The Implications Behind Proposed Internet Privacy RulesThe FCC's overreach needed to be undone to protect the FTC's authority over privacy.
If we want to protect privacy, we must be clear about why it's important, how we can prevent confusion, and who is protecting consumers. Privacy is at risk in unprecedented ways if we don't put checks and balances on it from time to time. Sadly, the legal system is lagging behind the pace of innovation, as the last major privacy law was passed in 1986.
The true privacy mission also needs to prevent business practices that are deceptive or unfair to consumers, and include things that enhance informed consumer choice and public understanding of the competitive process, all without unduly burdening legitimate business activity. This is where the Federal Trade Commission (FTC) comes in.
You may be more familiar with the FTC's work than you think. The FTC deals with issues that touch the economic life of every American, and it's the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. It has moved much faster than our congressional leaders in putting consumer protections in place.
Why Am I Telling You This?
Last year, the Federal Communications Commission (FCC) pushed through, on a party-line vote, privacy regulations designed to benefit one group of favored companies over another group of disfavored companies. The rules would have required home Internet and mobile broadband providers to get consumers' opt-in consent before selling or sharing Web browsing history, app usage history, and other private information with advertisers and other companies. The rules, although well-intentioned, were at odds with the existing and proven privacy framework put forth by the FTC.
The FCC wanted to reclassify the Internet as a service under Title II of the Telecommunications Act, a provision that lets the FCC set rates and ensures equal access to traditional phone service, such as what you have at home. This was not permissible under US law. In making this move, the FCC stripped the FTC of the current jurisdiction it had over Internet privacy and data sharing practices.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
As one of the leading voices in email protection and chairman of the Email Experience Council, I believe the FCC should never have been allowed to declare "information services" a Title II service. But the FCC passed its own regulations, which subjected Internet service providers to onerous and unnecessary restrictions, and exempted edge providers.
Once the FCC declared the Internet a common carrier service, it removed all authority of the FTC to regulate. The privacy rules the FCC had in place are geared toward phone services, not the Internet. The rules didn't fit, so it attempted to write Internet-specific regulations.
These actions had to be undone to restore authority over privacy and data sharing to the FTC. This solution needed to happen to undo the fruits of regulatory overreach and absurdity.
What Happens Now?
First, the legislation that's been repealed isn't active today, and never has been. There'll be no change in whether an ISP is "allowed to sell your information." You still have privacy protections. How, you ask?
When Trump signed the Congressional Review Act, the FCC can't re-create the rules until Congress authorizes it to. Getting that legislation through Congress is pretty unlikely for the next couple of years. This will allow the FTC to regain the control and authority it has always had to protect consumers and regulate Internet service as it has done successfully for years.
There are some technical things consumers should understand to protect themselves.
If you use encryption (HTTPS), as many browsers and applications do, ISPs can track which websites you visit but not specific pages or what you do there. However, most advertisers already have this information and have since the dawn of the Internet. The websites you visit tell them when you buy things on Amazon or eBay, if you're reading this story, when you're on Facebook, etc.
What's even more interesting is that if someone wants to track which websites you visit, it's probably a lot easier to buy that information from a tiny, low-margin service provider in a lax jurisdiction or that is under FCC regulation than to do so from a large domestic ISP.
It's also important to know that ISPs already self-regulate on opt-in for what the FCC tried to define as the most sensitive uses. These include Web browsing, app usage history, geo-location data, financial and health information, and the content of communications. As a user of their services, you opted in when the service was purchased.
The changes, if allowed to go through, would have also stifled the industry's use of data that is used by anti-spammers and security vendors, data used to prevent viruses and malware, and many other security-related things, thus making you less safe as a user of the Internet.
Another important point: Congress is looking at a complete rewrite of the Communications Act. Everything is up for grabs if this happens.
The FCC has said it will work with the FTC to ensure that consumers' online privacy is protected through a consistent, comprehensive framework. The FCC knows that the best way to achieve those results would be to return jurisdiction over broadband providers' privacy practices to the FTC, with its decades of experience and expertise in this area.
Consumers must continue to educate themselves and their families about how their information can be used and how they can control it. Simply reading the privacy policies of sites and applications you use is a start.
If you're really worried about your information not being kept private, your best option is to use a virtual private network, which anonymizes Internet activity by routing it through another system and shielding it from your ISP. However, most ISPs are open about how you can opt out of any data use, and they give you control to do so.
Knowing how to protect your information identity is a must in the 21st century. Here are some tips from the FTC on doing it effectively.
Dennis Dayman is the chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam and in security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations, and technical solutions. View Full Bio