The US House of Representatives voted today to repeal rules preventing internet service providers from selling their customers' web browsing and app usage data without explicit consent. The Senate passed the same bill last week, which means the only obstacle that remains is a signature from President Trump — and the White House has already signalled he will do so.
Sen. Jeff Flake (R-AZ), who introduced the bill in the Senate last week. Image: Getty.
The rules would have required ISPs to get explicit opt-in consent from customers before selling their sensitive data, including web browsing history and app usage data. The rules hadn't gone into effect yet, and Federal Communications Commission (FCC) chairman Ajit Pai stopped the first provision, which would have required ISPs to keep customer data secure — what a concept! — from going into effect earlier this month.
Without these rules, "there will be no strong federal protection for consumers when it comes to how their ISP can use their information," Dallas Harris, a policy fellow at the privacy advocacy group Public Knowledge, told Gizmodo. Under the current statute, customers must be allowed to opt out of letting their ISP sell their data, but without a rule to interpret that statute, it's much harder to enforce. And the 2-1 Republican majority at the FCC is hardly desperate to enforce that rule. Eric Null, the policy counsel at the Open Technology Institute, told Gizmodo it's "highly unlikely" that we'd see any enforcement by the FCC if a provider doesn't provide reasonable measures to opt out.
The rules were repealed using the Congressional Review Act, which was used only once before the Trump administration, but has been implemented seven times since January. Essentially, this means the FCC can't issue any "substantially similar" rules in the future.
Gigi Sohn, former counsellor for ex-FCC chairman Tom Wheeler, told Gizmodo that it isn't clear whether this means the FCC would be prevented from passing stronger rules in the future, and that ISPs may not have "given a whole lot of thought" to that possibility. But it seems that ISPs are betting that this would act as a "nuclear option", eliminating the possibility of future regulation by the FCC.
So, what does this mean for US consumers? Harris told Gizmodo that they will "have to take their privacy into their own hands". Practically speaking, Harris said, this means Americans should "get online right now, get on [their] ISP's website" and opt out of having their data sold. It might also mean getting a VPN — a private network that routes all traffic through its servers — though they'll have to pick one they trust not to sell their data, too. Harris also fears that the repeal will have a "chilling effect" on broadband adoption among those who still aren't online.
As the Electronic Frontier Foundation has pointed out, there are also serious implications for security: If ISPs look to sell consumer data, "internet providers will need to record and store even more sensitive data on their customers, which will become a target for hackers". Even if they anonymise your sensitive data before they sell it to advertisers, they need to collect it first — and these companies don't exactly have a perfect track record in protecting consumer data. In 2015, for example, Comcast paid $US33 million ($43 million) as part of a settlement for accidentally releasing information about users who had paid the company to keep their phone numbers unlisted, including domestic violence victims.
This is all made much more difficult for consumers by the dearth of broadband competition in the US. More than half of Americans have either one or even no options for providers, so if you don't like your ISP's data collection policies, chances are you won't be able to do much about it, and providers know that. It's highly unlikely that providers, particularly the dominant companies, will choose to forego those sweet advertising dollars in order to secure their customers' privacy, when they know those customers don't have much choice.
After the Senate passed its version of the repeal last week, the bill was blasted by multiple open internet advocacy groups, including the Center for Democracy and Technology. There was also a last-minute push by advocacy groups to turn the public against the bill prior to the vote. The EFF and ACLU called on the public to call their representatives, which got a boost of sorts from actress Alyssa Milano:
— Alyssa Milano (@Alyssa_Milano) March 28, 2017
Meanwhile, lobbying groups that represent internet providers and tech companies lauded the bill. Last week, the Consumer Technology Association, which represents companies including Facebook, Apple and Twitter, said the privacy regulation "threatens to undermine innovation and competition in the internet ecosystem". (Gigi Sohn told us that's a "stock line they use any time they get regulation they don't like".)
The criticism that the rule is inconsistent with the FTC's privacy framework is utter garbage. Not only is it largely meaningless to almost everyone — who the hell knows what the FTC's privacy framework is? — it's also a rhetorical trick to obscure what ISPs actually want, which is weaker regulation. The FTC's privacy framework was only really different in one crucial way that ISPs hated: It doesn't consider web browsing and app usage "sensitive", which requires opt-in consent, but the FCC does, and advertisers really want to get their hands on that valuable web browsing data. Repealing the FCC rules "doesn't create a level playing field, it just creates a hole in protections," says Harris.
All is not completely lost. US ISPs still has to allow people to opt out of having their data sold, so customers can call them or go online to find out how to do that. But today's news is devastating for privacy overall. Consumers could have had more control over their privacy; your data could have been safer. Things could have been better, if Congress had done what it usually does and done nothing. Instead, they made things worse for anyone who doesn't run an internet company or an advertising agency. There's no policy justification and no public interest in doing this; consumers are deeply fearful, in fact, about their privacy online. It was an action solely designed to benefit some already very rich companies that barely anyone wanted.