Over the past few weeks, an extensive scare campaign has misled many Americans into believing that Congress and the Federal Communications Commission (FCC) are threatening their Internet privacy. These untrue accusations have generated borderline hysteria, to the point where, as an FCC commissioner, I was grilled by two friends on the topic at a recent wedding. To counter this misinformation, it’s important to understand how data is currently used in the Internet economy, which federal agencies oversee Internet privacy, and the effect of legislation recently enacted by Congress. At the same time, we must consider what can be done to protect consumers’ private information no matter whose hands it ends up in, on and off the Internet.
Everyone should acknowledge a simple truth: The heart and soul of today’s Internet economy is the collection of data, mainly for use in targeted advertising. From commercial companies to political campaigns, advertising dollars are increasingly being spent on the web, rather than on traditional media. Jeopardize this arrangement and a vast number of free Internet features and functions will evaporate in short order.
Take for instance Google, which is one of the largest American companies and certainly a dominant Internet force. It makes a large portion of its overall revenue from the desktop and mobile versions of Google search, even though this service — and Google’s many others, such as YouTube and Gmail — are essentially “free” to use. Its largest revenue stream comprises advertising based on keyword searches from users and ad placements from third parties. It collects, slices, and dices users’ search information for purposes of performance analytics, which allows for greater precision in the targeting of ads to interested consumers — a proven source of profit. It is by no means alone in its approach, as almost every Internet entity (webpages, applications, operating systems, e-mail clients, etc.) collects consumers’ data in one way or another. In fact, those that fail to do so have effectively found themselves shunned by the debt and equity markets.
In terms of current privacy protections, Internet-data collection and use has been and remains effectively overseen by the Federal Trade Commission (FTC), with a few notable exceptions. In particular, in 2015, the FCC decided to impose draconian regulatory burdens on broadband providers under the misnomer of the “Open Internet.” One consequence of the FCC’s decision to assert authority over broadband providers was to dismantle the FTC’s previous role in overseeing the privacy practices of these very same entities.
To address the void it had created, the FCC then decided, in the waning days of the Obama administration, to devise its own privacy regime exclusively for broadband providers. Unwilling to replicate the FTC’s time-tested and sensible approach, the FCC ratcheted up the privacy standard to require new “opt in” procedures for hastily defined categories of data, such as application usage, web-browsing history, and geolocation. This was done even though this data can be used for benign and consumer-friendly purposes.
The disparate treatment of broadband providers as compared with all other Internet companies is important, and it helps explain the recent legislative activity (but not the attendant uproar). Using the Congressional Review Act, Congress recently passed, and President Trump signed, legislation to effectively nullify the new FCC privacy rules before they even went into effect. Basically, lawmakers rejected the FCC’s creation of an uneven playing field disadvantaging broadband providers. Congress found — rightly, I think — that there was no reason to single out the privacy practices of broadband providers for heightened scrutiny, especially since they have less access to consumer information than other Internet companies. This is, in part, because the increased use of encryption technologies throughout the online ecosystem cloaks such data from broadband providers’ collection or use, and in part because the availability of multiple platforms from which consumers can access the Internet (e.g., wireline, wireless, or Wi-Fi networks) means that no one provider can have the full picture of an individual’s habits required to effectively deploy targeted ads.
Some will try to argue that Congress’s action, combined with a questionable recent Ninth Circuit Court of Appeals decision, creates a loophole for broadband providers to exploit. These agitators suggest that the Ninth Circuit’s decision, which utilized an exceedingly broad interpretation of the law and may yet be overturned on appeal, means that the FTC effectively cedes its power to protect users’ privacy whenever a company initiates a so-called “common carrier service.” Others will complain that broadband providers can now sell individual consumers’ browsing histories. In point of fact, these arguments are red herrings. By using its powers under the CRA, Congress has paved the way for the FCC to reset broadband privacy when it revisits its “Open Internet” decision, hopefully soon. One option squarely on our plate is to delete those rules altogether, thereby reinstating the FTC’s historic role in holistically and rationally overseeing the privacy practices and commitments of all participants in the Internet economy.
Moreover, a common review of the privacy practices of Internet companies reveals that they generally meet the privacy expectations of their users. These companies have little interest in abusing their customers’ trust, insofar as doing so risks losing valuable business. For instance, contrary to popular belief, no respectable company — broadband provider or otherwise — sells the web-browsing histories of individuals; instead, many websites, e-mail services, and apps sell ad slots based on data about prior user Internet activity, provided most commonly by browsers or search engines. In other words, if individuals search for high-end women’s shoes, they may see instantaneous targeted ads for Nordstrom or Jimmy Choo. But most broadband providers don’t do this and don’t have the capability to do it even if they would like to.
While the current FCC can act to reinstate the FTC’s authority by undoing the overreach of the “Open Internet” decision, a long-term and sustainable solution to consumer privacy is for Congress to step forward and enact balanced privacy legislation. Ideally, any such legislation would govern offline and online information collection and use practices alike, protecting appropriate uses of collected data. It would clear up any residual uncertainty caused by the Ninth Circuit’s ruling. And it would establish rules based on how sensitive particular information is to users, rather than what type of information it is or who possesses it. Anything less would do a disservice to Internet companies and consumers alike.
— Michael O’Rielly is a commissioner of the Federal Communications Commission.