Your Broadband Provider Wants to Violate Your Privacy. Now the FCC May Step In.

Last year Free Press and our allies won one of the biggest FCC victories in the Internet era: the reclassification of Internet service providers as common carriers under Title II of the Communications Act.

That win was possible only because millions of people demanded it — as did thousands of social justice organizations, technology advocates, public interest groups and businesses. All urged the FCC to return to the law of Title II as a foundation for strong Net Neutrality rules. Now, a major victory in the privacy battle may be within reach, with rules built on that same solid legal foundation.

The FCC’s reclassification decision clarified the application to broadband of a powerful pro-privacy provision in the Communications Act: Section 222. This law requires strict safeguards on how ISPs use and share their customers’ private information. Section 222 protects both so-called metadata about who we’re talking to — known as “customer proprietary information” (CPNI) — as well as other kinds of private information, like the content of our messages.

Today, ISPs like Comcast and Verizon have access to virtually all of the unencrypted traffic their users produce when accessing the Internet. As it stands, your ISP has a record of nearly every site you visit on a whim, the TV shows you binge-watch, and the online sources you consult to make important life decisions. It has a record of sites you visit for news and information and for all manner of political and civic discourse.

In their paper on the FCC’s privacy authority, our allies at the Open Technology Institute listed some of the harms ISPs’ unrestricted access to this information can have. These cable and phone companies could build a comprehensive profile of you, knowing whether you’ve been laid off or sought medical treatment, and then sell that information to data brokers, online advertisers and other nefarious entities — further enriching the companies at the expense of your privacy.

This level of access to your personal information rivals the reach of content providers like Facebook and search engines like Google, and may even surpass it. Everything you see and say on the Internet passes through the hands of your ISP. And unlike the sites you choose to visit, you have little choice when it comes to choosing a broadband provider. These companies have become online gatekeepers and the situation is only getting worse.

Our privacy is governed by an insufficient patchwork of laws. The brawniest regulator is the Federal Trade Commission. The FTC is authorized to bring civil suits against companies for using unfair or deceptive practices when handling private customer information. Unfortunately, the FTC can’t proactively lay down forward-looking rules or protect customers from ISPs intent on violating users’ privacy. However, the FCC can.

The Commission is now able to craft rules that would prevent this kind of abuse. Section 222 of the Communications Act requires telecommunications carriers to “protect the confidentiality of proprietary [network] information.” Before the FCC adopted the 2015 Open Internet Order, this rule protected the users of telephone services from having their private information shared or sold to advertisers without their consent or used in ways unrelated to providing phone service.

But it wasn’t at all clear that this law protected Internet users’ privacy too. Putting broadband back under Title II goes a long way toward answering that question, and that’s a good thing. Still, just what CPNI means in the world of broadband providers — and how the FCC should go about implementing the law — is an open question. Last year the FCC issued an enforcement advisory noting that “absent privacy protections, a broadband provider’s use of personal and proprietary information could be at odds with its customers’ interests” and that the FCC may adopt rules that are “tailored to broadband providers.”

Cable companies have made it clear they’re clamoring to dig into their users’ data and mine it for every cent it’s worth. In a Feb. 11 letter to FCC Chairman Tom Wheeler, industry trade associations ask that companies be subject to only the barest minimum of privacy protections. In the letter, the trade groups all but promise that they’ll see the FCC in court if it attempts to protect consumers. Broadband providers have telegraphed their intention to fight the principle that their customers’ private information shouldn’t be traded away without their consent.

Free Press, along with almost 60 other organizations, has urged the FCC to adopt rules that protect Internet users from having their data mined without their affirmative consent. This coalition is also calling on the agency to mandate that ISPs provide notice of any data breaches, and to disclose to customers how their private data is being used.

The FCC protected the free and open Internet by returning to its strongest legal authority. It’s now up to the agency to use that same rebuilt muscle to protect people from ISPs that would trade away private information to enrich themselves.

There have been reports that the FCC is moving in the right direction, and we expect the agency to propose new rules soon. Internet users will need to stand up to the ISPs to win this fight.

Original photo by Flickr user Josh Hallett