‘Sorry, ISPs Are Trying to Do What?’ What to Know About Congress’s New Internet-Privacy Rollback

By
Photo: Spencer Platt/Getty Images

The House of Representatives voted today, 215–205, to use the Congressional Review Act to nullify an FCC rule, adopted late last year, which required internet-service providers to get permission from customers to sell data gathered from their internet use to third parties. The Senate approved a similar measure last week, and President Trump will soon accept the rollback.

You may have heard about this because privacy advocates like the Electronic Frontier Foundation (and virtual private network services smelling blood and profit opportunity) have sounded the alarm, noting that rolling back these rules would theoretically allow internet-service providers to share potentially sensitive data without the knowledge of consumers. The telecom industry, for its part, has strongly pushed back against not only these regulations but also the EFF and others’ characterization of them, using a mishmash of arguments about federal authority and fairness regarding “edge providers” — that is, big websites and service providers like Google and Facebook.

At the very least, in no uncertain terms, the government is rolling back privacy regulations meant to protect consumers against invasive data mining. The question is, what does this mean for you?

What is going on here?
Last December, before President Trump was inaugurated into office, the FCC adopted a policy with the catchy name “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” Among other measures, this required broadband providers to get customer consent, also known as “opt-in,” before those customers’ internet-usage data — including browsing history and geolocation information — could be shared with third parties. Congress is now exercising its authority under the Congressional Review Act, which allows it to reject policies adopted by regulatory agencies, to toss this rule out.

I’ve heard this means ISPs can just sell my entire online history to advertisers. Is that true?
There are a few things to clear up here: First and foremost, the rules being nullified were adopted last fall. They are not long-standing privacy regulations being disabled amid the Trump regime — though the fact that the party of small government is in control of Congress and the White House surely helps. The telecom industry’s position is that its responsibility regarding your data is already regulated under Section 222 of Title 47 of the U.S. Code (though those regulations have more to do with proprietary networking data than user browsing history). All of which is to say that the hypothetical doomsday scenario — that ISPs will sell your whole browsing history, tied to your name and identity, to whoever wants it, the minute this vote is completed in Congress — will not come to fruition.

Rather, it indicates that ISPs would like to do what Google and Facebook, not covered by the new FCC rules, are already doing: sell anonymized profiles based on data those companies gather to third parties for ad targeting. Even if you’re comfortable with the amount of data that Google and Facebook are collecting on you and repackaging for sale — and you may not even be aware of it — the idea of ISPs doing the same thing is likely to be even more discomfiting: Google can only track you across sites that it owns or has contributed code to; your ISP can track your entire internet-browsing history.

What is the telecom industry’s stance on customer privacy?
Several broadband providers contacted for this story said that they supported their trade organization’s stance in support of the CRA rollback, but insisted they’re transparent with their customers about how data is handled. Thomas Larsen of Mediacom said that the FCC’s 2016 rules are a “smoke and mirrors policy that pretended to address a consumer issue,” while also adding that, “Cable operators have grown up in a world where the sharing of personally identifiable consumer information is not allowed, and we have no intention of sharing that information moving forward.”

Rich Young, from Verizon, stated in part that, “Verizon has several advertising and marketing programs, and customers are able to make choices about participating in these programs,” and directed me to their privacy policy. (You know, the long block of legalese that everyone definitely reads before signing up for online services.)

Other major broadband providers directed me to statements from trade organizations like NCTA, CTIA, and US Telecom. The latter said in its statement that, “Consumers deserve a single, clear framework for how their private online information is protected and consistent standards for how — or if — data can be shared by companies.”

What’s their argument for rolling back privacy regs?
In a conference call with the media today, NCTA experts defended the industry group’s stance in support of tossing out the FCC regulations. (A clerical note: NCTA formerly stood for National Cable & Telecommunications Association, but is now known as the Internet & Television Association. But it is still known as the NCTA in short.)

Their arguments were twofold (and, if I’m being honest, lackluster). First, they reached back five years to 2012, when President Obama named the Federal Trade Commission, and not the Federal Communications Commission, the government body in charge of determining consumer online-privacy rights. In other words, the NCTA does not believe that the FCC has jurisdiction on this issue, despite the fact that they are the body with the authority to regulate ISP practices.

Secondly, the telecom industry believes that it’s being unfairly targeted (boo-hoo), while Google, Facebook, and other enormous, data-hoovering advertising companies are being ignored. The NCTA believes that it needs to “hit the reset button” on privacy regulations, working partially off of FCC guidance from the middle of 2015. The trade org’s attitude is that any privacy regulations that don’t address edge providers like Facebook and Google are insufficient. Which, okay, sure — but that doesn’t seem like a great argument for rolling back those regulations entirely.

(Asked on a conference call whether or not the NCTA would support similar privacy rules that also covered edge providers, the NCTA’s representatives hedged.)

Are ISPs and edge providers equivalent?
There’s no doubt Facebook and Google, whose businesses are founded on selling targeted ads based on your browsing history, are presiding over privacy minefields. But the equation of broadband providers and edge providers ignores the fact that ISPs often have monopolies that edge providers do not. Thanks to decades of consolidation and a high cost of entry, the telecom industry is not a particularly competitive field; people can use the internet without using Facebook, but consumers often have little to no choice in who their actual internet provider is. Given the lack of regional competition in the telecom industry, I asked the NCTA why consumers should trust companies that know they have a captive user base. “We operate in ways that promote transparency and try to provide consumers with options for informed choice. That was true before there were FCC rules and that will be true after FCC rules go away,” said James Assey, the NCTA’s executive vice-president.

It is, as far as we know, true that an internet-service provider has yet to exploit its customers’ data in a particularly craven and greedy manner. It is also true that ISPs are pushing back on regulations that ensure it stays this way, and that a lack of industry competition means consumers can’t express their dissatisfaction by leaving a given ISP. And it’s clear where the industry is headed: Last August, in a regulatory filing, Comcast proposed discounted internet rates in exchange for collecting more user data.

But maybe we’re wrong and the telecom industry is really committed to consumer privacy. With any luck, it’ll follow through on its stated preference for comprehensive, uniform privacy regulations requiring both edge providers and ISPs to handle consumer data responsibly. Then again, Time Warner told you it’d be there between noon and two.

Is there anything I can do to avoid being tracked by my ISP?
Your best option is to use a virtual private network, which anonymizes your internet activity by routing it through another hub. There are hundreds of VPN subscription services out there, or — if you’re technically minded — you can roll your own. That said, your VPN might also log or track where you’re connecting to — unless you own the pipes, you’re always trusting someone else with your browsing habits. If you use a VPN, make sure its privacy policy is satisfactory.

What to Know About Congress’s New Internet-Privacy Rollback