Six Reasons FCC Rules Are Not Needed to Protect Privacy

The Competitive Enterprise Institute has long been skeptical of the Federal Communications Commission’s (FCC) approach to regulating how Internet service providers (ISPs) use subscriber data. We filed comments expressing our concerns to the FCC in July 2016, before the agency adopted the rule, and again in March 2017. The FCC’s privacy rule, adopted by the agency in October 2016, regulates broadband providers’ data security practices and dictates how providers must obtain consent from their subscribers before collecting or disclosing user information. Last week, the Senate passed a Congressional Review Act resolution to rescind the misguided rule, while the House of Representatives is set to vote on the joint resolution on Tuesday afternoon.

Much of the narrative surrounding this debate centers on the fear that consumers will have no privacy protection if the president signs the resolution. But these fears, simply put, are based on a myopic understanding of the numerous laws, regulations, and institutions that protect our privacy on the Internet other than the FCC’s burdensome, legally questionable privacy rule. Here’s a partial list of all the things that are stopping ISPs from misusing customer data or selling it to third parties in a way that could harm Internet users.

Federal and state wiretapping laws. Under the Wiretap Act, it’s generally illegal to intentionally intercept or divulge the contents of electronic communications—including Internet traffic—without the consent of a party to the communications. Violators of this law are subject to criminal prosecution, while any person whose communications are illegally wiretapped may sue the perpetrator for $10,000 or more (plus attorneys’ fees and costs). In other words, if an ISP intercepts the contents of a subscriber’s Web traffic, or gives such data to an advertiser, that provider had better be sure it has the subscriber’s consent.

Although the Wiretap Act limits only the interception of the contents of communications, as opposed to metadata, the websites you visit—also known as URLs (uniform resource locators)—are arguably part of the contents of your Internet traffic, as the U.S. Court of Appeals for the Third Circuit explained in a 2015 opinion. The Ninth Circuit has adopted a somewhat narrower view of when URLs are “contents,” but there is agreement among the courts that URLs are protected by the Wiretap Act in at least some circumstances. Moreover, each state has its own wiretapping statute, many of which are modeled after the federal law.

State attorneys general. Every state has a law on the books making it illegal for companies to engage in deceptive practices. In nearly all of these states, the state attorney general (AG) may go to court to stop a company from deceiving consumers. And although some states also have enacted laws preventing regulation of Internet service providers, these laws generally do not apply to a state attorney general who wishes to bring an action against a provider that has engaged in deception. The upshot: In many states, if an ISP has represented to consumers that it protects their privacy and safeguards their data, that ISP must act in accordance with such representations—or else it may see one or more state AGs in court.

Litigation (or arbitration) against providers that violate their privacy policies. Nearly every ISP maintains a privacy policy or terms of service that sets forth the circumstances in which it may collect and disclose subscriber information, including users’ communications over the provider’s network. For instance, Comcast’s Xfinity privacy notice says that while the company may collect and store personally identifiable information when users visit websites, transfer files, etc., the notice limits the purposes for which Comcast may use this information—and sets forth when it may divulge such data to third parties.

Similarly, Verizon’s privacy policy restricts the company’s ability to share any information that individually identifies its customers with third parties outside the Verizon family of companies. Although this policy reserves the right to share certain information with third-party firms for advertising purposes, Verizon may do so only on an aggregate basis that does not individually identify any customers. Other providers, such as AT&T and Charter, also have privacy policies that do not permit the selling of personal Internet usage data to third parties without a subscriber’s consent.

Although an ISP may amend its privacy policy, it must notify its customers when it does so and give them a chance to opt out of any material change—either by continuing service under the original terms, or by discontinuing service entirely. But if an ISP fails to live up to its contractual promises, a customer may sue the provider for breach of contract—or, depending on the provider, the customer may be able to initiate binding arbitration against the ISP. A provider may also face liability under the common law, which has developed four torts protecting individual privacy, one of which affords injured persons a cause of action against the public disclosure of embarrassing private facts.

The FCC itself. Even without the privacy rule, the FCC is authorized under Section 201(b) of the Communications Act to police “unjust” or “unreasonable” practices by broadband providers, including conduct related to data privacy. Reversing the 2016 privacy rule won’t stop the FCC from adjudicating privacy violations on a case-by-case basis, as TechFreedom explained in a recent FCC filing. And the FCC can enforce its transparency requirements, which were adopted by the agency in its 2010 net neutrality rules and expanded in the 2015 “Open Internet Order.” To be clear, CEI opposed the FCC’s 2010 and 2015 rules, and we believe that Internet providers should not be regulated as common carriers. But so long as ISPs remain under Title II regulation, the FCC will have authority over their privacy practices, with or without the privacy rule in place.

Technologies that circumvent surveillance. Many tools can protect Internet users’ communications from ISP monitoring. Some of these are often “on” by default. For example, many websites now use HTTPS, which prevents an ISP from seeing full URLs and other content sent between its subscribers and any website that has HTTPS enabled. Other privacy-enhancing tools are readily available for a few dollars per month, such as Virtual Private Network (VPN) services, which I first highlighted in 2008. In the nine years since, VPN services have proliferated, and now command a large and growing following among Internet users. If you use a VPN, your ISP can’t surveil your Internet traffic, regardless of the security settings of any particular website or service.

The marketplace. Speaking of voluntary measures, not every hypothetical scenario involving unseemly corporate conduct justifies a federal regulatory response. We know that firms generally must compete to attract and retain customers, and the same holds true in the market for Internet service, despite increasing regulatory barriers. Contrary to popular belief, most people have choices when it comes to their Internet service provider. As of December 2013, over half of the U.S. population had access to at least three broadband providers offering 3 Mbps downstream—and as of December 2014, two in five U.S. households had access to at least two providers offering 25 Mbps downstream.

Given recent advances in mobile broadband, along with continually improving “standard tier” speeds offered by cable and DSL providers, these figures almost certainly underestimate the level of competition in the broadband marketplace. Thus, if an ISP were caught mishandling subscriber data or selling sensitive user information to unscrupulous third parties, the resulting outrage could have real consequences for that provider’s bottom line. Similarly, back in 2007, AT&T quietly changed its terms so that it could terminate a subscriber’s account for activity that “tends to damage the name or reputation of AT&T.” But after the media caught wind of AT&T’s controversial new provision, it soon became a major news story. Within days, AT&T relented to public pressure and nixed the language about hurting the firm’s reputation. Imagine the pummeling a firm would experience if it began “snooping through your traffic” in a harmful manner. Even if most consumers don’t read the fine print, all it takes is one person to notice a problematic change—and tip off a vigilant journalist or tech blogger—to spark a media firestorm.

In light of these laws and institutions safeguarding user privacy, members of the House of Representatives need not fear that voting for the joint resolution to rescind the FCC’s privacy rule will mark the end of individual privacy on the Internet.