While most privacy advocates are cheering the Federal Communications Commission’s Thursday vote on hardline privacy rules for internet providers, others are pointing out as long as mergers like AT&T’s recent proposal to acquire Time Warner are allowed to go through, the rules won’t make any difference.
That’s according to privacy advocates and Silicon Valley players like Tim Sparapani, senior policy fellow at California-based tech policy lobbying firm CALinnovates, who says regulators have yet to catch up with how corporations are blurring the lines between services and technologies.
“[There’s] this weird thing that’s about to happen where we have companies like AT&T buying Time Warner and Verizon buying Yahoo and owning the Huffington Post, where consumer data is going to come in at various different moments from all these different companies and is going to be subjected to radically different privacy regimes based on how it was collected, even though it’ll be the same corporate conglomerate,” Sparapani said.
“And nothing in this rule resolves that question,” he added.
That’s because of the jurisdictional dividing line between internet service providers (ISPs) like AT&T and Verizon and edge providers such as Yahoo and Facebook — a line the FCC drew when it reclassified ISPs as common carriers, a form of public utilities subject to stricter regulatory oversight, with its net neutrality rules passed last year.
The rules pulled ISPs out from under the jurisdiction of the Federal Trade Commission, which still enforces privacy over edge providers, and leaves the FCC as the only privacy cop on the ISP beat due to an outdated law barring the FTC from regulating common carriers.
If adopted, the FCC’s rules would compel ISPs to get permission from subscribers before collecting almost any data about them beyond their name and address, giving users control over whether their provider sees where they go online or how they use apps on smartphones — the most sensitive and valuable data for selling targeted ads and improving products.
The rules won’t apply to the other half of the online ecosystem where the FTC only requires edge providers to give users the ability to opt-out of all but the most sensitive data collection, meaning all an ISP has to do to circumvent the rules is buy an edge provider.
“I think this rule is flawed because it doesn’t meet the tech neutrality test,” Sparapani said. “We have a whole series of technologies which are converging. We have a whole series of companies which are becoming vertically and horizontally integrated in ways that the ’96 telecom act never could have considered.”
Tom Wheeler, chairman of the FCC, based his privacy proposal on similar rules in the 1996 Telecommunications Act limiting how common carriers (at the time just telephone companies) can use customer proprietary network information (CPNI), sensitive information a provider has access to simply by virtue of providing service, like telephone numbers, dialed calls and the duration of conversations.
“That rule imagines a siloed universe where phone companies are phone companies, internet companies … are going to be internet companies, and this idea of edge providers was this really new thing,” Sparapani said. “And now we have a rule being proposed by the FCC which perpetuates the same idea that we can differentiate companies based on one type of technology, when in fact, we have companies buying and selling and merging up and down.”
While many have lobbied the FCC to copy the FTC’s formula simply for the sake of parity and clarity, Electronic Privacy Information Center (EPIC) President Marc Rotenberg said the agency has a poor track record of enforcing its own watered-down (by FCC standards) rules.
“When companies change their practices, the FTC remains silent,” Rotenberg said recalling WhatsApp’s pledge not to share data with Facebook when the social media giant acquired it in 2014. Earlier this summer the encrypted messaging platform went back on its privacy pledge by making the verified phone numbers — essentially the key for the WhatsApp user account — available to Facebook.
“We said to the FTC it’s entirely contrary to the representation that they made,” Rotenberg said. “Same thing by the way with Google and DoubleClick. Google acquires DoubleClick, says we’ll keep the user profile separate from the advertising profile, again the companies changed their business practices.
Like others, EPIC proposed a unified privacy standard while the FCC was hearing comment on its privacy pitch, but it is willing to support Thursday’s rules as a step in the right direction.
Those rules will be necessary to fill an important gap, left open by a recent federal court decision striking down the FTC’s attempt to fine AT&T for misleading customers about its unlimited data plans — a move the court said it could no longer make because of the common carrier exemption.
Absent FCC rules, the ruling has the potential to leave edge providers that also offer internet connectivity, like Google with Google Fiber, in a no man’s land of privacy enforcement.
“The FCC has created a vacuum and the FCC has to do something,” said Berin Szoka, president of the right-leaning tech policy think tank TechFreedom. “So the debate here is not about whether the FCC acts, its about how.”