Today, we will file our official comments in the Commission’s privacy proceeding. The fundamental message will be that the FCC should follow the FTC’s lead and adopt a notice and consent framework for privacy that is entirely consistent with the FTC framework that has governed since the inception of the Internet. That is contrary to the FCC’s current proposal neatly summarized by FCC Chairman Wheeler at a recent hearing: “For decades, the Commission has steadfastly protected consumers against misuse of their information by [telephone companies] …. It only makes sense that consumers should enjoy similar privacy protections in the world of broadband.” The problem with the FCC’s current approach is that it doesn’t reflect the reality of how the internet actually works.
That “misperception” is captured by a wrong-headed conclusion in the NPRM that ISPs are uniquely in a position to develop highly detailed and comprehensive profiles of their customers. It is just not true. In a prior blog, I talked about Prof. Peter Swire’s paper commissioned to help educate the FCC on the different data collection capabilities of all the platforms operating in the internet ecosystem. [Not] surprisingly, that paper was neither cited nor referenced in the NPRM.
So, it shouldn’t be a shock that a recent Future of Privacy Forum blog post explained that the FCC’s proposed rules reflect “a fundamental misunderstanding of the current online advertising ecosystem, which is fully capable of tracking individual behavior across the Internet as well as between devices.” The post visually illustrates how a consumer’s visit to a single website (WebMD.com) actually results in information being shared with, and received from, 24 third party sites. Once these connections are established, these ad networks are then able to track the consumer and link data about that consumer as she/he browses the internet. If the connection is to a party that has personal information about you (e.g., a social media or email platform), that third party can easily append this new web browsing information back to your personal profile of your internet activity. If the connection is made via a mobile device, the unique device advertising id allows the third party to add to or build a similar profile of the internet activity specific to that device. So, when the Chairman testified that when you make a decision to access Google, WebMD or Facebook that “only one entity collects all of that information,” he was just flat out wrong.
Although ISPs are one type of company involved in that flow of online information (the ISP “connected” you to WebMD.com), the inescapable fact is that information about your web browsing activity is collected, used and exchanged by countless online companies (websites, apps, operating systems etc…) for marketing purposes. Go to WebMD and your browsing data is accessed by 24 different companies, add in The Weather Channel, Facebook and CNN and that number leaps to 119. Edge providers, not ISPs, are the clear market leaders in tracking consumers and monetizing consumer online data. Google and Facebook alone account for more than 54% of digital advertising revenues and 67% of the mobile advertising market. In short, the data to which ISPs have access, compared to other players in the ecosystem, is neither unique nor “proprietary” even as contemplated by Title II.
I suppose the federal government could have stepped in a long ago time ago and subjected the entire internet to a heavy-handed, Title II-like regulatory construct, but it made a conscious decision not to do so. Instead, the government adopted a light touch framework under the leadership of the FTC. That approach has long focused on potentially harmful uses of consumer data, specifically sensitive information, or information shared with third parties. The FTC rules of engagement have applied to the entire internet ecosystem evenly and been effective for decades. As a result of that approach, consumers worldwide enjoy ad-supported free services and the entire Internet ecosystem has flourished with the United States in a leadership position. Companies, like AT&T, have simply argued in this proceeding that the FCC should continue to follow that same successful framework so that all providers in the internet ecosystem can continue to operate under the same rules regardless of which part of the ecosystem a company resides.
Some have argued that the FCC has a statutory duty to create privacy rules under Section 222, and that the criticism of its NPRM is not justified. That misses the entire point of the criticism. The problem with the FCC’s approach is that the agency appears poised to abandon the carefully crafted privacy framework created by the FTC, which has been the agency entrusted to protect and enforce privacy on the Internet exclusively for the past 20 years. Moreover, if adopted, the FCC’s proposed rules would restrict how an ISP uses online data, but they will do nothing to actually promote or protect consumer privacy on the internet. Indeed, all that will happen as a result of these rules will be a false sense of security by consumers, less competition for the advertising juggernauts at work in the internet today, and possibly a regulatory market barrier to ad-supported internet services that have proven to be so popular with consumers when offered by the ISP’s more-favored tech company counterparts.
Ironically, the FCC is once again moving in the opposite direction of their European counterparts who recently proposed an update of EU audiovisual rules and online platforms to create a horizontally-consistent approach for all players and consumers. The European Commission launched a wider undertaking to achieve a consistently applied privacy regime, aimed at reinforcing trust and security in all digital services in the EU, with a focus on ensuring a high level of protection and predictability for citizens, and comparable treatment for all market players. The EU Commission is moving towards rules that help to make the digital world into a seamless and “level playing field” for all, which seems to make much more sense than the direction the FCC is headed. But then the EU, like the Electronic Privacy Information Center in this country, appears to understand that regulating privacy the way the FCC wants to regulate privacy is merely a head-fake to confuse consumers.
In reality, the FCC is doing exactly what many privacy advocates from the EU and US have asserted about the US government for years, especially during negotiation of the Privacy Shield – protecting American edge providers from competition and scrutiny over their privacy practices. It certainly won’t be lost on Europeans that the FCC is denigrating the efficacy of the FTC notice and consent framework in the United States while other US officials are reassuring their EU counterparts that the FTC framework is entirely adequate for Privacy Shield.
The Commission’s scheme will have other far-reaching consequences as well. If enacted, the proposed rules will actually be harmful and confusing to consumers. While the FCC will falsely trumpet how these new rules actually provide internet privacy protections to consumers, the reality will be that all of the information these rules are designed to “protect” will remain freely accessible on the same terms as before to the edge providers, data brokers, and manufacturers of their operating systems, browsers, and mobile apps. In addition, the rules could also deprive consumers of being able to choose less expensive ad-supported broadband services that consumers find so valuable in so many different areas. In addition, these rules will actually harm investment by infrastructure providers as noted by Moody’s when these proposals were first announced.
As the FCC appears to have already made up its mind about most if not all of these rules, these concerns will probably fall upon deaf ears. It’s striking that the Swire paper was neither referenced nor cited in the NPRM. They seem to not want to hear what they don’t want to understand. People outside the US, however, will be paying attention and I will predict today that the result will be more regulation for US companies abroad and more expensive broadband for US consumers domestically.