If you’ve been browsing through tech publications, you might see articles like this one mentioning that the U.S. Congress has just voted to allow ISPs to sell customer information to advertisers. The panic that later ensued spread through social media, with many people pointing fingers across political lines and some even claiming that this is the end of privacy on the Web (as if such a thing ever existed).
The going narrative since Congress ended its session is that repealing the FCC rules will allow Internet service providers to use all of your data – including your browsing and search history – as they see fit to sell it to the highest bidder. Is there some truth to this or are we entering panic mode without first examining the facts?
In the spirit of full transparency and disclosure, the Congressional session’s conclusion can be found on this page. In case that link stops working, you can also find it here in the clerical section of the House of Representatives’ website.
The talk of the day is that Congress has voted to repeal rules proposed by the FCC back on the 27th of October of 2016. These rules, according to Reuters and even the FCC themselves, make it so that ISPs would be required to notify customers of the types of information they collect and how it is being used.
Since these rules have been removed, there has been a lot of talk about how it is now perfectly fine for your Internet provider to grab your entire search history and sell it to another company.
Looking a Little Deeper
After reading this, you are hopefully asking yourself, “Why did you provide a direct link to the Congressional repeal but nothing on the FCC proposal?” If you haven’t, you should.
Most media organizations looked at the FCC’s own press release (linked earlier) and based their reporting on that. Granted, it usually isn’t necessary to wade through legislation and amendments to get a story through, but it never hurts to dig a little further.
Unfortunately, you’ll be pressed to find any publicly-available reference to the text itself, and you can’t just go out and look for it unless you know the docket number that the FCC filed its proposal under. And even the FCC’s own press release includes no such reference.
A few hours and some cups of coffee later, I found WC docket number 16-106 which contains FCC 16-39 filed on the 1st of April, 2016. As opposed to legislation approved by Congress, agencies have a significant amount of autonomy regarding new regulations. Their system is a little different than what you’ll find in Capitol Hill, making these regulations a little difficult to find after they’ve been buried under the piles of other regulations that have come up since then.
Looking at FCC 16-39 uncovers a 147-page document full of rules and proposed amendments to the U.S. Code and the Communications Act of 1934. It’s a lot more complex than some simple customer protection rules. Some of the provisions include the requirement for broadband providers both large and small to notify their customers of data breaches they may experience. Although some of the text insinuates that this requirement should only apply to breaches to customer data held by the ISP, it makes no clarification as to whether the ISP is also responsible for customer data held elsewhere or not.
To put things more simply, after looking through the actual text of the rule proposal, Congress has repealed something much more complex than some small rules for customer protection.
Addressing the Panic
Of course, when all is said and done, the original issue hasn’t disappeared: among the FCC rules repealed were provisions that would restrict ISPs from selling off a person’s data without their consent.
The next question we should ask ourselves is, “Well, is there already something in place to stop this?”
The answer to this can be found in Title 47, Subchapter A, Part 8, §8.3 of the Code of Federal Regulations. The digitized version of this little paragraph can be found here. Within this tiny sliver of text you will find transparency rules already in place that make ISPs publicly “disclose accurate information regarding the network management practices, performance, and commercial terms of their services.”
Regarding data breach notifications, the FCC themselves admit in their own document that 47 out of the 50 states already have similar rules in place that (as opposed to these federal regulations) do not present a barrier to entry for smaller ISPs.
Under the Wiretap Act (18 USC § 2511), it is already illegal for ISPs to divulge your private information to third parties without first having your consent.
All of this already establishes the basis for the position that the FCC rules were not only unnecessary, but also added more burdens to smaller providers to an already enormous list of rules. We could go further (e.g. Section 201(b) of the Communications Act), but that would just be redundant. The point is that there is really very little reason to panic with regards to the Congressional repeal.
If we really want the Internet to be free and open, perhaps it wouldn’t hurt for us to look outside our fences and see what other countries are doing. It is no coincidence that the countries with the highest freedom of choice for their customers and highest connection speeds also happen to have the least amount of telecommunications regulations. Because almost anyone can enter the market, almost anyone does, making larger ISPs feel constant pressure from smaller ones and giving them the incentive to add value to their subscribers rather than sit comfortably in an established regional quasi-monopoly as they do in the U.S.
Do you think we need more protections for customer privacy? Or should we address the issues that are making it difficult for small companies to get a foothold in the broadband market? Tell us your thoughts in a comment!