The public outrage over the Trump administration’s decision this month to roll back rules that put limits on what Internet service providers can do with their customers’ data seems to be dying down, but an important question still doesn’t have a clear answer: what actually changed?
The rules, which required that ISPs obtain explicit opt-in consent from customers before “using or sharing” information about their browsing, hadn’t gone into effect yet, and some ISPs already admit in their privacy policies to using and sharing anonymous, aggregated browsing data. But it’s hard to deny that the move reflects a fundamental shift away from the Obama administration’s approach to Internet privacy. The future of online privacy is much more complicated than this particular fight, though, and where we are headed is far from determined.
The most tangible change since Congress and President Trump removed the ISP privacy rules is that the future of ISP privacy regulation is more uncertain. Now we’re in a sort of “limbo situation,” says Joel Reidenberg, a professor at Fordham University School of Law. The FCC can still technically police privacy violations, but it’s not clear which practices are and aren’t allowed, and no one is sure how the Trump administration plans to replace the rules.
How did we get here? Under Obama, the FCC changed the way ISPs are regulated, designating broadband Internet a “telecommunications” instead of a “communications” service and opening the door for so-called net neutrality rules.
One consequence of the change was that the FTC, the government’s main consumer privacy cop, lost its authority to regulate ISPs. Now that responsibility is the FCC’s, and that’s why last October it passed the now-ditched privacy rules, which raised the bar for consumer privacy protection in the U.S. by requiring that ISPs get opt-in consent to use and share information about Web browsing.
Opponents to these rules, including new FCC chair Ajit Pai, argued that they would reduce revenue and stifle innovation, and that ISPs should not be regulated differently from Internet companies like Google and Facebook, which are still under the jurisdiction of the more flexible FTC.
Pai and Maureen Ohlhausen, acting chair of the FTC, recently took to the pages of the Washington Post to “set the record straight” about the decision to repeal the privacy rules, which they said amounted to “government picking winners and losers in the marketplace.” The argument advanced by privacy advocates that ISPs have more access to personal data than companies like Google and Facebook is “not true,” they wrote.
It’s true that many Internet companies use various methods to extensively track users across the Web, combining that information with the data users give them to create advertising profiles. Comparing the customer data that ISPs can access directly with what companies like Google and Facebook can access is comparing apples and oranges, though, says Nick Feamster, a professor of computer science at Princeton University. Your ISP does have a unique view into what you do on the Internet.
A growing number of websites use encryption, which allows your ISP only to see that you landed on a certain site, not pages you visit once you are there. But ISPs can also see the traffic associated with Internet of things devices, which can be revealing, encrypted or not, notes Feamster. Traffic patterns from devices like connected thermostats, appliances, and other smart home systems can provide insights into what their users do and how they live.
Now that the rules are gone, Pai has multiple options as to how to proceed. His agency could try to replace the rules, a process that would take months at least. Perhaps what is most likely is that Pai will seek to overturn the FCC’s net neutrality rules, and in the process return the job of overseeing ISP privacy to the FTC. If the public’s reaction to repealing the privacy rules is any indication, though, that could be politically challenging.
It’s also not clear what it would mean if the FTC were to take over again as the federal government’s only consumer privacy cop. What constitutes “unfair or deceptive” is a matter of legal interpretation, and at this point Trump’s FTC has given us few indications about how it will approach privacy, says Reidenberg.