[Senate Hearing 114-564]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 114-564

                  HOW WILL THE FCC'S PROPOSED PRIVACY
                      REGULATIONS AFFECT CONSUMERS
                            AND COMPETITION?

=======================================================================

                                 HEARING

                               BEFORE THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 12, 2016

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation


       
                      U.S. GOVERNMENT PUBLISHING OFFICE
24-204 PDF                  WASHINGTON : 2017                      
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
MARCO RUBIO, Florida                 CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire          AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                      RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska                BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                  EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                 CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin               TOM UDALL, New Mexico
DEAN HELLER, Nevada                  JOE MANCHIN III, West Virginia
CORY GARDNER, Colorado               GARY PETERS, Michigan
STEVE DAINES, Montana
                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Rebecca Seidel, General Counsel
                 Jason Van Beek, Deputy General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
       Clint Odom, Democratic General Counsel and Policy Director
                            
                            
                            C O N T E N T S

                              ----------                              
Hearing held on July 12, 2016
Statement of Senator Thune
    Letter dated July 11, 2016 to Hon. John Thune, Hon. Bill 
      Nelson, Hon. Fred Upton, Hon. Frank Pallone, Hon. Greg 
      Walden and Hon. Anna Eshoo from Laurence H. Tribe, Carl M. 
      Loeb University Professor and Professor of Constitutional 
      Law, Harvard Law School; Richard A. Epstein, Laurence A. 
      Tisch Professor of Law, The New York University of Law, The 
      Peter and Kirsten Bedford Senior Fellow, The Hoover 
      Institution, The James Parker Hall Distinguished Service 
      Professor of Law Emeritus and Senior Lecturer, The 
      University of Chicago; Robert Corn-Revere, Partner, Davis 
      Wright Tremaine LLP; Robert D. Atkinson, President, 
      Information Technology and Innovation Foundation; Jane 
      Bambauer, Associate Professor of Law, University of 
      Arizona, James E. Rogers College of Law; Babette Boliek, 
      Associate Professor of Law, Pepperdine University School of 
      Law; Fred H. Cate, Distinguished Professor and C. Ben 
      Dutton Professor of Law, Indiana University Maurer School 
      of Law; James C. Cooper, Associate Professor of Law and 
      Director, Program on Economics and Privacy, Scalia Law 
      School, George Mason University; Justin (Gus) Hurwitz, 
      Assistant Professor of Law, Nebraska College of Law; Mark 
      A. Jamison, Director and Gunter Professor, Public Utility 
      Research Center, University of Florida; Daniel A. Lyons, 
      Associate Professor of Law, Boston College Law School; 
      Geoffrey A. Manne, Executive Director, International Center 
      for Law and Economics; David W. Opderbeck, Professor of 
      Law, Seton Hall University Law School and Director, Gibbons 
      Institute of Law, Science and Technology; and Paul H. 
      Rubin, Samuel Candler Dobbs Professor of Economics, Emory 
      University
    Letter dated July 11, 2016 to Hon. John Thune and Hon. Bill 
      Nelson from Gary Shapiro, President and CEO, Consumer 
      Technology Association; Jim Halpert, President and CEO, 
      Internet Commerce Coalition; Jonathan Spalter, Chair, 
      Mobile Future; Scott Belcher, CEO, Telecommunications 
      Industry Association; Meredith Attwell Baker, President and 
      CEO, CTIA; Genevieve Morelli, President, ITTA; Michael 
      Powell, President and CEO, National Cable and 
      Telecommunications Association; and Walter B. McCormick, 
      Jr., President and CEO, USTelecom
    Paper entitled ``The Curious Absence of Economic Analysis at 
      the Federal Communications Commission: An Agency in Search 
      of a Mission'' by Gerard R. Faulhaber and Hal J. Singer
Statement of Senator Nelson
Statement of Senator Blunt
Statement of Senator Schatz
Statement of Senator Markey
Statement of Senator Moran
Statement of Senator Klobuchar
Statement of Senator Daines
Statement of Senator Gardner
Statement of Senator Heller
Statement of Senator Blumenthal

                               Witnesses

Hon. Jon Leibowitz, Partner, Davis, Polk & Wardwell and Co-
  Chairman, 21st Century Privacy Coalition
    Prepared statement
Dean C. Garfield, President and CEO, Information Technology 
  Industry Council (ITI)
    Prepared statement
Paul Ohm, Professor, Georgetown University Law Center and Faculty 
  Director, Georgetown Center on Privacy and Technology
    Prepared statement
Matthew M. Polka, President and CEO, American Cable Association
    Prepared statement
Peter Swire, Huang Professor of Law and Ethics, Scheller College 
  of Business, Georgia Institute of Technology
    Prepared statement
    Article dated May 2016 entitled ``Online Privacy and ISPS: 
      ISP Access to Consumer Data is Limited and Often Less than 
      Access by Others'' by Peter Swire

                                Appendix

Response to written questions submitted by Hon. Deb Fischer to:
    Paul Ohm
    Dean C. Garfield
    Matthew M. Polka

 
                  HOW WILL THE FCC'S PROPOSED PRIVACY
                      REGULATIONS AFFECT CONSUMERS
                            AND COMPETITION?

                              ----------                              


                         TUESDAY, JULY 12, 2016

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:04 a.m. in 
room SR-253, Russell Senate Office Building, Hon. John Thune, 
Chairman of the Committee, presiding.
    Present: Senators Thune [presiding], Nelson, Cantwell, 
Blunt, Rubio, Klobuchar, Ayotte, Blumenthal, Heller, Schatz, 
Markey, Fischer, Sullivan, Moran, Manchin, Johnson, Peters, 
Gardner, and Daines.

             OPENING STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    The Chairman. Good morning. This hearing will come to 
order.
    The protection of privacy on the Internet is vital. 
Protection from identity theft, protection from deeply private 
information: this is important to us as citizens and as 
consumers, and it's fundamental for allowing the Internet and 
the information economy to thrive, and thrive they have.
    Internet usage has increased 900,000 percent since the 
Telecom Act of 1996, and to meet that demand, the broadband 
industry has invested $1.4 trillion. This growth occurred under 
the Federal Communications Commission's light regulatory 
treatment of the Internet as an information service, and under 
the careful eye of the Federal Trade Commission, which, with 
limited exceptions, was responsible for protecting consumer 
privacy on the Internet. The FTC has brought over 500 cases 
protecting the privacy and security of consumer information, 
including cases where companies were alleged to have 
deceptively tracked consumers online or to have shared private 
consumer data with unauthorized third parties.
    The FTC has been the leader in protecting consumer privacy, 
but with the FCC's 2015 Open Internet Order, all of that 
changed. Broadband Internet Access Service, or BIAS, was 
reclassified as a telecommunications service, which, in turn, 
meant the FTC lost its jurisdiction over the privacy policies 
of BIAS providers.
    So now, after having forced the FTC off the field for 
broadband providers, the FCC has proposed a novel regulatory 
scheme for the newly reclassified providers. But the FCC's 
rules would apply only to certain parts of the Internet, and 
that is a source of significant concern. Both the Obama 
administration and the FTC have endorsed a consistent privacy 
regime across the digital landscape. Indeed, the FTC staff 
filed comments with the Commission stating, ``The FCC's 
proposed rules, if implemented, would impose a number of 
specific requirements on the provision of BIAS services that 
would not generally apply to other services that collect and 
use significant amounts of consumer data. This outcome is not 
optimal.''
    For those of you not familiar with bureaucrat-speak, let me 
tell you this, when they say, ``this outcome is not optimal,'' 
it's pretty strong stuff for one agency to say about another.
    I share the FTC's concern, and by overwhelming majority, so 
do the American people. Progressive Policy Institute polling 
shows that 94 percent of Internet users believe that all 
companies collecting data online should follow the same 
consumer privacy rules so that consumers can be assured that 
their personal data is protected regardless of the company that 
collects or uses it.
    I am concerned that at any particular time consumers will 
not have reasonable certainty of what the rules are and how 
their privacy decisions apply. At home on Wi-Fi? At home on a 
smartphone? Using your smartphone on a friend's Wi-Fi? Using 
the Internet at a library? Each of these could have very 
different privacy implications for a consumer because of the 
FCC's proposed piecemeal approach to privacy.
    There are other problems for consumers as well. Will the 
Commission's proposed rules make it more or less likely that 
BIAS providers will be able to provide better and more 
innovative services that could benefit consumers? And of 
particular importance to our rural communities, how are small 
BIAS providers going to be able to comply with the Commission's 
proposed regulations? Most of the rural carriers in South 
Dakota have between 2,000 and 5,000 broadband subscribers. How 
are they supposed to pay for the additional staff, software 
licenses, training, and other expenses that would be required 
to comply with the Commission's proposed rules?
    The FCC's push for a separate regulatory scheme for BIAS 
providers is based in significant part on their claim that ISPs 
are the most important and extensive conduits of consumer 
information, and thus have access to very sensitive and very 
personal information. I am not so sure about that. It appears 
that many companies that are not broadband providers have 
access to information about consumers that is more personal and 
more sensitive than much of what ISPs can access, yet those 
entities are not covered by the Commission's proposal.
    Is the FCC, which is a novice when it comes to regulating 
Internet privacy, the right agency to protect us from identity 
theft and to protect our private information? Do we want to 
have inconsistent privacy protection for consumers, with 
distinctions based upon how the Commission chooses to classify 
services under the Communications Act, an act that never 
envisioned the FCC dealing with online privacy or 
cybersecurity? Would consumers and companies be better off with 
the FCC's proposal?
    The witnesses we have before us today represent a broad 
variety of backgrounds and are true experts on these issues. 
And I look forward to your answers to these and other questions 
that you are asked here today.
    With that, I would yield to our distinguished Ranking 
Member, the Senator from Florida, Senator Nelson, for an 
opening statement.

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Thank you, Mr. Chairman.
    If we all share the same goal of how to best protect 
consumer online privacy, then it seems that we are bifurcated 
in our approach to this because in looking at the FCC's 
proposed privacy rules, both sides of the debate come at these 
questions with preconceived notions about how best to achieve 
this goal. On the one side, we are told that the FCC should not 
be adopting any rules for broadband providers because we are 
not also applying those same rules to every online player. On 
the other side, we're told that the FCC should adopt the most 
stringent rules possible in order to prohibit broadband 
providers from using any consumer data.
    Well, it seems to me that the question is ultimately how to 
preserve the benefits of online commerce, but in a way that 
takes into account consumers' right to know about and, when 
appropriate, control the collection and use of their personal 
information. So putting aside the claims of regulatory 
overreach or power grabs, isn't it clear the FCC is the expert 
agency for regulating communications networks, including 
broadband networks? It is an expert oversight agency with 
flexible forward-looking authority to protect consumers.
    If the content is governed by the FTC under the fair and 
deceptive practices standard, isn't it right for the FCC, as it 
has over the past several years and as I have pushed, to also 
use its authority to protect privacy? We need regulators who 
are not afraid to use their authority when necessary, to 
protect consumer privacy, but also we need the regulators to 
know when to exercise that authority in a restrained manner.
    Now, this is a difficult balance, but that doesn't mean 
that an agency should defer or otherwise be reluctant to do 
what it believes is in the best interest of protecting 
consumers. The FCC is still in the middle of a rulemaking to 
sort all of this out.
    Thank you, Mr. Chairman, for calling this hearing so that 
we can hear all the attitudes about the FCC's proposals and 
alternative approaches, but at the end of the day, I can tell 
you this Senator is going to side with the consumers in 
whichever approach that I can conclude best protects the 
privacy of broadband subscribers.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Nelson.
    We've got a great panel today to hopefully shed some light 
on this subject. And on my left and your right is Mr. Jon 
Leibowitz, a Partner at Davis, Polk & Wardwell, and a Co-Chair 
of the 21st Century Privacy Coalition. He is also a former 
Chairman of the Federal Trade Commission.
    Next to him is Mr. Dean Garfield, who is the President and 
CEO of the Information Technology Industry Council.
    Professor Paul Ohm of Georgetown University Law Center.
    And Mr. Matthew Polka. He is the President and CEO of the 
American Cable Association.
    And Professor Peter Swine [sic], the Huang Professor of Law 
and Ethics for the Scheller College of Business at the Georgia 
Institute of Technology.
    We're delighted to have all of you with us today. Thank you 
for being here. We look forward to hearing from you and asking 
you some questions. And we'll start, as I said, on my left, and 
your right, with Mr. Leibowitz. So please proceed with your 
remarks. And if you could all confine it as close to possible 
with 5 minutes, we would very much appreciate it.
    Thank you.

    STATEMENT OF HON. JON LEIBOWITZ, PARTNER, DAVIS, POLK & 
    WARDWELL AND CO-CHAIRMAN, 21ST CENTURY PRIVACY COALITION

    Mr. Leibowitz. Thank you, Chairman Thune, Senator Nelson, 
other distinguished members of the Committee. I appreciate you 
inviting me to testify today on behalf of the 21st Century 
Privacy Coalition, which I chair with former Representative 
Mary Bono.
    Our Coalition is comprised of the Nation's leading 
communications companies, which have a strong interest in 
bolstering consumers' trust in online services. We believe the 
best way to ensure protection of consumer privacy is through a 
comprehensive and technology-neutral framework based on the 
type of data being collected and how it is used rather than on 
the type of entity collecting the data. And that is exactly the 
approach that the Obama administration has endorsed and the FTC 
has taken in decades, as you know, of robust privacy 
enforcement.
    The FTC has held hundreds of companies, large and small, 
accountable for breaking their privacy commitments to 
consumers, and by taking a largely enforcement-based approach 
rather than setting out prescriptive rules, the FTC has 
powerfully protected privacy while permitting the type of high-
tech innovation that has yielded huge benefits to all 
Americans. And when the FTC has done a rulemaking--so think 
about Do Not Call or the Children's Online Privacy Protection 
Act, as Senator Klobuchar and Senator Markey know, they have 
been successful. Indeed, the FTC approach has been so 
successful that in 2012 the White House called on the FTC to be 
solely responsible for protecting the privacy of every American 
across every industry, and that, of course, includes ISPs.
    As we know, last year the FTC's sister agency, the FCC, 
reclassified Internet service providers as common carriers, as 
part of the Open Internet Order. That decision removed ISPs 
from the FTC's jurisdiction. Having assumed sole jurisdiction 
to protect privacy among broadband users, the FCC is reasonably 
engaged in rulemaking. After all, we want to have a cop on the 
beat. And our Coalition was initially encouraged by Chairman 
Wheeler's stated aim to craft the proposed privacy rules in a 
manner, and I quote, consistent with the FTC's thoughtful, 
rational approach, and with the core principles of the FTC's 
2012 privacy report in mind.
    But the FCC's proposed rules, as currently drafted, are 
very different from FTC practice and policy. Instead, the 
proposed rules impose a restrictive set of requirements on 
broadband providers that don't apply to other entities that 
collect as much or more consumer online data. The ISP-specific 
rules don't provide clear benefits to consumers, they don't 
protect privacy in the way that they should, they may 
themselves be unconstitutional, and more troubling, or at least 
as troubling, these restrictive requirements represent a 
fundamental change in the U.S. approach to privacy, a change 
that should not be made lightly or without the input of all 
stakeholders. Indeed, the FCC has not identified any consumer 
harms that warrant a vast departure from the FTC's successful 
approach.
    So the goals may be laudable, I have no doubt they are, but 
the draft rules betray a fundamental lack of understanding 
regarding how the Internet ecosystem works. Indeed, the FCC's 
proposed rules may well discourage the very broadband 
innovation that the FCC is statutorily obligated to promote, 
thereby harming the very consumers it's supposed to benefit.
    Let me highlight four salient flaws in the FCC's proposal.
    First, it is not technology-neutral. It would impose 
prescriptive rules on only a subset of the Internet ecosystem, 
and by doing so, diminish broadband providers as a potential 
competitive force to benefit consumers.
    Second, the FCC's proposal would impose opt-in consent 
requirements for non-sensitive data and basic everyday business 
practices, like first-party marketing. For example, an ISP, 
absent an opt-in consent, would be prohibited from marketing 
its own home security, music streaming, or energy management 
services to its own customers using its own customer lists; 
that makes no sense at all, nor would prohibiting a typical 
working-class family of four from accepting a discount in 
exchange for an ISP using customer information, even if that 
information isn't shared with anybody else. Consumers should be 
able to make their own choices as long as they are informed 
choices. Choice is really supposed to be what the Internet is 
about.
    Third, the NPRM, as drafted, would miss the opportunity to 
create consumer benefits from de-identified data.
    And, fourth, the proposal would impose an unrealistic 
timeline for breach notification and mandate massive 
overnotification that could cause consumers to ignore truly 
important messages from their ISP or from others.
    And don't take my word for it, as you pointed out, Senator 
Thune, my former agency, the FTC, has referred to aspects of 
the NPRM as, ``not optimal.'' In the FTC's comments on the FCC 
proposal, comment to the FCC, there are 28 separate instances 
where the FTC raises concerns about the FCC's approach.
    If I could make one suggestion to the FCC, it would be 
this: listen to the FTC and consider whether the FCC proposal 
is in tension with the U.S. successful NIST cybersecurity 
framework or could undermine the EU-U.S. Privacy Shield as it 
works its way through the European Parliament.
    Mr. Chairman, I ask for an additional 30 seconds and then I 
will end. Thank you.
    But with that said, let me make one last point: Final rules 
are often more balanced than proposed ones. I think you made 
this point, Senator Nelson. We may see a lot of improvement 
when the NPRM moves to completion. But even if you don't 
believe the FCC's current proposal is a solution in search of a 
problem, it would nevertheless create inconsistent standards 
across the Internet, confuse consumers, and undermine 
innovation that benefits consumers as well. And there are 
serious questions about whether it would withstand 
constitutional scrutiny.
    For all these reasons, the 21st Century Privacy Coalition's 
view is that the FCC should adopt the FTC's time-tested and 
proven approach, a privacy framework that has largely been 
embraced by the Obama administration.
    Thank you. I'm happy to answer questions.
    [The prepared statement of Mr. Leibowitz follows:]

