On March 28, 2017, the United States Congress voted to repeal regulations issued by the FCC which would have required Internet Service Providers to obtain the consent of their customers before they could sell their information. Currently, if you visit a website like Facebook, Twitter, or Google, the website collects the fact that you have visited, and what you did on that site.
It may also collect information about the site that referred you to that site, and where you went from that site. Thus, Google (or Bing) can know your search history, Facebook your friends, and Twitter, your tweets. But in order to get to any of those sites, you have to connect to the Internet, which means using Broadband Internet Access Services (BIAS) like Comcast, RCN, Verizon, AT&T, Time Warner Cable, Century Link or Cox.
One Ring to Rule Them All
These search engines only know a portion of what you do. Your BIAS knows just about everything. For all devices in the home. When you use your iPad on your WiFi, your BIAS knows. When you use your desktop or laptop computer, the connection goes through the BIAS. Your IoT devices, Fitbit, and electronic doorbell are all connected through your BIAS.
So is your thermostat, Internet connected appliances, smart television, and a host of other devices. That’s in addition to knowing your search, browsing and Internet history. Everything you have ever searched for, downloaded, uploaded, or viewed. It all passes through your BIAS.
In December of 2016, in the waning days of the Obama administration, the FCC adopted rules regarding “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” They stated:
Without appropriate privacy protections, use or disclosure of information that our broadband providers collect about us would be at odds with our privacy interests. Through this Order, we therefore adopt rules that give broadband customers the tools they need to make informed choices about the use and sharing of their confidential information by their broadband providers, and we adopt clear, flexible, and enforceable data security and data breach notification requirements. We also revise our existing rules to provide harmonized privacy protections for voice and broadband customers—bringing privacy protections for voice telephony and other telecommunications services into the modern framework we adopt today.
Not so much anymore.
The adopted and now rescinded rules would have required BIAS’s to adopt privacy and data security practices, to be transparent about what data they were collecting, and with whom they were sharing, to allow consumers to opt out of such sharing or selling arrangements, and to require BIAS’s to provide consumers notice if their personal information (including Internet history) was breached.
The BIAS’s objected to the rule because it imposed burdens on them that were not imposed on entities that had similarly sensitive information. The FCC noted that “While we recognize that there are other participants in the Internet ecosystem that can also see and collect consumer data, the record is clear that BIAS providers’ gatekeeper position allows them to see every packet that a consumer sends and receives over the Internet while on the network, including, absent encryption, its contents. By contrast, edge providers only see a slice of any given consumers Internet traffic.”
The BIAS’s also objected and noted that consumers had tools that allowed them to protect their own privacy. Tools like end-to-end encryption, VPNs, and TOR routers or browsers. The FCC noted that “even with encryption, by virtue of providing BIAS, BIAS providers maintain access to a significant amount of private information about their customers’ online activity, including what Web sites a customer has visited, how long and during what hours of the day the customer visited various Web sites, the customer’s location, and what mobile device the customer used to access those Web sites. Moreover, research shows that encrypted web traffic can be used to infer the pages within an encrypted site that a customer visits, and that the amount of data transmitted over encrypted connections can also be used to infer the pages a customer visits.”
The regulation did more than require what is called “Fair Information Practices” for broadband providers. The law also required them to provide “reasonable security.” The two go hand in glove. Thus, broadband providers, in doing things like proxying https certificates, injecting adware, using persistent (and un-removable) tracking cookies, and collecting, storing and analyzing consumer data, would have to take reasonable steps to ensure that these practices not only did not impact consumer privacy (and provide a meaningful mechanism for opt-in or opt-out) but also ensured that the broadband providers actions did not impact the security of the customer. The regulation did not mandate any particular level of security, nor did it propose any particular technology, just that security be “reasonable.”
There are still other laws on the books that require telcos and cable providers to “protect the confidentiality” of certain customer information and requires them to get the “approval” of customers before they can use certain information, but the now defunct regulation specified HOW the companies had to protect confidentiality (through reasonable security) and set out rules on transparency and meaningful consent.
Theoretically, broadband providers (like other sites) could include in their terms of service language indicating that, by using the service, you consent to a whole range of data collection, aggregation, sale and use practices, and that these practices can be changed at any time by the broadband provider just by updating their website. The regulation would have changed that and required meaningful notice and the requirement that you opt in.
