Just over a week ago the US Federal Communications Commission (FCC) imposed new privacy rules for ISP customers. The rules aimed to give customers better control, more privacy and stronger security over their data.
But, while the rules imposed restrictions on ISPs, they have opened up questions about what types of data should be deemed as sensitive along with a debate on the disparity between how privacy is protected between data from other internet sources.
The all important opt-in
The new rules include an opt-in, which requires ISPs to obtain ‘affirmative’ consent from consumers to use and share sensitive information. It’s this that has been causing the biggest stir.
The information classed as sensitive by the FCC and requiring an opt-in includes:
- precise geo-location
- financial information
- health information
- children’s information
- social security numbers
- web browsing history
- app usage history
- the content of communications
In an interview with the E-Commerce Times before FCC’s adoption of the new rules, Information Technology and Innovation Foundation Telecom policy analyst Doug Brake revealed that the opt-in would in effect mean that ISPs would need:
…to obtain opt-in consent for any uses of consumer data.
Sensitive or not sensitive – that is the question
Bearing that in mind, it’s not surprising that the debate around which types of data should be classified as sensitive is particularly fierce.
According to the E-Commerce Times, the tech industry has lambasted the new rules, particularly this aspect. In an interview, Mark MacCormack, vice-president of public policy at the Software & Information Industry Association, argued that the FCC:
…is casting too wide a net by classifying web browsing information, app history and other such data as sensitive.
And that the opt-in requirement…
…is likely to create substantial confusion for consumers.
The media company reports the other side of the fence too, quoting John Simpson, Consumer Watchdog’s privacy project director as observing:
Web browsing and app use history, and the content of communications are critical pieces of information that are tremendously revealing about you. We completely applaud the FCC for [protecting] it.
Gaining that op-in
The E-Commerce Times also reports that six major e-commerce business associations had previously lobbied against the new rules. One of the concerns raised was the opt-in consent – and particularly the fact that it’s required for web browsing and app usage history – would only:
… bombard consumers with unnecessary notices.
Meanwhile, Evan Shuman writing for Computerworld believes that ISPs will find other ways to get consumers to opt-in: by hiding the permission in massive T&C forms that require a single click to begin the ISP service. It’s either take it or leave it.
Schuman suggests an alternative approach would serve the consumer better:
If the FCC wanted to truly protect privacy, it would have prohibited ISPs from including this opt-in as part of the agreement to provide services – it should have given consumers the right to reject such data sharing and still retain the right to have broadband service.
While the new rules cover ISPs, they don’t cover websites, search engines and data aggregators. According to Security InfoWatch, some of the officials at the FCC who opposed the new privacy rules did so because they felt the different expectations for internet providers and websites will create confusion among consumers. FCC Commissioner Ajit Pai suggested:
If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the internet ecosystem at the new baseline the FCC has set.
FCC commissioner Michael O’Rielly takes a broader view, noting that the rules may have unintended consequences for the Internet of Things – how data is shared between its connected devices is still very much open to question.
And so it seems that the new rules have opened up the debate. In my eyes that’s a good thing. We as individuals need clarity and control over how our information is used in today’s increasingly connected world.
How long that debate will take to resolve is another question. And, to be quite frank, the FCC are most likely to continue to lag behind. After all, they focus on resolving the issues already here today rather than pre-empting the challenges of tomorrow.Follow @NakedSecurity