   Prepared Statement of Hon. Jon Leibowitz, Partner, Davis, Polk & 
        Wardwell and Co-Chairman, 21st Century Privacy Coalition
    Chairman Thune, Ranking Member Nelson, other distinguished Members 
of the Committee, thank you for inviting me to testify at this 
important hearing. My name is Jon Leibowitz and, along with former 
Representative Mary Bono, I serve as Co-Chair of the 21st Century 
Privacy Coalition.
    Our group is comprised of the Nation's leading communications 
companies, which have a strong interest in bolstering consumers' trust 
in online services and confidence in the privacy and security of their 
personal information. We believe that consumers should enjoy the same 
robust protections throughout the Internet ecosystem. I offer testimony 
today regarding the FCC's ongoing broadband privacy rulemaking on 
behalf of our group.
    As consumers' online activity grows in size and scope, it is more 
important than ever that consumers have a clear notion of how their 
data is being used and shared, and what is being done to protect their 
data from hackers and other bad actors. Since the Internet's inception, 
the Federal Trade Commission (``FTC'') has been the main privacy cop 
enforcing these essential consumer protections. But last year, the 
FTC's sister agency--the Federal Communications Commission (``FCC'')--
reclassified Internet Service Providers (``ISPs'') as common carriers 
subject to Title II of the Communications Act, removing ISPs from the 
FTC's jurisdiction. Having assumed sole jurisdiction over the privacy 
practices of ISPs, the FCC is currently engaged in a rulemaking to set 
out a privacy framework for ISPs.
    The 21st Century Privacy Coalition was encouraged by FCC Chairman 
Wheeler's stated aim to craft the proposed broadband privacy rules in a 
manner ``consistent with [the] FTC's thoughtful, rational approach,'' 
and with the core principles of the 2012 FTC Privacy Report, 
``Protecting Consumer Privacy in an Era of Rapid Change:'' privacy-by-
design; choice; and transparency. Our group believes that an FCC 
rulemaking consistent with the FTC's privacy framework would ensure 
that privacy enforcement remains both robust and technology neutral--
that is, based on the sensitivity of data collected and how that data 
is used, rather than on the type of entity collecting the data. This 
would protect consumers while continuing to facilitate and encourage 
innovation and competition on the Internet.
    Such an approach also would better reflect the privacy and data 
security principles promoted by the Obama Administration after 
extensive research and outreach to stakeholders. In its 2012 Report 
``Consumer Data Privacy In a Networked World: A Framework for 
Protecting Privacy and Promoting Innovation in the Global Digital 
Economy,'' the Administration advocated for ``a level playing field for 
companies, a consistent set of expectations for consumers, and greater 
clarity and transparency.'' Moreover, the Report also recognizes that 
most first-party marketing is consistent with the context of the 
provider-consumer relationship, and that ``[c]ompanies should be able 
to infer consumer consent to collect personal data for these limited 
purposes.'' And the Report encourages companies to develop privacy 
protections based upon the ``sensitivity of the personal data that they 
collect, use, or disclose.'' In addition, the National Institute of 
Standards and Technology (``NIST'') Cybersecurity Framework has been 
highly lauded as an effective means of fostering increased security 
across a multiplicity of industries by placing a priority on risk 
management and flexible standards, rather than prescriptive and 
inflexible a priori rules.
    Unfortunately, while some parts of the FCC's proposed rules are 
consistent with the Obama Administration and FTC approach, in many 
important areas the rules deviate sharply from that approach, 
demonstrating both the FCC's lack of experience in the privacy area, 
and its failure to fully consider and test the likely impact of its 
proposed rule on consumers and ISPs alike during the course of its 
drafting process. Thus, we agree that, as the FTC noted, the FCC's 
approach is ``not optimal.''
    The FCC has proposed regulations for ISPs that go well beyond those 
imposed upon the rest of the Internet economy, and which, if adopted, 
would undercut benefits to the very consumers such rules seek to 
protect. Yet the FCC has failed to identify any harms or particular 
problems posed by ISPs that necessitate a divergence from the effective 
privacy framework that has applied to ISPs for years.
    The FCC's proposed rules do not reflect the economic and 
technological realities of the Internet ecosystem, which bears little 
to no resemblance to the traditional voice services market that the FCC 
has regulated under its Title II authority. In addition, it is 
inapposite to attempt to analogize the ISP industry to banks or health-
care companies to which sector-specific laws apply. Online data is 
collected and exchanged by many entities other than ISPs.
    In the Internet ecosystem, myriad entities have access to and use 
consumers' online information to provide customers free, advertising-
supported content and services, and a wide array of customized 
capabilities and offerings. Data-driven insights and offerings are a 
key driver of the growth of the Internet economy and the source of 
considerable innovation and benefits for consumers. Unfortunately, the 
FCC's proposed rules will make it much harder for ISPs to deliver these 
benefits, particularly compared to other online entities. For example, 
the NPRM would restrict consumer choice by prohibiting efforts by ISPs 
to promote broadband access by offering discounted service in exchange 
for targeted marketing. Thus, if enacted in its current form, the NPRM 
would harm, rather than benefit, consumers.
    In fact, ISPs are new entrants in the online advertising market, 
where ten companies, none of which are ISPs, hold over seventy percent 
of the market. The proposed rules would curtail ISPs' ability to enter 
that market and provide sorely needed competition. Under a reasonable 
reading of proposed rules set forth in the NPRM, ISPs would not be able 
to market their own non-communication-related products--like cloud 
services, music streaming, or a home security system--to their own 
customers without such customers' prior opt-in consent. The FCC must 
avoid an outcome in which ISP marketing practices that are clearly 
consistent with consumer expectations are restricted in a way that 
undermines consumer choice and eliminates opportunities for consumers 
to save money on products offered by an existing service provider. 
These marketing restrictions are also inconsistent with marketing laws 
already on the books--including CAN-SPAM and Do-Not-Call--in which 
Congress struck a balance between privacy and the dissemination of 
information to consumers by setting up opt-out regimes.
    Moreover, the proposed rules threaten to create not only consumer 
confusion, but also frustration and disruption of their online 
experiences. In a recent survey published by the Progressive Policy 
Institute, 94 percent of consumers agreed that ``[a]ll companies 
collecting data online should follow the same consumer privacy rules so 
that consumers can be assured that their personal data is protected 
regardless of the company that collects or uses it.'' In addition, 
because the United States has highlighted the FTC's approach to privacy 
in its negotiations with the European Union regarding cross-border data 
transfers, including the so-called Privacy Shield, there are concerns 
on both sides of the Atlantic that FCC divergence from the FTC privacy 
framework could undermine the Privacy Shield in the European Court of 
Justice as well as other U.S. international privacy negotiations. As 
the Obama Administration and FTC have long recognized, a truly 
consistent approach is critical to the continued growth of the 
Internet, to avoiding consumer confusion and misunderstanding regarding 
the uses of their data, as well as to permitting online innovation and 
competition to continue to flourish. The FCC's approach, as currently 
drafted, fails to achieve these important goals. This is an outcome 
that the FCC should abandon before adopting final rules.
    Further, the FCC's approach suffers from multiple constitutional 
infirmities and is unlikely to withstand court scrutiny. Rather than 
embark on such an approach just to be rebuked by the courts, the FCC 
should redraft its proposal to take into consideration the FTC's 
successful approach to privacy and to respect the constitutional 
boundaries of the FCC's authority.
The FTC Approach
    Privacy has long been a cornerstone of the FTC's consumer 
protection mission, and all of us who worked at the FTC are proud of 
the work we did to both protect consumer privacy and to ensure that 
consumers continue to benefit from the high-tech innovation and 
competition that has revolutionized modern life. As consumers migrate 
more and more of their lives online, the FTC has worked to ensure both 
that consumer privacy is safeguarded while providing companies with the 
flexibility to use data in ways that benefit consumers and foster 
competition and innovation.
    The FTC has a proven track record of success, built on robust 
enforcement, including over 500 successful privacy enforcement actions; 
occasional regulation such as the initial 1999 and subsequent 2010 
rulemakings on the Children's Online Privacy Protection Act; and 
thoughtful policy initiatives like the 2012 Privacy Report, a multi-
year endeavor that incorporated the findings of iterative policy 
workshops beginning in 2006, a draft Privacy Report in 2010, and over 
450 comments from consumer and industry advocates, technology and 
policy experts, and the public. Indeed, when the FTC published its 
comprehensive Privacy Report in 2012, its approach received praise from 
many consumer and privacy groups, and some criticism from businesses. 
For example, the privacy organization Electronic Frontier Foundation 
praised the FTC for ``creat[ing] strong guidelines for protecting 
consumer privacy choices,'' while the Information Technology and 
Innovation Foundation criticized the FTC, raising concern about 
``important trade-offs and costs'' associated with the FTC framework.
    In the four years since the publication of the FTC's Privacy 
Report, in which there have been continued developments in the way 
consumers access and use the Internet itself, the FTC has held more 
workshops and issued additional reports and guidance tailored to 
specific sectors, technologies, and practices to account for changes in 
the services offered over the Internet, and in the data collection and 
tracking technologies used by various entities within the Internet 
ecosystem. Despite these changes, the framework established in 2012 and 
the principles within the framework not only remain the same, but are 
even more resonant.
    The 2012 Privacy Report presents a single, comprehensive framework 
that companies should consider and implement when collecting, using, 
and maintaining consumer data. These principles are:

  (1)  Privacy by Design: calling on companies to provide reasonable 
        security for consumer data, to limit the collection of consumer 
        data to what is consistent in a context of a particular 
        transaction, to implement reasonable data retention and 
        disposal policies, and to maintain reasonable accuracy of 
        consumer data;

  (2)  Consumer Choice: encouraging companies to offer consumers the 
        ability to make decisions about the collection and use of their 
        personal data in a timely and contextual manner; and

  (3)  Transparency: encouraging companies to increase the transparency 
        of their information collection and use practices through 
        easily-readable privacy statements and consumer education.

