wars going on in the industry. There are a lot of people who don’t like the idea of web companies tracking their every move and then selling that data to others. A lot of people find targeted ads creepy and feel like the big web companies are spying on them.

And to a large degree they are. Companies like Google and Facebook and many others make a lot of money from advertising and from selling data about their customers to others. These companies feel that if you come to their site you have waived privacy for what you do on their platform. Big data is perhaps the biggest money maker on the web, and having flocks of people opt out of being tracked would significantly reduce revenues for a lot of web companies.

Here are a few of the major points of the new policy. Honoring a DNT request means:

  • Not collecting information from the user and not placing tracking cookies except with specific permission;
  • Not retaining details of the interaction with the user except in those few cases where data retention is required by law;
  • Information needed to complete a transaction, such as address or credit card number, is only retained until the transaction is complete;
  • Users can be given the option to have web sites remember their data. This might be convenient for places where somebody shops regularly;
  • While these rules aren’t binding, existing law says that if a company says they will not track you they must live up to that commitment.

It will be interesting to see if this new round of Do Not Track gets any more industry buy-in than the last version. There certainly is a significant portion of Internet users who would opt out of being tracked if that was possible. However, there is a good chance that a lot of the industry will only give lip service to any voluntary guidelines. They might not send specific ads to somebody who says they don’t want to be tracked but would likely otherwise track them like everybody else.

It would require a change of law to make this mandatory. There certainly are a number of consumer privacy laws that have been enacted, such as the laws that protect medical records. It probably requires an action by Congress to make these protections mandatory. I find it unlikely that big companies like Facebook and Google and many others are going to voluntarily offer this to users. Offering it costs money and the loss of advertising and data revenues would cause a big hit to the bottom line of these companies. They are already seeing big hits to revenues from ad blocking and this could be an even bigger hit.

To some degree consumers who really care about their privacy have options. They can use web sites today that promise to not track them. But almost all ecommerce is tracked and today there are not many places you can go on the web that aren’t tracked. Certainly almost all social media sites are tracked. I know I get anywhere from 50 to 200 tracking cookies on my computer each day from fairly light browsing, so there are a lot of companies out there trying to find out more about us.