As broadband connectivity makes data exchange faster and more robust, concerns about how that information is monitored have Internet service providers (ISPs) and privacy advocates at odds on how – or if – personal data should be protected by the federal government.
Representatives from academia, industry and government debated that issue and how online privacy expectations have changed over the last several years during a public workshop on April 28, at the Federal Communications Commission in Washington, D.C. In a pair of 75-minute panels, experts delved into what data is collected by providers, what use it serves, the difference between metadata and browsing activity, and whether further steps were necessary to ensure the information is protected.
The first panel, which covered the privacy implications associated with broadband access, pitted AT&T Chief Privacy Officer Robert Quinn, also senior vice president of federal regulatory, against Laura Moy, senior policy counsel for New America’s Open Technology Institute, in a back-and-forth discussion. The duo exchanged points about the uniqueness of data that providers have access to and whether it is necessary to provide tailored advertising online.
Quinn explained that the data available to ISPs is “not unique,” noting that people’s Web browsers collect the same data about what a person visits on the Internet as providers do. That information is then used to support an advertising business model that has gained in popularity, and one in which providers need to be able to compete.
In addition, Quinn lobbied for the Federal Trade Commission (FTC) and FCC to work together to set policies that are consistent irrespective of the underlying technology being used to deliver service.
“If you don’t do that, and we can’t compete in an ad-supported model – and that’s what the market wants and the consumers want – we are going to end up with the opposite of what [Section] 706 [of the Communications Act] wants, which is more investment in broadband infrastructure,” Quinn said.
Moy argued that consumers want confidentiality, and don’t expect that the network they use is going to monetize their information in a way that would violate their expectations of privacy. She likened the protections needed to the doctor-patient confidentiality privilege people expect.
“Broadband providers are in a unique position to have a view of personal communications,” Moy said. “I think given our interest in maintaining the contextual integrity of the network as a platform for free and open communications, it’s important for us to consider that information – that ISPs ought to be held to a high standard to protect that information.”
Catherine Tucker, associate professor of Management Science with the MIT Sloan School of Management, countered Quinn’s argument by saying that online advertising is, in general, “pretty ineffective.” She argued that research in Europe has shown that if data use is restricted in online ads, advertisers can still get people’s attention through “interruptive” on-screen messaging.
Tucker admitted, however, that while the strategy works, consumers likely don’t want an increase in those types of advertising interruptions.
“In the general sense, if we have advertising for the Internet, we have to be careful that inadvertently shutting down access to data to tailor advertising we are not going to end up with more floating intrusive pop-up ads in its place,” Tucker said.
The second panel discussed the FCC’s authority to protect the confidentiality of broadband consumers under Section 222 of the Communications Act. The commission invoked Section 222 most recently in its 2015 Open Internet Order, where it adopted strong net neutrality rules, reclassifying Internet connectivity as a telecommunications service under Title II of the Communications Act.
Section 222 requires telecommunications companies to protect the confidentiality of their customers, and restricts how they can use and disclose customer proprietary network information (CPNI). In the Open Internet Order, however, the FCC elected not to apply the rules it had previously adopted regarding telephone carriers’ handling of CPNI, which it found might not “be well suited to broadband Internet access service,” according to an FCC statement.
Some panelists argued that a gap now exists in privacy protections because broadband services were reclassified under the order. Harold Feld, senior vice president of public-interest group Public Knowledge, said Section 222 is “sophisticated and was designed to be so,” to cover that gap.
“This is about implementing Congress’ statutory directive with regard to communications platforms, which … under Section 222 is not limited to the concerns over telecommunication,” Feld said. “Congress in particular directed the FCC in a manner that is narrow, but deep, to protect privacy on the communications platform itself.”
Nancy Libin, a partner with Wilkinson Barker Knauer who specializes in privacy law and data governance, disagreed. She called Section 222 different from other privacy laws and said it would be complicated to implement.
Libin instead urged the commission to adopt a “21st-century privacy regime” that reflects the unique nature of the Internet economy and provides a consistent framework to handle data across multiple platforms. She requested that the FCC consider issuing a Notice of Inquiry to further explore the issue.
“Unlike in the phone services context, data has a special purpose in the Internet ecosystem,” Libin said. “It is the lifeblood of the digital economy that depends on the free flow of data. I would caution the FCC in defining CPNI under Section 222 broadly, or imposing strict rules on broadband providers because it would have a very different effect in [that] ecosystem.”