Bridge Pier 16-1: Comments to the FCC Regarding Privacy and Broadband

May 27, 2016

Marlene H. Dortch

Secretary

Federal Communications Commission

445 12th Street S.W.

Washington, D.C. 20554

 

Re: In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

WC Docket No.16-106

 

Dear Ms. Dortch:

The Commission has proposed, in its words, “to apply the traditional privacy requirements of the Communications Act to the most significant communications technologies of today: broadband Internet access service.”  Further the Commission claims that “both consumers and Internet Service Providers would benefit from additional” rules. The introduction of the NPRM goes on to claim that such rules will be the silver bullet for consumers to protect themselves, that ISPs are the one part of the Internet ecosystem with consumer information and power, and that the FTC is not competent to use its long standing authority in the area of consumer privacy to protect users of modern communications systems.  The entirety of this justification and explanation is nothing short of abusive and breathtakingly wrong.

Let the Consumer Beware

The proposed rule in no way will lead to the stated goal of protecting consumers.  In fact, the logical and obvious result of the proposal is to create a confusing thicket of government privacy rules emanating from both the FCC and FTC which will lead consumer confusion and likely real harm.  Flying in the face of fact based decision making the Commission has proposed to pursue a course founded on illusory correlations and selective perception. As is well known, organizations fail or succeed based on their decision making quality.

Fact based decision making relies on hard facts and verified observations.  While other factors may be part of decision-making, such as a “hunch” or “hope,” those factors are inferior to facts.  Time must be taken to gather facts and data even before determining and framing the issue.  The facts must be weighed and options provided before a legitimate final decision, or a “proposed rule,” can move forward.  In this case, the proposed rules seem to have been created with the intention of completely ignoring reality, and the facts.  Not even a simple cost-benefit analysis has been provided.

The rules single out one part of a complicated and interdependent ecosystem, for intrusive discriminatory regulation.  Consumers need clear and consistent rules, not being left to suffer at the hands of faulty decision making, or to suffer from rules transparently designed to intentionally hamper an arbitrary part of a whole.  An action the will predictably  lead to higher costs and less competition.  Consumers should not be the pawns of a regulatory authority that repeatedly places the protection of consumer data beneath institutional desires.

The FCC has been here before – being arbitrary in trying to layer heavy handed privacy rules on the Internet ecosystem.  In U.S. West, Inc. v. Federal Communications Commission the court noted that the FCC failed to justify that their scheme was the least intrusive to free speech, and failed to prove that the government’s interests trumped the constitutional concerns of consumers.  In short, the FCC failed to demonstrate any facts or urgency as compared to the consumer’s best interests.  The proposed scheme at issue today could easily be met with similar concerns and once again be frowned upon by the courts.  Truly putting the consumer first is one way to avoid many problems.  Yet, the FCC does not point to real or even perceived consumer harms to justify an ISP-specific regime.

There is an Internet Eco-system

A change to any part of the ecosystem has an impact on all parts of the ecosystem.  The well-being of the Internet, at least as it exists in the U.S., is dependent on all parts of the ecosystem being healthy, and free from interference.

Platforms such as social networks, search engines, operating systems, webmail, browsers, mobile apps, and e-commerce, all too with access to data, are proliferating.  The relationship between these various layers in the stack of the ecosystem, including service providers is tightly woven in part because of vertical integration but also because of contracts and interdependencies.  Upsetting or isolating one part of the stack does not necessarily lead to linear and predictable results.  In fact, observation informs us that the opposite is typically true.  Innovation in the Internet and communications space moves rapidly but unevenly.  That is a fact.  Perhaps nowhere else is “supply creating its own demand” more observable than in this technology space, yet even understanding that only allows innovation experts the most slender of chances to understand where innovation is headed next.  Regulatory hubris regularly leads to any number of unintended consequences and is damaging pollution to this ecosystem. Desperate attempts to try to bring order to what, to continue to be effective, is not orderly are doomed to failure or will only succeed in suffocating innovation.

These sorts of antics distract from the very real issue at hand – that the Internet ecosystem is often under attack and as such the entire ecosystem needs to respond, not be divided. True success in the digital world is achievable when all parties understand that they cannot stand on their own, that in fact an economically thriving digital ecosystem requires cooperation with an eye towards what is best for the broader ecosystem. The distributed nature of the Internet is a fundamental part of its design, and no one entity can be an island. Stakeholder cooperation is imperative for the success of all – and that includes a FCC that truly understands this ecosystem and does not attempt to use it for its own ends.

