FCC’s Shifting Privacy Proposal A Trojan Horse For Discord


Behind closed doors, the FCC is rushing to finish remaking the Internet (AP Photo/Andrew Harnik)

Here we go again.

As the FCC winds up its agenda in the face of the upcoming election and, one way or the other, a new administration, agency Chairman Tom Wheeler is determined to complete three increasingly contentious proceedings.

One deals with re-establishing rate regulations for enterprise data services—launched almost immediately after the Chairman promised not to use his newly-claimed public utility authority to re-establish rate regulation.

A second deals with an incomprehensible new technical mandate for increasingly unnecessary PayTV set-top boxes, for which Wheeler has so far only been able to muster one vote.

The third establishes new privacy requirements for ISPs—a proceeding that devolved as an unintended consequence of the public utility decision, which stripped the Federal Trade Commission of its long-standing authority to police consumer privacy issues.

In all three cases, push back on the original proposals from the public, members of Congress from both parties, other federal agencies and/or the White House has caused the Chairman’s office to radically alter its plans.

Recommended by Forbes

The current versions of each proposal have been kept secret from everyone except the Chairman and the other Commissioners, making it impossible for anyone else to know whether their concerns are being addressed or not.

But instead of issuing the rewritten proposals and opening them to comments, the Chairman’s office is releasing opaque “fact sheets” that summarize some of the changes made since the original drafts were published months ago.

Fact sheets, however, are hardly substitutes for the actual proposals, which originally ran to a hundred or more pages.

Instead, the updates simply repeat the Commission’s aspirational goals and then promise that whatever the agency actually votes on will somehow meet them.

They are, in other words, largely devoid of any, you know, facts.

The most recent example involves the struggling privacy proceeding, which the Commission is currently scheduled to vote on, one way or the other, on October 27th.

A new fact sheet issued earlier this month promises that the now-secret proposal is “in harmony with other key privacy frameworks and principles”—including that of both the FTC and the White House’s Consumer Privacy Bill of Rights.

Harmonization is a worthy goal and one urged by nearly everyone who commented on the original plan, which threatened to upend the basic principles on which the digital economy has largely been built, including the implicit exchange of free content subsidized by advertising.

Specifically, the original proposal would have replaced the default “opt-out” policy for advertising with an explicit and complicated “opt-in” requirement, one that would apply only to ISPs.

Even Google advised the agency not to impose such an onerous requirement, nor to apply it only to one set of participants in the ecosystem—participants who have so far made little use of advertising as a way to subsidize other services in any case.

And while the fact sheet now promises harmony, it instead delivers discord. The final proposal will apparently apply the new “opt-in” requirement, if only to “sensitive information.” The sample categories of sensitive information given include such hot-button areas as children’s information, health care data and social security numbers.

But the definition of sensitive data will also include “web browsing” and “app usage” history—which both the FTC and the White House, among others, consider appropriate for the long-standing opt-out regime.

The FCC’s is using the definition of “sensitive data” as a Trojan Horse, betraying the promise of anything close to harmonization with long-established and proven federal policy. Requiring opt-in for use of web browsing history or app usage history, in particular, effectively take us back to the strict opt-in regime originally proposed, whatever the Chairman wants to call it.

So whatever the proposal’s actual details, the reality is that it represents a major break with long-standing U.S. privacy policy. ISPs will be subject to much more extensive regulation, and, unlike everyone else, through specific rules enforced by the FCC. That’s anything but harmonious.

Consistency aside, perhaps the FCC believes it has good reasons for experimenting with a new approach to privacy just for ISPs. But why not just say so?

Perhaps because there are no good reasons—or any reasons at all.

Throughout the proceeding, the agency has insisted, as it reiterates in the fact sheet, that stricter treatment of ISPs is justified solely on the basis that “[p]roviders have the ability to see a tremendous amount of their customers’ personal Information that passes over that Internet connection, including their browsing habits.”

Except that, as multiple comments on the original proceeding made clear, this is simply untrue.

In reality, more and more of the information—personal or otherwise–that “passes over” the Internet connection of an ISP is encrypted by the web sites that users interact with, using technologies that include the HTTPS protocol. The result is that only those services—Google, Facebook, Amazon, Netflix, for starters–have “the ability to see” anything, including “browsing habits.”

The trend to encrypt websites and app interactions using secured protocols has been going on for a long time, though it has accelerated dramatically since the disclosures by Edward Snowden about government (not private) surveillance.

According to Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, over half of all web traffic is now secured, as invisible to ISPs as it is to the NSA. By the end of this year, that number will climb to 70%. Most email is already encrypted. Skype is encrypted, as are your interactions with Netflix and, increasingly, the videos you watch. In the next five to 10 years, Hall says, encryption will become ubiquitous.

Earlier this month, in fact, CDT published an “Issue Brief” on the wildly successful campaign to encourage the remaining websites and services to adopt encryption. Why? Well, because “[w]ithout HTTPS, ISPs and governments can spy on what your users are doing.”

For sites that haven’t made the switch, the brief emphasizes, “ISPs can do things like monitor your web traffic to build advertising profiles,” noting that finishing the complete conversion of websites to HTTPS is “easier than you may think, and getting easier every day.”

For sites that have converted to HTTPS, of course, ISPs are now largely blind to consumer information of any kind, just as the campaign promised. They can’t “monitor your web traffic,” “spy on what your users are doing,” or “build advertising profiles.”

Just ask CDT and other privacy advocates who have, for better or worse (both, it turns out), led the encryption campaign.

I noted the FCC’s backwards understanding of who has access to “sensitive” information in my own comments on the original proposal, where I wrote:

Broadband providers do not, as the [original proposal] claims, control “the most important and extensive conduits of consumer information.” This is clear from the absurdly strained efforts of some commenters to describe how packet headers and IP addresses—all the providers can see, and then only when the user is not using a mobile device or a third-party Wi-Fi network—can theoretically be transformed into “a detailed composite portrait of a user’s life.” The reality is that broadband providers have access to almost no data regarding a user’s interactions with massively popular sites such as Google, Netflix and Amazon.

There was plenty of evidence of this technical reality in comments filed with the agency, along with the self-congratulatory postings of the organizations who have led the effort.

But in addition to transparency, the FCC doesn’t seem interested in evidence these days.

If consumers, as the latest fact sheet puts it, “deserve the right to decide how information is used and shared,” why is the Chairman determined to regulate only those providers who the agency knows perfectly well don’t actually have access to it?

And why continue to claim “harmony” with FTC and White House policy when it’s clear he’s still marching to the beat of his own drum?

Hopefully those are questions the other Commissioners—the only ones who know what is actually being proposed—will ask before they vote.

My recent book, co-authored with Paul Nunes, is “Big Bang Disruption: Strategy in the Age of Devastating Innovation” (Portfolio 2014). Follow me on Twitter and Facebook for more on the accident-prone intersection of technology and policy.