Before Federal Communications Commission Chairman Tom Wheeler called for the vote to adopt strict new privacy rules for internet providers in October, he gave a real-world example of how something as innocuous as a smart refrigerator can invade the owner’s privacy — and unintentionally demonstrated why the FCC’s new rules won’t protect it.
“Last week while I was visiting Consumer Reports’ famous testing lab, I looked at a smart refrigerator that collects information about what’s inside and shares it over the internet,” Wheeler said during the agency’s October open meeting. “Now even when that data only goes to the refrigerator owner’s mobile device, it is known by AT&T or Comcast or whoever — the internet service provider (ISP) who has been hired by that consumer to deliver that information.”
“So the ISP knows what goes in and out of a refrigerator,” Wheeler said. “It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information … Internet providers shouldn’t be able to sell something that’s yours without your permission.”
It’s hard to argue with the chairman’s logic — according to a September report from Pew Research, “91 percent of adults agree or strongly agree that consumers have lost control of how personal information is collected and used by companies.” Additionally, “[s]ome 74 percent say it is ‘very important’ to them that they be in control of who can get information about them, and 65 percent say it is ‘very important’ to them to control what information is collected about them” (though interestingly, a Pew report from January found 47 percent don’t mind having their shopping habits tracked, so long as they get a choice and benefit out of the deal).
In that context, the FCC’s rules requiring ISPs to get permission from users before collecting and monetizing their data are not just idealistic, they’re appropriate — and likely should have been the standard adopted across all regulatory agencies in the internet’s nascent stage, long before users became aware of just how much personal information they were giving away for free Gmail, Facebook and shipping from Amazon.
But that never happened — Americans and government were too late to the privacy frontier already won by Silicon Valley’s big data behemoths, and while Wheeler’s law and order approach to make up ground across the network is admirable, his jurisdiction doesn’t reach the network’s edge, where the biggest offenders — Google, Facebook and his smart fridge manufacturer — reside.
That’s big data country — a wild west where the Federal Trade Commission is the only sheriff in a town too big for any law enforcement strategy other than punishment after the crime has already been committed, and where edge providers only have to offer users the ability to opt out of all but the most sensitive data collection.
“What new FCC rules create is a hodgepodge of regulations, now being differentially enforced by an agency that has neither the experience nor expertise to realistically protect the consumer in the short term,” Eric Burger, director at Georgetown University’s Security and Software Engineering Research Center, told InsideSources.
“A glaring example of this is Chairman Wheeler’s statement, ‘Who would have ever imagined that what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your network provider is?’ His statement was made as if the ISP here is being nefarious. However, this statement is a glaring example of the edge provider failing at providing any semblance of consumer privacy.”
Though edge providers have gotten better in recent years, roughly half of all web traffic is still unencrypted, leaving the browsing history of users traveling to those websites not only visible to ISPs, but to hackers and other forms of cybercriminals with more nefarious intentions than selling targeted advertising.
Burger was one of many to file comments with the FCC urging the agency to copy the FTC’s privacy framework instead of establishing hardline rules, which he described as another example of “fixing something that was not broken, with the result being a broken system.”
While Burger expects the cost of service to go up for consumers under the guise of regulatory compliance, others have argued the limits on data monetization will drive up prices for consumers and unfairly benefit the other half of the online ecosystem not subject to the new rules.
Democrats in Congress, at the FCC, and even one of the agency’s Republican commissioners have since suggested raising the FTC’s privacy standard to match the FCC’s, acknowledging that without parity, there can be no privacy or market uniformity — an outcome Burger thinks is unlikely.
“My expectation is under these circumstances no one will do anything, and as a result consumer privacy will suffer,” he said. “It is intuitively obvious why everyone should be held to the same privacy regulations. However, what defies common sense is why vastly different agencies with different histories — in this case the FCC being expert in spectrum management and wireline competition and the FTC being expert in consumer protection — would be able to apply consumer protection regulations in a uniform manner.”