Internet service providers have been up in arms over the business implications of the Federal Communications Commission’s pending privacy rules since their announcement in March, but the rules’ potential impact on sharing data to mitigate cyber attacks could threaten more than just their bottom lines.
An outline of the draft rules released by the FCC earlier this year would require internet providers like Comcast and Verizon to get permission from subscribers before collecting their data, instead of collecting data by default until a subscriber opts out.
While the overall aim is to prevent providers from unscrupulously hoarding and monetizing subscribers’ data without their knowledge or permission, a side effect of the rules as written would be to prohibit one of the most common forms of data sharing providers engage in: sharing information about cyber threats.
Providers regularly share with each other lists of computers infected with malware or IP addresses of servers belonging to cyber criminals as a way of preventing botnet attacks before they occur.
“So here’s the IP address of that bad guy in Romania, Russia or Ukraine or wherever it is, and if you block that, you decapitate the botnet, the botnet doesn’t get bad instructions for the bad stuff to do, so it lies dormant,” Dr. Eric Burger, computer science research professor at Georgetown University, told InsideSources.
Burger heads the Security and Software Engineering Research Center at Georgetown University, which recently filed comments on the rules with the FCC.
“A literal read of the NPRM [Notice of Proposed Rulemaking] would say, ‘Oh, well that’s an IP address that the customer is communicating with, which we’re declaring as Customer Proprietary Network Information [CPNI] — you can’t share it, you can’t tell anybody about it,’” Burger said. “And that’s kinda throwing the baby out with the bathwater.”
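As an added illustration (not from the article or from Georgetown’s filing) of the indicator sharing Burger describes, the Python sketch below aggregates constructed sensor records into a shareable list of botnet controller addresses that carries no subscriber addresses, and turns a received list into block rules. The record layout, address prefixes and malware names are assumptions made up for the example.

```python
"""Added example: export C2 indicators without subscriber identifiers.

Assumed (constructed) input: sensor records of (subscriber_ip, c2_ip, family).
Only the C2 server address and an infected-host count leave the provider; the
subscriber addresses, which a literal CPNI reading would cover, never do.
"""
from ipaddress import ip_address, ip_network

# Constructed sample sensor records: subscriber, C2 server, malware family.
SIGHTINGS = [
    ("10.20.30.40", "203.0.113.7", "mirai"),
    ("10.20.31.9", "203.0.113.7", "mirai"),
    ("10.20.77.2", "198.51.100.23", "gameover"),
    ("10.20.30.40", "198.51.100.23", "gameover"),
    ("10.20.5.5", "10.20.9.1", "mirai"),  # C2 inside our own prefix: never export
]

LOCAL_NETS = [ip_network("10.20.0.0/16")]  # assumed: the provider's own prefixes


def is_local(addr):
    """True when the address belongs to one of our own subscriber prefixes."""
    a = ip_address(addr)
    return any(a in n for n in LOCAL_NETS)


def build_share_list(sightings):
    """Aggregate to (c2_ip, family) -> count of distinct infected subscribers.

    Subscriber addresses are dropped, and a C2 that is itself one of our
    subscribers is withheld: that record identifies a customer, not a controller.
    """
    victims = {}
    for subscriber_ip, c2_ip, family in sightings:
        if is_local(c2_ip):
            continue
        victims.setdefault((c2_ip, family), set()).add(subscriber_ip)
    return [{"indicator": c2, "family": fam, "infected_hosts": len(hosts)}
            for (c2, fam), hosts in sorted(victims.items())]


def to_block_rules(share_list):
    """Render a received share list as nftables-style egress drop rules."""
    return [f"ip daddr {e['indicator']} drop  # {e['family']}" for e in share_list]


def leaks_subscriber(share_list, sightings):
    """Check that no exported indicator is one of the subscribers seen locally."""
    subscribers = {s for s, _, _ in sightings}
    return any(e["indicator"] in subscribers for e in share_list)
```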
The FCC is basing its privacy NPRM on thirty-year-old rules it developed to safeguard CPNI data collected by telephone providers — “in layman’s terms, information a provider has about you by virtue of the customer-provider relationship,” FCC Wireline Competition Bureau Chief Matthew DelNero explained in March.
“When I made a phone call to order something, and then got on the mailing list of Hammacher Schlemmer, that was between me and Hammacher Schlemmer,” FCC Chairman Tom Wheeler elaborated on the rules before Congress in May. “The network delivered me there without taking my information.”
Those same rules would also bar researchers from obtaining information from providers to fix network problems or develop new strategies for improving cybersecurity. While Burger expects the FCC would eventually adopt a carveout for those purposes, he predicted providers would seek to take advantage of those carveouts and proponents of the rules would call them out on it, delaying the process further.
“If we give Verizon a cybersecurity exemption, they’re going to call everything cybersecurity,” Burger said. “And meanwhile, you’ll have people saying we can’t possibly give an exemption because then Verizon will be saying that they’re doing research on your buying habits so they can sell you stuff.”
The arguments would extend the already lengthy rulemaking process, resulting in regulations that will likely be “obsolete and wrong” by the time they take effect, according to Burger.
During a congressional hearing in May, Wheeler told lawmakers the rules would reverse the “retreat from privacy” in the communications market brought on by the advent of data monetization.
“I go to WebMD and WebMD collects information on me,” the chairman said. “I go to Weather.com and Weather.com collects information on me. I go to Facebook and Facebook collects information on me. But only one entity collects all of that information, that I’m going to all of those different sites, and can turn around and monetize it.”
While it’s true providers have a comprehensive view of subscribers’ activity online, Burger said the nature of the internet makes that largely unavoidable.
“The internet access provider does need to know who you’re talking to, like a hospital where you’re picking up your patient records — those packets have to get to the hospital,” Burger said. “On the one hand yes, the local provider should not be looking to see your health records. I wouldn’t say it’s not their fault, but it’s like leaving your car with the engine running and the door wide open in the parking lot of the Walmart, and then getting upset that someone drove it away. Yeah they still stole your car, but you’ve got a lot of liability and culpability in that situation.”
“If those providers don’t use end-to-end encryption, however, they are being very negligent,” he added.
A Georgia Tech study out earlier this year found the growing use of anonymizing online tools like encryption and Virtual Private Networks, along with users’ growing diversification of devices like smartphones and tablets, creates a less complete picture of internet activity than the FCC believes.
“I don’t know that I would characterize it as the ISPs are too clueless to figure it out,” Burger said. “If you just said, ‘Oh yeah well they have no information, this is all a bunch of hooey,’ that’s not quite true, because you do see me go to Google, you do see me go to WebMD, you do see me go to HIVsupport.org, and with enough information you can figure out this person has tuberculosis, this person has HIV, whatever, which is very sensitive private information.”
He added that while providers can piece together data on a user, so long as they’re taking steps to secure that data with tools like encryption, the threat to privacy is mitigated.
“So long as they do their part, which is use end-to-end encryption, as an ISP I have no idea if you have HIV or if you’re donating to the cause or if you’re just writing a research paper on it,” Burger said. “What that means is, the information is less valuable.”