If your ISP is selling info about you, that has to be opt-in, says FCC boss
Regulator hopes to smother broadband providers in privacy-protecting rules
FCC chairman Tom Wheeler has proposed new rules that would bring ISPs in line with general data privacy laws and give citizens the right to opt out of their personal information being shared commercially.
Wheeler has put forward a proposed "notice of rulemaking" to the other FCC Commissioners, who will vote on it later this month. If approved, the proposal will be put out to public comment.
A summary document [PDF] published by the FCC says that the new rules would extend the privacy requirement in the Communications Act – which covers mobile phones – to broadband internet access service.
In essence, it would break up the information that ISPs gather about their customers – including what websites you visit and how often, what searches you carry out, and any unencrypted traffic that goes over your internet connection – into three groups.
- Information that is necessary for the provision of broadband – such as size and type of data usage – will be usable by ISPs without requiring consent.
- Information and data gathered by ISPs and used to market other "communications-related services" would become opt-out, ie, customers would have to actively say they do not want that information to be shared.
- All other uses of information and data gathered would be opt-in, meaning that ISPs would require explicit consent.
The data is not trivial. According to the FCC: "Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers – including private information such as a chronic medical condition or financial problems."
The rules would also require ISPs to introduce – if they haven't already – specific data security standards, data management training, and strong authentication, and identify a senior data security manager.
ISPs would also be required to follow standard data breach rules: affected customers would have to be informed within 10 days; the FCC within seven days; and the FBI informed within seven days if a data breach affects more than 5,000 customers.
The FCC has also drawn lines around what the rules would and would not cover. They would extend only to broadband providers, rather than websites themselves (which is the FTC's territory); they would not extend to other services provided by ISPs; and they would not impact the provision of information to the security services or law enforcement.
Most extraordinary in the proposed rule-making is the fact that ISPs are not already under common data privacy rules.
Having blown up the cozy relationship that the FCC has always had with the telco industry over net neutrality regulations, it appears that Wheeler has gone to his staff and asked them to put forward proposals to fix all the black holes that exist but that the FCC never dared to touch previously.
Although Wheeler's term ends in 2018, two of his commissioners will be selected by the next president in 2017 – meaning that if the Republicans win the White House, the persistent partisan split at the FCC will likely fall in the Republicans' favor and make the passing of such measures much harder.
With depressing inevitability, the FCC's announcement was met almost immediately with a complaint from Commissioner Pai (a Republican) who argued: "The FCC is doubling down on its misguided and broken Net Neutrality decision by imposing troubling and conflicting 'privacy' rules on Internet companies, as well as freelancing on topics like data security and data breach that are not even mentioned in the statute."
Last month, Wheeler took on the long-term consumer bugbear of "rented" cable boxes with clunky interfaces by proposing that telcos be obliged to use common standards and that cable boxes be opened up to competition.
This month, he is tackling a loophole that almost no consumers knew existed. We'll be interested to see what Wheeler and the FCC staff come up with next month in an effort to drag the telco industry into the internet era. ®