New Rules Intended to Protect Your Online Privacy Are Already Under Threat
At a time when our country is divided about so many issues, there’s an area of overwhelming agreement: the importance of privacy. An October 2016 study by Pew found that 91 percent of adults feel they have lost control of their personal information. That’s hardly surprising. Our extensive and growing connectivity not only makes us vulnerable to hacks, it also leaves behind a digital trail that can reveal a lot about us as individuals—websites and locations we visit, our fitness routines, the settings on our thermostats, and much more.
Increasingly, such tracking occurs across the devices we use, so it combines information from, say, your tablet with information from your laptop. It may also include viewing information from smart televisions and external streaming devices, and health information from wearables and activities on apps. Much of this data collection is actually not transparent to us—and it’s done, without our knowledge or consent, by companies that we have no direct relationship with.
Just this week, the Federal Trade Commission settled a case with television-maker Vizio for secretly collecting detailed information about what people watch on their TVs—whether it’s from their cable connections, online, or even their DVD players. (One of us, Terrell McSweeny, is an FTC commissioner.) Vizio sold this information to advertisers and other companies that used it to monitor viewers’ reactions to certain programs and advertisements, such as whether they visited a website on their smartphone after viewing an ad on TV. Consumers were left in the dark about the whole scheme.
For years, the FTC has been the lead federal agency in protecting the privacy and data-security rights of the American consumer by bringing cases against companies that act against consumers’ privacy interests. The commission has also advocated for telling consumers about the data being collected about them and for offering people a choice before sensitive information—like data about their health, finances, children, or geolocation—is gathered and shared.
But the system has worked because the FTC has not acted alone. Other federal agencies (including the Federal Communications Commission) and state attorneys general have been helpful in this mission. For example, in 2014, the FCC fined two phone companies that left their customers’ social security numbers unprotected in public folders on the internet without password protection or encryption. Absent a comprehensive federal privacy law that provides protections to consumers across the entire internet ecosystem, the next best way to protect the American consumer is to continue to have multiple strong cops on the privacy beat.
In October, the FCC took the historic step of enacting basic consumer-privacy rules for internet service providers and wireless carriers. These new rules were aimed at providing people with a choice about whether to allow their carriers and cable companies to use and share their sensitive personal information. They are remarkably similar to the enforcement practices of the FTC’s long-standing and successful privacy program.
Unfortunately, with the change in administrations, one of the first orders of business for the cable and broadband companies (not to mention the Trump White House and congressional Republicans) is to rescind these rules. But removing them would essentially leave the cable and phone companies without any privacy regulator. These companies would have free rein to track and monetize their customers’ data without offering consumers any choice of control over who gets to see their information or how it is used. Since most of us have very little choice when it comes to what broadband service we use, we will have no choice but to accept these practices in order to stay connected.
This is particularly concerning given the growing range of devices we connect on our bodies and in our homes to the internet. Recent research has shown that even when these devices are encrypted, it is relatively easy to infer our behavior inside our homes based on traffic patterns and data flow.
Some argue that the FCC’s rules are unfair to internet service providers because platforms and websites are not under the same rules. As the Vizio case demonstrates, the FTC is prepared to step in to stop unfair tracking. But absent comprehensive privacy legislation, the FTC can only step in after harm has already occurred, and it does not have the same jurisdiction over ISPs like the FCC.
Critics of these rules contend that this different treatment between ISPs and websites creates so much consumer confusion that it would be better to have no rules at all. This is simply wrong. Eliminating protections and choices for consumers is not an effective way to restore trust in the security and privacy of their information.
American consumers visit billions of destinations on the internet through a multitude of devices. Broadband providers potentially have access to every bit of data that flows from a consumer. That type of access demands a set of rules that matches the long held expectations of Americans—that we should have the freedom to control access to the most sensitive information about our daily lives.
As two policymakers who take consumer protection very seriously, it is our hope the Trump administration stands up for these common sense rules. During the presidential campaign, there was a lot of talk about protecting the little guy. These rules do just that.
Rep. Frank Pallone Jr. is the ranking member of the House Energy and Commerce Committee.
Terrell McSweeny is a commissioner at the Federal Trade Commission.