California’s Net Neutrality Bill

On the last day possible, Jerry Brown, the Governor of California passed SB 822, a state net neutrality bill into law. Within hours the US Justice Department filed a lawsuit against the California legislation.

As bill is relatively short and straightforward. The law applies to both landline and mobile broadband. The prohibitions against ISP behavior are detailed more clearly than in the old FCC net neutrality rules. Specifically, the California net neutrality law:

  • Prohibits ISPs from blocking lawful content;
  • Prohibits ISPs from impairing or degrading lawful Internet traffic except as is necessary for reasonable network management;
  • Prohibits ISPs from requiring compensation, monetary or otherwise, from edge providers (companies like Netflix or Facebook) for delivering Internet traffic or content;
  • Prohibits paid prioritization;
  • Prohibits zero-rating;
  • Prohibits interference with end user’s ability to select content, applications, services or devices;
  • Prohibits ISPs from offering any product that evades any of the above prohibitions;
  • Requires the full and accurate public disclosure of network management practices, performance, and clearly-worded terms of service.

As you would expect, the big ISPs in the state like AT&T and Comcast vehemently opposed the legislation and almost derailed its passage. Interestingly, the big edge providers like Google, Facebook and Netflix have remained quiet on the new law.

This is already shaping up to be one of the most interesting legal fights we’ve ever seen concerning the FCC. Chairman Pai and the other Republican FCC Commissioners immediately declared that the new law is invalid and that states can’t override FCC policy. The lawsuit filed by the Justice department says that California is “attempting to subvert the Federal Government’s deregulatory approach” to the Internet.

That’s where it gets interesting, because the FCC didn’t deregulate broadband. They instead took themselves out of the picture as a broadband regulator by cancelling Title II regulation of broadband, and passing regulation to the Federal Trade Commission.

The FCC could have chosen a different path, which would have been to continue to regulate broadband, but choosing to not require any specific regulatory requirements. That’s the tactic the agency has taken in the past when it decided to end some telephone regulations. The FCC still has the legal authority to re-regulate those telephone issues, but exercises its authority to not regulate – and maintaining the authority to authority is the key issue in this case. The FCC deliberately killed Title II regulation to make it harder for future a FCC to regulate broadband – but in doing so they literally wrote the agency out of the broadband regulation business.

The courts will have to decide if the federal government has any basis for overriding the California law. The FCC created a legal void when they walked away from regulating broadband. In regulatory terms broadband is not deregulated – it is not regulated, and while perhaps a subtle language difference, it’s a huge distinction.

The legal question is not if California is challenging the FCC’s authority to deregulate broadband, because the FCC themselves say they no longer have any authority over broadband. The courts will have to instead decide if a state can step into a regulatory void when the federal government walks away from regulating an industry. There are numerous lawyers saying that California has a strong legal position.

This is such a major decision that I’m guessing it’s going to have to eventually get resolved by the Supreme Court – and that’s going to take a while. The FCC created this situation by abrogating their responsibility to regulate broadband. It’s nearly unthinkable that one of the major industries in the country, operated mostly by a small number of giant companies should not be regulated. But the regulatory mess we have with broadband ultimately lies with Congress which has not passed an update to the telecom rules since 1996, when dial-up was our portal to the Internet.

The FTC and Net Neutrality

One of the lynchpins of the FCC’s plans to reverse net neutrality is their assertion that the Federal Trade Commission (FTC) is ready to step in and protect consumers from any abuse by the big ISPs. FCC Chairman Ajit Pai argues that the FTC should always have been the go-to agency for privacy issues and issues like broadband rates. However, it’s possible, and perhaps even likely that the FTC will be legally unable to take on that role.

There is an open lawsuit that challenges whether the FTC has any authority over big ISPs like AT&T. The FTC sued AT&T and levied a $100 million fine on the company for abuses of their unlimited cellular data plans. AT&T stopped selling unlimited data plans in 2011. But the company had sold millions of limited plans that had promised that customers could keep the plans for life. This is about the time that customers could actually begin using large amounts of cellular data due to the burgeoning OTT video market, and AT&T started to pressure customers to drop the grandfathered unlimited plans. AT&T eventually took steps to throttle unlimited data users and even went so far as to block customers from using Facetime, the Apple product that lets customers video chat.

AT&T immediately appealed the FTC decision using the argument that Section 5 of the original FTC charter precluded the agency from regulating ‘common carriers’. The original Telecommunications Act of 1934, which established the FCC, had defined common carrier to be a company that provide public telecommunications facilities – which has been taken to mean facility-based telecom providers. Originally the common carrier definition meant the old Ma Bell and other regulated telephone companies, but over the years the FCC has expanded that definition to include other telecom facility-based providers including cellular carriers and long-haul fiber owners.

In February of 2016 the appeals court agreed with AT&T and said that the FTC had no jurisdiction to regulate a common carrier, even for “non-common carrier activities”. This means that the FTC could not regulate AT&T for its telecom business, but also couldn’t regulate other endeavor that the company might undertake, such as AT&T’s actions as the owner of DirecTV or their future actions as a programmer after a merger with Time Warner.

The FTC appealed that decision and the case is still open. The agency pointed out that the ruling created a huge enforcement gap. At the time it of the FTC appeal it was assumed that the FCC would continue to regulate telecom-related issues for common carriers, but the FTC pointed out that the ruling meant that nobody was regulating non-common carrier activities of common carriers like AT&T.

