Clearing up the Senate’s confusion on FCC privacy rules

At an oversight hearing on Wednesday, the Senate Commerce Committee confronted Federal Communications Commission Chairman Pai with questions over last week’s partial stay of the commission’s broadband privacy order. While privacy rules are certainly highly complicated, comments from some senators telegraphed a fundamental misunderstanding of what has been done to date to protect consumers, and given the current ecosystem, what the FCC’s proper role should be going forward.

For instance, Democratic Massachusetts Sen. Edward Markey framed the unprecedented expansion of FCC authority over ISPs as exactly the obverse of reality: “The privacy rules that are on the books aren’t cumbersome. They’re not complex or complicated. They’re common sense.”

{mosads}But the rules he refers to are neither well established nor rooted in common sense.

In fact, the order was pushed through by the former chairman, Democrat Tom Wheeler, who put it “on the books” in late October, and stayed it in (relevant) part before it was ever implemented. No firm has ever been governed by these rules and no consumer has ever been “protected” by them. What is actually “on the books” — in the sense that it is long standing practice at both the FCC and the Federal Trade Commission — is a case-by-case approach to dealing with alleged privacy harms that deters bad conduct by forcefully addressing it when it arises, rather than imposing a new prescriptive rule that provides little guidance to reasonable actors, and which could deter useful experimentation.

During Wheeler’s term, for instance, the commission investigated and brought to resolution claims against both TerraCom and Verizon over specific allegations of privacy violations.

And it’s important to remember that the FTC set the precedent for case-by-case enforcement of privacy harms. It wasn’t until the FCC displaced the FTC as the cop on the privacy beat through Title II reclassification in 2015 that the FCC even became broadly relevant to privacy enforcement. Thus the long-established practice — what can be much more fairly characterized as “on the books” — has been case-by-case enforcement and not ex ante rules.

Further, the substantive problem with Wheeler’s order is that it sets up a bifurcated privacy regime without providing any justifying analysis. With scant attention paid to business realities, it arbitrarily applies one privacy standard to ISPs that is not applicable to edge providers. This approach makes it confusing for consumers to understand their rights across all of their Internet interactions (including both ISPs and edge providers). The truth is that there is nothing particularly different about an ISP using consumer data for marketing or service improvement than an edge provider using the data for the same purposes. It makes little sense to have different privacy rules for data depending on how it is transmitted — whether it happens to pass through an ISP’s facilities or an edge provider’s servers.

Yet, according to proponents of the commission’s flawed approach under Wheeler, ISPs are “gatekeepers” with unparalleled access to consumer data. But as my colleagues and I noted in our filing to the FCC this week: “ISPs’ access to sensitive data is not, in fact, unique, and contrary to the order’s cherry-picked assertions, the latest comprehensive analysis suggests that ISPs’ access is more limited than that of many edge providers. Having ‘some’ access is very different than having ‘comprehensive’ access.”

The order itself tries to dance around this data access point by claiming that “only three companies (Google, Facebook, and Twitter) have third party tracking capabilities across more than 10 percent of the top one million websites, and none of those have access to more than approximately 25 percent of web pages.”

This assertion is highly misleading. Looking at a share of all webpages is far less useful than is looking at the share of all unique user visits. On that dimension, the top 10 websites account for 33 percent of all US website visits — and all of these websites are tracked via ad networks. Further, the major platforms employ encryption, which effectively removes ISPs’ access to relevant data.

Thus, far from the characterization of ISPs as major gatekeepers comprehensively collecting user data, the reality is that social media, search and e-commerce platforms are in a much better position to record and utilize consumer data.

So yes, Sen. Markey, let’s go back to the rules that have been “on the books” for a long time. Let’s restore the privacy principles that developed as a result of the FTC’s and FCC’s historical practices around privacy protections, and not create a new regime that creates distinctions in governance with respect to activities, and actors, that are rapidly converging in both form and function.

Kristian Stout is the associate director for innovation policy at the International Center for Law and Economics, a non-profit global think tank.

The views expressed by contributors are their own and are not the views of The Hill.