The FBI, FCC, Online Privacy And You: Whose Data Is It Anyway?

Federal Communications Commission (FCC) Chairman Tom Wheeler is proposing discriminatory Internet marketing rules — rules that restrict the marketing efforts of Verizon FIOS and other Internet service providers (ISPs) only while giving Google and other big data companies in Silicon Valley an anticompetitive advantage in online advertising. Wheeler claims discriminatory marketing restrictions are intended to protect the privacy of “your data,” including “the websites that a customer visits, how often they visit them, and the amount of time they spend on each website.”

It appears Wheeler didn’t get the memo from the Federal Bureau of Investigation (FBI) and other law enforcement agencies about the law governing privacy and ownership of communications addressing and routing volumes. According to a line of federal court cases dating back to the nineteenth century, users of communications networks don’t have a “justifiable,” “reasonable,” or even a “legitimate expectation of privacy” in that type of data. In fact, it’s not “your” data.

Consumers may have an expectation of privacy in the content of their communications, but that expectation doesn’t reasonably extend to the addresses or volumes of their communications. The federal courts have held that consumers don’t have a legitimate expectation of privacy in the addresses they write on sealed letters and packages sent through the U.S. mail or their weight, the numbers they dial on their telephones or the number of calls they make, or the to/from addresses of their email messages and IP addresses of the websites they visit or the volume of the data transmitted. The Supreme Court has held that an expectation that this type of information should be private “is not one that society is prepared to recognize as ‘reasonable.’”

In each of these communications media — the U.S. mail, a plain-old telephone call and the Internet — the courts have recognized that a person must voluntarily give addressing information to a third party in order to route the desired communication; and once given, this data becomes the “property” of the third-party communications service provider, who may use it “for a variety of legitimate business purposes.”

“In any normal life, even in pursuing his most private purposes, the individual must occasionally transact business with other people. When he does so, he leaves behind, as evidence of his activity, the records and recollections of others. He cannot expect that these activities are his private affair.”

Because this data is not “private,” the government doesn’t even need a warrant to obtain addressing information for telephone calls and Internet communications, even when it is obtaining the data for the purpose of conducting a criminal investigation. Indeed, the Federal Bureau of Investigation (FBI) has routinely relied on this fact to collect cell phone data and other addressing information without seeking a warrant.

If communications routing information cannot reasonably be considered “private” or a form of consumer “property” with respect to law enforcement investigations — which could (quite literally) entail a consumer’s loss of life, liberty and property — it’s difficult to see why Wheeler believes the same information can reasonably be considered “your private data” with respect to commercial advertisers.

It’s particularly ironic that Wheeler has chosen such an extreme position now, when the FBI is fighting Apple over court-ordered access to a locked iPhone and struggling with technological change more generally. In his appearance before Congress earlier this month, FBI Director James Comey testified that technological changes that limit legitimate access to criminal evidence “will have ongoing, significant impacts on our ability to identify, stop, and prosecute [terrorists and other malicious] offenders.” Unsurprisingly, President Obama later warned tech leaders not to take an “absolutist” stance on consumer privacy issues. If the FCC adopts Wheeler’s absolutist proposal, however, it would put a government stamp of approval on the idea that society is prepared to place far greater restrictions on law enforcement access to data in the Internet era than in the past.

The disconnect between Wheeler’s views on the one hand and the views of the Supreme Court and law enforcement agencies on the other regarding the types of information that can reasonably be considered “private” raises legitimate questions as to whether Wheeler’s proposal is really about protecting Internet “privacy” — especially when there is strong evidence that Wheeler’s proposed rules would do little or nothing to protect consumer information while tipping the competitive balance in favor of dominant players in the market for online advertising.

Let’s be clear: Wheeler’s plan would let Silicon Valley’s big data companies keep collecting and selling the same types of consumer information that his proposed rules would prevent ISPs from using. Google and other online marketing companies would still know which websites consumers are visiting and how often, and these companies would still be able to share that information with the government and a host of third-party advertisers. So far as Silicon Valley’s big data companies are concerned, the same data that Wheeler claims is “yours” is actually theirs to do with as they please.

Wheeler admits his proposal wouldn’t constrain the use of consumer information by the Internet’s biggest data brokers, but attempts to brush this critical fact aside by pointing to the jurisdiction of the Federal Trade Commission (FTC) over those companies’ data practices. Don’t worry, the FTC is already doing “a great job dealing with such companies and their privacy practices,” says Wheeler.