    The FTC furthers these principles through robust enforcement rather 
than prescriptive regulation. It goes after companies when they break 
their privacy commitments to consumers or take actions that cause 
consumers real harm. This approach is flexible and promotes high-tech 
innovation, and it has held hundreds of companies, large and small, 
accountable when they cause real harm to consumers without 
countervailing benefits to consumers or competition.
    Importantly, in addition to creating a comprehensive framework for 
both online and offline data collection and use, the FTC Report 
highlighted the importance of a technology-neutral approach to privacy: 
Even after thoroughly studying the data collection and use practices of 
ISPs and other large platform providers, the FTC concluded that ``[a]ny 
privacy framework should be technology neutral.'' In other words, 
privacy enforcement should not depend upon the type of company using or 
collecting consumer data or the particular technology being used to do 
so. Indeed, the FTC specifically examined the question of whether large 
platform providers--a category that includes ISPs, but also social 
networks, operating systems, browsers, and advertising platforms--
should be subject to more stringent privacy obligations and, after a 
comprehensive inquiry, declined to take such a step. Instead, the FTC 
framework focuses on the sensitivity of the data collected and how 
those data are used. Consistent application of the principles is 
designed to provide consumers with clear and uniform privacy and data 
security protections, regardless of the particular product or service 
being used. The Administration has supported the FTC's policy of 
technology neutrality for privacy and the goal of a harmonized privacy 
framework for the entire Internet ecosystem.
    Finally, it is worth noting that the comments the FTC filed in the 
FCC's privacy proceeding, based largely on its 2012 Privacy Report, 
were unanimously supported by all three sitting commissioners. There is 
more enduring impact, and often more legitimacy, from bipartisan 
regulatory action.
The FCC's Proposed Rules
    The FCC's stated principles of transparency, consumer choice, and 
data security are framed as matching the principles at the heart of the 
FTC's framework and other privacy regimes in the United States and 
globally. And certain specific proposals in the NPRM are also 
consistent with the FTC approach. For example, the FCC's call for 
notice and consent to consumers of retroactive material changes to data 
collection and use is consistent with the FTC's framework and 
enforcement.
    But, as the FTC staff noted in its comments on the FCC's proposal, 
``the FCC's proposed rules, if implemented, would impose a number of 
specific requirements on the provision of [broadband] services that 
would not generally apply to other services that collect and use 
significant amounts of consumer data. This is not optimal.''
    In effect, the FCC proposal amounts to a de facto rejection of the 
FTC's technology neutral treatment of ISPs under the same set of 
standards applicable throughout the Internet ecosystem. Instead, the 
FCC's proposed rules require a broad default opt-in requirement for the 
use and sharing of customer data, with limited exceptions, rather than 
narrowly tailoring its opt-in to the collection and use of sensitive 
customer data. The FCC is also much more restrictive with regard to 
first-party uses of information, which enable companies to improve 
their service and apprise their customers of offers and products of 
interest to them. The FCC should recognize the FTC's experience and 
heed the latter's concerns with the NPRM.
    The breadth of data covered by the proposal, and the highly 
restrictive nature of the permissions regime employed by the FCC, 
creates a serious risk of unforeseen consequences that could adversely 
affect Internet capabilities and operations as well as disrupt consumer 
expectations. During the development of the 2012 Privacy Report, FTC 
staff addressed the potential impact of various proposals and ideas 
through extensive ``stress testing,'' whereby staff held scores of 
meetings with industry and consumer groups alike to test particular 
components in order to determine whether the desired outcome would be 
achieved. The FCC should conduct similar meetings to fully understand 
the effects of its proposed requirements, which have the potential to 
disrupt not only the broadband industry, but the entire Internet 
ecosystem, including competition in the online advertising market. What 
follows is a discussion of specific differences between the FCC 
proposed rules and the FTC approach.
Scope
    The FCC's Notice of Proposed Rulemaking (``NPRM'') applies onerous 
privacy and security requirements to a sweeping range of information 
that is not sensitive, such as IP and MAC addresses, as well as any 
other information that is ``linked or linkable to'' a user or device. 
This differs from the FTC approach, which sought to calibrate the 
framework's obligations to incentivize the strongest protections for 
the most sensitive data.
    The FCC's treatment of de-identified data is particularly 
problematic. Because de-identified data does not present a risk to 
consumer privacy or security, the FTC framework does not govern the 
notice, use, disclosure, security, or notification of breach of 
anonymized or de-identified individual data, as long as such data 
cannot be reasonably linked to a particular consumer, computer, or 
device. The FCC's proposal appears to confuse the FTC's guidance on the 
``reasonable linkability'' standard and the appropriate steps companies 
can take to minimize such linkability with a standard for aggregation, 
which is but one way to de-identify data. The NPRM would limit the 
exception for de-identified data only to data that is both aggregated 
and de-identified.
    By discouraging companies from investing in resources and tools to 
de-identify data, the FCC's proposal actually exacerbates--rather than 
mitigates--risks to consumer privacy. For example, as discussed below, 
the proposed breach notification rules would require ISPs to notify 
consumers if there is an incident in which IP addresses are 
compromised. Because IP addresses on their own cannot be used to 
identify, let alone contact, an individual, the proposed rule would 
force ISPs to associate IP addresses with appropriate customer contact 
information to comply, increasing the likelihood that any incident 
results in the release of information that could be used to harm 
consumers. But both the Administration and FTC policies encourage 
providers to dissociate such data to minimize the potentially harmful 
effects of any security incident.
    Finally, by including broad categories of non-sensitive data within 
the scope of the NPRM's definition of customer proprietary information, 
the FCC invites irrational outcomes by placing burdensome requirements 
on ISPs that serve no discernible consumer privacy interest. For 
example, under a reasonable reading of the rule, ISPs must provide 
notice of data breaches to law enforcement and customers even under 
circumstances where there is no risk of harm to consumers. ISPs would 
also be prohibited from using their own customer lists to e-mail 
consumers about their own non-communications-related products and 
services.
Application
    As noted above, in the 2012 Report, the FTC stated: ``[A]ny privacy 
framework should be technologically neutral.'' There is widespread 
agreement on this point among consumer and industry advocates alike. At 
the FTC's December 2012 workshop, ``The Big Picture: Comprehensive 
Online Data Collection,'' Maneesha Mithal, Associate Director of the 
Privacy Division at the FTC noted this consensus in her closing 
remarks, describing ``the need for tech neutrality'' as an area of 
consensus and emphasizing that ``[w]e can't be picking winners and 
losers in this space.''
    Moreover, since 2012, the precipitous rise of encryption and the 
proliferation of networks and devices have limited the scope of 
customer data available to ISPs, while other companies operating online 
have gained broader access to consumer data across multiple contexts 
and platforms. For example, today, nearly half of Internet traffic is 
encrypted, dramatically limiting the information visible to ISPs, and 
an estimated 70 percent will be encrypted by the end of this year. This 
sea change in only four years drives home the importance of technology 
neutral privacy frameworks. Because the FCC is not in a position to 
dictate privacy rules for the entire Internet ecosystem, it should 
strive to harmonize its proposed rules with the FTC framework, and 
carefully consider the consequences of failing to do so. Unfortunately, 
the NPRM seems to be unaware of marketplace developments in the last 
several years as well as the harms caused by a bifurcated privacy 
framework.
Choice and Context
    In its comments, FTC staff leveled criticism at the FCC's proposed 
consumer choice rules and recommended ``that the FCC consider the FTC's 
longstanding approach, which calls for the level of choice to be tied 
to the sensitivity of data and the highly personalized nature of 
consumers' communications in determining the best way to protect 
consumers.'' In particular, the FTC has never considered all web 
address information to be sensitive. Such a conclusion would have major 
implications for the entire Internet ecosystem.
    The FCC's proposed restrictive choice mandates that selectively 
target ISPs prevent consumers from accessing new products and services 
and potentially confuse them, but provide no benefits to consumers. 
They also constrain ISPs' ability to compete with edge providers, and 
likely will discourage broadband investment in a manner contrary to the 
FCC's mandate to promote such investment.
    Under the FTC framework, when a consumer does business with a 
company, there are certain uses of the consumer's information by the 
company for which consumer choice is implied because such use is 
consistent with ``the context of interaction between a business and the 
consumer.'' This implied consent covers uses and disclosures for 
product or service fulfillment, internal operations, most first-party 
marketing, and more. As the FTC commented, ``[o]pt-in consent should be 
required for use and sharing of contents of consumer communications and 
sensitive data for purposes other than those for which consent is 
implied.'' The Administration's 2012 report also recognizes that 
``companies may infer consent to use personal data to conduct marketing 
in the context of most first-party relationships.'' Opt-in consent is 
limited to truly ``sensitive data'' and technologies that use ``all or 
substantially all'' customer data.
    The FTC framework calls for a consumer opt-out for almost all 
online tracking, not an opt-in. According to the FTC, ``[o]pt-out is 
sufficient for use and sharing of non-sensitive data.'' The FCC 
proposal is a vast departure from this guidance.
    Rather than narrowly tailoring a requirement for opt-in consent to 
truly ``sensitive data,'' the proposed rules would impose a broad opt-
in requirement upon ISPs for the use or disclosure of a wide swath of 
consumer data for an extensive range of practices--including practices 
for which the FTC requires no choice at all because consent is implied. 
The notion that a bright-line opt-in requirement should apply to the 
collection of online information would represent a wholesale revision 
of U.S. privacy laws and would risk harm to the overall health of the 
Internet by constraining the beneficial use of data.
    The FCC's proposed rules disregard the context of the interaction 
between the consumer and the service provider. In today's economy, a 
company's relationship with its customers involves more than just 
providing service. It also requires understanding the ways in which 
services are used, identifying areas for improvement, and making 
consumers aware of product offers and enhancements that may interest 
them. By ignoring the balance between privacy and data-driven insights 
and innovation, the FCC's approach actually makes consumers worse off.
    The FTC does not require companies to provide any choice to present 
advertising to their own customers, except where that advertising was 
presented by tracking a user's online activity across other companies' 
websites or intentionally using sensitive information collected from 
its customers. Under the FCC's proposal, however, any use of customer 
information that is not relevant to marketing a communications-related 
service would require opt-in consent from the customer. Indeed, under 
the proposed rules, an ISP would likely not be able to market its own 
non-communication-related products--like a home security system, cloud 
services, or music streaming--to its own customers without their prior 
opt-in consent, regardless of the marketing channel used and despite 
the fact that this type of first-party marketing is certainly 
consistent with consumer expectations, and, indeed, with the 
significant benefits consumers have received from lower bundled prices 
and innovative new offerings for many years.
    The FCC's overbroad opt-in proposal has the potential to stifle 
innovation and competition in the online advertising marketplace and 
undermine benefits to consumers. As the FTC has recognized, the ability 
to effectively monetize online data has yielded astounding benefits to 
consumers. But consumers presented with an opt-in notice are likely to 
choose the path of least resistance. That is, many consumers will click 
``no'' to avoid devoting time and energy to understanding an opt-in 
request. However, when opt-in requirements are the rule rather than the 
exception, and consumers take this approach in aggregate, everyone 
loses out on the benefits of reduced-cost or free products and services 
subsidized by the effective monetization of online data. While ISPs 
rely primarily on subscription fees, limiting their ability to 
effectively use customer data in turn limits a potential avenue for 
reducing the cost of broadband Internet access to consumers. Consistent 
with the FTC's technology-neutral approach, ISPs should be able to use 
information in a manner consistent with consumer expectations and in a 
way that correlates to how the rest of the Internet ecosystem provides 
choice. Requiring over-inclusive opt-in consent mechanisms would unduly 
restrict ISPs from participating in the same Internet marketplace the 
FTC has found to provide benefits to both consumers and competition.
    The FCC's NPRM also departs fundamentally from FTC guidance and 
questions the core principle of customer notice and choice by 
suggesting that it could be appropriate to prohibit ISPs from offering 
discounted services in exchange for being able to offer targeted 
marketing. Many of us may decide that the price to pay to avoid 
personalized marketing is worthwhile, and so long as ISPs provide 
sufficient information to enable an informed choice, consumers 
themselves should be able to choose how to value their own privacy. The 
FCC should not interfere with consumer choice.
    The application of a broad opt-in requirement for non-sensitive 
information as proposed by the FCC would create an isolated privacy 
regime for ISPs that bears little correlation with consumer data 
practices used in virtually every other sector. Deviating from the 
FTC's privacy framework overall, but especially from the FTC's emphasis 
on determining consumer choices based upon the sensitivity of the 
information, the context of a consumer's interaction with a company, 
and the consumer's expectations, will inevitably result in consumer 
confusion over illogical, disparate standards applied to the same set 
of data. Ultimately, while the FCC Privacy NPRM purports to be based 
significantly on the FTC privacy framework, it is far more restrictive 
in all of the above respects, without providing any clear benefits to 
consumers or identifying harms it is trying to address. Rather than pay 
lip service to the FTC's well-tested approach to privacy, the FCC 
should actually heed the FTC's advice and harmonize the former's 
privacy regime with the latter's.
Data Security and Breach Notification
    The FCC's proposed data security provisions, requiring ISPs to take 
reasonable measures to protect customer data, are consistent at a high 
level with the approach set out in the FTC Report. However, their 
prescriptive and static nature is at direct odds with the NIST 
Cybersecurity Framework, which has been voluntarily adopted by a wide 
swath of industry and reflects flexible and reasonable standards that 
emphasize business-driven responses and solutions to cyber threats over 
prescriptive regulatory measures. Specifically, the FCC should replace 
its strict liability data security standard with a reasonableness 
standard. In addition, these requirements should be more narrowly 
tailored to apply to customer information that carries a risk of harm 
in the event of a breach.
    The proposed FCC breach notification rules would require ISPs to 
notify consumers of a breach of a very broad new definition of 
``customer proprietary information,'' much of which includes categories 
of data that do not pose any risk of harm to customers in the event of 
a breach, such as IP and MAC addresses and de-identified data. While 
the concept of breach notification is consistent with the approach the 
FTC and most states have taken, the proposed implementation by the FCC 
for innocuous data and to notify only ten days after discovery of the 
breach is very different and far more cumbersome.
    The FTC has long supported requirements for companies to notify 
consumers of security breaches in appropriate circumstances, such as 
when information has been compromised that can lead to harms such as 
financial loss or identity theft. The FTC has advocated that ``any 
trigger for providing notification should be sufficiently balanced so 
that consumers can take steps to protect themselves when their data is 
at risk, while avoiding over-notification, which may confuse consumers 
or cause them to ignore the notices they receive.''
    The proposed rules, as currently drafted, would mandate over-
notification. As the FTC staff notes in its comments on the proposed 
rules, the FCC should limit its notification requirement to a 
``narrower subset of personal information than `customer proprietary 
information' '' as the FCC has proposed that term to be defined in 
order to avoid over-notification to consumers. As the FTC staff 
asserts, ``when consumers receive `a barrage of notices' they could 
`become numb to such notices, so that they may fail to spot or mitigate 
the risks being communicated to them.' '' The NPRM states that the FCC 
intends to avoid this outcome, but major changes are required to the 
breach notification provision to achieve this goal. Otherwise, the FCC 
will jeopardize, rather than enhance, data security.
    The proposed rules also contain an unrealistic timeline for 
customer notification, requiring ISPs to notify customers of a breach 
no later than ten days after the discovery of a breach. The FTC's 
Health Breach Notification Rule requires companies to notify affected 
consumers ``without unreasonable delay'' and within 60 calendar days 
after the breach is discovered. Under the most restrictive time 
requirements among the general state breach notification laws--there is 
currently a patchwork of 47 state laws--an entity is required to 
provide notice ``as expeditiously as practicable and without 
unreasonable delay but no later than 30 days after determination of 
breach, consistent with time necessary to determine scope of the 
breach, identify individuals affected, and restore the reasonable 
integrity of the system,'' and with a 15-day extension granted for 
``good cause shown.'' The FTC staff comments suggest an outer limit of 
between 30 and 60 days, which it views as ``adequate for companies 
while protecting consumers.'' When finalizing its breach notification 
rules, the FCC should take these realities into consideration.
Constitutional Flaws In the FCC's Proposal
    Fundamentally, the NPRM's requirements would impose a substantial 
burden on speech because they would preclude ISPs from engaging in 
important and relatively routine communications with their customers. 
As discussed above, the NPRM would impose an opt-in consent requirement 
for the use or sharing of information, including non-sensitive 
information, by ISPs and their affiliates to market a broad category of 
non-communications related services. While this requirement is also the 
wrong policy outcome, it would prevent the type of targeted speech from 
which consumers benefit, and would prevent speech which will continue 
to be permitted for non-ISPs.
    In order to pass constitutional muster, such a burden on commercial 
speech must satisfy each element of the three-part test set out in 
Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm'n, 447 U.S. 557 
(1980), which asks whether (1) ``the government interest is 
substantial''; (2) ``the regulation directly advances the governmental 
interest asserted''; and (3) ``it is not more extensive than necessary 
to serve that interest.'' Harvard Professor Laurence H. Tribe has 
concluded that the NPRM fails on each prong of the Central Hudson 
test.\1\
---------------------------------------------------------------------------
    \1\ Laurence Tribe and Jonathan Massey, The Federal Communication 
Commission's Proposed Broadband Privacy Rules Would Violate the First 
Amendment, at 4 (May 27, 2016), http://www.ctia.org/docs/default-
source/defaultdocument-library/ctia-ncta-ust-file-tribe-paper.pdf.
---------------------------------------------------------------------------
    First, in Professor Tribe's view, the government has not 
articulated a substantial interest in restricting ISPs' ability to use 
customer information already in their possession, particularly where that 
information is not disclosed to third parties. Second, as discussed 
above, the NPRM completely ignores the fact that, even if the proposed 
highly burdensome rules are imposed on ISPs, myriad edge providers will 
continue to collect and share the same type of consumer information. As 
Professor Swire notes in his testimony, edge providers often collect 
more consumer information than ISPs and the former represent the 
dominant players in the online advertising market. For this reason, 
Professor Tribe has concluded that this asymmetry demonstrates that the 
NPRM cannot be considered to directly advance an important governmental 
interest. And third, Professor Tribe has concluded that the NPRM's 
proposed opt-in rule is not narrowly tailored because a less obtrusive 
opt-out rule would serve any legitimate government interest in 
protecting consumers from first-party marketing.
    The FCC is already familiar with the Central Hudson constraints on 
the restrictions the agency may impose pursuant to Section 222 of the 
Communications Act (47 U.S.C. Sec. 222). In U.S. West Communications, 
Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), the U.S. Court of Appeals 
for the 10th Circuit struck down the FCC's attempt at regulations 
governing Customer Proprietary Network Information (``CPNI'') with 
respect to voice communications. In that case, the court determined 
that the collection and sharing of CPNI among affiliates constituted 
speech and that the FCC's opt-in regime did not satisfy intermediate 
First Amendment scrutiny. As Professor Tribe notes, the proposals in 
the NPRM ``represent a much larger burden on speech and are far less 
tailored to any substantial governmental interest.'' (emphasis in 
original) \2\ Because the NPRM's proposed opt-in requirement poses a 
substantial burden on speech and is not tailored to any substantial 
governmental interest, it is susceptible to a constitutional challenge.
---------------------------------------------------------------------------
    \2\ Id.
---------------------------------------------------------------------------
Conclusion
    Mr. Chairman, thank you for holding this hearing today. Our 
Coalition commends you and Senator Nelson for devoting the Committee's 
attention to this critically important issue. It is through the 
exercise of your crucial oversight authority that Congress can right 
the course of agency rulemakings that have veered away from mainstream, 
practical policy goals.
    In reviewing the record in the FCC's privacy proceeding, the 
breadth and depth of the objections to the proposed rules are striking. 
A diverse set of parties, ranging from civil rights groups, academics, 
researchers, security specialists, start-ups, advertisers, ISPs, 
equipment companies, software providers, IT providers, edge entities, 
and other Federal agencies all raise important and substantive concerns 
about key features of the FCC's proposal. Indeed, separate and apart 
from ISP objections to the FCC's proposal, there is very little support 
in the record for these rules from any entity that is in any way 
involved in network operations, management or security, or otherwise 
involved--either as an ISP or an edge provider--in providing services 
to broadband consumers. The FCC's proposal is so troubling that a 
number of parties that are clearly outside the scope of the proposed 
rules (as well as competitors in the marketplace) nonetheless felt 
compelled to submit comments due to the proposal's potentially 
disruptive effects on the Internet ecosystem as a whole. I think this 
is something that should give policy-makers--both here and at the FCC--
pause. And it certainly counsels against rushing ahead to adopt an 
entirely new set of rules that depart so dramatically from the proven 
and effective FTC framework that governed ISPs' online activities prior 
to reclassification.
    As the FCC formalizes its privacy and data security rules, the 
agency should hold ISPs to the same robust privacy standards to which 
the FTC successfully held them for many years--and to which the FTC 
still holds the rest of the Internet ecosystem. A truly consistent 
approach will ensure a comprehensive, technology-neutral privacy 
framework that provides consumers the strong protections and choices 
they need and deserve, while reducing consumer confusion regarding what 
protections apply. At the same time, a consistent approach will promote 
the types of competition and innovation that fuel our economy. Such an 
approach will also demonstrate that the United States views the FTC 
approach to privacy as the preeminent model for consumer protection, 
which will help provide confidence to our trading partners that their 
own consumers will enjoy robust privacy protections under U.S. law.
    As someone who has been involved in more than a handful of 
rulemakings, I would point out that final rules are often 
more balanced than proposed ones. But the FCC's current proposal fails 
to achieve its own goals. Instead, it would create inconsistent 
standards across the Internet, harm and confuse consumers, and 
undermine innovation. The NPRM is of questionable constitutionality and 
does not reflect a reasoned approach to consumer privacy. For all these 
reasons, the 21st Century Privacy Coalition's view is that the FCC 
should ensure that any rules it adopts hew closely to the FTC's time-
tested and proven approach, which is consistent with the Obama 
Administration's approach to privacy and data security, and abandon its 
overly prescriptive, asymmetric rules.