In the absence of this regulation, broadband consumers could resort to the general privacy and security requirements of the FTC – that actors not be “unfair” or “deceptive,” but if the administration has no stomach for enforcing specific privacy and security regulations against broadband providers, it’s unlikely that the FTC will use its authority to regulate those previously covered by the FCC regs.
Consumers could also try to hold broadband providers’ feet to the fire through privacy and security litigation – essentially alleging a breach of the providers’ voluntary privacy and data security policies. There are many problems with such a lawsuit.
First, courts are mixed about whether privacy policies are legally enforceable “contracts” that confer rights on consumers, or simply policy statements of desired intent. Courts are also mixed about whether, even if they are contracts, consumers can enforce them in the absence of “reliance,” – that is, that a consumer read, understood and relied to their detriment upon the privacy policy in, for example, providing the broadband provider with their personal data (or browsing history.)
Since a contract is a “meeting of the minds,” how can you hold a company to a promise you never read? (Of course, they can hold you to it, but that’s another kettle of fish.)
Second, Courts have been reluctant to find a cause of action for simple privacy violations or breaches. They have routinely found that the threat of identity theft or fraud, or the mere exposure of personal information insufficient to establish actual monetary damages. So everyone now knows that you surf for websites involving itchy, scaly skin. So, what’s your demonstrable economic harm?
Third, you can only sue when you KNOW about a violation. Since the repealed regulations mandated data breach notification, broadband providers now would only be required to provide notification of a breach of specific Personally Identifiable Information (PII) mostly under state law or, in the case of telephone companies, of Consumer Proprietary Network Information (CPNI). Browsing history, consumer preferences, websites visited, use of IoT devices, and similar information simply aren’t currently covered. If the company need not tell you of a breach, you would have no reason to sue for security violations.
Fourth, most broadband contracts have mandatory arbitration clauses, which the Supreme Court has found to be enforceable. Under these clauses, a consumer injured by a broadband provider’s privacy or security “violations” could not sue, but would have to file for arbitration – typically before an arbitrator who is acceptable to both parties.
Since a plaintiff would likely only have one case subject to arbitration, and a broadband provider may have thousands, arbitrators who want to get selected by broadband providers have a perverse incentive to rule on behalf of those who select them most often – the broadband provider.
Fifth, the arbitration policies also typically require waiver of the right to participate in class action litigation or class action arbitration. So if a broadband provider’s actions result in the exposure of the browsing history of tens of thousands, each individual would have to request an arbitration – which may result in little economic recover to each.
As one judge noted “The realistic alternative to a class action is not 17 million individual suits, but zero individual suits, as only a lunatic or a fanatic sues for $30.” So, if as in most privacy and security breach litigation, a broadband provider causes a modest injury to a large number of individuals, they have little to worry about, since those individuals must arbitrate individually.
Failure of broadband providers to have both fair information practices and reasonable security practices will be bad for the Internet as a whole. Broadband providers are the first line of defense for security – as they touch tens of millions of individual consumers.
The data they collect can not only be used for behavioral based advertising, but behavioral based pricing as well. If your surfing history indicates a preference for luxury goods, your search for “toothpaste” might be directed toward high end “luxury” toothpaste brands, rather than, say Pathmark’s generic toothpaste. What’s more insidious is that your search for Pathmark’s generic toothpaste price may show YOU a price that’s 40 percent higher than that of your decidedly more blue collar neighbor. The broadband provider is the last mile and gets to decide what you see and what you don’t see on EVERY website.
So What Can You Do To Protect Your Privacy?
The short answer is – not much. The longer answer is, depend on how much time, energy and performance degradation you are willing to tolerate. You can purchase a decent high speed VPN service for a few hundred dollars a year, and log in through a TOR browser. You can use browsers and other services that force HTTPS secure services.
Or you can tie two Dixie™ cups together with a string, and try to send data over that ad hoc network. In theory, you could select your broadband provider based upon their privacy and data security practices, but in reality, most areas of the country are served at best by 3-5 wired broadband providers, and they provide very little actual detail about their privacy practices, other than the pablum of “we protect your data” or “your privacy is important to us” or “we would never sell your data without your consent.” Of course, they don’t need to “sell” your data, if they simply use it to facilitate advertising (data wasn’t sold, advertising was), and you “consented” by using the service.
So for now, we can only hope that (1) competition will breed better security and privacy practices; (2) people will pick broadband providers based on privacy and security; (3) the FTC will step into the void left by the repeal of the regulations; and (4) my VPN works. My money is on the VPN.