|

On broadband privacy: Working to protect your rights and your data

Today, Access Now provided comments on the importance of broadband privacy to the U.S. Federal Communications Commission (FCC).

I know. This sounds really nerdy, even for us. But it’s really important. Give me two minutes to explain why.

Broadband providers carry your data to the internet, so it’s possible that they can see EVERYTHING you do online. The FCC can issue rules for how they handle that data. And under current rules, your provider can (and probably does) sell information about you to third parties.

It is not proper for a company that you pay directly to provide a service to turn around and sell your data without your knowledge or consent. It harms human rights, particularly our right to privacy.

The FCC has now proposed new rules to protect the data your provider sees — including information about your web browsing.

We wrote to the FCC to support these rules and to suggest ways to make them even stronger. The FCC’s action is very important. First of all, the chairman who is pushing for these privacy-protecting rules, Tom Wheeler, will retire at the end of this year. The next chairperson may not fight as strongly for our rights. And secondly, for better or worse, the U.S. creates many of the “norms” we see on the global internet. If we win this battle in the United States, we hope it will have an international impact, helping to protect human rights for everyone, no matter where we connect to the internet.

Did I convince you this is a big deal? Keep reading to learn what we told the FCC.

It’s no secret that the FCC’s rulemaking procedures are fairly confusing. The proposed rules are in what is called a Notice of Proposed Rulemaking (NPRM). The NPRM asks for some feedback on the rules. You can read more about the NPRM here, and our first response here. Today we responded to this NPRM in full.

Things we support

The FCC’s NPRM creates a regulatory structure which would require service providers to obtain consumers’ “opt in” consent for some activity and allows the providers to give people the option to “opt out” of other activity.

In general, we support these rules, even if we’d prefer that nearly all sharing of users’ data require opt in consent that is affirmative, express, and adequately informed. That would mean that a company couldn’t hide the sale of your data behind a difficult-to-understand opt-out procedure. But the FCC’s proposal is a good first step toward greater respect for our fundamental right to privacy.

We also told the FCC that we support their inclusive definitions for what constitutes protected data. They correctly recognized how invasive the use of metadata and aggregated data can be. We’re also pleased that they applied these definitions and regulations to “affiliates” of the service providers. That means your data will be protected even if your service provider doesn’t sell your information, but gives it to another department for use by the same company.

The rules will create requirements for service providers to notify their users if their information is breached by hacking or by other means. Still, there is an opportunity for the FCC to help determine how organizations can better respond to breaches in which personal, non-financial data is breached. The NPRM asks whether there should be a “good faith exception” to the notification requirement. That would be a problem, because users should be notified of a breach regardless of the intention of the person responsible.

Things we don’t support

There are some things in the NPRM that we think should be improved. Primarily, we think the rules are too permissive. They still allow service providers to use personal data widely without informed consent. This is deficient because the rules allow private data to be shared or sold to marketing companies that create detailed profiles of users.

Security:

The rules allow service providers to use protected data “whenever reasonably necessary to protect themselves or others from cyber security threats or vulnerabilities.” We think that standard is too broad. The proposal should only permit the sharing of protected data if users’ personal information is scrubbed, if it is reasonably necessary to prevent future cyber threats, and if sharing does not risk user privacy or security.

Sharing Location Data in an Emergency:

The rules allow service providers to share your location with law enforcement in an emergency. While we agree with the intent, location data is extremely sensitive and deserves the highest levels of protection. Any public safety exceptions must be strictly limited and of the shortest duration and the most narrow scope possible. All transparency and oversight provisions must apply and retroactive authorization must be obtained.

Data Retention:

Data retention compromises data security, exposing information to government and corporate misuse, data breaches, and employee theft. It also imposes significant costs, creates liability risks and negative externalities, and wastes energy at data centers.

The proposed rule has a flexible approach to data retention allowing retention periods “according to the type of relationship and use of the data.” We instead recommend that the FCC adopt clear limits on data retention that prevent retention of customer data longer than necessary for the legitimate purpose intended.

Suggestions we made

In addition to encouraging the FCC to strengthen their proposed rules, we also suggested a few things they hadn’t yet considered. These are suggestions that, when added to the proposed rule, would significantly enhance oversight, transparency, and protection of your rights.

Audits and Transparency Reports:

The proposed rules will govern how service providers are able to use information. We suggested regular audits and transparency reports to ensure that providers follow these rules.

We also recommended the FCC require transparency reports from all broadband access providers. The reports should include data on requests they receive from the government and other third parties for user information and content restriction; their response processes and user notification policies; compliance rates; reasons for compliance or rejection of the requests; and other categories of information to be decided in conjunction with civil society and via public comment processes. This should be a standard best business practice for all companies that collect user data.

Access to YOUR Data:

We agree with Chairman Wheeler’s statement that “[w]e all deserve information about and control over how our data is used.” A person’s right to access and correct their own data is essential to guaranteeing control over their personal information. The proposed rule will empower people to access their own data. We recommend the FCC ensure that you are able to object, to erase, and to move your data. The ability to object enables you to reject collection and use of specific types of your information. The right to do this goes hand-in-hand with the European Union’s recognition of the “right to erasure,” which allows consumers to request that their data be purged when they stop using a service. Finally, portability means that when you move your information, you have the enforceable right to get a copy of your data in usable format and can transfer the information to other providers. This principle prevents you from being locked into a service, and promotes competition. The FCC already recognizes the usefulness of being able to transfer your phone number.

Dispute Resolution:

We recommend that the FCC oversee the creation of a Sector-wide Process for Oversight & Transparency (SPOT) to give people a single point of contact to file complaints, lodge appeals, and access remedy for potential violations of their privacy. The SPOT should require each service provider to designate a Privacy Office to handle complaints, and issue an annual report to the Chairperson of the FCC, who should then issue a public report aggregating the results of the complaints process and provide recommendations to improve overall efficiency and effectiveness.

Conclusion

You can read all our comments and suggestions here.

Given the breadth and reach of the United States’ digital economy, the rules put forward by the FCC have the potential to influence standards globally. This is an important opportunity to take a big step toward protecting our data and our right to privacy. We’ll continue to work with the FCC to support the rulemaking process, and to make sure the rules are strong as possible.