The Power in the Ecosystem

Recent news about Facebook and its means of selecting trending topics, as well as Google’s decision to no longer allow ads by certain industries, both demonstrate that there is “power” in various parts of the Internet ecosystem.  In neither case were service providers involved and yet end results were altered. That “power” – market power – is not a bad thing and consumers wield it as well. Contrary to the FCC’s bias as expressed in this rulemaking, it is not the service providers alone that might have some ability to affect a user’s experience, but neither are the consumers powerless. This proven reality exposes that the FCC’s proposed rules will do nothing to increase consumer protection, but instead will burden only one part of the ecosystem with intrusive regulation even while backing away from the so called consumer protections in other areas. In short, the proposal is reckless.

None of this is to say that there is not a real threat posed by hackers whether with malicious intent or simply on a lark.  Instead of taking action to try to alleviate that problem, the FCC is proposing rules that would only be applied to ISPs with respect to consumer data, apparently ignoring how the ecosystem operates.  But access to consumer data is far from unique to ISPs.  As stated by FTC Commissioner Ohlhausen, “The FCC proposal applies to just one segment of the Internet ecosystem, broadband ISPs, even though there is good evidence that ISPs are not uniquely privy to your data.”

And this data, known as Consumer Proprietary Network Information, is not a means for collecting the most intrusive information that some companies in other parts of the ecosystem do collect online.   An analysis earlier this year was stunning clear in its title and the conclusions, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others,” Feb. 29, 2016 by Peter Swire, Justin Hemmings, and Alana Kirkland. (http://www.iisp.gatech.edu/working-paper-online-privacy-and-isps).

The challenge of protecting customer’s online privacy only incidentally involves ISPs.  Rather, the challenge is ecosystem wide as was indicated in a Pew report cited by the FCC.  The report demonstrates the concern about consumers’ expectations of privacy on the Internet at large.  The report does not cite anything specific about ISPs as the FCC tries to make it seem in paragraph 129 of the NPRM, when it writes, “More recently, studies from the Pew Research Center show that the vast majority of adults deem it important to control who can get information about them.”  Further, the FCC refers back to a 2002 FCC order, before any suggestion of mobile apps or an iPhone or even Gmail and writes “Research demonstrates that customers view the use of their personal information by their broadband  provider differently than disclosure to or use by a third party for a variety of reasons.”  In Internet time that “research” is ten generations old – useless.  Taken together, these weak and misleading arguments make a case that even the FCC itself does not believe what it is doing is justifiable.

In fact, the opposite of the FCCs baseless assertion is true. As research published in the Harvard Business Review (https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust) and by the Pew Research Center (http://www.pewinternet.org/files/2015/05/Privacy-and-Security-Attitudes-5.19.15_FINAL.pdf) have shown, consumers do not seem to think that ISPs are problematic and actually trust their ISPs typically more than they do other operators in the ecosystem.

The FCC again ignores this reality and rushes forward to hinder one part of the ecosystem, inserting greater costs with a proposal that will solve nothing given that the FCC has no authority over the vast majority of the companies in the ecosystem including those best known for manipulative and abusive data strategies.  Under the FCC proposal, these entities will continue to collect and use data for their own ends.

Solutions Should Be Pro-Consumer, Based in reality and Not Simply Pro-Regulatory or Anti-ISP

The thought is not original, but it is accurate and should carry more than fair share of weight in this rulemaking. Chairman Wheeler: “The pace of innovation on the Internet is much, much faster than the pace of a notice-and-comment rulemaking…We cannot hope to keep up if we adopt a prescriptive regulatory approach.”

There was a time when Washington would react negatively to new technologies, being concerned, if not afraid, of the impact that those technologies might cause to privacy – never recognizing that tools are just tools, often equally available to be used for good or for evil.  But the FCC is blazing new trails, fearing technology that is already well known. Instead solving the problem the Commission has dreamt up instead it moves to create a prescriptive regulatory system ensured to create consumer confusion, harming the very protections consumers already enjoy.

The proposed rules will fail, not just ultimately but immediately, primarily because the rules are designed to only burden one part of the Internet ecosystem, ISPs, rather than targeting the presumed problem.  In turn consumers will be left with a confusing message about how online data is collected and shared.

Placing ISPs in a category bound by rigid rules around data, and then arbitrarily limiting what businesses they can pursue, is wrong for consumers and certainly does not comport with any tenant of competition, a level playing field, fairness or a free market.  Just picking one example, Google would have to juggle two different and conflicting sets of privacy regulations even while trying to explain such nonsensical government interference to its customers.  In the end, industry is left holding the bag of liability, and hence costs, when it has no unique access to consumer data.  A lesson should have been learned by the FCC in the case of Netflix in March of this year.  As was noted in the Washington Post, slower Netflix mobile video speeds for Verizon and AT&T customers was not due to actions of the ISPs, but rather occurred because of bad behavior by Netflix – throttling speeds for its customers and blaming the resulting problems of “interconnection congestion” on others.

