Back in October of 2016, the FCC passed some pretty awesome rules that would bar your internet service provider (ISP) from invading your privacy. The rules would keep ISPs like Comcast and Time Warner Cable from doing things like selling your personal information to marketers, inserting undetectable tracking headers into your traffic, or recording your browsing history to build up a behavioral advertising profile on you — unless they can get your consent. They were a huge victory for everyday Internet users in the US who value their privacy.
But since the restrictions also limit the ability of ISPs and advertisers alike to profit from the treasure trove of data ISPs have about their subscribers, powerful interests have come out in force to strip those protections away. Lobbyists in DC are pulling out all the stops trying to convince Congress that these straightforward, no-nonsense privacy rules are unnecessary, unfair, overly burdensome, or all of the above. EFF wrote a memo for congressional staffers that busts these myths.
And we’re sharing the content of that memo with you, Team Internet, so you can see the type of FUD ISPs and their allies are pushing in order to take away your privacy.
(Fair warning: some of these are fairly wonky, so if you’re not the type that gets excited by telecom law, you can always skip to the part where you call your senators and representative and tell them not to repeal the FCC’s ISP privacy rules — because if we raise our voices together, we can stop Congress before it’s too late.)
Myth 1: If the FCC’s privacy rules are repealed, state officials and the Federal Trade Commission will fill the gap — so customers’ privacy will still be protected.
Fact: Unfortunately, recent court decisions have limited the FTC’s ability to enforce privacy rules on ISPs. Plus, relying on each state to enforce its own laws to protect privacy would create a terrible patchwork of mismatched regulations. You’d think with all the uncertainty and bureaucracy that would create, the ISPs would actually prefer clear, bright-line rules at the national level. But you’d be wrong: at this point, they’ll say anything to block the FCC’s privacy-protective rules.
The 2016 FTC v AT&T Mobility decision at the 9th Circuit eliminated the Federal Trade Commission’s authority to enforce privacy rules on ISPs in Arizona, Alaska, Hawaii, California, Idaho, Montana, Nevada, Oregon, and Washington. Other courts may do the same. And while some states’ Attorney Generals have brought actions against ISPs that mislead or deceive consumers about how the companies collect, share, and sell customer data, many other states have scaled back their enforcement on the premise that federal enforcement was sufficient and preferable.
What’s more, a state-by-state patchwork of consumer protection enforcement is bad for customers and telecoms. It leaves customers in states with weaker consumer protection statutes or less assertive Attorneys General without crucial safeguards from their ISPs. And it leaves ISPs subject to a bewildering array of regulations depending on where they operate. That regulatory thicket will impede competition and innovation by discouraging service providers from entering new markets.
Myth 2: Even if Congress repeals the FCC’s recent privacy rules, the FCC still has authority to enforce consumer privacy protections more generally under Section 222 of the Communications Act.
Fact: Due to the way Congress plans to repeal the FCC’s privacy rules, there’s going to be a lot of legal uncertainty about whether or not the FCC will be allowed to do anything related to ISPs and privacy in the future. In other words, it’s not clear if you’ll be at the mercy of your ISP or not, and by the time the courts figure it out, your ISP will have already had the chance to do some pretty creepy things.
Section 222 of the Communications Act is the underlying authorization for the rules the FCC has already adopted, but if Congress passes a Congressional Review Act (CRA) resolution to repeal the rules, whether or not the FCC can pass new rules using that authority will be an open question.
That’s because a CRA resolution would prohibit the FCC from issuing rules that are “substantially the same” in the future. If the FCC brings an action against an ISP under Section 222 for mishandling customer data, the ISP would likely try to challenge the action in court on the grounds that Congress preempted the agency with the CRA, creating uncertainty around ISP obligations and consumer privacy protections.
Myth 3: The FCC’s privacy rules put Internet service providers at an unfair disadvantage when compared to Internet companies like Google who can profit off of consumers’ data.
Fact: Google doesn’t see everything you do on the Internet (neither does Facebook, for that matter, or any other online platform) — they only see the traffic you send to them. And you can always choose to use a different website if you want to avoid Google’s tracking. None of that is true about your ISP. You probably only have one, maybe two options when it comes to ISPs offering high-speed Internet, and your ISP sees everything — they have to, in order to send your traffic to the right place. That’s why we need the FCC’s privacy rules: ISPs are in a position of power, and they’ve shown they’re willing to abuse that power.
To begin with, it’s worth remembering that ISPs and companies like Google or Facebook see entirely different parts of your Internet activity; namely that Google or Facebook only see the traffic you send to their servers, while ISPs see all your traffic. Even when you take into account the fact that Google and Facebook have creepy third-party trackers spread across the web, they still only see a fraction of what your ISP sees. Being able to see all of your traffic gives your ISP an unprecedented view into your life (everything from what you’re shopping for, to who you talk to, to what your politics are, to what you read), which not even Google or Facebook can achieve.
There’s also another big difference between Comcast and Google: choice. While Internet users can choose between numerous online services for search, email, and more — including services that feature built-in privacy protections as a selling point — most consumers have few if any options when it comes to choosing an ISP. According to the FCC’s 2016 Broadband Progress Report, 51 percent of households have access to only one high-speed broadband provider. If that provider decides to sell their data, they can’t vote with their wallets and choose another ISP.
There’s one last difference: Internet users can prevent companies like Google from spying on them as they surf the web. If you want to do something online without being tracked, you can use a variety of free tools that even powerful companies like Google cannot overcome. But nothing short of paying to use a virtual private network — essentially having to pay a fee to protect your online privacy — will protect you from your ISP.
Now that you’ve heard the FUD ISPs and the advertising industry are spreading, take a moment and help us protect your privacy from data-hungry ISPs: call Congress today and tell your senators and representative not to repeal the FCC’s ISP privacy rules!
Any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution License, unless otherwise noted. All material that is not original to EFF may require permission from the copyright holder to redistribute.