A dual-track effort to derail—if not permanently eliminate—new federal privacy rules that would limit Internet Service Providers’ commercial use of sensitive customer data is gaining steam.
On Wednesday, March 1, the Trump administration’s Federal Communications Commission voted to delay implementation of new broadband privacy rules for ISPs. This happened on the eve of stringent new privacy rules taking effect.
The rules approved by the FCC last October under former President Obama require the likes of Comcast, Verizon, AT&T and Time Warner to get customers’ explicit consent before using or sharing behavioral data, including browsing history, location and other sensitive information.
Related: Don’t expect Trump to leave internet rules, regulations intact
Then on Tuesday, March 7, Sen. Jeff Flake, R-Arizona, went one big step further. Flake formally proposed using a rare legislative tool, called the Congressional Review Act (CRA), as a means to permanently halt the FCC from ever imposing any meaningful limits to ISPs’ commercial use of consumers’ behavioral profiles.
John M. Simpson, Consumer Watchdog privacy project director
“It’s already very likely that the Republican FCC will substantially water down privacy rules for ISPs, and they are, in fact, getting ready to do that,” says John M. Simpson, privacy project director for the advocacy group, Consumer Watchdog. “But that may all be moot because earlier this week a CRA was filed that would simply abolish the rule completely.”
Should Congress succeed in using the CRA mechanism to abolish the privacy rules approved last fall, the Trump FCC—and presumably all future commissions—would, in effect, be barred from adapting any form of privacy rules for ISPs, whatsoever, Simpson says.
“It would just leave it like the Wild Wild West where there’s no regulations at all,” Simpson says.
Dash for cash
This is all happening because ISPs are all too eager to participate in the hundreds of billions of dollars in online advertising revenue reaped by Google, Facebook, Twitter and other so-called “edge providers” who voraciously collect and then sell behavior profiling data generated by patrons of their respective services.
Concerns about how ISPs tend to hold monopoly stakes in many geographic areas—and collect even more extensive behavioral profiling data than any single edge provider can amass alone—were alleviated last fall when the Obama FCC stepped forward with its European-like privacy rules for ISPs.
No going back
Now the Trump FCC is preparing to water down the rules approved by the Obama FCC. What’s more, Congress, led by Sen. Flake, is positioning itself to leap ahead by using an obscure legislative mechanism, the CRA, to nail the coffin permanently shut.
For consumers, this represents a stunning reversal, says Katie McInnis, staff attorney for Consumers Union, the policy and mobilization arm of Consumer Reports.
“Internet service providers are using their all-access pass to consumers’ online lives to boost their profits, selling this personal information to the highest bidders,” McInnis says. “This move to eliminate these rules makes it clear that Congress values big industry more than consumers, who overwhelmingly support these protections.”
Simpson concurs. “The thing that is so depressing is that these rules were very good for both business and consumers,” he says. “The internet is built on trust, and if consumers can’t trust their ISPs it just undermines the whole system.”
Edge providers like Google and Facebook already lead the way in collecting massive amounts of data about how consumers use their web browsers and computing devices. They intensively mine this data to support ad campaigns based on behavior profiling. Advertising might seem benign enough. But privacy advocates worry that ISPs won’t be able to resist pursuing even more aggressive monetization models to exploit the disadvantaged.
Poor especially at risk
Machine learning and big data mining techniques are now routinely used in commerce. And it is possible for ISPs to create detailed behavior profiles for each individual internet user. Such profiles have proven to be very effective in conducting predatory marketing campaigns that most often target the poor.
For example, behavior profiles can help insurance companies discriminate while issuing policies and banks while approving loans. Behavior profiles can be used to promote gambling, porn and drug abuse. And they can tilt hiring decisions, or be used by politicians and ideologues to manipulate public discourse.
ISPs appear to be eager to cash in. For example, in 2014 Verizon was found to be silently modifying its users’ web traffic by injecting a cookie-like tracker that enabled third-party advertisers and websites to assemble a deep, permanent profile of visitors’ web browsing habits without their consent, according to the Electronic Frontier Foundation.
No privacy rules for Comcast, Verizon, AT&T et al. “means further overreaching by ISPs, which opens the doors to all kind of abuses that shouldn’t happen,” Simpson notes. “The kind of profiling that will be done, and what ISPs will do with those profiles, is completely inappropriate.”
Laura M. Moy, deputy director of the Center on Privacy & Technology at Georgetown University Law Center, notes the the FCC is required by law to have strong privacy protections in place for internet customers. “But if the FCC nevertheless refuses to do that, consumers may find that their internet providers are using, selling, and sharing information that consumers consider to be very private, without permission and perhaps without transparency as well,” Moy says.