    The Chairman. Thank you, Mr. Leibowitz.
    Mr. Garfield.

 STATEMENT OF DEAN C. GARFIELD, PRESIDENT AND CEO, INFORMATION 
               TECHNOLOGY INDUSTRY COUNCIL (ITI)

    Mr. Garfield. Good morning. Chairman Thune, Ranking Member 
Nelson, members of the Committee, on behalf of 60 of the most 
dynamic and innovative companies in the world, we thank you for 
inviting us to present at this hearing.
    This hearing is both timely and important. The companies 
that we represent that are members of ITI reflect the full 
cross-section of the tech sector, from servers to software and 
service, from social media to search. Those companies do not 
fall within the ambit of the FCC's Open Internet Order and so 
are not covered by the proposed rules.
    We are not here to choose sides between distinct regulatory 
agencies. Instead, what we present is our perspective on how to 
ensure that this vibrant ecosystem remains innovative and 
vibrant. I've submitted my testimony for the record, so rather 
than repeat it, I would like to hone in on three things: one, 
our perspective on privacy and cybersecurity; two, our views on 
the flaws of the FCC's approach; and, third, a path forward.
    I've chosen to focus on privacy and cybersecurity first 
because for our companies, they are first principles that are 
foundational. No two issues are more important to building and 
retaining trust with our customers, and we treat them 
accordingly. Privacy and security, by design, are not 
catchphrases in the tech sector, they're truly reflective of 
the commitment we place on privacy and security from the design 
phase to the delivery.
    The commitment of our companies to privacy and security is 
complemented by a rich, robust, well-developed privacy 
ecosystem that works. Jon alluded to much of it. In addition to 
the work of our companies, we have self-regulatory standards. 
We have the enforcement from the FTC and State attorneys 
general and, importantly, constant and consistent feedback 
from our companies that help to inform the approach that we 
take. The problem with the FCC's approach is that it parachutes 
into this rich, robust, well-developed ecosystem and assumes 
that it needs to rework all of the rules whole cloth. That 
presumption is faulty. For example, as Jon noted, the 
definition of PII is uniquely broad and bolts onto it a binary 
and rigid framework that's likely to prove unworkable. As well, 
around consent and choice, the FCC proposes an opt-in approach 
and to put its fingers on the thumb of the scale with no 
evidence that it's likely to work more effectively for 
consumers.
    The FCC takes the same approach on cybersecurity, where 
rather than following the leadership of the experts at NIST, 
that have focused on a risk-based approach that's grounded in 
standard global standards, it instead adopts an approach that's 
mechanical and focused on mandates. The rules, or the proposed 
rules, around data breach are reflective of that. There is 
little evidence that the approach proposed by the FCC will be 
more workable, and it's completely inconsistent with the 
approach that's being taken at the state level today.
    Our suggestion, or my testimony, should not be read to 
suggest that the FCC does not have a role here. Senator Nelson, 
the point you made resonates. We do not intend to suggest that 
the FCC's evaluation of these issues and attempt to find 
resolution of them is mistaken. What we intend to suggest is 
that the approach that they've taken is one that's inconsistent 
with best practices and what we know works.
    And so what we suggest as a path forward is that the FCC 
should take on board the comments that it's receiving, revise 
the existing NPRM to one that's more consistent with the well-
established privacy and security framework that exists today, 
largely guided by the FTC and NIST, and then come back with 
further comments so that we end up with something and rules in 
place that will help to advance the innovation ecosystem rather 
than to stymie them.
    I see that I have a few minutes remaining. I would just 
like to really thank the folks who are sitting behind me who 
are responsible for this testimony. My comments are really an 
embodiment of the thoughts that they've helped us to develop.
    Thank you.
    [The prepared statement of Mr. Garfield follows:]

