March 4, 2017
Marlene H. Dortch
Secretary
Federal Communications Commission
445 12th Street S.W.
Washington, D.C. 20554
Re: In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services
WC Docket No.16-106
Dear Ms. Dortch:
The Commission has proposed, in its words, “to apply the traditional privacy requirements of the Communications Act to the most significant communications technologies of today: broadband Internet access service.” Further the Commission claims that “both consumers and Internet Service Providers would benefit from additional” rules. The NPRM makes claim that such rules will be the silver bullet for consumers to protect themselves, that ISPs are the one part of the Internet ecosystem with consumer information and power, and further, that the FTC is not competent to use its long standing authority in the area of consumer privacy to protect users of modern communications systems. The entirety of this justification and explanation is nothing short of completely wrong.
Current Situation
The FCC caused a great disruption in privacy protection for consumers in 2015 when the agency voted to reclassify Internet service providers as Title II common carriers. Before, privacy was protected by the FTC under its authority to police unfair or deceptive trade practices. Next, in late 2016, almost as if to intentionally make matter worse, the FCC again voted on a party line vote to put into place a new discriminatory, restrictive set of rules applied only to Internet service providers. The rules were complicated and immediately confusing for consumers.
As a result, the Joint Petition for a Stay was filed on January 27, 2017, with the stay recently granted. The stay did note that it was necessary “in order to undo the Order’s dramatic departures from the FTC’s privacy framework, which effectively balances the twin objectives of providing consumers control over their personal information while preserving opportunities for beneficial uses of data that lead to innovation, new products and capabilities, customized services, and growth in the digital economy.” This is clearly then no an attempt to repeal or lessen protections for any consumer as some would attempt to allege. Rather this is clearly the time to do the precise opposite and guarantee the protections consumer shad before the errant meddling of the FCC.
Ultimately, the time afforded by the stay should be used guarantee that the FCC gets out of the business of randomly applying so-called privacy rules to parts of the Internet ecosystem and to instead put consumer’s protection first, returning privacy protection to where it is best handled, at the FTC.
Let the Consumer Beware
The proposed rule will in no way provide any, much less greater, protection to consumers. To the contrary, the logical and obvious result of the proposal is to create a confusing thicket of government privacy rules emanating from both the FCC and FTC which will lead consumer confusion and likely resulting in real harm to consumers. Flying in the face of fact-based decision making, the Commission has proposed to pursue a course founded on illusory correlations and selective perception. As is well known, organizations fail or succeed based on their decision making quality.
Fact based decision making relies on hard facts and verified observations. While other factors may be part of decision-making, such as a “hunch” or “hope,” those factors are inferior to facts. Time must be taken to gather facts and data even before determining and framing the issue. The facts must be weighed and options provided before a legitimate final decision, or a “proposed rule,” can move forward. In this case, the proposed rules seemingly were created completely ignoring reality, and the facts. Not even a simple cost-benefit analysis has been provided.
The rules single out one part of a complicated and interdependent ecosystem, for intrusive discriminatory regulation. Consumers need clear and consistent rules, not being left to suffer at the hands of faulty decision making, or to suffer from rules obviously designed to intentionally hamper an arbitrary part of a whole — an intrusive action that will predictably lead to higher costs and less competition. Consumers should not be the pawns of a regulatory authority that repeatedly places the protection of consumer data beneath institutional desires.
The FCC has been here before – being arbitrary in trying to layer heavy handed privacy rules on the Internet ecosystem. In U.S. West, Inc. v. Federal Communications Commission the court noted that the FCC failed to justify that their scheme was the least intrusive to free speech, and failed to prove that the government’s interests trumped the constitutional concerns of consumers. In short, the FCC failed to demonstrate any facts or urgency as compared to the consumer’s best interests. The proposed privacy scheme at issue here could easily be met with similar concerns and once again be frowned upon by the courts. Truly putting the consumer first is one way to avoid many problems. Yet, the FCC does not point to real or even perceived consumer harms to justify an ISP-specific regime, while ignoring the high likelihood of consumer harm.
There is an Internet Eco-system
A change to any part of the ecosystem has an impact on all parts of the ecosystem. The well-being of the Internet, at least as it exists in the U.S., is dependent on all parts of the ecosystem being healthy, and free from interference.
