Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Dennis Dayman
Dennis Dayman
Connect Directly
E-Mail vvv

The Implications Behind Proposed Internet Privacy Rules

The FCC's overreach needed to be undone to protect the FTC's authority over privacy.

If we want to protect privacy, we must be clear about why it's important, how we can prevent confusion, and who is protecting consumers. Privacy is at risk in unprecedented ways if we don't put checks and balances on it from time to time. Sadly, the legal system is lagging behind the pace of innovation, as the last major privacy law was passed in 1986.

The true privacy mission also needs to prevent business practices that are deceptive or unfair to consumers, and include things that enhance informed consumer choice and public understanding of the competitive process, all without unduly burdening legitimate business activity. This is where the Federal Trade Commission (FTC) comes in.

You may be more familiar with the FTC's work than you think. The FTC deals with issues that touch the economic life of every American, and it's the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. It has moved much faster than our congressional leaders in putting consumer protections in place.

Why Am I Telling You This?
Last year, the Federal Communications Commission (FCC) pushed through, on a party-line vote, privacy regulations designed to benefit one group of favored companies over another group of disfavored companies. The rules would have required home Internet and mobile broadband providers to get consumers' opt-in consent before selling or sharing Web browsing history, app usage history, and other private information with advertisers and other companies. The rules, although well-intentioned, were at odds with the existing and proven privacy framework put forth by the FTC.

The FCC wanted to reclassify the Internet as a service under Title II of the Telecommunications Act, a provision that lets the FCC set rates and ensures equal access to traditional phone service, such as what you have at home. This was not permissible under US law. In making this move, the FCC stripped the FTC of the current jurisdiction it had over Internet privacy and data sharing practices.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

As one of the leading voices in email protection and chairman of the Email Experience Council, I believe the FCC should never have been allowed to declare "information services" a Title II service. But the FCC passed its own regulations, which subjected Internet service providers to onerous and unnecessary restrictions, and exempted edge providers.

Once the FCC declared the Internet a common carrier service, it removed all authority of the FTC to regulate. The privacy rules the FCC had in place are geared toward phone services, not the Internet. The rules didn't fit, so it attempted to write Internet-specific regulations.

These actions had to be undone to restore authority over privacy and data sharing to the FTC. This solution needed to happen to undo the fruits of regulatory overreach and absurdity.

What Happens Now?
First, the legislation that's been repealed isn't active today, and never has been. There'll be no change in whether an ISP is "allowed to sell your information." You still have privacy protections. How, you ask?

When Trump signed the Congressional Review Act, the FCC can't re-create the rules until Congress authorizes it to. Getting that legislation through Congress is pretty unlikely for the next couple of years. This will allow the FTC to regain the control and authority it has always had to protect consumers and regulate Internet service as it has done successfully for years.

There are some technical things consumers should understand to protect themselves.

If you use encryption (HTTPS), as many browsers and applications do, ISPs can track which websites you visit but not specific pages or what you do there. However, most advertisers already have this information and have since the dawn of the Internet. The websites you visit tell them when you buy things on Amazon or eBay, if you're reading this story, when you're on Facebook, etc.

What's even more interesting is that if someone wants to track which websites you visit, it's probably a lot easier to buy that information from a tiny, low-margin service provider in a lax jurisdiction or that is under FCC regulation than to do so from a large domestic ISP.

It's also important to know that ISPs already self-regulate on opt-in for what the FCC tried to define as the most sensitive uses. These include Web browsing, app usage history, geo-location data, financial and health information, and the content of communications. As a user of their services, you opted in when the service was purchased.

What's Next?
The changes, if allowed to go through, would have also stifled the industry's use of data that is used by anti-spammers and security vendors, data used to prevent viruses and malware, and many other security-related things, thus making you less safe as a user of the Internet.

Another important point: Congress is looking at a complete rewrite of the Communications Act. Everything is up for grabs if this happens.

The FCC has said it will work with the FTC to ensure that consumers' online privacy is protected through a consistent, comprehensive framework. The FCC knows that the best way to achieve those results would be to return jurisdiction over broadband providers' privacy practices to the FTC, with its decades of experience and expertise in this area.

Consumers must continue to educate themselves and their families about how their information can be used and how they can control it. Simply reading the privacy policies of sites and applications you use is a start.

If you're really worried about your information not being kept private, your best option is to use a virtual private network, which anonymizes Internet activity by routing it through another system and shielding it from your ISP. However, most ISPs are open about how you can opt out of any data use, and they give you control to do so.

Knowing how to protect your information identity is a must in the 21st century. Here are some tips from the FTC on doing it effectively.

Related Content:

Dennis Dayman is the chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam and in security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations, and technical solutions. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
4/18/2017 | 3:31:53 PM
Re: Some bold claims here
Not only that, but the original poster works for a company that seems to try to help companies deliver unwanted commercial email (i.e. SPAM), so limiting the ability of providers to sell him information hurts his bottom line.
User Rank: Strategist
4/18/2017 | 3:28:40 PM
Re: Some bold claims here
Not only that, but the poster works for a company that seems to try to help companies deliver unwanted commercial email (i.e. SPAM).
User Rank: Apprentice
4/18/2017 | 11:10:24 AM
Some bold claims here
The author makes some bold claims here but doesnt make a very good case for them. Whats the FTC's track record in actually protecting privacy? How do common carrier privacy protections "stiffle antispam and malware detection" any more than TLS does? How would the FTC be less susceptible to regulatory capture than the FCC? Regultory capture is imo, the strongest case against FCC action but this article doesnt even mention it.

The only arguments here seems to be "the ftc does a great job, take my word for it" and also that adverstisers "already know everything" so who cares? That undercuts the whole part about the glories of self-regulating ISP's and the past work of the FTC. Never mind the fact that those that do deep packet inspection are ripe targets for attack even if they dont voluntarily sell the data to third parties.

The article also ignores the major impetetus for the Title II classification, namely, net neutrality. Pretending common carrier reclassification was just about privacy is silly at best, disengenuous at worst.

All in all, this article doesnt pass the laugh test. Isps are local monopolies, comcast is not google, and vpn's wont protect you. 
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...
PUBLISHED: 2021-04-16
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS build 20210202 (and later) QT...