The New York Times is backing new privacy rules for Internet service providers that the Federal Communications Commission will vote on later this month, but is doing so with few facts outside reworded bullet points from the agency itself.
Earlier this month the FCC announced new regulations to govern how ISPs handle user data, including limitations on when ISPs can share or sell user data — an effort aimed at giving customers more control over their privacy and security.
FCC Chairman Tom Wheeler announced the rules as a natural extension of the FCC’s authority over telephone networks’ handling of customer information — jurisdiction that was expanded to cover ISPs when the FCC reclassified broadband providers as public utilities in its net neutrality rulemaking last year.
“Your ISP handles all of your network traffic. That means it has a broad view of all of your unencrypted online activity — when you are online, the websites you visit, and the apps you use,” Wheeler wrote in an op-ed the same day the rules were announced.
“If you have a mobile device, your provider can track your physical location throughout the day in real time,” he continued. “Even when data is encrypted, your broadband provider can piece together significant amounts of information about you — including private information such as a chronic medical condition or financial problems — based on your online activity.”
In a fact sheet released by the agency the same day, the FCC repeated Wheeler, stating that “[e]ven when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website.”
They weren’t the only ones to repeat the assertion with a faintly reworded nuance. The NYT Editorial Board in a ringing endorsement of the rules wrote, “even when data is encrypted, companies can still tell what websites people are visiting.”
Richard Bennett of High Tech Forum — a former network engineer whose organization seeks to inform the policy debates surrounding technology — first noticed the similarity.
“The New York Times published an editorial praising FCC Chairman Tom Wheeler’s proposal to protect America’s Internet users from the allegedly prying eyes of our Internet service providers,” Bennett said. “The editorial reiterates the claims made in Wheeler’s ‘privacy fact sheet’ in a particularly shameless way.”
The FCC fact sheet goes on to state ISPs should face different privacy regulations than the rest of the online ecosystem regulated by the Federal Trade Commission, since it’s more difficult for users to switch ISPs than move from website to website.
“Consumers can move instantaneously to a different website, search engine or application,” the sheet reads. “But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.”
The NYT agreed, writing, “It is far easier for consumers to avoid those sites than to avoid their Internet service providers, especially since in many parts of the country people have only one or two choices for broadband.”
According to the FCC, “[c]onsumers have the right to exercise meaningful and informed control over what personal data their broadband provider uses and under what circumstances it shares their personal information with third parties or affiliated companies.”
Again, the NYT followed the FCC’s lead in wording and reasoning, albeit more concisely.
“But these rules are necessary because consumers need to have control over their personal information,” the editorial reads.
While there’s nothing abnormal about an editorial from a paper of note endorsing a public proposal, the lack of factual backup and “the alignment of the falsehoods should raise some eyebrows,” according to Bennett.
A recent report by researchers at Georgia Tech found that the growing adoption of technology like encryption, which masks website browsing data in transmission, and virtual private networks, which bounce a user’s traffic across a network of proxy servers, is preventing ISPs from seeing much more data than the FCC thinks.
HTTPS encryption is expected to span 70 percent of the Web by the end of 2016, and the use of VPNs, anonymous browsers like Tor and multiple devices (the average user has six, including smartphones and tablets, through which to go online) further fragments the incomplete picture ISPs have of customers’ online habits.
While ISPs can still see the host name a user visits, like Google or ACLU.org, the provider can’t see any of the multiple searches a user might execute, which are encrypted inside the browser, or where specifically the user goes on a webpage if the site is using HTTPS encryption.
It’s true that switching service providers is more difficult than switching websites, but the statement is deceptively simple: the majority of users gravitate to the biggest names on the Web for searches, social media and shopping (Google with 75 percent, Facebook with 61 percent and Amazon with 50 percent), all of which collect and monetize far more personal user data than ISPs could hope to accumulate.
“In reality, the information that’s available to ISPs has a different character than that available to websites and massive advertising networks such as Google’s,” Bennett said. “While the web sites have deep insight into the interests, financial standing, and behaviors of their users, ISPs potentially have a wide and shallow picture of overall web activity.”
Bennett, like many in the industry, submits that because ISPs only have “complementary information rather than the killer app to end all other forms of data collection,” they would be better served by a regulatory model they previously fell under within the FTC.