As our online footprints grow in size and scope, it is more important than ever for Internet companies to protect us against hackers and disclose how they use our personal data. The Federal Trade Commission was long the main privacy cop enforcing these essential consumer protections. But last year, the FTC’s sister agency—the Federal Communications Commission—reclassified broadband ISPs as common carriers outside the FTC’s jurisdiction. Unless the courts reverse that decision, there are now two privacy cops on the Internet beat. The FCC polices ISPs like Verizon (VZ), Charter, and Sprint (S), while the FTC continues policing everyone else, from Google (GOOGL)and Facebook (FB) to Apple (AAPL)and Amazon (AMZN).
The critical question is how the FCC will exercise its new privacy powers. In our view, the FCC should follow the same basic approach that the FTC has successfully developed and enforced since the dawn of the commercial Internet.
The FTC is mainly an enforcement agency rather than a regulator. It goes after companies when they break their privacy commitments to consumers or take actions that cause consumers real harm. This enforcement-oriented approach has a proven track record of success. It is flexible and promotes high-tech innovation, but it has held hundreds of companies, large and small, accountable when they crossed the line.
The FCC should hold ISPs to the same privacy standards to which the FTC successfully held them for many years—and to which the FTC still holds all other companies. We were disappointed, then, when the FCC recently proposed to subject ISPs to a detailed set of burdensome data-privacy rules with no precedent in the FTC’s regime. These rules would severely restrict how ISPs may use consumer data. For example, they would prevent any ISP from offering its own branded home security system to its existing customers without their advance permission. The rules would further subject all ISPs—and ISPs alone—to unprecedented compliance costs and keep them from efficiently monetizing online data in the same way that Google and Facebook have long done, with astounding consumer benefits. Such restrictions would exert upward pressure on broadband prices and undercut the FCC’s central mission of promoting broadband investment and adoption.
Ironically, the proposed rules would do very little to promote the cause of “privacy” in the first place. If they are adopted, all other participants in the Internet ecosystem will remain exempt, will continue collecting all of the same information that the ISPs would have collected, and may continue selling the same information as before to the same data brokers. The Big Data marketplace will carry on—except, ironically, the FCC will have insulated its largest players from ISP competition. Meanwhile, the rules would simply confuse all but the savviest consumers about what data is, and is not, subject to collection and use.
The FCC nonetheless suggests that ISPs should be treated differently from all other Internet companies because, it says, they “have direct access to potentially all customer information” transmitted over their broadband pipes, whereas non-ISP companies do not. But that is factually incorrect, as former Clinton administration Privacy Czar Peter Swire recently explained in his comprehensive report on ISP data collection. First, ISPs cannot read encrypted communications, and most Internet traffic is now encrypted. Indeed, almost all of the top websites now encrypt by default or on user log-in. When you type “nearby hospitals with oncology practices” into Google’s search engine, Google knows you’re asking about cancer treatment, but your ISP does not.
Also, any given ISP today handles only a portion of a typical consumer’s Internet traffic. Suppose you use your Android smartphone on your home wi-fi network in the morning, switch to a wireless network during your commute, then switch to your work wi-fi network when you arrive at the office, and then switch again to a Starbucks wi-fi connection during your coffee break. On the same Android device, you might have used four separate ISPs, and any given ISP handled only a fraction of your communications. But you used your phone’s Android operating system and Chrome browser throughout the day, giving Google potentially broad insights into your online profile.
The FCC additionally suggests that ISP-specific regulatory burdens are needed because consumers find it harder to make privacy choices by switching among ISPs than by switching among rival non-ISP providers. But that, too, is factually mistaken. T-Mobile, Verizon, AT&T, and Sprint bombard us daily with inducements to switch providers. It would be far easier for you to take them up on those offers than switch to a different social networking site or abandon your Gmail account.
We remain hopeful that the FCC will adopt a less rigid, more FTC-like approach to the privacy practices of ISPs. FCC Chairman Tom Wheeler recently acknowledged that one of the challenges in protecting privacy “is to make sure we are consistent with the FTC’s thoughtful, rational approach.” Let’s hope that the FCC will take these words to heart and build on the proven success of its sister agency.
Jon Leibowitz is a former U.S. Federal Trade Commission Chairman and Jonathan Nuechterlein is a former FTC General Counsel and U.S. Federal Communications Commission Deputy General Counsel. The authors are now in private law practice and represent ISPs, among other clients. The views expressed here are their own.