      Prepared Statement of Dean C. Garfield, President and CEO, 
             Information Technology Industry Council (ITI)
    Chairman Thune, Ranking Member Nelson, and members of the 
Committee, thank you for the opportunity to testify today. I am Dean 
Garfield, President and CEO of the Information Technology Industry 
Council (ITI), and I am pleased to testify before your committee today 
on the important topic of how the Federal Communications Commission's 
(FCC or the ``Commission'') proposed broadband privacy regulations 
could impact consumers and competition.\1\
---------------------------------------------------------------------------
    \1\ Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services, WC Docket No. 16-106, Notice of Proposed 
Rulemaking, FCC 15-138 (April 1, 2016) (``Broadband Privacy NPRM'').
---------------------------------------------------------------------------
    ITI shares the Commission's interest in, and respects its efforts 
to, protect the privacy of consumers of broadband Internet access 
services. Privacy is of paramount concern to our member companies, many 
of whom are providers of information technology and Internet services, 
because it is at the core of the trust relationship with our customers. 
Though the FCC lacks the authority to regulate our member companies who 
are the ``edge providers'' of ``over the top'' internet-based services 
referred to in its Notice of Proposed Rulemaking (``NPRM''), we are 
nonetheless concerned with the approach taken by the Commission in a 
number of respects. We therefore welcome your interest and engagement 
on this subject.
    ITI is the global voice of the tech sector. We are the premier 
advocate and thought leader in the United States and around the world 
for the information and communications technology (ICT) industry, and 
this year we are pleased to be commemorating our centennial. ITI 
represents 61 of the world's leading ICT companies,\2\ and we advocate 
globally for policies that advance U.S. leadership in technology, 
promote innovation, open access to new and emerging markets, protect 
and enhance consumer choice, and foster increased global competition. 
ITI's members comprise leading technology and innovation companies from 
all corners of the ICT sector, as well as companies using technology to 
fundamentally evolve their businesses, including wireless and wireline 
network equipment providers, computer hardware and software companies, 
mobile computing and communications device manufacturers, Internet and 
digital service providers, and network security providers. ITI's member 
companies are also at the forefront of developing next-generation 
wireless communications equipment, infrastructure, networks, and 
services, along with the content, applications, and new uses that will 
be enhanced as mobile service evolves and advances. In other words, 
many of our members are the ``edge providers'' referred to in the FCC's 
proposal.
---------------------------------------------------------------------------
    \2\ For more information on ITI, including a list of its member 
companies, please visit: http://www.itic.org/about/member-
companies.dot.
---------------------------------------------------------------------------
    Privacy is of paramount concern to our member companies. Protecting 
our customers' personally identifiable information (PII) and their 
privacy, along with providing robust security, are essential to earning 
citizens' trust in the global technology marketplace. Innovating to 
protect privacy and security and to strengthen consumers' trust in the 
global digital infrastructure and Internet services are core to our 
companies' business practices and philosophies. Privacy is thus 
critical to our members' success, an essential component of our 
businesses, and impacts our ability to grow and innovate in a future 
heralding continued advances in the Internet of Things, Big Data, and 
beyond. Consequently, ITI has been a leading voice in advocating 
effective approaches to privacy, both domestically and globally.
    The Internet has thrived--and privacy has been protected--under the 
Federal Trade Commission's (FTC) approach to privacy, which is grounded 
in the Fair Information Practices Principles (``FIPPs''). This 
framework applies to all entities under the FTC's jurisdiction who 
collect and use consumer data. We believe the FCC's primary objective 
should be to closely harmonize with the existing FTC framework any 
Internet Services Provider (ISP) or broadband privacy rules it 
ultimately adopts. While the FCC has concluded that the regulation of 
Broadband Internet Access Services (BIAS) providers is uniquely within 
its purview following the FCC's decision to reclassify broadband as a 
Title II service, irrespective of whether that order is ultimately 
upheld in the courts, there is nothing in that decision that 
necessarily warrants a departure from the FTC's successful approach to 
privacy based on effective notice to consumers and a meaningful choice 
as to how their data is used. Unfortunately, the FCC intends to proceed 
in another direction, proposing a series of onerous privacy and data 
security rules that are out of step with established policy, law, and 
practice in this area.
    I will focus my testimony on four areas: (1) The FCC's lack of 
legal authority to regulate ITI's companies, including ``OTT'' or 
``Edge'' providers; (2) the inconsistency of the FCC's proposed privacy 
regulations with consumer expectations; (3) the broader inconsistency 
of the FCC's proposed privacy regulations with existing privacy 
authorities, frameworks and enforcement regimes, as embodied in the 
FTC's well-established approach to privacy; and (4) ITI's concern that 
the proposed rules will establish negative precedents that will 
ultimately adversely impact consumers, businesses, and the global 
policy ecosystem.
    On this latter point, I will highlight our concerns regarding how 
several of the specific rules proposed by the FCC are out of step with 
current law and practice, including: (1) the unreasonably short and 
inflexible breach notification periods; (2) the overbroad and 
unnecessary definition of personally identifiable information; (3) the 
overly burdensome consumer choice and consent framework; and (4) the 
prescriptive, inflexible data security requirements that are misaligned 
with current industry practice and Federal and state policymaking.
The FCC Lacks the Authority to Regulate ITI's Companies
    By and large, ITI's companies do not offer broadband Internet 
access service as a core part of their businesses, and could not be 
categorized as such given the definitions for BIAS and BIAS providers 
in the Open Internet Order and these proposed broadband privacy rules.
    Given this, ITI's companies are not subject to the FCC's 
jurisdiction under Title II, even after the FCC reclassified broadband 
Internet access service as a telecommunications service under Title II, 
nor is there a valid legal argument which could subject our companies 
to Title II regulation under the Open Internet Order adopted last year.
    The FCC specifically defines BIAS to mean ``[a] mass-market retail 
service by wire or radio that provides the capability to transmit data 
to and receive data from all or substantially all Internet endpoints, 
including any capabilities that are incidental to and enable the 
operation of the communications service, but excluding dial-up Internet 
access service. This term also encompasses any service that the 
Commission finds to be providing a functional equivalent of the service 
described in the previous sentence, or that is used to evade the 
protections set forth[.]'' The FCC defines a ``broadband Internet 
access service provider'' as a person or entity engaged in the 
provision of broadband Internet access service. Furthermore, the 
Commission specifically notes over-the-top services and service 
providers--a category into which many ITI member companies fit--are not 
broadband Internet access service providers and were not captured under 
the Open Internet Order nor the Broadband Privacy Notice of Proposed 
Rulemaking. In fact, in the Open Internet Order the Commission went out 
of its way to emphasize that while broadband Internet access service 
providers may offer over-the-top services, over-the-top providers of 
voice over Internet protocol, Internet protocol messaging services, and 
Internet video providers are separate and distinct from broadband 
Internet access providers.
    There are well-founded consumer, business, and economic reasons to 
rationalize why Internet and IT services providers and network 
operators including broadband services providers are treated 
differently from a regulatory perspective. From a consumer choice 
standpoint, there are significant differences between OTT services 
providers or Internet companies and BIAS providers. Consumers have 
traditionally had limited choices when it comes to choosing a BIAS 
provider for purposes of acquiring broadband or Internet service. 
Indeed, broadband access itself is increasingly considered a 
fundamental right by many--it is necessary for basic services at all 
levels of government, educational opportunities, workforce 
opportunities, and numerous other basic needs. Once a consumer has a 
broadband connection, however, consumers can easily choose amongst many 
different OTT applications and Internet service options, including 
choosing to discontinue one service, switch to another service, or 
subscribe to several comparable services simultaneously. And certainly, 
these types of services are not considered a right; rather, inherent in 
their multiplicity is the very concept of choice.
    Additionally, there are significant differences between the 
business and economic models of ISPs and edge service providers. 
Internet companies providing content or services to consumers have 
different economic interests than ISPs. For instance, consumers 
typically pay for broadband services whereas much of the content and 
many of the services provided to consumers over the Internet are ad-
supported and thus provided to consumers free of charge. This 
relationship has not changed under the reclassification of broadband 
Internet access service, nor has the legal and regulatory authority 
governing that relationship. Internet companies' relationship with 
their customers and the use of their customers' data has been and 
remains subject to FTC enforcement.
    ITI's perspective on this matter is solely driven by years of 
experience in engaging with, and helping to develop, the domestic and 
global privacy policy frameworks we operate under today.
The FCC's Proposed Data Privacy Rules are Inconsistent with Consumer 
        Expectations
    As I described above, ISPs and edge providers are very differently 
situated from the perspectives of consumers both in terms of how their 
business models are implemented and in terms of the regulatory reach of 
the FCC. The fact that there are fundamental differences between ISPs 
and Internet companies and those differences have historically given 
rise to different regulatory and enforcement regimes, however, does not 
give license to creating data privacy rules that are inconsistent with 
consumer expectations. Rather, how the FCC regulates data should be 
determined by what is best for consumers, whether consumers are 
suffering identifiable and quantifiable harms, and whether gaps exist 
in the current regulatory and enforcement regime.
    Additionally, sound privacy policy for one entity in the Internet 
ecosystem should be sound policy for all others. The FCC has not made 
the case to justify the type of expansive and prescriptive regulatory 
regime contemplated by the NPRM--a significant departure from the 
current FIPPs-based approach undertaken by the FTC.
    Fundamentally, if the FCC seeks to ensure the goals articulated in 
the NPRM of protecting consumer privacy, it must carefully weigh 
consumer interests and expectations. Unfortunately, the proposed 
regulations contain no indication that consumer interests--in 
particular whether they are suffering any harm under the current 
regulatory approach--demand expansive new regulations in this area. 
Consumers have embraced today's thriving internet, fueled by 
responsible data practices governed by the existing regulatory 
framework, and they have come to expect a seamless online experience 
across multiple devices that delivers convenience while also protecting 
their privacy. The current online ecosystem subsidizes online offerings 
that consumers value, promotes innovation, and grows the economy. There 
is simply no record of consumer harm supportive of the FCC's proposal 
for such restrictive regulations. In other words, the FCC's proposal 
should embrace a more measured approach. Consumer expectations have 
also not been factored into the FCC's analysis. Indeed, as Commissioner 
O'Rielly points out in his dissent, ``there is no need for the Notice 
to describe consumer expectations because it is irrelevant to the FCC's 
analysis.''
The FCC's Proposed Data Privacy Rules are Inconsistent with Existing 
        Privacy Frameworks and Enforcement Regimes
    We believe what would most benefit consumers is an approach that is 
consistent with existing privacy frameworks grounded in the FIPPs and 
consistent with existing privacy enforcement regimes. Consumers and 
industry benefit when one agency takes the lead on privacy regulation 
and enforcement because regulatory consistency permits continued 
innovation without bias among sectors. The FTC has a long history of 
addressing and enforcing privacy-related issues across industries. 
Indeed, the FTC has shown much leadership over the years as the 
enforcer on digital ecosystem issues, for both technical and legal 
reasons, and it remains well-situated to provide such leadership into 
the future.
    Specifically, existing voluntary self-regulatory standards 
supported by FTC enforcement are the appropriate tool to govern the 
dynamic and interrelated online content and advertising ecosystem. 
Currently, online data collection and use are governed by robust 
industry self-regulatory regimes that subject the industry to the 
jurisdiction of the FTC and state attorneys general. These regimes are 
regularly updated to reflect new business models, which reflect the 
responsible data practices so essential for the continued success of 
the Internet economy. Enforceable, voluntary, self-regulatory codes 
remain best suited to promote consumer privacy protections while 
allowing these legitimate data practices to flourish.
    Further, the FTC's enforcement authority provides effective legal 
safeguards for online data practices. In addition to industry self-
regulation, the FTC robustly enforces consumer privacy and data 
security standards using its authority to address ``unfair or deceptive 
acts or practices'' under Section 5 of the FTC Act. The FTC has used 
this authority to enforce company commitments to customers, to comply 
with industry self-regulatory requirements, and to protect consumers 
from harmful practices. State attorneys general typically follow FTC 
positions to actively enforce similar laws at the state level. These 
legal frameworks already provide consistent, meaningful consumer 
protections which can apply across industries, including to the 
practices the FCC now seeks to regulate. There is no need to create a 
new framework such as that proposed by the FCC because the FTC has 
well-established principles in this area.
    Nonetheless, if the FCC is ultimately found to possess the 
requisite authority to regulate broadband privacy and follows through 
on its intent to do so, it should make certain that any such efforts 
are consistent with existing robust privacy frameworks and enforcement 
authorities, particularly those of the FTC. One way to ensure this sort 
of consistency is for the FCC to work closely with the FTC to harmonize 
its privacy rules for broadband ISP consumers with the framework that 
protects consumers of those online businesses or services falling under 
the jurisdiction of the FTC. In addition, the FCC and FTC should work 
closely together to help the communities within their purview--
broadband ISPs and businesses providing service over the internet, 
respectively--to clearly understand the applicable rules to enable good 
faith compliance.
The FCC's Privacy Proposal is Out of Step with Current Law and 
        Practice, and would Establish Precedents that Will Negatively 
        Impact Consumers, Companies, and the Internet Ecosystem
    Rather than adopt a regime aligned with the FTC's well-established 
approach to privacy, the privacy regime proposed by the FCC in the NPRM 
departs from the FTC framework in significant and material respects. We 
are particularly concerned that the prescriptiveness of the proposed 
regulatory approach could have precedential effects that would 
negatively impact the rest of the Internet ecosystem, including the 
tech sector. While it is hard to say for certain what the implications 
on other sectors will be if the FCC moves forward with the NPRM and 
adopts standards that diverge from those the FTC has already 
established for customer information, we believe the existence of 
multiple sets of privacy rules will, at a minimum, send a troubling 
message to governments and businesses internationally. Additionally, 
I'd like to point out four specific components of the FCC's proposal 
that are out of step with currently established policy and practice and 
raise significant concerns for both consumers and businesses.
    The Breach Notification Periods are Unreasonably Short and 
Inflexible. The FCC proposes extremely short data breach notification 
periods in the NPRM--entities suffering a breach would be required to 
provide notice within seven days to the Commission, FBI, and Secret 
Service, and within 10 days to customers (NPRM ¶ 75), without regard to 
whether the breach creates a significant risk of customer harm. Such 
notices would need to be provided regardless of whether a breach is 
malicious or inadvertent, which is an element in determining whether a 
risk of harm exists (NPRM ¶ 75).
    First, the FCC's data breach proposal fails to include a risk 
analysis, and therefore will contribute to notice fatigue at best or 
incite unnecessary panic at worst. Additionally, the proposal fails to 
account for breaches of data that are rendered not actionable through 
technology, such as encryption, or for inadvertent but innocent 
breaches, such as an employee accidentally opening the wrong file. 
Notifying individuals that their information has been compromised is an 
important step that enables them to take protective measures. 
Notification to consumers, however, is not productive if all data 
breaches result in notifications. If over-notification becomes 
commonplace, consumers will have difficulty distinguishing between 
notices and determining which ones warrant them to take action. 
Notification should be made to consumers if an organization has 
determined there is a significant risk of identity theft or financial 
harm. Upon receipt of such a notice, consumers can then implement 
measures to help avoid being financially damaged.
    Second, the proposal does not afford organizations adequate time to 
remediate any discovered vulnerabilities or to conduct thorough 
investigations to ascertain the nature and scope of any breach before 
notifying customers or government agencies of a breach of data. Unless 
vulnerabilities are addressed prior to making the breach incidents 
public, organizations and their customers are susceptible to further 
harm by wrongdoers. Because the NPRM does not afford organizations 
adequate time to investigate the scope and nature of breach incidents, 
the NPRM not only encourages over-notification by organizations, but it 
creates a standard of notification that would be counterproductive 
should the alleged breach prove a false alarm or if the breach does not 
create a significant risk of identity theft. A tremendous amount of 
forensics, decision-making, and clerical and legal work is required 
before ascertaining the nature and scope of a breach, assessing the 
risk of harm, or in determining the appropriate form of notification 
based on the organization's relationship with the affected customer.
    More fundamentally, the FCC proposes to regulate breach 
notification in a way that is contrary to the existing state 
notification regimes and the proposals under consideration by Congress. 
Recognizing the sophistication of today's hackers and the challenging 
nature of a post-data breach forensic investigation, a breach 
notification regime must provide realistic, flexible, and workable time 
requirements. ITI has long advocated for Congress to establish a 
uniform but flexible approach to data breach notification that notifies 
customers where there is a significant risk of identity theft or other 
financial harm. Such a uniform approach not only eases compliance 
burdens for businesses, but it reduces or eliminates confusion for 
consumers.
    The Proposed PII Definition is Overbroad and Unnecessary. The FCC 
proposes to define PII as ``any information that is `linked or 
linkable to an individual.' '' (NPRM ¶ 60). This is an overly broad 
definition that subsumes the entirety of the Customer Proprietary 
Network Information (``CPNI'') category that the FCC proposes to expand 
elsewhere in the NPRM. As a result, both the proposed PII and CPNI 
definitions expansively include data elements that have never before 
been considered PII under U.S. law, such as Internet protocol addresses 
or other unique identifiers necessary for the functioning of connected 
Internet devices, application usage data, persistent online identifiers 
(cookies), and Internet browsing history--data that is highly unlikely 
to contribute to a risk of concrete harm such as identity theft. (NPRM 
¶ 62-63).
    First, it is unclear why the Commission endeavors to define PII at 
all, rather than just focusing on the CPNI data clearly within its 
statutory ambit. Further, the Commission acknowledges that BIAS 
providers may not actually collect all of the categories of information 
included within the proposed expansive definitions, yet the FCC 
proposes to regulate the collection of such data anyway. The potential 
unintended consequences of these overly and unnecessarily broad 
definitions are quite concerning, particularly since many of the types 
of data captured by the proposed definitions are integral to providing 
Internet services to consumers, including securing Internet 
transactions.
    Exhibiting some awareness of the potential unintended consequences 
that could flow from such a broad PII definition, the FCC proposes a 
number of exceptions to the definition of PII. For example, the NPRM 
exempts from the definition of PII data collected by entities ``to 
protect themselves or others from cybersecurity threats or 
vulnerabilities.'' (NPRM ¶ 117). We are concerned this exception may 
not be nearly broad enough to adequately help protect the Internet 
ecosystem. To illustrate, the definition suggests that companies would 
only be allowed to collect such information to counteract specific 
threats. This belies the reality that some of this information, such as 
unique IDs, must be collected and shared by companies as part of their 
cybersecurity risk management programs in order to prevent 
cybersecurity intrusions from happening. Indeed, the trajectory of 
Federal policymaking in this area over the past several years has been 
to encourage both continuous monitoring by organizations and the 
sharing of cybersecurity threat information to counteract cyber 
threats. The approach here is illustrative of the overall flawed 
approach to, and treatment of, PII in the FCC's proposal.
    The Proposed Consumer Choice and Consent Framework is Overly 
Burdensome and Restrictive. The consent standard proposed by the FCC is 
both overly burdensome and restrictive. Generally, the FCC has proposed 
to restrict most collection, use, and disclosures of data with an 
``opt-in'' consent standard, which it acknowledges may cause ``notice 
fatigue'' for consumers (NPRM ¶ 141). The Commission further 
acknowledges the ``burden of [their] proposed customer choice 
framework'' on businesses, particularly on smaller entities (NPRM ¶ 
151). The proposed choice framework is also out of step with current 
policy and practice.
    Experience shows that an opt-out or implied consent standard is an 
effective mechanism to effectuate consumer privacy preferences with 
respect to non-sensitive online data while allowing legitimate 
practices, including advertising, to continue. We urge the FCC to 
follow the FTC approach of permitting an opt-out approach for use of 
consumer data in most instances, with an opt-in approach reserved for 
uses of the most sensitive consumer data.
    The Proposed Data Security Requirements are Prescriptive, 
Inflexible, and Misaligned with Both Industry Approaches and Federal 
Cybersecurity Policies. In the NPRM, the FCC proposes both general data 
security requirements for BIAS providers and ``specific types of 
practices they must engage in to comply with the overarching 
requirement.'' (NPRM ¶ 167).
    While the Commission acknowledges any proposed security 
requirements must ``allow for flexibility for practices to evolve as 
technology advances,'' and claims it does not propose ``to specify 
technical measures for implementing the data security requirements,'' 
(NPRM ¶ 176), it nonetheless proposes a series of increasingly 
prescriptive security requirements. For example, the Commission 
proposes to not only require regular Gramm-Leach-Bliley-like risk 
assessments (NPRM ¶ 180) at a frequency to-be-determined (NPRM ¶ 183), 
but it also asks whether the FCC should prescribe specific risk-
management requirements on BIAS providers, and how the risk assessments 
themselves should be conducted. (NPRM ¶ 182) These proposed 
requirements contradict existing cybersecurity public policy--such as 
that embedded in the Framework for Improving Critical Infrastructure 
Cybersecurity (``Cybersecurity Framework'')--that risk management is a 
continuous process demanding flexibility in order to provide reasonable 
protections in light of the nature and scope of the activities of a 
given company, including the sensitivity of the data it handles, its 
threat profile, and the size and complexity of the relevant data 
operations of the company. Another example can be found in the series 
of proposed specific authentication measures the Commission proposes to 
prescribe (NPRM ¶ 191-200).
    Indeed, the structure of the entire security section appears 
contrary to many of the core concepts of risk management (e.g., 
voluntariness, flexibility, etc.) as throughout the NPRM the Commission 
asks a series of ``should we require this'' and ``should we require 
that'' questions. This is a fundamentally flawed approach, out of step 
with the approach embodied in the Cybersecurity Framework and the 
consensus standards and best practices included within. We agree with 
Commissioner O'Rielly's dissenting statement that the proposed 
prescriptive security rules are inconsistent with the voluntary 
approach embodied in the Framework and are indeed ``alarming.''
Conclusion
    Members of the Committee, ITI and our member companies are pleased 
you are examining the important issue of how the FCC's proposed 
broadband privacy regulations may impact consumers and competition. We 
share both the FCC's and your interest in protecting the privacy of 
consumers of broadband Internet access services. As noted above, 
however, we are concerned with the approach taken by the Commission in 
a number of respects. We have raised our concerns directly with the 
Commission by submitting comments on the NPRM, urging the agency to 
reconsider promulgating data privacy rules that are inconsistent with 
consumer expectations or existing privacy authorities, frameworks and 
enforcement regimes, such as embodied by the FTC's longstanding 
approach to privacy. We appreciate the opportunity to reiterate these 
concerns today, including our belief that the privacy regime proposed 
by the FCC is out of step with current law and practice and would 
establish precedents that will negatively impact not only consumers but 
companies and the Internet ecosystem as a whole. Please consider ITI a 
resource on these important issues moving forward, and do not hesitate 
to contact us with any questions regarding this submission.
    Thank you for the opportunity to appear before you today.

    The Chairman. Thank you, Mr. Garfield.
    Professor Ohm.