Platforms such as social networks, search engines, operating systems, webmail, browsers, mobile apps, and e-commerce, all with access to consumer data, are proliferating. The relationship between these various layers in the stack of the ecosystem, including service providers is tightly woven in part because of vertical integration, but also because of a web of contracts and interdependencies. Upsetting or isolating one part of the stack does not necessarily lead to linear and predictable results. In fact, observation informs us that the opposite is typically true. Innovation in the Internet and communications space moves rapidly but unevenly. That is a fact. Perhaps nowhere else is “supply creating its own demand” more observable than in this technology space, yet even understanding that fact only allows innovation experts the most slender of chances to understand where innovation is headed next. Regulatory hubris regularly leads to any number of unintended consequences and is corrosive pollution to this ecosystem. Desperate, heavy handed attempts to try to bring order to what is not orderly are doomed to failure or will only succeed in suffocating innovation. These sorts of antics distract from the very real issue at hand – that the Internet ecosystem is often under attack and as such the entire ecosystem needs to respond, not be divided.
True success in the digital world is achievable when all parties understand that they cannot stand on their own, that in fact an economically thriving digital ecosystem requires cooperation with an eye towards what is best for the broader ecosystem. The distributed nature of the Internet is a fundamental part of its design, and no one entity can be an island. Stakeholder cooperation, and an FCC that truly understands this ecosystem and does not attempt to use it for its own ends, is imperative for the success of all
The Power in the Ecosystem
Last year’s news about Facebook and its means of selecting trending topics, as well as Google’s decision to no longer allow ads by certain industries, both demonstrate that there is “power” in various parts of the Internet ecosystem. In neither case were service providers involved and yet end results were altered. That “power” – market power – is not a bad thing and consumers wield it as well. Contrary to the FCC’s bias as expressed in this rulemaking, it is not the service providers alone that might have some ability to affect a user’s experience, but neither are the consumers powerless. This reality exposes that the FCC’s proposed rules will do nothing to increase consumer protection, but instead will burden only one part of the ecosystem with intrusive regulation even while backing away from the so called consumer protections in other areas. In short, the proposal is reckless.
None of this is to say that there is not a real threat posed by hackers whether with malicious intent or simply on a lark. Instead of taking action to try to alleviate that problem, the FCC is proposing rules that would only be applied to ISPs with respect to consumer data, apparently ignoring how the ecosystem operates. But access to consumer data is far from unique to ISPs. As stated by FTC Commissioner Ohlhausen, “The FCC proposal applies to just one segment of the Internet ecosystem, broadband ISPs, even though there is good evidence that ISPs are not uniquely privy to your data.”
And this data, known as Consumer Proprietary Network Information, is not a means for collecting the most intrusive information that some companies in other parts of the ecosystem do collect online. An analysis last year was stunning clear in its title and the conclusions, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others,” Feb. 29, 2016 by Peter Swire, Justin Hemmings, and Alana Kirkland. (http://www.iisp.gatech.edu/working-paper-online-privacy-and-isps).
The challenge of protecting customer’s online privacy only incidentally involves ISPs. The real challenge is ecosystem wide as was indicated in a Pew report cited by the FCC. The report demonstrates the concern about consumers’ expectations of privacy on the Internet at large. The report does not cite anything specific about ISPs as the FCC tries to make it seem in paragraph 129 of the NPRM, when it writes, “More recently, studies from the Pew Research Center show that the vast majority of adults deem it important to control who can get information about them.” Further, the FCC refers back to a 2002 FCC order, before any suggestion of mobile apps or an iPhone or even Gmail and writes “Research demonstrates that customers view the use of their personal information by their broadband provider differently than disclosure to or use by a third party for a variety of reasons.” In Internet time that “research” is ten generations old – useless. Taken together, these weak and misleading arguments make a case that even the FCC itself does not believe what it is doing is justifiable.
In fact, the opposite of the FCCs baseless assertion is true. As research published in the Harvard Business Review (https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust) and by the Pew Research Center (http://www.pewinternet.org/files/2015/05/Privacy-and-Security-Attitudes-5.19.15_FINAL.pdf) have shown, consumers do not seem to think that ISPs are problematic and actually trust their ISPs typically more than they do other operators in the ecosystem.
