4/18/2017
10:30 AM
Dennis Dayman
Commentary

The Implications Behind Proposed Internet Privacy Rules

The FCC's overreach needed to be undone to protect the FTC's authority over privacy.

If we want to protect privacy, we must be clear about why it's important, how we can prevent confusion, and who is protecting consumers. Privacy is at risk in unprecedented ways if we don't put checks and balances on it from time to time. Sadly, the legal system is lagging behind the pace of innovation, as the last major privacy law was passed in 1986.

The true privacy mission also needs to prevent business practices that are deceptive or unfair to consumers, and include things that enhance informed consumer choice and public understanding of the competitive process, all without unduly burdening legitimate business activity. This is where the Federal Trade Commission (FTC) comes in.

You may be more familiar with the FTC's work than you think. The FTC deals with issues that touch the economic life of every American, and it's the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. It has moved much faster than our congressional leaders in putting consumer protections in place.

Why Am I Telling You This?
Last year, the Federal Communications Commission (FCC) pushed through, on a party-line vote, privacy regulations designed to benefit one group of favored companies over another group of disfavored companies. The rules would have required home Internet and mobile broadband providers to get consumers' opt-in consent before selling or sharing Web browsing history, app usage history, and other private information with advertisers and other companies. The rules, although well-intentioned, were at odds with the existing and proven privacy framework put forth by the FTC.

The FCC wanted to reclassify the Internet as a service under Title II of the Telecommunications Act, a provision that lets the FCC set rates and ensures equal access to traditional phone service, such as what you have at home. This was not permissible under US law. In making this move, the FCC stripped the FTC of the current jurisdiction it had over Internet privacy and data sharing practices.

As one of the leading voices in email protection and chairman of the Email Experience Council, I believe the FCC should never have been allowed to declare "information services" a Title II service. But the FCC passed its own regulations, which subjected Internet service providers to onerous and unnecessary restrictions, and exempted edge providers.

Once the FCC declared the Internet a common carrier service, it removed all authority of the FTC to regulate. The privacy rules the FCC had in place are geared toward phone services, not the Internet. The rules didn't fit, so it attempted to write Internet-specific regulations.

These actions had to be undone to restore authority over privacy and data sharing to the FTC. This solution needed to happen to undo the fruits of regulatory overreach and absurdity.

What Happens Now?
First, the legislation that's been repealed isn't active today, and never has been. There'll be no change in whether an ISP is "allowed to sell your information." You still have privacy protections. How, you ask?

Now that Trump has signed the Congressional Review Act, the FCC can't re-create the rules until Congress authorizes it to. Getting that legislation through Congress is pretty unlikely for the next couple of years. This will allow the FTC to regain the control and authority it has always had to protect consumers and regulate Internet service as it has done successfully for years.

There are some technical things consumers should understand to protect themselves.

If you use encryption (HTTPS), as many browsers and applications do, ISPs can track which websites you visit but not specific pages or what you do there. However, most advertisers already have this information and have since the dawn of the Internet. The websites you visit tell them when you buy things on Amazon or eBay, if you're reading this story, when you're on Facebook, etc.

What's even more interesting is that if someone wants to track which websites you visit, it's probably a lot easier to buy that information from a tiny, low-margin service provider that is in a lax jurisdiction or under FCC regulation than from a large domestic ISP.

It's also important to know that ISPs already self-regulate on opt-in for what the FCC tried to define as the most sensitive uses. These include Web browsing, app usage history, geo-location data, financial and health information, and the content of communications. As a user of their services, you opted in when the service was purchased.

What's Next?
The changes, if allowed to go through, would have also stifled the industry's use of data that is used by anti-spammers and security vendors, data used to prevent viruses and malware, and many other security-related things, thus making you less safe as a user of the Internet.

Another important point: Congress is looking at a complete rewrite of the Communications Act. Everything is up for grabs if this happens.

The FCC has said it will work with the FTC to ensure that consumers' online privacy is protected through a consistent, comprehensive framework. The FCC knows that the best way to achieve those results would be to return jurisdiction over broadband providers' privacy practices to the FTC, with its decades of experience and expertise in this area.

Consumers must continue to educate themselves and their families about how their information can be used and how they can control it. Simply reading the privacy policies of sites and applications you use is a start.

If you're really worried about your information not being kept private, your best option is to use a virtual private network, which anonymizes Internet activity by routing it through another system and shielding it from your ISP. However, most ISPs are open about how you can opt out of any data use, and they give you control to do so.

Knowing how to protect your information identity is a must in the 21st century. Here are some tips from the FTC on doing it effectively.

Dennis Dayman is the chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam and in security/privacy issues, data governance issues, and improving email delivery through industry policy, ISP relations, and technical solutions.

Comments
Shantaram,
User Rank: Ninja
4/19/2017 | 9:11:54 AM
Re: 192.168.0.1
Very interesting and detailed post. Thanks for sharing.
dritchie,
User Rank: Strategist
4/18/2017 | 3:31:53 PM
Re: Some bold claims here
Not only that, but the original poster works for a company that seems to try to help companies deliver unwanted commercial email (i.e. SPAM), so limiting the ability of providers to sell him information hurts his bottom line.
dritchie,
User Rank: Strategist
4/18/2017 | 3:28:40 PM
Re: Some bold claims here
Not only that, but the poster works for a company that seems to try to help companies deliver unwanted commercial email (i.e. SPAM).
guy_montag,
User Rank: Apprentice
4/18/2017 | 11:10:24 AM
Some bold claims here
The author makes some bold claims here but doesn't make a very good case for them. What's the FTC's track record in actually protecting privacy? How do common carrier privacy protections "stifle antispam and malware detection" any more than TLS does? How would the FTC be less susceptible to regulatory capture than the FCC? Regulatory capture is, imo, the strongest case against FCC action, but this article doesn't even mention it.

The only arguments here seem to be "the FTC does a great job, take my word for it" and also that advertisers "already know everything" so who cares? That undercuts the whole part about the glories of self-regulating ISPs and the past work of the FTC. Never mind the fact that those that do deep packet inspection are ripe targets for attack even if they don't voluntarily sell the data to third parties.

The article also ignores the major impetus for the Title II classification, namely, net neutrality. Pretending common carrier reclassification was just about privacy is silly at best, disingenuous at worst.

All in all, this article doesn't pass the laugh test. ISPs are local monopolies, Comcast is not Google, and VPNs won't protect you.