Skip to content
Naked Security Naked Security

New FCC ISP privacy rules create more questions than answers

The FCC's new ISP privacy rules have opened wide the debate on when and what data gathered over the internet should be deemed sensitive.

Just over a week ago the US Federal Communications Commission (FCC) imposed new privacy rules for ISP customers. The rules aimed to give customers better control, more privacy and stronger security over their data.

But, while the rules imposed restrictions on ISPs, they have opened up questions about what types of data should be deemed as sensitive along with a debate on the disparity between how privacy is protected between data from other internet sources.

The all important opt-in

The new rules include an opt-in, which requires ISPs to obtain ‘affirmative’ consent from consumers to use and share sensitive information. It’s this that has been causing the biggest stir.

The information classed as sensitive by the FCC and requiring an opt-in includes:

  • precise geo-location
  • financial information
  • health information
  • children’s information
  • social security numbers
  • web browsing history
  • app usage history
  • the content of communications

In an interview with the E-Commerce Times before FCC’s adoption of the new rules, Information Technology and Innovation Foundation Telecom policy analyst Doug Brake revealed that the opt-in would in effect mean that ISPs would need:

…to obtain opt-in consent for any uses of consumer data.

Sensitive or not sensitive – that is the question

Bearing that in mind, it’s not surprising that the debate around which types of data should be classified as sensitive is particularly fierce.

According to the E-Commerce Times, the tech industry has lambasted the new rules, particularly this aspect. In an interview, Mark MacCormack, vice-president of public policy at the Software & Information Industry Association, argued that the FCC:

…is casting too wide a net by classifying web browsing information, app history and other such data as sensitive.

And that the opt-in requirement…

…is likely to create substantial confusion for consumers.

The media company reports the other side of the fence too, quoting John Simpson, Consumer Watchdog’s privacy project director as observing:

Web browsing and app use history, and the content of communications are critical pieces of information that are tremendously revealing about you. We completely applaud the FCC for [protecting] it.

Gaining that op-in

The E-Commerce Times also reports that six major e-commerce business associations had previously lobbied against the new rules. One of the concerns raised was the opt-in consent – and particularly the fact that it’s required for web browsing and app usage history – would only:

… bombard consumers with unnecessary notices.

Meanwhile, Evan Shuman writing for Computerworld believes that ISPs will find other ways to get consumers to opt-in: by hiding the permission in massive T&C forms that require a single click to begin the ISP service. It’s either take it or leave it.

Schuman suggests an alternative approach would serve the consumer better:

If the FCC wanted to truly protect privacy, it would have prohibited ISPs from including this opt-in as part of the agreement to provide services – it should have given consumers the right to reject such data sharing and still retain the right to have broadband service.

Confused?

While the new rules cover ISPs, they don’t cover websites, search engines and data aggregators. According to Security InfoWatch, some of the officials at the FCC who opposed the new privacy rules did so because they felt the different expectations for internet providers and websites will create confusion among consumers. FCC Commissioner Ajit Pai suggested:

If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the internet ecosystem at the new baseline the FCC has set.

FCC commissioner Michael O’Rielly takes a broader view, noting that the rules may have unintended consequences for the Internet of Things – how data is shared between its connected devices is still very much open to question.

And so it seems that the new rules have opened up the debate. In my eyes that’s a good thing. We as individuals need clarity and control over how our information is used in today’s increasingly connected world.

How long that debate will take to resolve is another question. And, to be quite frank, the FCC are most likely to continue to lag behind. After all, they focus on resolving the issues already here today rather than pre-empting the challenges of tomorrow.

5 Comments

This was a remarkably good move by a government body. I don’t think it went far enough, but it was light-years ahead of my expectations.
The thing I would add is a detailed opt-in that can only be triggered BY ITSELF. In other words, the checkbox contains ONLY the text necessary to understand the question. The words would contain JUST the 8 items above, and one short paragraph explaining. No legalese and no ties to any other agreement.
In an ideal world, the ISPs should allow each of the 8 types of data to be individually opted for or against. But, that’s a pipe dream, I think.

There is no confusion if he the info is seen as belonging to the individual and use of any part is at the opt-in discretion of that individual.

I expect that the Opt In will be part of the TOS, with no way to opt out if you want internet service.
I sense a huge growth in the VPN market about to happen. Time to open a VPN service in a “free country” that doesn’t monitor “Every move you make” (Police, Every breath you take, released 1983)

A:financial information
health information
children’s information
social security numbers
Q:name four things that should not be opt-in, but in fact off-limits

This attitude is unsurprising from a country that is so used to having to give away its personal data and have communications monitored by various agencies its engrained in the culture. I mean how dare US citizens expect the right of privacy, don’t they know that criminals and terrorists are all around them and that everyone is a suspect until its unable to be proven otherwise – sheesh. I am glad I live in the UK, although we are not much better off we are a little more further along thanks to the EU I suppose.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?