These are sorts of facts FCC that absolutely cannot be ignored, especially with a proposal designed to discriminatorily treat one part of the ecosystem. The proposal merely inserts greater costs nto the ecosystem. The proposal will solve nothing given that the FCC has no authority over the vast majority of the companies in the ecosystem including those best known for manipulative and abusive data strategies. Even under this FCC proposal, these entities will continue to collect and use data for their own ends.
Solutions Should Be Pro-Consumer, Based in reality and Not Simply Pro-Regulatory or Anti-ISP
The thought is not original, but it is accurate and should carry more than fair share of weight in this rulemaking – regulation can never keep up with innovation. Never has, and never will.
There was a time when Washington would react negatively to new technologies, being concerned, if not afraid, of the impact that those technologies might cause to privacy – never recognizing that tools are just tools, often equally available to be used for good or for evil. But the FCC is blazing new trails, fearing technology that is already well known. Instead of solving the problem the Commission has dreamt up instead it moves to create a prescriptive regulatory system ensured to create consumer confusion, harming the very protections consumers already enjoy.
The proposed rules will fail, not just ultimately but immediately, primarily because the rules are designed to only burden one part of the Internet ecosystem, ISPs, rather than targeting the presumed problem. In turn consumers will be left with a confusing message about how online data is collected and shared. And it is in this where the rules move from wrongheaded to dangerous. Consumers will be presented with confusing, conflicting rules, being led to believe that because new rules are in place on service providers that they are now free from privacy worries.
Placing ISPs in a category bound by rigid rules around data, and then arbitrarily limiting what businesses they can pursue, is wrong for consumers and certainly does not comport with any tenant of competition, a level playing field, fairness or a free market. Just picking one example, Google would have to juggle two different and conflicting sets of privacy regulations even while trying to explain such nonsensical government interference to its customers. In the end, industry is left holding the bag of liability, and hence costs, when it has no unique access to consumer data. A lesson should have been learned by the FCC in the case of Netflix in March of last year. As was noted in the Washington Post, slower Netflix mobile video speeds for Verizon and AT&T customers was not due to actions of the ISPs, but rather occurred because of bad behavior by Netflix – throttling speeds for its customers and blaming the resulting problems of “interconnection congestion” on others.
Yet the FCC declined to investigate claiming that such bad conduct was “outside” the FCC’s purview and rules. Apparently the Commission has yet to realize that this incident highlights the real problem and is precisely what leads to consumer’s confusion – different rules for different pieces of a consumer’s whole. Varying rules for various parts of one eco-system is a less than well thought out idea, and will harm the ecosystem itself.
If regulations are needed then the correct regulatory approach is obvious, a consistent treatment with consistent rules of all those who compete in the Internet ecosystem with access to data, much like what the FTC has accomplished. And with an FTC with rules none others are needed. A second set of rules, even if substantially similar, will only cause confusion now or in the future as competing agencies struggle for prominence further slowing a government already hopelessly behind the pace of innovation. The precise right answer is to not have privacy rules created by the FCC and instead, if enhancements are necessary, do so via the FTC. The notion that multiple agencies must regulate and enforce the same rules argues that one agency is no longer relevant, or effective, or particularly useful other than to impeded innovation.
If the FCC feels it needs to be involved in the policy issue to somehow demonstrate its relevance then again a better approach is obvious – a coordinated multi-stakeholder process of regulators and the actors in the Internet ecosystem. Such a process should focus on what regulators can do to enable all parts of the ecosystem to thrive, how artificial barriers to innovation can be removed for an increasingly robust marketplace that drives real benefits to consumers. Such a process should also be designed to address the fact that modern regulatory approaches are a hindrance to innovation, and therefore increase consumer costs while also being a drag on consumer benefits. But to reiterate, the better decision is to forebear from pushing into the privacy space at all.
The goal should not be to engineer excuses to try to discriminate against particular part of the ecosystem, thereby limiting the disruption in online advertising. ISPs are not even listed among the top ten competitors (and those ten own 70 percent of the market) in the online advertising space. This underscores the lack of a factual foundation for the NPRM.