Yet the FCC declined to investigate claiming that such bad conduct was “outside” the FCC’s purview and rules.  Apparently the Commission has yet to realize that this incident highlights the real problem and is precisely what leads to consumer’s confusion – different rules for different pieces of a consumer’s whole.  Varying rules for various parts of one eco-system is a less than well thought out idea, and will harm the ecosystem itself.

If regulations are needed then the correct regulatory approach is obvious, a consistent treatment with consistent rules of all those who compete in the Internet ecosystem with access to data, much like what the FTC has accomplished.  If the FCC feels it needs to be involved in the policy issue to somehow demonstrate its relevance then again a better approach is obvious – a coordinated multistakeholder process of regulators and the actors in the Internet ecosystem.  Such a process should focus on what regulators can do to enable all parts of the ecosystem to thrive, how artificial barriers to innovation can be removed for an increasingly robust marketplace that drives real benefits to consumers.  Such a process should also be designed to address the Chairman’s correct observation that modern regulatory approaches are a hindrance to innovation, and therefore a drag on consumer benefits.  But to reiterate, the better decision is to forebear from pushing into the privacy space at all.

The goal should not be to engineer excuses to try to discriminate against particular part of the ecosystem, thereby limiting the disruption in online advertising.  ISPs are not even listed among the top ten competitors (and those ten own 70 percent of the market) in the online advertising space. This underscores the lack of a factual foundation for the NPRM.

Why arbitrarily remove service providers from the competitive landscape?  Why hinder competition that would drive more benefits to consumers through greater competition? These are good questions and have to be answered by the FCC. These should be necessary precursors to any discussion, much less a proposed rulemaking.  The real issue should be whether a set of meaningful and consistent protections for consumer online data can be created.

A New Additional Regulatory Agency is Not the Answer

There is a fundamental difference between private and public sector when it comes to the collection and use of consumer information.  Government hardly has a record in protecting data privacy that would lead one to believe that it has the answers to adequately handing such concerns.  The FCC has  recently struggled to handle even simple routine and expected comments with its systems (human and otherwise), much less handling issues that are much more sensitive and that by the day can get worse if not addressed.

This alone argues against more, if any, government intervention but certainly places a cloud on any FCC desire to enter into an area where it lacks expertise and authority. And it is not like there is no government already.

Essentially since the beginning of the World Wide Web the FTC has had oversight of the entirety of the Internet ecosystem, including ISPs.  Specifically the FTC has helmed a regime that has been focused on deceptive and unfair practices and constantly focused on how data has been collected and used.  In that time, an entity’s business model or where they have been in the technology stack has not been a point of concern.  Why this is the case is obvious – consumers are not concerned with those details but rather with how data is used and appreciate that such a system empowers them with more control.  Under this comprehensive FTC approach there have been very few ISP-related privacy or data security issues.  Over the same time the FTC has had to take action on data issues many times against others in the Internet ecosystem.

As MANA National President Amy Hinojosa’s recently wrote in The Huffington Post, “The FTC is the lead federal consumer protection agency and has been a strong cop on the beat for our privacy. But in a classic case of the ‘law of unintended consequences,’ the FTC had the jurisdictional rug pulled from under its feet for a small portion of the internet — broadband providers — due to legal changes contained in the Open Internet rules passed last year.” Hinojosa writes, “As a result, the FCC — which regulates telecommunications — is now eager to put their footprint in this space by knitting a patchwork set of rules that would apply narrowly to broadband companies while exempting everyone else. In fact, the rules under consideration at the FCC would be a huge step backwards for consumers — confusing consumers and increasing the risk of abusive or discriminatory use of our data online.” Hinojosa argues, “Instead of an inconsistent patchwork based on false assumptions and a misreading of the privacy threat, the FCC can and should step back and put consumers ahead of this jurisdictional land grab and learn from the success of the FTC approach that puts consumers in the driver’s seat rather than in a maze.”

Part of the problem is that the FCC dos not have relevant experience in the consumer privacy realm.  While the Communications Act does convey a limited amount of power to cover consumer privacy of satellite and cable subscribers, the actions that the FCC has taken have been almost completely about billing information. The authority conveyed with relation to telephone subscribers is somewhat broader but is silent regarding the broad range of information that can now be gathered.

Further, the FCC lacks the tools to pursue the best enforcement.  The FTC is limited in bringing to bear any forward looking rules but rather conducts enforcement proceedings after a determination that it has the authority to do so under the relevant law.  Such actions send signals to the marketplace as to what is within and outside the bounds of acceptable and legal behavior.  This allows for flexible solutions and for innovation to flourish.  On the other hand, the FCC makes new rules which quickly constrain the marketplace with enforcement actions being brought if the rules are violated.