          STATEMENT OF PAUL OHM, PROFESSOR, GEORGETOWN

          UNIVERSITY LAW CENTER AND FACULTY DIRECTOR,

          GEORGETOWN CENTER ON PRIVACY AND TECHNOLOGY

    Mr. Ohm. Chairman Thune, Ranking Member Nelson, and 
distinguished members of the Committee, it's really my 
privilege to be here today to discuss a very important topic 
with you. The basic principle at stake is a very old one. The 
Postal Service cannot track the letters you send or open your 
letters in order to sell that information to marketers. Without 
your consent, your telephone company cannot track the phone 
numbers you dial or listen in on your conversations in order to 
sell that information to advertisers. We should have the same 
rule for ISPs, and without your consent, they should not be 
able to sell your reading habits and your physical location to 
advertisers.
    So to help protect this very old basic principle, the FCC 
has proposed the rule we are discussing today. I want to say 
three things about the rule. I believe it is unambiguously 
authorized by law, it is a wise rule, and it is a measured 
rule. Let me take those in turn.
    Now that the D.C. Circuit has ruled that reclassification 
of broadband service into Title II was within the power of the 
FCC, it's incumbent on the FCC to elaborate what this means for 
broadband providers, including rules for customer privacy. And 
nobody in the debate disputes that Congress enacted Section 222 
of the Telecommunications Act to obligate telecommunications 
providers, such as telephone companies, to respect the privacy 
of their customers. It makes a straightforward reading of the 
statute to extend this obligation to ISPs as well. Because this 
is a straightforward reading, the burden should be on those who 
would rewrite the statute, or even worse, ask the FCC to 
disregard it, rather than the agency that's merely trying to 
apply it.
    Number two, and I want to spend the most of the time on 
this: Why is the law wise? Congress's act reflects the well-
reasoned conclusion that telecommunications providers owe a 
heightened level of privacy to their customers. I've already 
explained the historical antecedent for this with our Postal 
Service and our telephone companies. Three other factors 
support this conclusion: visibility, choice, and sensitivity.
    Visibility. Your ISP sits at a privileged place in the 
network. They are the bottleneck between you and the Internet. 
You cannot access the Internet but by sending information 
through this bottleneck, and with this privileged location, 
they can be a part of every website or online destination that 
you visit. For unencrypted websites, this visibility is 
unparalleled, comprehensive, and complete, but even for 
websites that use encryption, the ISP's view is only partially 
obscured; they can see the domain names of the websites you 
visit, how often you return to these websites, how much 
information you exchange with these websites. It is a very, 
very complete and privileged location.
    Number two, choice. Most Americans today, as you well know, 
do not have a meaningful choice when it comes to fixed 
broadband service. The situation is specifically and especially 
difficult in rural America, and I'm glad, Chairman Thune, you 
raised rural America, where only 13 percent of residents have 
more than one choice for high-speed fixed broadband. And even 
for those Americans who do happen to have more than one choice, 
switching costs make it quite difficult to switch their ISP.
    Finally, sensitivity. With the visibility providers have 
and given the lack of your choice for exit, your provider can 
compile a detailed list of what you read, with whom you 
communicate, what you say, and, increasingly, where you go. And 
because storage is cheap, ISPs can record all of this vital 
sensitive information about you across years and eventually 
across decades. Privacy scholars have long tried to properly 
come up with a metaphor to characterize what we should think 
about a database like this about every person in this room. 
Some have referred to them as digital dossiers. Others have 
talked about the right to intellectual privacy we ought to 
enjoy. My contribution to the metaphor debate has been to 
describe the database of ruin, the idea that there is now a 
corporate database in the celestial cloud that contains at 
least one fact about every member of our society that you would 
not want your worst enemy to know.
    These four factors together--history, choice, visibility, 
and sensitivity--led Congress in 1996 to do what it had done 
several times before. Simply put, in the American privacy law 
system, when we identify a sector or a context that has unique 
privacy risks like we have in telecommunications, we create a 
sectoral privacy law. We did this for health information in 
HIPAA, we did this for education information in FERPA, and, 
indeed, we did this in Section 222 of the Telecommunications 
Act.
    Finally, why do I believe that the FCC proposal is 
measured? Number one, the FCC proposal does not propose a ban. 
You might be excused from misunderstanding that based on some 
of the heated rhetoric that has come from critics of the 
proposal. You are not prohibited from any conduct under this 
rule. This is simply a disagreement about the type of user 
consent we ought to require before your ISP can look over your 
shoulder and record everything you do in order to sell it to 
advertisers. The FCC decided to require prior, informed, 
expressed consent before they could undertake this type of 
activity. I think this is the only sensible choice. And I'm 
happy to talk with you more about why during Q&A.
    Last, the proposal preserves the necessary conditions for 
competition by treating all providers alike. When Google 
operates as a broadband provider, as it now does in Kansas City 
through Google Fiber, they are required to follow the 
strictures of Section 222. When Verizon acquires America 
Online in order to bolster its advertising business, as it did 
last year, they are no longer regulated for that activity under 
Section 222. The playing fields are level.
    In closing, we do not have many privacy laws in this 
country. Section 222 is one of the few. And given the 
powerlessness your constituents feel and all Americans feel 
about this state of affairs, we ought to be bolstering and 
supplementing our privacy law, not cutting back on one of the 
very few that we have on the books.
    Thank you again for your invitation.
    [The prepared statement of Mr. Ohm follows:]

 Prepared Statement of Paul Ohm, Professor, Georgetown University Law 
     Center and Faculty Director, Georgetown Center on Privacy and 
                               Technology
    Chairman Thune, Ranking Member Nelson, and Members of the 
Committee, I appreciate the opportunity to discuss with you the Federal 
Communications Commission's (FCC) proposal to protect the privacy of 
the customers of broadband Internet access service (BIAS).
    I am a Professor at the Georgetown University Law Center and a 
Faculty Director of the Center on Privacy and Technology at Georgetown. 
I specialize in information privacy, computer crime law, and technology 
and the law. I make these comments to you in my independent, academic 
capacity.
    In 1996, Congress enacted section 222 of the Telecommunications Act 
of 1996, delegating to the FCC the power to promulgate rules to protect 
the information held by telephone companies and other 
telecommunications providers covered by Title II of the Act. Under this 
clear statutory authority, the FCC has proposed new rules requiring 
BIAS providers to respect and protect the privacy of their customers, 
in the wake of the agency's decision to reclassify these providers into 
Title II, a reclassification recently found to be a proper exercise of 
the FCC's power by a panel of the Court of Appeals for the D.C. 
Circuit.
    The FCC has acted appropriately and wisely. The application of 
section 222 to BIAS providers represents not only a straightforward 
implementation of the law but also a laudable exercise of privacy 
theory and policy. I support these conclusions not only through my 
academic work \1\ and the work of other scholars, but also by 
leveraging the experience I have gained as a former Senior Policy 
Advisor to the Federal Trade Commission (FTC) on privacy issues, 
Department of Justice computer crimes prosecutor, and professional 
network systems administrator.
---------------------------------------------------------------------------
    \1\ This testimony builds on several articles I have written on 
information privacy, most notably on Paul Ohm, The Rise and Fall of 
Invasive ISP Surveillance, 2009 U. Ill. L. Rev. 1417 (2009). A full 
list of my published works is available online at http://paulohm.com/scholarship.shtml.
    I have recently filed two public documents commenting on the FCC's 
NPRM. See Statement of Paul Ohm Before the Subcommittee on 
Communications and Technology, Committee on Energy and Commerce, U.S. 
House of Representatives (June 14, 2016), available at http://paulohm.com/projects/testimony/PaulOhm20140614FCCPrivacyRules.pdf and 
Reply Comments of Paul Ohm Before the Federal Communications Commission 
in the Matter of Protecting the Privacy of Customers of Broadband and 
Other Telecommunications Services, WC Docket No. 16-106 (June 22, 
2016), available at https://www.fcc.gov/ecfs/filing/10622254783425.
---------------------------------------------------------------------------
    In this testimony, I make four points:

   Section 1: The Telecommunications Act of 1996 obligates 
        telecommunications providers to serve as important gatekeepers 
        of privacy, a sensible choice then and now, one that continues 
        to protect important values in today's online environment.

   Section 2: The proposed FCC rules will decrease overall 
        consumer confusion by creating a clear, bright line of privacy 
        protection.

   Section 3: Rather than ban any behavior, the proposed rules 
        will create and preserve opportunities for innovation and 
        competition. Importantly, BIAS providers will retain the 
        ability to compete directly with edge providers subject to the 
        same privacy rules as any other company.