Wheeler’s acknowledgement that the FTC is already doing a “great job” on Internet privacy actually undermines his claim that the proposed rules are necessary to protect consumer privacy.

  • If the FTC is already doing a great job with Internet privacy practices, Wheeler’s proposal is obviously unnecessary (and, as noted below, anticompetitive). Why not let the FTC continue doing a great job regulating ISPs’ privacy practices, a role the FTC had assumed well before the FCC decided to get involved?
  • If the FTC is doing a great job, then why doesn’t the FCC propose to adopt the same, far less restrictive approach to regulating Internet privacy as the FTC — an approach that is consistent with privacy law established by federal courts and relied upon by federal law enforcement agencies?
  • If the FTC is doing a great job, Wheeler’s plan to impose marketing restrictions only on ISPs is obviously anticompetitive. Economic theory and practical experience show that imposing restrictions on companies in only one segment of a market (ISPs) harms competition and innovation by preventing those companies from competing with other segments (Silicon Valley’s big data companies) in that same market (online advertising). There is extensive FCC precedent on this point — precedent Wheeler has either missed or chosen to ignore.
  • Assuming the FTC is not doing a great job, why doesn’t Wheeler propose to apply the same rules to Silicon Valley’s big data companies? The FCC has legal authority to regulate the privacy practices of those companies using the same authority it has relied on to adopt net neutrality rules in the past. It appears disingenuous when Wheeler refuses to exercise the FCC’s jurisdiction over the privacy practices of big data brokers while simultaneously creating an entirely new regulatory scheme for broadband ISPs.

Those who support Wheeler’s plan implicitly acknowledge that it would have the effect of limiting the ability of ISPs to compete with big data companies in the market for online advertising. They attempt to justify this anticompetitive result by claiming that (1) ISPs pose a greater risk to privacy than Silicon Valley’s big data companies and (2) it’s necessary to restrict the marketing practices of broadband ISPs because Congress gave the FCC authority to restrict the disclosure or use for “marketing efforts” of certain “customer proprietary network information” (CPNI) by telephone companies when it added the CPNI provision to the federal Communications Act in 1996. Neither justification is persuasive.

First, according to the Georgia Institute for Information Tech Security and Privacy, which has taken no position on Wheeler’s plan, the notion that ISPs pose a greater risk to privacy than other big data companies is factually untrue. Based on an analysis of the different technologies and services used by big data companies, Silicon Valley’s big data companies have greater access to Internet users’ data than ISPs. As a factual matter, Wheeler’s plan would actually shut down insurgent competitors in the online advertising market.

Second, though there may be some dispute about whether Congress intended to regulate privacy on the broadband Internet when it enacted the CPNI provision in 1996, it is indisputable that the FCC is not legally required to apply the CPNI provision to broadband ISPs. The FCC has clear legal authority to forbear from applying this provision to ISPs (and telephone companies as well) — authority the FCC exercised to eliminate hundreds of other outdated Title II provisions when it adopted net neutrality rules last year. Proposing to apply the outdated CPNI provision to broadband ISPs was Wheeler’s voluntary policy choice, not a Congressional mandate. Wheeler’s decision to frame his proposal in terms of the “privacy” of “your data” was also a voluntary (and misleading) choice. The CPNI provision applies to “customer proprietary network information” that, as a matter of federal privacy law, is neither “private” nor “owned” by the consumer.

It’s particularly unfortunate that Wheeler has chosen to apply a 20-year-old statutory provision to the Internet now — for the first time — while describing his choice in terms of consumer “privacy.” Even if his proposal is well-intentioned, impartial factual analysis indicates Wheeler’s plan to adopt discriminatory rules based on an outdated statutory provision won’t protect consumer information online. And it also appears to be at odds with the Administration’s position on data ownership in the law enforcement context at a time when the FBI is attempting to preserve its ability to obtain timely, judicially authorized access to data relevant to terrorist and other urgent criminal cases.

The potential benefits of any new regulation should be balanced against the potential to cause harm to other public interest objectives. Sadly, it appears Wheeler has overlooked the inconsistency of his proposal with existing privacy laws, law enforcement practices, and the successful approach of the FTC in this area. He also appears to have overlooked the potential for his proposal to harm competition in the market for online advertising — a market that is already dominated by a handful of Silicon Valley companies.

As Supreme Court Justice Alito has observed, “In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative. A legislative body is well situated to gauge changing public attitudes, to draw detailed lines, and to balance privacy and public safety in a comprehensive way.” The FCC should vote against Wheeler’s proposal and leave the issue of new online privacy regulations to Congress where it belongs.