The undoing of a FCC regulation that protected your internet privacy….

The undoing of a FCC regulation that protected your internet privacy….

The Congressional Review Act was passed in 1996 and then Speaker of the House, Newt Gingrich, championed the Act. The Act allows Congress to review and repeal, via a simple majority, any new regulation within 60 legislative days from the date the regulation became effective (note that legislative days are the same as calendar days). If the President approves of Congress’ repeal of the regulation then with his (in theory her) signature the repeal becomes law. In addition the Act bars the federal agency whose regulation was repealed from writing a new regulation that is the same or similar to the repealed regulation. Since no President would pass a law undoing a regulation he (or she) had just created, this Act is only of import during the beginning days of a new administration, specifically when the same party controls the presidency and majorities in both branches of Congress. It is of note that this Act has only been used once before; it was used by Republicans to repeal an ergonomics regulation created  under the Clinton administration. One final tidbit is that laws created via this Act are termed a “joint resolution of disapproval”. Sources: https://www.washingtonpost.com/news/the-fix/wp/2017/02/03/the-obscure-law-allowing-congress-to-undo-obama-regulations-on-guns-and-coal-in-a-matter-of-days/?utm_term=.c93e40b6404f; https://www.nytimes.com/2017/01/30/us/politics/congressional-review-act-obama-regulations.html?_r=0.

Senate Joint Resolution 34 (S. J. Res 34) is one such law. Specifically it repealed a regulation the Federal Communications Commission (FCC) put forth in late 2016 to protect the privacy of people’s personal information left on/gathered through the internet (https://www.congress.gov/bill/115th-congress/senate-joint-resolution/34). Before looking further into this new law, a quick word on the FCC – the FCC is the regulatory agency that oversees all radio, television, wire, satellite and cable communications conducted within the US as well as between the US and other countries (https://www.fcc.gov/about-fcc/what-we-do). In addition to the FCC, the US also has the Federal Trade Commission (FTC), which in a nutshell is focused on ensuring good business practices (https://www.ftc.gov/about-ftc). Knowing the difference between the FCC and the FTC is central to understanding what this law undid.

The FTC regulates the businesses that you interact with on-line be it through websites, apps, social media, etc… while the FCC is the one in charge with regulating all aspects, including the personal content those businesses gather, of your communications. Or at least that is how it once worked – those who supported S. J. Res 34 have argued that the FTC is sufficient in protecting a consumer’s privacy but opponents of the new law argue this is akin to the fox guarding the hen house as the sale of personal data is lucrative and that is exactly what this new law allows. It is now permissible for every single thing you do through the internet – everywhere you go (most apps, think the weather app, your map app, not to mention social media apps, around me, ride share services, etc… have location devices), everything you look at, including the content of what you are looking at (yes it is even possible that your medical information is included in this) and much more – to be gathered and sold. The data that this FCC regulation would have protected is not big data – big data is aggregated data and does not you’re your identifying information attached to it. Sources: http://www.latimes.com/opinion/editorials/la-ed-internet-privacy-20170330-story.html; https://www.eff.org/deeplinks/2017/03/congress-debates-reversing-course-decades-consumer-privacy-protections; http://thehill.com/blogs/congress-blog/technology/327848-your-private-information-is-not-for-sale; http://pppfocus.com/2017/04/09/sj-res-34-to-be-signed-by-trump-ends-internet-privacy-guidelines/; https://www.eff.org/deeplinks/2017/03/we-have-24-hours-save-online-privacy-rules.

Another way to understand the new law of the land in terms of internet privacy is to review the FCC regulation that has been undone. A brief review of the regulation can be found at: https://www.federalregister.gov/documents/2016/12/02/2016-28006/protecting-the-privacy-of-customers-of-broadband-and-other-telecommunications-services and the entire regulation can be located at: https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-39A1_Rcd.pdf. The opening points of this now repealed FCC regulation are quite poignant and highlight what has been lost:

“The intersection of privacy and technology is not new. In 1890, Samuel Warren and Louis Brandeis inaugurated the modern age of privacy protection when they warned that “numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet should be proclaimed from the house-tops.’” The new technology they had in mind? The portable camera.

In this Notice of Proposed Rulemaking (NPRM or Notice), we propose to apply the traditional privacy requirements of the Communications Act to the most significant communications technology of today: broadband Internet access service (BIAS). This is important because both consumers and Internet Service Providers (ISPs) would benefit from additional, concrete guidance explaining the privacy responsibilities created by the Communications Act.

To that end, our approach can be simply stated: First, consumers must be able to protect their privacy, which requires transparency, choice, and data security. Second, ISPs are the most important and extensive conduits of consumer information and thus have access to very sensitive and very personal information that could threaten a person’s financial security, reveal embarrassing or even harmful details of medical history, or disclose to prying eyes the intimate details of interests, physical presence, or fears. But, third, the current federal privacy regime, including the important leadership of the Federal Trade Commission (FTC) and the Administration efforts to protect consumer privacy, does not now comprehensively apply the traditional principles of privacy protection to these 21st Century telecommunications services provided by broadband networks. That is a gap that must be closed, and this NPRM proposes a way to do so by securing what Congress has commanded – the ability of every telecommunications user to protect his or her privacy.

Privacy protects important personal interests. Not just freedom from identity theft, financial loss, or other economic harms but also from concerns that intimate, personal details could become grist for the mills of public embarrassment or harassment or the basis for opaque, but harmful judgments, including discrimination. The power of modern broadband networks is that they allow consumers to reach from their homes (or cars or sidewalks) to the whole wide world instantaneously. The accompanying concern is that those broadband networks can now follow the activities of every subscriber who surfs the web, sends an email or text, or even walks down a street carrying a mobile device. Absent legally-binding principles, those networks have the commercial motivation to use and share extensive and personal information about their customers. The protection of privacy thus both protects individuals and encourages use of broadband networks, by building trust.

Today, as the FTC has explained, ISPs are “in a position to develop highly detailed and comprehensive profiles of their customers – and to do so in a manner that may be completely invisible.” This is particularly true because a consumer, once signed up for a broadband service, simply cannot avoid that network in the same manner as a consumer can instantaneously (and without penalty) switch search engines (including to ones that provide extra privacy protections), surf among competing websites, and select among diverse applications. Indeed, the whole purpose of the customer-provider relationship is that the network becomes an essential means of communications with destinations chosen by the customer; which means that, absent use of encryption, the broadband network has the technical capacity to monitor traffic transmitted between the consumer and each destination, including its content. Although the ability to monitor such traffic is not limitless, it is ubiquitous. Even when traffic is encrypted, the provider has access to, for example, what websites a customer has visited, how long and during what hours of the day the customer visited various websites, the customer’s location, and what mobile device the customer used to access those websites. Providers of BIAS (“broadband providers”) thus have the ability to capture a breadth of data that an individual streaming video provider, search engine or even e-commerce site simply does not. And they have control of a great deal of data that must be protected against data breaches. To those who say that broadband providers and edge providers must be treated the same, this NPR M proposes rules that recognize that broadband networks are not, in fact, the same as edge providers in all relevant respects. But this NPRM looks to learnings from the FTC and other privacy regimes to provide complementary guidance. ” (https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-39A1_Rcd.pdf).

Advertisements