As we previously reported, on April 28, the FCC held a public workshop on protecting the privacy of consumers who use broadband Internet access services.
Opening Remarks by Chairman Wheeler. The workshop began with remarks by Chairman Tom Wheeler, who said that changes in technology don’t change our values and that “privacy is unassailable.”
Technical Explanation of ISP Practices and Capabilities. Matt Blaze, Associate Professor of Computer and Information Science at the University of Pennsylvania School of Engineering and Applied Science, gave a presentation about how ISPs are seeking to avoid commoditization of their role as mere distributors by looking deeper into the packets they are switching (e.g., deep packet inspection) and monetizing the metadata collected. Professor Blaze said that one of the most difficult distinctions from a technical point of view is the one between content (which generally is not stored by the network) and metadata, and that the line between the two is blurry. Metadata such as location information, communities of interest (i.e., who you communicate with), web logs, and connection logs all reveal quite a bit about the user, but are subject to much less protection than content. Professor Blaze explained that consumer countermeasures are much less effective against tracking and metadata collection because some data simply must be exposed to the network and some tracking and logging techniques bypass encryption. Therefore, policy and regulation must step in to protect this information because technical protection is essentially not an option.
Panel 1: Policy. The first panel focused on the policy implications associated with privacy and broadband Internet access services. This panel sparked a debate among the panelists about whether ISPs are in a unique position in the Internet ecosystem to collect information about consumers and therefore, whether they should be regulated differently. On the one hand, panelist Robert Quinn, Senior Vice President-Federal Regulatory & Chief Privacy Officer at AT&T, stressed that the data set that ISPs have access to (e.g., location information, where you go online, numbers called) is not unique to ISPs and that other entities in the Internet ecosystem can also create these data sets. Quinn further argued that the evolution of the Internet has demonstrated that the entity-based approach to privacy regulation is a “last century” approach and that regulation should be consistent based on the type of information collected — that is, restricting ISPs’ use of location information doesn’t make sense when apps have access to the same — and even much better — location data. On the other hand, panelist Laura Moy, Senior Policy Counsel for New America’s Open Technology Institute, argued that ISPs, as the gatekeepers to essential services, are in a unique position to collect comprehensive data and that consumers expect that they have no choice but to give information to ISPs to receive that service. Moy argued that therefore ISPs ought to be held to a high standard with respect to that information because we want to foster confidence in the network as a reliable platform for all communications.
The first panel also discussed the use of consumers’ information for advertising. Panelists stated that consumers should be afforded notice, choice, and control over the information that is collected. Some panelists expressed concern about opt-in consent requiring the payment of additional fees (e.g., consumers could avoid ISP-targeted advertising if they pay additional fees for Internet access service).
Panel 2: Law. The second panel discussed the application of section 222 of the Communications Act to broadband Internet access services. There was consensus among the panelists that application of section 222 to ISPs is far from straightforward. There was a debate between Harold Feld, Senior Vice President, Public Knowledge, on the one hand, and Jim Halpert, Partner at DLA Piper, and Nancy Libin, Partner at Wilkinson Barker Knauer LLP, on the other hand, about the extent to which section 222 can even accommodate an ISP privacy framework and the extent to which it was appropriate for the FCC to find an obligation to protect “proprietary information” based on the introductory text in section 222(a). For example, the panelists wrestled with how to define “customer proprietary network information” (CPNI) – the principal subject matter of section 222 – in the Internet context. Halpert argued that many provisions in section 222 do not fit ISPs and pointed out that “personally identifiable information” is not in section 222’s definition of CPNI and that instead the definition is tied to information obtained by the carrier solely by virtue of the carrier-customer relationship. Libin cautioned the FCC against defining CPNI too broadly and pointed out that section 222’s protection of location information is primarily concerned with “call location information.” Panelist Peter Swire, Professor at Georgia Institute of Technology, argued that the following priorities should guide the FCC’s application of section 222: anti-fraud, cyber-security, and permitting research about network usage. Feld argued that the FCC has a statutory directive to protect privacy and that it can protect consumers by applying rules to ISPs based on section 222 while ensuring that there are no barriers to research and network configuration.
Halpert argued that, while there may be a place for rules, the FCC should mimic the FTC’s approach and use guidance documents and workshops to provide standards to encourage good practices so as to keep up with a rapidly evolving landscape. Some panelists also argued that the FCC should apply a similar set of criteria as the FTC so that there is one set of rules that fit consumer expectations.