Sruti Mamidanna

Amidst the controversial debate regarding consumer’s online privacy, President Trump signed a bill last Monday that repealed online privacy protections put forth by the Federal Communication Commission (FCC) under the Obama administration. Opponents of the bill, including the targeted Internet Service Providers (ISPs), adamantly claim their service privacy provisions won’t change.

But what the repeal has done is parlously unleash ISPs into a lucrative, unregulated minefield of user’s private information and online activity, opening the doors for third party ad campaigns at the expense of price gouging customers. The crux of the debate isn’t just the methodological ethics of how ISPs like AT&T, Comcast, and Verizon collect and share customer’s data. It’s about the consequences of lacking formal rules that require ISPs to explicitly state users’ privacy rights.

In the feud over net-neutrality, the FCC passed an Open Internet Order in 2015 that essentially treats the Internet as a public utility, thereby considering ISPs such as Verizon’s FiOS, Comcast’s Xfinitiy, and Charter Spectrum as “common carriers.” Prior to the 2015 order, ISPs were regulated by the Federal Trade Commission (FTC), but after being reclassified under the Telecommunications Act of 1996 as “utility services,” service providers fell under the oversight of the Federal Communications Commission (FCC) which aimed to place more regulatory pressure on how ISPs aggregate and utilize customers’ data. Under the FTC, the privacy provisions for ISPs required that customers be given the option to opt-out of having personal information, browsing history, and app usage monitored and shared at the company’s leisure.  

Had the new FCC regulations been enacted, ISP’s would be required to not only explicitly state customer’s opt-out privacy rights, but be required to gain advanced permission — known as “opting-in” — before collecting and sharing user data.

Now if we consider the likelihood that customers will remember or even know to opt-out of service features, it’s easy to see why there was heavy backlash from ISPs over the new FCC rules about advanced opt-ins. Additionally, ISPs argued against the bill’s unfair exclusion of big websites like Google and Facebook, who arguably track more of user’s information. Moreover, statements issued by ISPs like Comcast, Verizon, and AT&T to quell the repeal controversy emphasize their voluntary commitment to the former FTC opt-out rules, and note the increased encryption of the online world that is already inaccessible to third parties.

Thus, the future for the repeal becomes a question of hypotheticals where we are being asked to trust the privacy ethics of ISPs who now have greater liberty to change policies due to minimal regulatory guidelines. And quite honestly, their track records are off to a rocky start.  

For instance, Carrier IQ (CIQ) faced tremendous backlash in 2011 after investigations found the app software pre-installed on nearly 141 million devices purchased by Sprint, AT&T, and T-Mobile. The software recorded user key-presses, mobile device app usage, and more frighteningly, encrypted URL viewing history which led to a still unsettled class-action lawsuit. While CIQ, now absorbed by AT&T, claimed they only collected and reported information to network carriers and device manufacturers about app crashes and internet accessibility, there is a larger concern about the lack of transparency from providers to consumers.

Even when ISPs discuss the safety net of an increasingly cryptic web, they avoid outlining the ways in which they consciously dismantle those provisions. In 2014, Verizon was fined 7.4 million dollars for injecting a “super-cookie” tracker, known as X-UIHD, without user consent. Despite enabling private browser modes, the tracker monitored activity across several websites, creating a profile of customer’s browsing history, and thus aiding third party advertisers collecting consumer data.

These examples represent a need for the enforcement of concrete rules not left to the interests of the service providers, but in a method of regulation that prioritizes the privacy of users. Privacy is not a question of cherry-picking what is personal or collective. So, the issue of data collection is not about defining what ISPs can do with customer’s “sensitive” and “non-sensitive” information. The bottom line is that we are beholden to the service providers near us, and even more so under this repeal, which places customers at the discretion of companies’ self-enforced honor systems in delineating privacy practices.