Originally published by The Hill:
Consumer internet privacy: Leaving the back door unlocked
By Rick Boucher
The Federal Communications Commission’s (FCC) asymmetric approach to internet privacy is likely to create a false sense of security among web users. Despite stringent FCC privacy regulation of internet service providers (ISPs), consumers’ information will enjoy little protection when they are interacting on social media sites, shopping online or surfing the web.
The recent Senate hearing on Internet privacy that featured FCC Chairman Tom Wheeler and Commissioner Ajit Pai, along with Federal Trade Commission (FTC) Chairwoman Edith Ramirez and Commissioner Maureen Ohlhausen, underscored that the FCC’s approach to internet privacy — singling out ISPs while leaving the privacy practices of edge providers essentially unregulated — is unbalanced.
By analogy, compare internet privacy to protecting a house. Wheeler’s proposal only locks the front door to guard against ISP privacy violations, while keeping the back door wide open for edge providers, such as social media and e-commerce companies.
And that’s happening as the internet ecosystem shifts radically toward the ability of edge providers to make the greater use of consumer information. A recently released study demonstrates that the expanded use of end-to-end encryption renders ISPs incapable of accessing most data that moves across their networks. Meanwhile, edge providers have complete access to information about their users, and they have sophisticated processes for monetizing it.
Sen. Al Franken (D-Minn.) suggested a viable alternative that would be better for consumers: keeping both doors locked and assuring uniform privacy protections by both ISPs and edge providers. According to Franken, “Should they [consumers] choose to leave information with companies, they need to know this information is safeguarded to the greatest degree possible. Telecommunications providers and edge providers like Google need to ensure their customers have more information [on] the data being collected from them and if it is sold to third parties.”
The FCC claims it lacks authority over edge providers. The FTC regulates privacy through its “unfair trade practice” authority, under which enforcement only occurs when companies fail to deliver the privacy protections they promise. Neither agency can require edge providers to extend the privacy protections that Franken envisions. His goal could only be achieved if Congress conveys broader regulatory authority on one agency or the other.
Also better for consumers would be to keep both doors unlocked. It’s not ideal, but at least consumers would be aware that all of their personal data on the Internet, irrespective of the device, platform or service used, is susceptible to being tracked and utilized.
Each approach has strengths and weaknesses. The first approach would offer a consistent and enforceable set of consumer rights and expectations. However, Pai thinks the doors-unlocked approach would be better for investment and continued digital innovation.
If and until Congress acts to require edge providers to respect consumer privacy, the only way to assure parity of treatment across the ecosystem and give consumers clear privacy expectations is to rely entirely on the FTC to lightly oversee privacy for both ISPs and edge providers. As Ohlhausen said, the FTC’s approach, “which has been incremental and technology neutral, has allowed us to be flexible as technology changes.” It’s probably the best we can do under current law. Singling out one segment of the internet ecosystem for special and more onerous treatment is flawed policy.