   Section 4: There remains a significant need to strengthen 
        privacy rules for online actors other than BIAS providers. The 
        Federal Trade Commission (FTC) does not have all of the 
        authority or resources required to solve all online privacy 
        problems.
1 The Statute Treats BIAS Providers as the Gatekeepers of Individual 
        Privacy
    Our Federal laws protect privacy on a sector-by-sector basis and in 
piecemeal. The FTC Act provides an essential backstop across many 
industries, but there are limits to its approach, as I will discuss 
later. In narrowly circumscribed contexts, Congress has seen fit to 
create heightened privacy obligations. HIPAA protects the privacy of 
some health information, FERPA does the same for some education 
records, and the Fair Credit Reporting Act protects some credit 
reports, to name only three examples. In the same way, Congress 
reaffirmed in the Telecommunications Act of 1996 (1996 Act) that 
certain telecommunications providers would be subject to heightened 
privacy obligations. This was a measured and appropriate choice at the 
time, and it remains even more so today, even in light of 
reclassification.
    There are four reasons why it is essential to provide heightened 
protection for the privacy of information gathered by the companies 
that serve as our gatekeepers to the rest of the Internet: history, 
choice, visibility, and sensitivity. Each of these reasons contributes 
an answer to the question: why was Congress correct to require 
communications gatekeepers to respect the privacy of their customers? 
Let me elaborate each of these reasons in turn.
1.1 History
    The first reason to subject BIAS providers to special privacy rules 
is history. Since the dawn of intermediated communications, we have 
almost always required our common carriers to respect the privacy of 
what they have carried. It was so for the postal service in the 
nineteenth century, the telephone service early in the twentieth 
century, and parcel delivery services in more recent years. Time, 
experience, and theory demonstrate why we must enact laws to create the 
conditions that allow people to have faith in the privacy, security, 
and confidentiality of the information and goods they entrust to 
intermediaries like these.
    Congress enacted privacy protections in the original Communications 
Act of 1934 and restated and perhaps even broadened those protections 
in the 1996 Act. We are not working from a legal blank slate. Too much 
of the commentary around the FCC rules ignores the--perhaps 
inconvenient for some--fact that Congress has spoken quite clearly on 
this matter. The law protects what it protects, and the burden should 
be on those who would rewrite the statute, not on the agency that 
implements it.
1.2 Choice
    It is also appropriate for Congress to protect the privacy of 
information sent through a BIAS provider because of the relative lack 
of choice consumers enjoy for BIAS services. Today, most people in the 
United States have only a single broadband Internet service provider to 
choose from.\2\ Even when there is a nominal choice, high switching 
costs in the form of time, effort, hassle, and contractual lock-in make 
it difficult for a privacy-sensitive consumer to change providers in 
search of a more privacy-respecting alternative.
---------------------------------------------------------------------------
    \2\ FCC 2016 Broadband Progress Report, 31 FCC Rcd 699 
(``Approximately 51 percent of Americans have one option for a provider 
of 25 Mbps/3 Mbps fixed broadband service.'').
---------------------------------------------------------------------------
1.3 Visibility
    Every BIAS provider sits at a privileged place in the network, the 
bottleneck between the customer and the rest of the Internet. This 
favorable position gives it a unique vantage point, from which it 
enjoys the ability to see at least part of every single packet sent to 
and received from the rest of the Internet.
    No other entity on the Internet possesses the same ability to see. 
If you are a habitual user of the Google search engine, Google can 
watch you while you search, and it can follow you on the first step you 
take away from the search engine. After that, it loses sight of you, 
unless you happen to visit other websites or use apps or services that 
share information with Google. If you are a habitual Amazon shopper, 
Amazon can watch you browse and purchase products, but it loses sight 
of you as soon as you shop with a competitor. Habitual Facebook users 
are watched by the company when they visit Facebook or use websites, 
apps or services that share information with Facebook, but they are not 
visible to Facebook at any other times.
    When users interact with websites or use apps or devices that do 
not support encryption or do not enable it by default, a BIAS 
provider's ability to spy is complete and comprehensive. While it is 
true that BIAS providers can view less about their users' visits to 
websites that deploy encryption, it is a regrettable fact that millions 
of websites, including many of the most popular ones, still do not 
enable encryption by default.\3\
---------------------------------------------------------------------------
    \3\ Upturn, What ISPs Can See: Clarifying the Technical Landscape 
of the Broadband Privacy Debate, March 2016, https://www.teamupturn.com/reports/2016/what-isps-can-see (reporting that more 
than 85 percent of popular sites in health, news, and shopping 
categories do not encrypt browsing by default).
---------------------------------------------------------------------------
    Even for user visits to websites that deploy encryption, a BIAS 
provider retains a significant ability to observe. When you visit a 
website protected by the most widespread form of encryption in use, 
https or http over TLS, even though your BIAS provider cannot tell 
which individual page you are visiting on the website, it still can 
tell the domain name of the website you are communicating with, how 
often you return, roughly how much data you send and receive, and for 
how long each visit lasts.
    Compare the richness of this information to the information a 
telephone company can see, which although subjected to the heightened 
protection of section 222, is relatively limited by comparison. In the 
1996 Act, Congress decided to impose significant limits on what 
telephone companies could do with the list of numbers an individual 
customer dials. This made good sense because even though this list did 
not literally expose the contents of communications, it nevertheless 
testified to something very private, individual, and important about 
our habits and associations. The list of websites visited by an 
individual (including how often and how long she visits each site) is 
even more private, individual, and sensitive than those older lists of 
telephone contacts.
1.4 Sensitivity
    Perhaps the most important reason to protect the information a BIAS 
provider can obtain is the intrinsic sensitivity of this 
information.\4\ A BIAS provider can gather at least three types of 
information we have long deemed sensitive: communications, reading 
habits, and location.
---------------------------------------------------------------------------
    \4\ See Paul Ohm, Sensitive Information, 88 S. Cal. L. Rev. 1125 
(2015) (providing a detailed review of the use in privacy laws of the 
concept of sensitive information).
---------------------------------------------------------------------------
    Our laws have long recognized the sensitivity of our 
communications. Under the Fourth Amendment, almost nothing receives the 
heightened protection for privacy given to the content of our 
conversations. Federal and state statutes vigorously protect both the 
content of and the metadata associated with communications. We reveal 
intimate portraits of ourselves through what we say to our friends, 
family, and associates. A BIAS provider can readily access the content 
and metadata of communications, particularly sent across unencrypted 
services.
    A BIAS provider can also build a fairly complete dossier of our 
reading habits across time. The list of websites an individual visits, 
available to a BIAS provider even when https encryption is used, 
reveals so much more than a member of a prior generation would have 
revealed in a composite list of every book she had checked out, every 
newspaper and magazine she had subscribed to, every theater she had 
visited, every television channel she had clicked to, and every 
bulletin, leaflet, and handout she had read. Nobody has been able until 
now to watch us read individual articles, calculate how long we linger 
on a given page, and reconstruct the entire intellectual history of 
what we read and watch on a minute-by-minute, individual-by-individual 
basis.
    Professor Neil Richards describes the right we should enjoy to 
``intellectual privacy.'' \5\ He argues that the law ought to protect 
vigorously the record of what we read and write. His writing supplies a 
powerful and well-reasoned justification for treating BIAS providers 
precisely as the 1996 Act does.
---------------------------------------------------------------------------
    \5\ Neil Richards, Intellectual Privacy: Rethinking Civil Liberties 
in the Digital Age (2015).
---------------------------------------------------------------------------
    Finally, with the rise of mobile broadband, BIAS providers now also 
track our location across time in a finely granular manner. Never 
before has anybody compiled such a complete accounting of the precise 
comings-and-goings of so many of us.
    So much of us can be revealed to a company that compiles a finely 
wrought accounting of where we have traveled, what we have read, with 
whom we have engaged, and what we have said. BIAS providers might 
respond that they want this information only to reduce us into 
marketing categories to sell and resell. I derive no comfort from that 
justification.
1.5 Privacy for All
    The four reasons for holding BIAS providers to high privacy 
standards--history, choice, visibility, and sensitivity--each implicate 
the same, difficult question: will privacy be enjoyed by every 
American, regardless of wealth or station in life, or only by America's 
privileged few? For each of these factors, the need for meaningful 
privacy protections for broadband customers is even stronger from the 
perspective of mainstream and marginalized Americans.
    For example, when it comes to visibility, some have argued that we 
need not worry about the privacy threat to a given consumer from any 
single ISP because the average American owns 6.1 devices and accesses 
the Internet using at least three different networks: one each for 
home, mobile, and work.\6\ These arguments ignore the lived reality for 
the many Americans who rely on only a single smartphone with a single 
connection as their lifeline to the Internet, and as a group tend to be 
less wealthy, younger, and disproportionately members of minority 
groups than the general population.\7\ Also, the average American 
worker does not have access to a Virtual Private Network (VPN) provided 
by an employer, the way some white collar workers do, and so is left 
looking for clunkier, costlier alternative technologies if she wants to 
shield her online activities from her provider.
---------------------------------------------------------------------------
    \6\ E.g., Comments of the United States Telecom Association, WC 
Docket No. 16-106 at 4; Comments of Mobile Future, WC Docket No. 16-106 
at 6. These commenters uniformly rely on statistics cited in a report 
by a team of attorneys from Georgia Tech and Alston & Bird, Peter 
Swire, et al., Online Privacy and ISPs at 3 (May 2016) [hereinafter 
Broadband for America Report].
    \7\ Pew Research, Chapter One: A Portrait of Smartphone Ownership, 
U.S. Smartphone Use in 2015, April 1, 2015, http://www.pewinternet.org/2015/04/01/chapter-one-a-portrait-of-smartphone-ownership/.
---------------------------------------------------------------------------
    The problem of insufficient choice, the next factor, is 
particularly stark for rural Americans, many of whom have only a single 
available provider to access the network. While 44 percent of Americans 
in urban areas have more than one available provider offering 25 Mbps/3 Mbps fixed broadband, only 13 percent of Americans in rural areas can 
say the same.\8\ Protecting only information deemed ``sensitive'' tends 
to underprotect Internet users with idiosyncratic or non-majoritarian 
sensitivities, such as members of minority religions, racial or ethnic 
groups, or marginalized political viewpoints. Finally, history suggests 
that we protect the privacy of the telephone system (and the mail 
system before it) as a reflection of how important these networks are 
for average Americans seeking basic access to employment, social 
interaction, and benefits, which is even more true today for the 
Internet. This argument weighs much more heavily for those without 
stable employment or social support than for those who enjoy greater 
stability, wealth, and political power.
---------------------------------------------------------------------------
    \8\ FCC 2016 Broadband Progress Report, 31 FCC Rcd 699, ¶ 86 
(2016).
---------------------------------------------------------------------------
    We should reject arguments that would set information policy based 
only on the conditions of urban and wealthier Internet users who have 
relatively more (but still very little) service choice, more devices, 
more connections, better access to privacy tools, and whose 
sensitivities conform to society's default standards. Privacy should be 
available to all.
2 The FCC's Proposed Rule Will Decrease Consumer Confusion
    The FCC has proposed a simple, bright-line rule for the privacy of 
information transiting a BIAS provider's network: a BIAS provider may 
not use its customer's private information for purposes unrelated to 
the provision of service unless and until the informed consumer 
consents to those uses. The burden of communicating the purported 
benefits of uses of information rests on the party best positioned to 
make that case, the BIAS provider itself. This approach mirrors the 
approach the law takes in other sectors where the information at stake 
is especially sensitive or private, including healthcare, banking, and 
education.
    Contrast the straightforward nature of this proposal with the 
``notice-and-choice'' background rules that apply to otherwise 
unregulated online actors. Notice-and-choice regimes rest on the 
fiction that Internet users read and understand the hundreds of Terms 
of Service and Privacy Policy documents with which they are presented 
online each year.\9\ Each one of these lawyer-drafted and densely-
worded documents sets idiosyncratic ground rules for acceptable 
provider behavior for a single site or service alone. Even when 
companies break their own ground rules, they cannot be held to account 
unless the FTC or a state Attorney General notices, pursues, and proves 
the deception or unfairness.
---------------------------------------------------------------------------
    \9\ Two noted privacy experts, Aleecia McDonald and Lorrie Faith 
Cranor (currently Chief Technologist of the Federal Trade Commission), 
estimate that it would take the average person 244 hours per year to 
read the privacy policies of all sites and apps they used. Aleecia M. 
McDonald and Lorrie Faith Cranor, The Cost of Reading Privacy Policies, 
4 I/S: J L & Pol Info Soc'y 540, 560 & table 7 (2008), available at 
https://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf.
---------------------------------------------------------------------------
    This crazy cacophony is somehow the ideal framework that BIAS 
providers urge the FCC to embrace, in the dubious name of reducing 
consumer confusion. The FCC's proposed default rule is much simpler and 
comprehensible: no unexpected uses of your information. A BIAS provider 
can diverge from the default, but only if it explains to you in clear, 
non-deceptive terms what it intends to do and receives your informed, 
express consent. To argue that this will increase rather than decrease 
consumer confusion not only defies good sense but also fails to give 
the consumer his or her due respect.
3 By Allowing Data Uses with Consent, the FCC's Proposed Rule Benefits 
        Consumers Without Unduly Burdening Providers or Competition
    In section 222, Congress made clear that covered providers could 
continue to use any information they could access ``with the approval 
of the customer.'' Faithfully applying this provision, the FCC proposes 
to allow any uses of information after prior customer consent. Neither 
Congress nor the FCC has enacted or even proposed a ban on uses of 
information, although you might think otherwise based on the 
characterizations of many of the covered providers.
    Put plainly, this debate is not about prohibiting conduct. Stripped 
of this confusion, this is simply a disagreement about the type of user 
consent we ought to require for conduct that at least some consumers 
find objectionable. In my reply comment to the FCC, I pointed out that 
the difference between the proposed opt-in rule and an alternative opt-
out rule is not nearly as stark a difference as some have stated.\10\ 
Recent research suggests that companies in other industries subjected 
to opt-in requirements have managed to convince large numbers of users 
to choose to opt in.\11\ I do not doubt that BIAS providers will try to 
replicate these results.
---------------------------------------------------------------------------
    \10\ Reply Comments of Paul Ohm Before the Federal Communications 
Commission in the Matter of Protecting the Privacy of Customers of 
Broadband and Other Telecommunications Services, WC Docket No. 16-106 
(June 22, 2016), available at https://www.fcc.gov/ecfs/filing/10622254783425.
    \11\ Id. citing Lauren E. Willis, When Nudges Fail: Slippery 
Defaults, 80 U. Chi. L. Rev. 1155 (2013).
---------------------------------------------------------------------------
    The new rules also preserve other level playing fields to 
facilitate unburdened competition. BIAS providers like Verizon or 
Comcast can acquire (and have acquired) edge provider services such as 
content publishers, search engines, and social networking sites. A BIAS 
provider that launches or acquires a search engine will be able to use 
the information it takes from its search engine customers in the 
relatively unrestricted manner the law currently provides for that 
industry. Likewise, if a traditional edge provider like Google creates 
or acquires a broadband Internet service, such as the Google Fiber 
service, it will fall for those purposes within Title II of the 
Communications Act and thus be subject to the FCC's privacy rules. In 
either case, any two companies competing in the same market will be 
subjected to precisely the same rules under precisely the same terms.
4 The Need to Enhance Privacy in Other Contexts
    Of course, the FCC's new privacy rule will not solve all of the 
privacy problems we face. We need to raise our privacy standards across 
other parts of the online ecosystem as well. We ought to increase the 
resources we provide to the FTC and enhance its power to police 
deceptive and unfair privacy practices. We also ought to consider 
imposing new and more stringent rules for industry segments striving to 
develop the kind of pan-Internet view that BIAS providers structurally 
enjoy or that handle vast amounts of sensitive information, as BIAS 
providers do.
4.1 The FTC Cannot Go It Alone
    It was my privilege to serve the FTC as a Senior Policy Advisor on 
privacy issues from 2012 to 2013. I was convinced during my service and 
continue to feel today that the FTC has become an important bulwark of 
privacy in a tumultuous time of change. We should view the FTC as the 
irreducible floor of online privacy protection, and we should do what 
we can to give the FTC additional resources to raise that floor.
    But the FTC simply cannot go it alone. The rise of the FTC as a 
capable and well-respected privacy regulator does not mean we should 
dismantle sectoral privacy regulation. The FTC's jurisdiction and 
enforcement activity cannot supplant the Department of Health and Human 
Service's role under HIPAA, the Department of Education's role under 
FERPA, or the Consumer Financial Protection Bureau's role under 
numerous financial privacy laws. Likewise, the fact that the FTC has 
been very active and successful policing privacy online does not mean 
we should discourage the FCC from protecting privacy under Section 222 
using its distinctive approaches and capabilities.
    For all of the amazing strides the FTC has taken to become an 
expert in online data collection, the FCC has had a much longer time to 
develop expertise in the protection of network access subscribers. With 
this head start, the FCC has unparalleled experience ensuring that the 
Nation's communications networks function in a way that is reliable and 
trustworthy and crafting regulations that promote the buildout of 
networks. Nobody has more experience and staff expertise on these 
matters than the FCC.
    Moreover, the FCC's clear statutory mandate in Section 222 is 
specific and proactive, in contrast to the FTC's mandate in Section 5 
of the FTC Act, which is far more general and reactive. Fortunately, 
these two mandates work together, as nothing in the proposed FCC rule 
will subject any company to conflicting FTC rules and vice versa. It is 
to the credit of the staff of these two agencies that they have entered 
into a Memorandum of Understanding committing to work together in their 
common privacy endeavors.
4.2 The Need to Strengthen Other Privacy Laws
    As I have argued above, it is a combination of history, choice, 
visibility, and sensitivity that justifies subjecting BIAS providers to 
the same kind of special privacy rules we have enacted for doctors, 
schools, credit agencies, and other industries. A sectoral approach to 
privacy law continues to be a desirable approach.
    It is true that other online entities are beginning to rival BIAS 
providers on at least some of these critical dimensions.\12\ Other 
entities traffic in location information, a category Congress ought to 
consider protecting as especially sensitive. Social networking sites 
carry exceptionally sensitive information and exhibit network effects 
and insufficient data portability that limit customer choice and exit. 
Finally, advertising networks strive to attain a BIAS-provider-like 
visibility across the Internet.
---------------------------------------------------------------------------
    \12\ Peter Swire, et al., Online Privacy and ISPs (May 2016).
---------------------------------------------------------------------------
    Congress should examine whether any other industry segment has 
implicated individual privacy along these dimensions so much that they 
have begun to rival doctors, schools, credit agencies, or BIAS 
providers. But once it identifies such an example, the answer will not 
be to decrease privacy law across industries, the answer will be to 
enact another new, measured and narrow sectoral privacy law, perhaps 
one modeled on the FCC's rules.
5 Conclusion
    Given the deep concern many of your constituents feel about their 
lack of control of information about them; given the calls and e-mails 
you no doubt receive after every significant data breach or other 
privacy debacle; given the survey after survey which bear witness to 
the breadth and depth of concern American citizens have about this 
state of affairs; and given the critical importance of an Internet we 
can trust for commerce, communications, and innovation, this is not the 
time to roll back one of the very few privacy protections we have for 
online activity. We should be strengthening not weakening the privacy 
of online activity. All American Internet users owe our thanks to 
Congress and the Federal Communications Commission for taking modest, 
sensible, and legally authorized steps toward enhancing the protection 
we enjoy.

    The Chairman. Thank you, Professor Ohm.
    Mr. Polka.

  STATEMENT OF MATTHEW M. POLKA, PRESIDENT AND CEO, AMERICAN 
                       CABLE ASSOCIATION

    Mr. Polka. Thank you, Chairman Thune, Ranking Member 
Nelson, and members of the Committee, for inviting me to 
testify about the Federal Communications Commission's proposed 
privacy regulations and their effect on consumers and 
competition. Today I would like to focus on four essential 
points.
    First, American Cable Association members are already 
subject to a host of privacy and data security obligations, 
take those obligations seriously, and have an excellent track 
record of compliance. We, too, are consumers and so understand 
the need for privacy protections.
    Second, to best serve the interests of broadband consumers, 
the FCC should adopt a privacy and data security regime that is 
consistent with the FTC's framework. It has proven valuable and 
workable for all interests.
    Third, we fear that the FCC's proposed privacy and data 
security rules would impose needless, unduly burdensome 
obligations on smaller broadband providers, chilling investment 
and innovation, all with little consumer benefit.
    And fourth, should the FCC nonetheless proceed and adopt 
rules in line with its proposals, it should ease the burden on 
small broadband providers by providing tailored exemptions, 
extending compliance deadlines, and streamlining its rules.
    The American Cable Association represents 750 smaller cable 
operators, incumbent telephone companies, municipal utilities, 
competitors, and other local providers which offer service in 
all 50 States. Eighty percent of our members serve fewer than 
5,000 customers. Fifty percent serve fewer than 1,000. Most 
have 10 or fewer employees and cannot afford to dedicate 
employees solely to regulatory compliance.
    As I said at the outset, ACA members must comply, and have 
complied, with numerous privacy and data security obligations, 
several of which were the work of this committee. These two 
longstanding provisions include the Communications Act, Section 
631, for cable services enacted in 1984, and Section 222, the 
Consumer Proprietary Network Information rules, also known as 
CPNI, for voice and now broadband services, enacted in 1996. 
These also include Section 5 of the Federal Trade Commission 
Act for non-common carrier services and the laws of the states 
where providers operate. Complying with all of these 
requirements imposes a significant burden on smaller providers, 
but ACA members understand their duty and their legal 
obligations to protect the confidentiality of their customers' 
information.
    Because ACA members are subject to so many time-tested 
privacy and security obligations, they had hoped that the FCC, 
in crafting CPNI regulations to cover broadband, would have 
proposed a regime consistent with requirements already on the 
books. In fact, ACA joined with other industry organizations 
last year to present to the FCC a privacy framework that would 
promote the goals of transparency, choice, data security, while 
retaining consistency with the FTC's framework.
    Our privacy proposal would protect consumers and equally 
regulate all participants in the Internet ecosystem. It would 
also enable smaller providers to comply without undue burdens. 
Unfortunately, the FCC insisted on blazing an entirely new path 
by proposing novel, complex, and overly burdensome 
requirements. In comments filed recently with the FCC, the 
Small Business Administration's Office of Advocacy said that 
smaller providers will be subject to onerous obligations.
    In our view, these obligations would chill investment and 
innovation while providing uncertain consumer benefits. Even 
more importantly, these rules would apply only to broadband 
providers, a mere subset of players in the Internet ecosystem. 
This would lead to customer confusion as well as distort the 
market through asymmetric regulation. The FCC should revise its 
approach, reassess the costs and benefits of its proposal, and 
seek to blend it with the FTC's approach.
    In closing, ACA members have spent decades protecting their 
customers' privacy and data security. As the FCC moves to craft 
new rules for broadband, we seek to bring to bear our 
experience and the previous efforts of this committee and other 
government bodies to build a sound and lasting regulatory 
regime. And we promise to continue our efforts to develop a 
solution that works for all.
    Thank you.
    [The prepared statement of Mr. Polka follows:]