Why arbitrarily remove service providers from the competitive landscape? Why hinder competition that would drive more benefits to consumers through greater competition? These are good questions and have to be answered by the FCC. These should be necessary precursors to any discussion, much less a proposed rulemaking. The real issue should be whether a set of meaningful and consistent protections for consumer online data can be created, and administered by a part of the sprawling federal government that already has expertise in the area.
A New Additional Regulatory Agency is Not the Answer
There is a fundamental difference between private and public sector when it comes to the collection and use of consumer information. Government hardly has a record in protecting data privacy that would lead one to believe that it has the answers to adequately handing such concerns. Stunningly on point, even the FCC has struggled to handle simple routine and expected comments with its systems (human and otherwise), much less handling issues that are much more sensitive and that by the day can get worse if not addressed. This alone argues against more, if any, government intervention but certainly places a cloud on any FCC desire to enter into an area where it lacks expertise and authority. Fortunately then an obvious alternative already exists.
Essentially since the beginning of the World Wide Web the FTC has had oversight of the entirety of the Internet ecosystem, including ISPs. Specifically the FTC has helmed a regime that has been focused on deceptive and unfair practices and constantly focused on how data has been collected and used. In that time, an entity’s business model or where they have been in the technology stack has not been a point of concern. Why this is the case is obvious – consumers are not concerned with those details but rather with how data is used and appreciate that such a system empowers them with more control. Under this comprehensive FTC approach there have been very few ISP-related privacy or data security issues. Over the same time the FTC has had to take action on data issues many times against others in the Internet ecosystem.
As MANA National President Amy Hinojosa’s recently wrote in The Huffington Post, “The FTC is the lead federal consumer protection agency and has been a strong cop on the beat for our privacy. But in a classic case of the ‘law of unintended consequences,’ the FTC had the jurisdictional rug pulled from under its feet for a small portion of the internet — broadband providers — due to legal changes contained in the Open Internet rules passed last year.” Hinojosa writes, “As a result, the FCC — which regulates telecommunications — is now eager to put their footprint in this space by knitting a patchwork set of rules that would apply narrowly to broadband companies while exempting everyone else. In fact, the rules under consideration at the FCC would be a huge step backwards for consumers — confusing consumers and increasing the risk of abusive or discriminatory use of our data online.” Hinojosa argues, “Instead of an inconsistent patchwork based on false assumptions and a misreading of the privacy threat, the FCC can and should step back and put consumers ahead of this jurisdictional land grab and learn from the success of the FTC approach that puts consumers in the driver’s seat rather than in a maze.”
One part of the problem is that the FCC does not have relevant experience in the consumer privacy realm, leaving consumers at its mercy as it tries to wade into a complicated new area. While the Communications Act does convey a limited amount of power to cover consumer privacy of satellite and cable subscribers, the actions that the FCC has taken have been almost completely about billing information. The authority conveyed with relation to telephone subscribers is somewhat broader but is silent regarding the broad range of information that can now be gathered.
Further, the FCC lacks the tools to pursue the best enforcement. The FTC is limited in bringing to bear any forward looking rules but rather conducts enforcement proceedings after a determination that it has the authority to do so under the relevant law. Such actions send signals to the marketplace as to what is within and outside the bounds of acceptable and legal behavior. This allows for flexible solutions and for innovation to flourish. On the other hand, the FCC makes new rules which quickly constrain the marketplace with enforcement actions being brought if the rules are violated.
Regardless, the FCC lacks the reach to address the issue. Section 222 of the Communications Act does not provide a basis for the expansion of power that the FCC is seeking. Specifically, section 222(h)(1) contemplates records of phone calls and billing information, not authority over the sorts of data the FCC is trying to claim. To say otherwise is not just a stretch, but a story woven of whole cloth.
Government should avoid undue restrictions on the information economy. All parties, consumers, industry and others should be able to buy or use online services with minimal government interference. Unnecessary regulation of online activities will distort development of the information marketplace by decreasing supply and raising the costs of products and services for the consumer. Governments already possess tools to address the proposed problem presented in the proposed rulemaking. In fact, the 1996 Telecom Act encouraged intra-modal competition by creating a level playing field. Companies were overtly encouraged to enter markets they were not currently in. But now the FCC is charging off in the opposite direction, limiting competition and driving up costs.
