FCC Changes the Rules of Personal Privacy

This September in New York City, InfoComm International held the third IoT Insights event where I was invited to speak about government policy issues and how that applies not only to the Internet of Things, but also to the audiovisual industry as a whole. You can see the Periscope stream of the presentation I gave that day here.
Sensing Your Data
One of the main topics of discussion that day was IoT (Internet of Things) and the development of all the sensors and smart devices that are putting more and more information out into the world so that devices and services can react to the circumstances themselves, without even having to consult the users. It hits a certain time of day and the building recognizes that it needs to lower shades because it’s sunny and the southern side will be exposed to extra light bleed and direct heat. It also knows to adjust the HVAC solution to lower the temperature on that side to keep it a consistent sixty-eight degrees so everyone in the office remains comfortable.
That’s a minor example of basic information being shared between devices, but what happens when that information becomes personal and must reach beyond the local network? For example, let’s look at a home that’s using Amazon’s Alexa. Through this device people can make something like a simple grocery list that will correspond to an app on their phone. To do this, Alexa has to gather the information from the user, reach out to the network and communicate to the third party application so that the data is received and filed correctly.
To perform this action, not only are edge services required to communicate with each other, the user must pass this data over an ISP because at least two different companies’ data servers will be used. Assuming the data isn’t encrypted – and not all data passing across a network is – that means that each of these edge service providers and any ISP involved in the transmission has potential access to that information and, depending on your user agreements, potentially has the ability to profit off of your personal data by analyzing it and using it internally, or by selling it to other service providers so that they can target what advertising you see.
Who’s Your Regulator?
In the past there has been one government agency responsible for protecting consumers and ensuring that personal information, and the right to determine who would have access to that information regardless of service agreements, was protected. This was all part of the domain of the FTC (Federal Trade Commission). However, as part of the FCC (Federal Communications Commission) passing the Open Internet Rules in 2015, they reclassified ISPs under their Title II provisions, which give them the increased ability to regulate the ISPs. This ended up creating a gap in regulation because the ISPs no longer fell under the jurisdiction of the FTC but the FCC didn’t have updated privacy regulations ready. This resulted in the first attempt to add regulation by exploring how the FCC could increase the amount of privacy that consumers have when dealing with their ISPs.
The FCC’s initial proposal, which was sent out for public comment in June, put forth the idea that consumers should have the ability to opt out of the ISP being able to track their personal information – including browsing activity – as well as the fact that ISPs would be required to get consumers to opt in to the ISPs being able to turn around and sell their personal information, like browsing activity, to third party service providers for targeted advertising. These rules were much more stringent than those put in place by the FTC, which have been all that the ISPs were required to meet. Obviously, this caused quite an uproar with most of the ISPs because now the FCC was looking at regulating one of their revenue streams.
Earlier this month the FCC started revealing some of the details of their proposed privacy rules. These updates clearly show that they have worked with and listened to the FTC as to what has been effective in the past, but it also demonstrates that they are attempting to go just a little farther as the new rules will establish a tiered system ISPs will be required to follow in gaining consent from the consumers. “Sensitive information,” like financial or health data, will fall under one set of rules while other types of data will have less stringent standards. Regardless, the new rules require ISPs to obtain explicit consent from consumers before using web browsing and app usage history.
Parent Company Privileges
The first problem that this creates is that now the edge service providers (web sites, online service providers, and other destinations people visit online) will have one definition of “sensitive information,” which was defined by the FTC, while the ISPs will have another as defined by the FCC. This double standard becomes difficult to enforce and will create confusion in regards to how that data is treated by each of the services handling it.
The second problem creates even more issues. What will be done about ISPs that own edge service providers? The most well-known example of this would be Comcast’s ownership of NBC Universal, or potentially, based on last weekend’s activity, AT&T seeking ownership of Time Warner. In the case where the consumer is using the ISP that owns the edge service provider, how is that data to be managed? If the edge service provider gains access to sensitive information, isn’t it possible that they would be required to share that information with their parent company? Wouldn’t this potentially violate the FCC regulation, giving the parent company, an ISP, access to that information to then be disseminated among other properties? Or vice versa? Without the text of the rules, it’s still unclear whether this loophole will be closed.
Theoretically, in the example above the content was obtained by the edge service provider within the FTC rules, but the rest is potentially highly suspect. But who would have jurisdiction? Would the FCC or the FTC be the government agency that pursues the violation? The FCC is defining sensitive information in regards to “the particular context of the relationship between the ISP and the consumer,” which leaves the door open for what’s happening above as a back door way for them to gain access to that information. This is especially true given that the FTC rules do not include things like web browsing and app usage activity, merely social security numbers, and health or financial information, while the FCC rules do look at web browsing and app usage as sensitive information.
Is Digital Privacy A Myth?
Our data is now the way that companies see us in the world. It’s how they are able to advertise to us, understand consumer trends, and strategically predict behavior. The battle for access to that data versus the securing of that data is going to continue to rage for a long time to come. It’s not just companies trying to gain access to our information, but also the government looking for easier ways to get access to our digital footprint. While the regulations above affect service providers and ISPs, there are other regulations being proposed out there, such as Rule 41, that would give government agencies access to more than just the data, but also our devices, without a warrant.
We have to remain diligent as technologists in understanding how the tools that we use every day (in this case the Internet) are being regulated so that we can best protect our customers and ourselves moving forward.
Today, October 27th, the FCC will vote on these new privacy rules. Once they have voted there will be a brief period before the rules are public, and almost certainly a period of lawsuits being filed by ISPs and their representatives to follow. While it’s good to see that the government is attempting to protect consumers, the litany of bad legislation that still exists and has to be accounted for will continue to cause problems for technologists and the average user for decades to come. Without drastic reform our regulations will always be a step behind protecting adopters from the next wave of innovation.
UPDATE: The rules were approved by the FCC.
