It’s Time for a Grassroots Movement for Better Online Privacy

Photo: Ian McKinnell/Getty Images

Last December, the FCC adopted new rules intended to prohibit internet-service providers from selling sensitive user data — such as one’s internet-browsing history — to third parties, mostly advertisers. Those regulations lasted all of four months: This week, Congress used its authority under the Congressional Review Act to roll them back — the first move in what’s likely to be an actively deregulatory period for the FCC.

This doesn’t mean that you can just call up Comcast and request the internet-usage records for John Doe (or, as some have tried, members of Congress). The Communications Act of 1934 — specifically Section 222 of Title II — still has some regulatory power over the privacy of telecom customer information. What ISPs want to do with your data is more along the lines of what Facebook and Google do — anonymize it, bundle it with reams of other data, and sell it to advertisers looking to target certain populations and demographics. The reason this seems more insidious is that, unlike Google and Facebook, your ISP can see what you do across the entirety of the internet. If Facebook is some dude with binoculars at the top of One World Trade Center, your ISP is a satellite in space.

Still, the rollback should give anyone who uses the internet (so: everyone) pause. It’s a rarely seen, brazen admittance by the telecom industry that it would like to make money not just by providing internet service to customers, but by selling their usage records in some form as well.

In the past, the mass mobilization of internet users has managed to stop pro-corporate, anti-user deregulation in its tracks. But that mass mobilization has always been spurred and organized by the large corporations that would be most affected by deregulation. When net neutrality — the principle that ISPs are required to treat all traffic equally — was placed on the chopping block a few years ago, the biggest Silicon Valley companies flexed their muscles. Facebook, Google, and dozens of other smaller (but still rich) companies that benefit from an open, global network rallied 3.7 million users to leave comment with the FCC in support of net neutrality — and spent millions of dollars lobbying Congress and making campaign contributions. Similarly, those same companies used their might when SOPA and PIPA, ill-conceived anti-piracy bills that threatened the internet’s content ecosystem, came before Congress in early 2012.

The difference with this week’s deregulation is that Google and Facebook are not going to help users fight for stronger privacy protection. Both companies profit off of your data in the same ways that your ISP wants to. In fact, here’s an excerpt from a letter Google sent to the FCC last October, defending ISPs and complaining about the new privacy rules: “[A]lthough Google and other companies take strong measures to avoid using sensitive data for purposes like targeting ads, consumers benefit from responsible online advertising, individualized content, and product improvements based on browsing information.”

They conclude: “The FCC should not attempt to draw a categorical distinction between web browsing information and other information — particularly where such a novel and untested approach would unnecessarily increase regulatory burdens on the Internet.” Google doesn’t want regulation that affects its ad business either.

One of the most interesting (and encouraging) revelations of this week’s privacy outcry is how much it cuts across party lines. Trump supporters who spend much of their day online are as invested in a secure, open internet with robust privacy protections as liberal Democrats.

This past January, as the ISP-sympathetic, anti-regulatory FCC chairman Ajit Pai took office, I covered how online reaction from Trump-fanatic hives like /r/the_donald was mostly muted. Supporters appeared caught between unquestioning Trump fandom and an appointee who has explicitly promised to dismantle long-standing internet principles such as net neutrality.

Following this week’s approval of the rule rollback in the House, sending it to the president’s desk to be signed into law, forum lurkers had a good little laugh at how his most ardent online followers, often posting under the cloak of pseudonymity, were worried about the government rolling over for corporations when it came to internet privacy.

Even the most ardent free-marketeers are troubled by these privacy rollbacks because many internet customers have little choice in service providers. ISPs need to get permission from local governments to dig up city streets and lay cable, building out their network infrastructure, and many incumbents enjoy protection from local governments that do not allow competing ISPs to lay a similar foundation, resulting in less competition and stronger regional monopolies. For the most part, the biggest providers have an informal, unspoken agreement not to invade each others’ turf, resulting in de facto monopolies with none of the de jure protections that would come with public infrastructure ownership.

This means that most broadband providers have a captive customer base with no other viable options. If a customer’s ISP wants to monetize their browsing history, that customer often has nowhere else to go, and the potential for a privacy-conscious ISP to conquer the market by providing an alternative is nil. In other words, hoping that free-market competition will fix this situation is foolish.

Leading up to the congressional votes, the telecom industry argued that already-standing policy directives — such as the Federal Trade Commission’s consumer privacy framework, and the Obama administration’s 2012 Online Privacy Bill of Rights — were sufficient user protections.

But the ISPs weren’t wrong about everything. The telecom industry’s main complaint about the now-dead FCC rules was that the regulation did not also cover edge providers — the boring industry term for services running on the internet like Google and Facebook. This meant that while ISPs like Time Warner and Comcast had to obey the new rules, sites that arguably collect as much (if not more) data, like Facebook and Google, did not. The telecom industry thought this was unfair. Their point was that all companies should be governed by similar privacy regulations. They’re right, just in the wrong way.