Almost immediately after this court ruling the formerly unthinkable happened and the FCC now wants to walk away from regulating broadband – the most important of the common carrier activities of AT&T and other ISPs. In doing so, the FCC argues that the FTC will be able to take over the regulation of issues like privacy, billing abuses, excessive rates, etc. However, the 2016 court ruling says that the FTC has no jurisdiction over any of the actions of a common carrier like AT&T.

The fact that the FCC is walking away from its responsibilities does not somehow create the right for the FTC to step in and regulate common carriers. This means that after the FCC reverses Title II authority that there might be no agency in the federal government able to regulate any consumer activities of common carriers like AT&T, even in areas that are not telecom related. It would free up AT&T and other common carriers to subject customers to enormous abuses with nobody able to step in to protect customers. AT&T and other common carriers could inflict unimaginable abuses on customers without consequence, up perhaps to the point of outright fraud, at which point the Justice Department could probably intervene.

To make matters worse, the FTC is not sure that they can really regulate companies like AT&T even should they win the appeal of the AT&T lawsuit. FTC Commissioner Terrell McSweeny says in this opinion piece that the FTC is ill-equipped to regulate companies like AT&T. He says the agency is underfunded for such activities and doesn’t have a staff that has the technical expertise to understand complex telecom issues – exactly the kind of expertise that resides at the FCC.

https://qz.com/1144994/the-fcc-plans-to-kill-the-open-internet-dont-count-on-the-ftc-to-save-it/

 

McSweeny further says that even if the FTC is able to take on this role that the agency doesn’t really regulate companies. Instead, the agency punishes companies for consumer abuses, many years after transgressions. That is not the same thing as proactively establishing rules to regulate corporations. He says that the FTC could not really preclude AT&T from abusing customers, and at best could occasionally fine them for the worst of such abuses, many years after they occurred.

Sadly, we have an FCC that is aware of the regulatory gap and which is still willing to walk away from regulating broadband. It’s not hard to imagine what a company like AT&T might do with zero constraints. It’s likely that we’ll see huge price increases, unsavory practices like stringent data caps, constant violations of customer privacy through the mining of customer data, etc. The only constraint against such practices would be competitive pressures, but the other big ISPs in the market would also be unregulated and it’s not hard to imagine that cable companies would match AT&T abuses rather than compete against them.

The New FCC Broadband Privacy Rules

FCC_New_LogoThe FCC passed new privacy rules last week and the new rules are largely aimed at Comcast, AT&T, Verizon and other large ISPs. Most small ISPs do not participate today in the practices that the new rules are aimed at stopping. For the most part the rules won’t affect smaller companies much other than having more annual pieces of paper to file at the FCC saying that you follow the rules – and you probably already do.

The rules are aimed at protecting customers from abuse by ISPs, who by definition have the most access to a customer’s data. An ISP knows every web site visited, every web purchase made, every email and every instant message sent.

This is probably the FCC’s biggest use so far of its new Title II authority over broadband. The FCC knows this is going to be challenged in court, so the new rules don’t go into effect for a year, giving the lawsuits a chance to resolve.

I’m not going to repeat all of the specifics of how this works, but rather concentrate on what it means to the industry as a whole:

Customers have a right of privacy. The new rules create a new right that a customer’s data – where they search on the web, what they say in emails and texts – all belong to them. Each customer now has the right to decide if the ISP can use it. Today an ISP knows everything a customer does on the web that is not encrypted, and even with encryption they know the web sites visited. But the FCC now makes it clear that this customers can keep this personal information private if they so desire.

ISPs need to ask for permission to use customer data. The new rules compel ISPs to explicitly ask for permission to use customer data. I suspect ISPs are not going to be allowed to bury this choice inside a terms of service.

I would expect that big ISPs are going try to entice people to be able to use their data. They might offer lower prices or entice people by forwarding coupons to them from around the web for things they are interested in. But at the end of the day it’s the customer’s choice to allow or not allow their ISP to use the data. And there might be nuances. ISPs might ask to track where customers go on the web but not read emails. The rules would allow options for the ISP.

ISPs must say what they do with customer data. If somebody gives an ISP permission to use their data the ISP must disclose how they are going to use it. Are they using it only for their own marketing efforts or are they going to sell it to others? Right now, consumers don’t know what information is being collected by their ISPs, nor what’s being done with it.

ISPs will have to protect customer data. The new rules also place more responsibility on ISPs to protect customer data from hackers. This is perhaps the one area of the new rules that will have the most impact on smaller ISPs. ISPs must use best industry practices and also notify customers when there has been a data breach. And they must notify the FBI if a breach involves more than 5,000 customers.

This does not affect edge providers. The new rules only apply to ISPs. They do not apply to ‘edge providers’ like social media sites or search engines. Those companies are still allowed to use customer data in any manner they want since customers come to them voluntarily. So Facebook and Google are still free to use customer data since people use those sites voluntarily. This is the killer for the giant ISPs because they see how much money the edge providers make from using customer data from advertising and other uses. But it’s not clear if the FCC has any authority over edge providers.

Another big gap is the Internet of Things. As we saw in the recent giant denial of service attack, the devices used in the Internet of Things – thermostats, cameras, smart appliances, etc. – are not well protected. IoT companies also are capable of gathering a lot of information about customers. This will become a much bigger issue as people start using devices that include artificial intelligence like the Amazon Echo. It would be natural for the FCC to declare that IoT providers are also ISPs of a sort and regulate them that way. I expect that nothing will be done with IoT until this set of rules makes it through the court challenges.