Congress Is About To Give Away Your Online Privacy
Wired Terrell McSweeny and Chris Hoofnagle 03.22.17
Congress is poised to roll back FCC privacy protections in a way that could seriously compromise our online lives. The protections require internet service providers to secure consumer data and obtain consumers’ consent before mining and selling it.
The resolution that could come to a Congressional vote this week aims to tackle differences in how the FCC rule treats ISPs compared with other internet companies. Your broadband provider has to offer you a choice about what information it shares about you, but ecommerce sites and search engines do not.
Advocates for repealing the current protections—the resolution is sponsored by Senator Jeff Flake (R-AZ)—argue that Congress should void the FCC’s rule using the Congressional Review Act. They contend that in order to properly govern privacy and avoid confusing consumers, the FCC should maintain consistent rules across the internet ecosystem. But inconsistent standards pervade privacy and consumer law. Furthermore, consistent standards militate in favor of increasing protections for privacy, rather than unraveling them as the current proposal would do.
An alphabet soup of state and federal laws set the privacy requirements for everything from our financial information to data about our children. That’s largely because privacy is both essential to and sometimes in conflict with our most deeply held value, liberty. So, legislators have never been able to craft omnibus privacy protections. Instead, they’ve developed frameworks informed by prevailing norms, incentives, political economy, and ways the information might be used.
As we connect more devices in our home and on our bodies, the array of technologies that raise data privacy and security concerns is expanding. The privacy landscape will likely continue to be shaped as technologies evolve.
Different consumer technologies may justify different approaches. For example, the safety issues inherent in cars and medical devices may warrant particularly strong privacy and security protections. In the future, privacy rules could come from the FCC as well as the Department of Commerce, National Highway Traffic Safety Administration, Food and Drug Administration, and other agencies.
Consider that your bank can—and probably does—sell your contact and financial information unless you opt out. Yet if you rent a movie, online or off, the rental service can’t sell information about your media consumption without your consent, and it must delete your rental history after it’s no longer needed. Congress enacted those protections to shield intellectual freedom, so that one can enjoy controversial movies without fear of one’s curiosity resulting in extortion or embarrassment.
This brings us to our second point: If consistency and reducing consumer confusion is the goal, consumers should demand stronger internet privacy norms. Given the animating purpose of protecting movie rental information, why not require consumers to consent to the sharing any information about their online behavior? After all, our web activity is the ultimate manifestation of our intellectual curiosity, representing second-by-second decisions about consuming news and entertainment.
In addition to existing federal laws, legislators could, as professor Helen Nissenbaum has suggested, look to offline contexts, such as the strong privacy norms governing searching for a book in a library, to guide the privacy rules we ought to enjoy when using a search engine. The government also could take a page from the confidentiality standards patients enjoy when conversing with physicians and apply those same norms to medical information websites. Policymakers could look to the last two centuries of privacy in the postal mail to guide rules for commercial scanning of email. Yet in all these contexts, web business models drive design decisions that have turned social and personal behaviors into marketplace transactions.
Left standing, the FCC rule offers an opportunity for a meaningful debate about how to better translate our analog privacy norms into the digital world. Broadband ISPs are essentially utilities, like postal mail and the telephone. Subscribers have little or no competitive choice as to which provider to use. ISPs know our identities, and their position gives them the technical capacity to surveil users in ways that others cannot. It makes sense to ensure consumers can choose whether to share data related to their internet usage.
The majority of consumers—91 percent in a recent survey—feel they’ve lost control of their personal information. Yet, paradoxically, the late, great privacy researcher and historian Alan Westin consistently found that Americans expect companies to handle personal data in a “confidential” way.
In reality, the modern internet is like a one-way mirror, where users are often unaware that they are being silently watched by third parties. The FCC rule exposes this one-way mirror and allows people to decide whether to draw a curtain on it.
Maintaining the current rules would make ISP practices more consistent with consumers’ expectations of confidentiality. Congress should spend time examining the strengths and weaknesses of our current approach, instead of using consistency arguments to eviscerate the FCC’s rule.