So let’s recap: Internet-service providers that can see all of your web activity will not support stronger privacy controls. Edge providers that harvest and monetize your data will not support stronger privacy controls. The free market will not conjure a pro-consumer alternative to these models, and Congress has shown neither the expertise nor the investment to do so.

Which means there’s one option left, if we want to ensure an internet free of the nightmare of surveillance: A true grassroots movement in support of online privacy. It’s time to start considering the internet ecosystem we know as something in need of legal protection from government malfeasance and corporate greed. This is the rare issue that people on the left and right can agree on — yet, it gets little public support from those up top. It’s important that we figure out what to fight for, instead of drumming up support when bad legislation makes its way to the president’s desk.

The first step is to determine what, precisely, we users of the internet want. In 2004, then-FCC chairman Michael Powell outlined his four internet freedoms. These are the freedom to access any legal content they want, the freedom to run any application they want, the freedom to access the network using any device that they want, and the freedom to obtain information about their service plans. These are a good start, but are insufficient in a culture now inundated with social media. These points are the bare minimum that we work with now.

In a 2015 talk at the Fremtidens Internet conference in Denmark, developer Maciej Ceglowski outlined six privacy rights that web surfers deserve in the age of tracking cookies and programmatic-ad buys.

The right to download: you should be able to obtain the information that has been collected about you. You should be able to know how companies harvesting your data are tracking you. A few years ago, Facebook users became worried after they came to believe that the service was collecting status messages that users typed out, even if they didn’t actually publish them.

The right to delete: you should be able to delete said information from those services. This means a hard delete that actually wipes it from storage, rather than a soft delete that just makes the data inaccessible. (A fun economic fact is that one of the reasons that companies collect and retain so much data is that it’s actually cheaper to buy new physical storage than to truly erase data.)

Limits on behavioral data: the number of signals that companies collect on any given web page is shockingly high. They can measure everything from how long you watch a video to where your mouse hovers to which of your friends’ profiles you’re most interested in, and then behave accordingly. That behavioral data currently lasts forever. Ceglowski rightfully believes it should expire, and be wiped from the server after 90 days.

The right to go offline: Internet of Things devices like smart TVs shouldn’t need to have internet access in order to perform basic functions. They need to have hardwired switches that completely turn off their wireless capabilities.

Less invasive ad-tracking: Ad-tracking, Ceglowski argues, should only be based on the content the ad is placed against, and what the site you are visiting knows about you. “This ban would eliminate much of the advertising ecosystem, which is one of the best things about it,” he said.

Lastly, there should be legitimate consequences for violating these principles, ones that should make companies fearful of violating them, rather than blithely spending their way through insufficient fines.

There are a number of ways these rights and responsibilities could be implemented. Here at Select All in January, cybersecurity expert Bruce Schneier proposed a federal “Department of Technology Policy” that would, among other things, ensure security, enforce regulations, and protect consumers. He wrote :

We need government to ensure companies follow good security practices: testing, patching, secure defaults — and we need to be able to hold companies liable when they fail to do these things. We need government to mandate strong personal data protections, and limitations on data collection and use. We need to ensure that responsible security research is legal and well-funded. We need to enforce transparency in design, some sort of code escrow in case a company goes out of business, and interoperability between devices of different manufacturers, to counterbalance the monopolistic effects of interconnected technologies. Individuals need the right to take their data with them. And internet-enabled devices should retain some minimal functionality if disconnected from the internet.

Codifying privacy rights is important, but there are other actions that we can take as well. On a state-government level, 20 states have laws, written at the behest of large telecom providers, that prevent municipalities from offering their own broadband option, snuffing out competition before it can even exist. Those laws should be repealed (the FCC tried to challenge a few of them and failed because it has no authority to overturn state law).

These are solid, justifiable, actionable things that anyone concerned with privacy, on the left or the right, should be asking for. Companies and Congress will say that more regulation will be too heavy a regulatory burden, yet they already contend with much stricter privacy laws in the European Union. They will also claim that they need all of this data in order to customize your experience — they are lying. The deck is stacked against consumers. It’s time to ask for clear, actionable privacy laws, and break up broadband monopolies.

It is, admittedly, easy to let this issue slide as a minor one compared to the many others facing Americans today. But the internet is now essential to many of your day-to-day functions — not just how you talk with friends, but where you shop, manage your finances, search for a job, and find out what’s happening in the world. It can seem weird, in a moment when toxicity online feels like it’s at an all-time high, to think of the internet as something worth fighting for, but it is. It’s time to protect it.

It’s Time for a Grassroots Movement for Online Privacy