4/18/2017
10:30 AM
Dennis Dayman

The Implications Behind Proposed Internet Privacy Rules

The FCC's overreach needed to be undone to protect the FTC's authority over privacy.

If we want to protect privacy, we must be clear about why it's important, how we can prevent confusion, and who is protecting consumers. Privacy is at risk in unprecedented ways if we don't put checks and balances on it from time to time. Sadly, the legal system is lagging behind the pace of innovation, as the last major privacy law was passed in 1986.

The true privacy mission also needs to prevent business practices that are deceptive or unfair to consumers, and include things that enhance informed consumer choice and public understanding of the competitive process, all without unduly burdening legitimate business activity. This is where the Federal Trade Commission (FTC) comes in.

You may be more familiar with the FTC's work than you think. The FTC deals with issues that touch the economic life of every American, and it's the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. It has moved much faster than our congressional leaders in putting consumer protections in place.

Why Am I Telling You This?
Last year, the Federal Communications Commission (FCC) pushed through, on a party-line vote, privacy regulations designed to benefit one group of favored companies over another group of disfavored companies. The rules would have required home Internet and mobile broadband providers to get consumers' opt-in consent before selling or sharing Web browsing history, app usage history, and other private information with advertisers and other companies. The rules, although well-intentioned, were at odds with the existing and proven privacy framework put forth by the FTC.

The FCC wanted to reclassify the Internet as a service under Title II of the Telecommunications Act, a provision that lets the FCC set rates and ensures equal access to traditional phone service, such as what you have at home. This was not permissible under US law. In making this move, the FCC stripped the FTC of the current jurisdiction it had over Internet privacy and data sharing practices.

As one of the leading voices in email protection and chairman of the Email Experience Council, I believe the FCC should never have been allowed to declare "information services" a Title II service. But the FCC passed its own regulations, which subjected Internet service providers to onerous and unnecessary restrictions, and exempted edge providers.

Once the FCC declared the Internet a common carrier service, it removed all authority of the FTC to regulate. The privacy rules the FCC had in place are geared toward phone services, not the Internet. The rules didn't fit, so it attempted to write Internet-specific regulations.

These actions had to be undone to restore authority over privacy and data sharing to the FTC. This solution needed to happen to undo the fruits of regulatory overreach and absurdity.

What Happens Now?
First, the legislation that's been repealed isn't active today, and never has been. There'll be no change in whether an ISP is "allowed to sell your information." You still have privacy protections. How, you ask?

Now that Trump has signed the Congressional Review Act, the FCC can't re-create the rules until Congress authorizes it to. Getting that legislation through Congress is pretty unlikely for the next couple of years. This will allow the FTC to regain the control and authority it has always had to protect consumers and regulate Internet service as it has done successfully for years.

There are some technical things consumers should understand to protect themselves.

If you use encryption (HTTPS), as many browsers and applications do, ISPs can track which websites you visit but not specific pages or what you do there. However, most advertisers already have this information and have had it since the dawn of the Internet. The websites you visit tell them when you buy things on Amazon or eBay, if you're reading this story, when you're on Facebook, etc.

What's even more interesting is that if someone wants to track which websites you visit, it's probably a lot easier to buy that information from a tiny, low-margin service provider in a lax jurisdiction, or one that is under FCC regulation, than to do so from a large domestic ISP.

It's also important to know that ISPs already self-regulate on opt-in for what the FCC tried to define as the most sensitive uses. These include Web browsing, app usage history, geo-location data, financial and health information, and the content of communications. As a user of their services, you opted in when the service was purchased.

What's Next?
The changes, if allowed to go through, would have also stifled the industry's use of data that is used by anti-spammers and security vendors, data used to prevent viruses and malware, and many other security-related things, thus making you less safe as a user of the Internet.

Another important point: Congress is looking at a complete rewrite of the Communications Act. Everything is up for grabs if this happens.

The FCC has said it will work with the FTC to ensure that consumers' online privacy is protected through a consistent, comprehensive framework. The FCC knows that the best way to achieve those results would be to return jurisdiction over broadband providers' privacy practices to the FTC, with its decades of experience and expertise in this area.

Consumers must continue to educate themselves and their families about how their information can be used and how they can control it. Simply reading the privacy policies of sites and applications you use is a start.

If you're really worried about your information not being kept private, your best option is to use a virtual private network, which anonymizes Internet activity by routing it through another system and shielding it from your ISP. However, most ISPs are open about how you can opt out of any data use, and they give you control to do so.

Knowing how to protect your information identity is a must in the 21st century. Here are some tips from the FTC on doing it effectively.

Dennis Dayman is the chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam and in security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations, and technical solutions.
Comments
Shantaram,
User Rank: Ninja
4/19/2017 | 9:11:54 AM
Re: 192.168.0.1
Very interesting and detailed post. Thanks for sharing.
dritchie,
User Rank: Strategist
4/18/2017 | 3:31:53 PM
Re: Some bold claims here
Not only that, but the original poster works for a company that seems to try to help companies deliver unwanted commercial email (i.e. SPAM), so limiting the ability of providers to sell him information hurts his bottom line.
dritchie,
User Rank: Strategist
4/18/2017 | 3:28:40 PM
Re: Some bold claims here
Not only that, but the poster works for a company that seems to try to help companies deliver unwanted commercial email (i.e. SPAM).
guy_montag,
User Rank: Apprentice
4/18/2017 | 11:10:24 AM
Some bold claims here
The author makes some bold claims here but doesn't make a very good case for them. What's the FTC's track record in actually protecting privacy? How do common carrier privacy protections "stifle antispam and malware detection" any more than TLS does? How would the FTC be less susceptible to regulatory capture than the FCC? Regulatory capture is, IMO, the strongest case against FCC action, but this article doesn't even mention it.

The only arguments here seem to be "the FTC does a great job, take my word for it" and also that advertisers "already know everything" so who cares? That undercuts the whole part about the glories of self-regulating ISPs and the past work of the FTC. Never mind the fact that those that do deep packet inspection are ripe targets for attack even if they don't voluntarily sell the data to third parties.

The article also ignores the major impetus for the Title II classification, namely, net neutrality. Pretending common carrier reclassification was just about privacy is silly at best, disingenuous at worst.

All in all, this article doesn't pass the laugh test. ISPs are local monopolies, Comcast is not Google, and VPNs won't protect you.