Ultimately, too many government entities looking after our privacy means that we do not have any. Consumers will not have a solid understanding of what signals to watch for that indicate a data breach or a scam. The result is a less vigilant populous increasingly prone to their data being collected and used inappropriately without the understanding that certain actions are wrong. The FCC should bear the burden of proving that it is needed in this area or can add something of value, before even considering moving forward. At the very least, a factual, data-driven analysis of whether consumers will gain or be harmed should be undertaken. Even if the Commission were to imagine the authority to institute of a new and untested regulatory regime does mean that it should do so.
If the FCC insists in playing in the privacy field despite these clear deficiencies and understanding that the area is appropriately covered by the FTC, then rather than creating fantastical windmills of unproven marketplace power for a quixotic FCC to tilt, it should be seeking to create clear rules that consistently protect consumer data end to end while promoting competition and innovation in the online marketplace.
Surprise! The Marketplace is Working
Fundamentally, the entire focus of the proposal is wrong. Positive public policy is encouraging, increases competition and cheers on innovation. This is not the thrust of this proposal.
Moreover, the private sector should lead. For the information economy and online culture to flourish, the private sector must continue to lead through self-regulation. Innovation, expanded services, broader participation, and lower prices will arise in a market-driven arena, not in an environment burdened by over-regulation.
The market has responded favorably and swiftly to consumer concerns regarding the collection and use of personal information. Innovators have crafted tools that let users block cookies, advertising, the tracking of Internet browsing behavior, and third party sharing of information. The market is responding to consumer concerns, without burdensome government regulation.
In addition, the market is providing greater service to consumers. Access to data, whether by ISPs or non-ISPs, leads to more relevant products and services, as well as greater protection for consumers through quicker fraud detection, better cyber-attack prevention. Prophylactic measures restraining particular business models are not only wrong-headed but also restrict consumer’s freedom of choice. The proposal to provide lower broadband prices in return for greater use of consumer information is an example where the only entity that loses is the consumer.
Consumers, in fact, are well ahead of the FCC in finding their level of comfort in matters of privacy. For example, as consumers have increased their use of encryption and secure online services, the ability of ISPs to track or view a consumer’s web history has been reduced. In fact, by the end of last year, it was estimated that more than two-thirds of online bits delivered to individuals were encrypted. According to Google, 77 percent of the data from its services is already encrypted.
As the market has rapidly moved to mobile, new challenges arose to protecting privacy and were quickly addressed by the market. Now a typical Internet user moves across a variety of connections and various ISPs. No one ISP is an Internet gatekeeper. As consumers increasingly opted for mobility, consumer protections changed as well. Today, the mobile operating systems with huge swaths of the market, Apple and Android, actually prevent ISPs from collecting information at all.
Consumers should be directing their own privacy choices. Individuals should be free to select the policy that best fits their needs and take responsibility for their online activities. The Commission can never be as nimble and tailored as the market. An FCC “one size fits all” so called solution will fit no one.
Conclusion
The egregious lop-sided nature of the proposed rules, arbitrarily singling out one piece of an ecosystem for differentiated treatment runs counter to any sense of fairness. Bereft of any consumer harm the Commission seems to strike out to regulate simply for regulation sake seeking to envelope anything it can attempt to justify that may come within its purview.
The FCC has tried similar schemes in the past only to ultimately be struck down by the courts as unconstitutional but not before a tremendous waste of time and resources by the private sector, not to mention the squandered tax dollars of Americans. If these rules are not repealed the same fate awaits.
The Commission should be deservedly criticized for designing regulations that will disrupt a vibrant eco-system. This scheme will throttle the development of new business models, limit consumer choice and opportunity, increase costs, and importantly, dramatically increase consumer confusion. Consumers expect a seamless experience, not one with artificial roadblocks and hurdles for this part or that part of the ecosystem.
The right answer is not to “soften” rules, nor to seek to rewrite rules to be “in line with a FTC approach.” The right answer is to provide best for consumers, and stop before harming the Internet ecosystem. The way to correctly accomplish those goals is to eliminate the rules. The facts demand it.