The FCC lacks the reach to address the issue regardless.  Section 222 of the Communications Act does not provide a basis for the expansion of power that the FCC is seeking.  Specifically, section 222(h)(1) contemplates records of phone calls and billing information, not authority over the sorts of data the FCC is trying to claim.  To say otherwise is not just a stretch, but a story woven of whole cloth.

Regardless the entire focus of the proposal is wrong.  Positive public policy is encouraging, increases competition and cheers on innovation.

Moreover, the private sector should lead. For the information economy and online culture to flourish, the private sector must continue to lead through self-regulation. Innovation, expanded services, broader participation, and lower prices will arise in a market-driven arena, not in an environment burdened by over-regulation.

Government should avoid undue restrictions on the information economy. All parties, consumers, industry and others should be able to buy or use online services with minimal government interference. Unnecessary regulation of online activities will distort development of the information marketplace by decreasing supply and raising the costs of products and services for the consumer.  Governments already possess tools to address the proposed problem presented in the proposed rulemaking.   In fact, the 1996 Telecom Act encouraged intra-modal competition by creating a level playing field.   Companies were overtly encouraged to enter markets they were not currently in.  But now the FCC is charging off in the opposite direction, limiting competition and driving up costs.

Ultimately, too many government entities looking after our privacy means that we do not have any.  Consumers will not have a solid understanding of what signals to watch for that indicate a data breach or a scam.   The result is a less vigilant populous increasingly prone to their data being collected and used inappropriately without the understanding that certain actions are wrong.  The FCC should bear the burden of proving that it is needed in this area or can add something of value, before even considering moving forward.  At the very least, a factual, data-driven analysis of whether consumers will gain or be harmed should be undertaken. Even if the Commission were to imagine the authority to institute of a new and untested regulatory regime does mean that it should do so.

If the FCC insists in playing in the privacy field despite these clear deficiencies and understanding that the area is appropriately covered by the FTC, then rather than creating fantastical windmills of unproven marketplace power for a quixotic FCC to tilt, it should be seeking to create clear rules that consistently protect consumer data end to end while promoting competition and innovation in the online marketplace.

Surprise!  The Marketplace is Working

The market has responded favorably and swiftly to consumer concerns regarding the collection and use of personal information.  Innovators have crafted tools that let users block cookies, advertising, the tracking of Internet browsing behavior, and third party sharing of information. The market is responding to consumer concerns, without burdensome government regulation.

In addition, the market is providing greater service to consumers.  Access to data, whether by ISPs or non-ISPs, leads to more relevant products and services, as well as greater protection for consumers through quicker fraud detection, better cyber-attack prevention.  Prophylactic measures restraining particular business models are not only wrong-headed but also restrict consumer’s freedom of choice.  The proposal to provide lower broadband prices in return for greater use of consumer information is an example where the only entity that loses is the consumer.

Consumers, in fact, are well ahead of the FCC in finding their level of comfort in matters of privacy.  For example, as consumers have increased their use of encryption and secure online services, the ability of ISPs to track or view a consumer’s web history has been reduced.  In fact, by the end of 2016, more than two-thirds of online bits delivered to individuals will be encrypted.  According to Google, 77 percent of the data from its services is already encrypted.

As the market has rapidly moved to mobile, new challenges arose to protecting privacy and were quickly addressed by the market.  Now a typical Internet user moves across a variety of connections and various ISPs.  No one ISP is an Internet gatekeeper.  As consumers increasingly opted for mobility,  consumer protections changed as well.  Today, the mobile operating systems with huge swaths of the market, Apple and Android, actually prevent ISPs from collecting information at all.

And it should be consumers who are directing their own privacy choices. Individuals should be free to select the policy that best fits their needs and take responsibility for their online activities. The Commission can never be as nimble and tailored as the market.  An FCC “one size fits all” so called solution will fit no one.

Conclusion

The egregious lop-sided nature of the proposed rules, arbitrarily singling out one piece of an ecosystem for differentiated treatment runs counter to any sense of fairness.  Bereft of any consumer harm the Commission seems to strike out to regulate simply for regulation sake seeking to envelope anything it can attempt to justify that may come within its purview.

The FCC has tried similar schemes in the past only to ultimately be struck down by the courts as unconstitutional but not before a tremendous waste of time and resources by the private sector, not to mention the squandered tax dollars of Americans.  If these rules are adopted the same fate awaits.

The Commission should be deservedly criticized for designing regulations that will disrupt a vibrant eco-system.  This scheme will throttle the development of new business models, limit consumer choice and opportunity, increase costs, and importantly, dramatically increase consumer confusion.

Sincerely,

Bartlett D. Cleland

 

2 comments to Bridge Pier 16-1: Comments to the FCC Regarding Privacy and Broadband