      Prepared Statement of Matthew M. Polka, President and CEO, 
                       American Cable Association
    Thank you, Chairman Thune, Ranking Member Nelson, and Members of 
the Committee, for inviting me to testify on behalf of the American 
Cable Association (ACA) and its members about the steps we are taking 
to protect the privacy and security of our customers' personal 
information and our thoughts on the Federal Communications Commission's 
(FCC's or Commission's) proposed privacy and data security rules for 
broadband Internet access service (broadband service).
    In my testimony, I will focus on four points. First, ACA members 
are already subject to a host of privacy and data security obligations, 
take those obligations seriously, and have an excellent track record of 
compliance. Because they too are consumers, ACA members understand 
consumers' expectations and the need for privacy protections. Second, 
to best serve the interests of broadband consumers, the FCC should 
adopt a privacy and data security framework that is consistent with the 
Federal Trade Commission's (FTC's) approach, which has proven valuable 
and workable for all interests. Third and most unfortunately, we fear 
that the FCC's proposed privacy and data security rules would impose 
needless, unduly burdensome obligations on smaller broadband providers, 
chilling investment and innovation, all with little consumer benefit. 
And finally, if the FCC nonetheless proceeds and adopts rules in line 
with its proposals, it should ease the burdens on small providers by 
providing tailored exemptions, extending compliance deadlines, and 
streamlining its rules.
I. Background on ACA's Members
    ACA represents approximately 750 small and medium-sized cable 
operators, incumbent telephone companies, municipal utilities, and 
other local providers, which provide service in all fifty states. ACA 
members provide a variety of services to their residential and business 
customers, including voice, cable service, broadband, and various non-
common-carrier services, such as home security, PC support, e-mail, and 
data center services. Eighty percent of ACA members serve fewer than 
5,000 subscribers, and roughly fifty percent serve fewer than 1,000 
subscribers. Half of ACA's members have ten or fewer employees, with 
typically just one or two engineers or individuals with technical 
expertise, and these employees perform many duties within their 
companies. Few have in-house personnel dedicated to privacy and data 
security compliance. Yet, they take all necessary steps to comply with 
today's regulatory mandates, even though it is a challenge and cuts 
into their ability to upgrade systems and to offer new products and 
services.
    Consequently, ACA urges Congress and the Commission to continue to 
seek to balance actions that would impose new obligations with the 
resource capabilities of smaller providers. Skewing that balance 
against broadband providers--as the Commission proposes to do--imperils 
investments in high performance networks and information services so 
critical for consumers and our economy.
II. ACA Members Are Already Subject to A Host of Privacy and Data 
        Security Rules, Take Those Obligations Seriously, and Have 
        an Excellent Track Record of Compliance
    ACA members must comply and have complied with numerous privacy and 
data security obligations, several of which were the work of this 
Committee. ACA members that provide cable service must comply with 
Section 631 of the Cable Communications Policy Act of 1984 (the Cable 
Act).\1\ ACA members that provide voice services--whether traditional 
circuit-switched voice or interconnected voice over Internet Protocol 
(VoIP)--must comply with Section 222 of the Communications Act of 1934, 
and its implementing rules related to customer proprietary network 
information (CPNI).\2\ ACA members that provide broadband service must 
comply with the FCC's transparency rule (which requires disclosure of 
privacy policies), and since the 2015 Open Internet Order, the FCC has 
asserted that they must comply with Section 222 (notwithstanding 
ongoing challenges to the agency's authority to do so). ACA members 
that provide non-common-carrier information services, a term which 
until recently applied to broadband service, must also comply with 
Section 5 of the Federal Trade Commission Act, which prohibits ``unfair 
or deceptive acts or practices,'' including those related to privacy 
and data security. Further, our members are subject to the laws and 
rules of the states in which they operate, including but not limited to 
data breach notification laws.\3\ In addition, to the extent that they 
interact with institutions handling sensitive information such as 
banks, hospitals, and schools, they often must assume obligations--by 
statute, rule, or contract--to protect such information.
---------------------------------------------------------------------------
    \1\ Cable operators have been subject to Section 631 for over 30 
years. Section 631 includes a robust set of requirements, including 
annual subscriber notices, a customer consent framework, access rights, 
and a private right of action.
    \2\ Section 222 and its implementing rules are designed to protect 
the confidentiality of individually identifiable CPNI, a narrow 
category of information that includes information about a customer's 
use of the network (e.g., call detail records) and information 
contained within customer bills. The CPNI rules include a three-tiered 
notice and consent regime, data security safeguards, a breach 
notification rule, and annual certifications. Beginning in 2014, the 
FCC began to read Section 222 more broadly to protect ``customer 
proprietary information,'' a category of information that according to 
the FCC includes both CPNI as well as all personally identifiable 
information. ACA and others have challenged the Commission's broad 
interpretation of the statute as unlawful.
    \3\ Every state has a law prohibiting deceptive practices, and most 
have laws prohibiting unfair practices, similar to the FTC's Section 5 
prohibition. See, e.g., Conn. Gen. Stat. Sec. 42-110b(a); Fla. Stat. 
Ann. Sec. 501.204; Mass. Gen. Laws Ch. 93A, Sec. 2(a); S.D. Codified 
Laws Sec. 37-24-6(1). Further, 47 states have enacted data breach 
notification laws. See, e.g., Conn. Gen Stat. Sec. 36a-701b; Fla. Stat. 
Sec. Sec. 501.171, 282.0041, 282.318(4)(j)(1); Mass. Gen. Laws 
Sec. 93H-1 et seq. Moreover, several states have enacted additional 
privacy and data security requirements. See, e.g., Fla. Stat. 
Sec. 501.171; 201 CMR 17.00. For example, Massachusetts requires 
companies to ``develop, implement, and maintain a comprehensive 
information security program that is written in one or more readily 
accessible parts and contains administrative, technical, and physical 
safeguards,'' with granular requirements that every such information 
security program must include. See 201 CMR 17.00.
---------------------------------------------------------------------------
    Complying with all of these privacy and data security laws is a 
significant burden for smaller providers, but they understand their 
responsibilities and have taken the necessary steps to ensure they 
comply. ACA members notify their subscribers of their privacy practices 
through welcome packages, annual notifications, and website privacy 
policies. Our members also provide opportunities for customers to make 
choices about how service providers use or share their information and 
give all the necessary information to make an informed choice. They 
also understand the importance of effective personnel training, as well 
as the need to ensure that agents and independent contractors--e.g., 
billing and customer service companies--protect the confidentiality of 
customer information.
    ACA members employ reasonable physical, technical, and 
administrative data security practices to protect against breaches of 
customer information. For example, ACA members have established robust 
authentication requirements, such as password protection for access to 
customer information or, for small-town providers, requiring customers 
to authenticate themselves in person with proper identification. In 
addition, our members are responsible in their duties to comply with 
the recordkeeping and reporting obligations of the FCC's existing 
privacy and data security rules, including obligations to keep records 
of customer approval status and marketing campaigns, as well as annual 
certification obligations. We have been active in the FCC's 
Communications Security, Reliability and Interoperability Council 
Working Group IV proceeding, which is intended to assist companies with 
implementing voluntary cybersecurity measures for the communications 
sector that respect the unique challenges that small and medium-sized 
providers face.
    The privacy and data security actions described above and others 
that smaller providers undertake do not exist in a vacuum--they are 
just one part of an increasingly complex web of legal and regulatory 
obligations with which providers must comply, including law 
enforcement, disabilities access, copyright, emergency alert service, 
universal service, and open Internet obligations, as well as a variety 
of state and local regulations.
    ACA members have an excellent track record in protecting the 
confidentiality of their customers' information and complying with 
privacy and data security laws and rules. Indeed, in the decade during 
which the FTC exercised its authority over broadband providers--
conducting innumerable investigations and actions against companies 
related to privacy and data security--we are not aware of a single 
action against a smaller broadband provider for the sorts of privacy 
and data security practices that the FCC seeks to regulate pursuant to 
its proposals. Such a long run free of major incidents reinforces the 
view that a new and more intrusive privacy and data security regime is 
not needed to protect consumers.
III. To Best Serve the Interests of Broadband Consumers, the FCC Should 
        Adopt a Privacy and Data Security Framework That Is Consistent 
        With the FTC's Approach, Which Has Proven Valuable and Workable 
        for All Interests
    Until the FCC classified broadband service as a Title II 
telecommunications service in the 2015 Open Internet Order, all 
industry participants in the Internet ecosystem were subject to the 
jurisdiction of the FTC. The FTC's approach combines a flexible 
statutory provision--Section 5 of the FTC Act--with heightened 
obligations for limited categories of sensitive information (e.g., 
children's information, health information, or financial information). 
As such, the FTC's approach has at its core the concepts of 
flexibility, context specificity, and technological neutrality. This 
framework has enabled the Internet ecosystem to flourish to the benefit 
of consumers, edge providers, and broadband providers alike. Further, 
by avoiding hyper-prescriptive rules and focusing instead on the 
reasonableness of providers' practices and the truthfulness and 
completeness of their representations to their customers, the FTC's 
framework lessens the compliance burdens on smaller providers.
    In contrast, the FCC proposes to cleave the Internet ecosystem in 
two by subjecting one set of participants--broadband providers--to a 
different and more burdensome privacy and data security regime, while 
another set--including edge providers--remains subject to the FTC's 
approach. The FCC is proposing these rules despite the fact that the 
large edge providers can know more about a user's activity and, unlike 
broadband providers, often employ business models that depend on the 
collection, use, and sharing of their customers' personal information. 
For smaller broadband providers, which lack scale, such business models 
are rarely in our members' strategic plans.
    In advance of the FCC issuing its proposals, ACA and several trade 
associations proposed a framework that would protect consumers and 
promote the FCC's goals of transparency, choice, and data security 
while retaining consistency with the FTC's framework. Such an approach 
would protect consumers and avoid entity-based regulation that would 
create consumer confusion and stifle innovation. Consumers expect their 
data will be subject to consistent privacy standards based upon the 
sensitivity of the information and how it is used, regardless of which 
entity in the Internet ecosystem uses that data. Indeed, FTC staff has 
stated that ``any privacy framework [for broadband providers, operating 
systems, browsers, and social media] should be technology neutral,'' 
and has argued that the FCC's failure to propose a consistent privacy 
regime is ``not optimal.''
    We recommended that to maintain consistency with the FTC's 
framework, the FCC should adopt rules based on the following 
principles:

    * Transparency. A broadband (telecommunications service) 
        provider should provide notice, which is neither deceptive nor 
        unfair, describing the CPNI that it collects, how it will use 
        the CPNI, and whether and for what purposes it may share CPNI 
        with third parties.

    * Respect for Context and Consumer Choice. A broadband 
        provider may use or disclose CPNI as is consistent with the 
        context in which the customer provides, or the provider 
        obtains, the information, provided that the provider's actions 
        are not unfair or deceptive. For example, the use or disclosure 
        of CPNI for the following commonly accepted data practices 
        would not warrant a choice mechanism, either because customer 
        consent can be inferred or because public policy considerations 
        make choice unnecessary: product and service fulfillment, fraud 
        prevention, compliance with law, responses to government 
        requests, network management, first-party marketing, and 
        affiliate sharing where the affiliate relationship is 
        reasonably clear to consumers. Consistent with the flexible 
        choice mechanisms available to all other entities in the 
        Internet ecosystem, broadband providers should give consumers 
        easy-to-understand choices for non-contextual uses and 
        disclosures of their CPNI, where the failure to provide choice 
        would be deceptive or unfair. The provider should consider the 
        sensitivity of the data and the context in which it was 
        collected when determining the appropriate choice mechanism.

    * Data Security. A broadband provider should establish, 
        implement, and maintain a CPNI data security program that is 
        neither unfair nor deceptive and includes reasonable physical, 
        technical, and administrative security safeguards to protect 
        CPNI from unauthorized access, use, and disclosure. Providers' 
        CPNI data security programs should provide reasonable 
        protections in light of the nature and scope of the activities 
        of the company, the sensitivity of the data, and the size and 
        complexity of the relevant data operations of the company.

    * Data Breach Notifications. A broadband provider should 
        notify customers whose CPNI has been breached when failure to 
        notify would be unfair or deceptive. Given that breach 
        investigations frequently are ongoing at the time providers 
        offer notice to customers, a notice that turns out to be 
        incomplete or inaccurate is not deceptive, as long as the 
        provider corrects any material inaccuracies within a reasonable 
        period of time of discovering them. Broadband providers have 
        flexibility to determine how and when to provide such notice.

    Our proposal would meet consumers' privacy needs while allowing 
them to take advantage of products and services they expect from their 
service provider and would avoid inconsistent and burdensome oversight. 
Moreover, it would ensure a level playing field between edge providers 
and broadband providers, promoting an innovative and competitive 
broadband ecosystem.
    Our proposal also would improve the ability of smaller providers to 
comply without incurring undue costs or other burdens. As I explained 
earlier, smaller providers work to ensure that they use customer 
information consistent with their customers' expectations. Since these 
providers are already familiar with the FTC framework, they would not 
have to incur material additional costs to bring their policies, 
processes, and systems into compliance if the FCC adopts rules 
consistent with this framework.
    Our proposal also is superior because the consumer choice 
provisions align with consumer expectations by respecting the context 
of customer-carrier interactions. This will enable small providers to 
offer new and innovative services to their customers, increasing 
consumer choice and competition.
    The data security rule in our proposal also contains a robust 
general security standard that requires ``physical, technical, and 
administrative'' security safeguards while including the size of the 
company as a factor in determining whether particular safeguards are 
reasonable. As such, in the event that smaller providers grow, the 
rules will require more sophisticated processes commensurate with their 
larger operations. Additionally, our framework enables the FCC to 
establish best practices through multi-stakeholder processes.
    Finally, our proposed data breach notification rule is superior to 
the FCC's proposed rule because it provides flexible deadlines that 
will not overburden small providers and a safety valve for good faith 
disclosures so that small providers can avoid counterproductive strict 
liability enforcement actions associated with inflexible and overly 
prescriptive regimes.
IV. The FCC's Proposals Would Needlessly Impose Unduly Burdensome and 
        Costly Restrictions on Small Providers, Chilling Investment and 
        Innovation With Minimal Additional Consumer Benefit
    The FCC proposes a set of privacy and data security rules that, if 
adopted, would be one of the most complex in the United States. Let me 
highlight just some of the new notice, customer approval, data 
security, and data breach notification obligations the FCC proposes to 
impose on smaller broadband providers.

    * Proposed Notification Rules. The proposed notification rules 
        would prescribe, in minute detail, when, where, how, and how 
        often providers must notify their subscribers about their 
        privacy and data security practices, which would require 
        smaller providers to incur legal costs to draft and update privacy 
        notices, administrative costs to deliver the notices, and 
        technical costs to post the notices ``persistently'' on the 
        provider's website, mobile app, and any functional equivalent.

    * Proposed Customer Approval Rules. The proposed customer 
        approval rules would replace the long-standing, context-
        specific, and consumer-friendly opt-out regime of the FTC with 
        an incredibly complex and restrictive three-tiered framework 
        that would erect unnecessary barriers to collecting, using, or 
        sharing customer information by requiring opt-in consent in 
        many situations that are well within consumer expectations.

    * Proposed Data Security Rules. The proposed data security 
        rules would replace the FTC's reasonable security standard with 
        a general strict liability rule requiring providers to 
        ``ensure'' the confidentiality, security, and integrity of 
        customer information, irrespective of the sensitivity of that 
        information and ignoring the fact that most agencies recognize 
        that there is no such thing as perfect security. The proposed 
        data security rules also would impose exacting operational 
        requirements on broadband providers, such as: requiring regular 
        risk management assessments; appointing ``senior officials'' to 
        oversee providers' privacy and data security practices; 
        implementing third party oversight mechanisms; and conducting 
        training for personnel, agents, and affiliates.

    * Proposed Data Breach Notification Rules. The proposed data 
        breach notification rules would impose a strict, seven-day 
        turnaround time from discovery of the breach to notify the FCC 
        and law enforcement about any data breach, and a ten-day 
        turnaround for notifying affected customers, regardless of 
        whether the breach was intentional or whether consumer harm is 
        reasonably likely. The result of this proposed breach 
        notification rule will be over-notification, often including 
        incomplete or evolving facts, which will confuse consumers, 
        breed unnecessary distrust in the Internet ecosystem, and work 
        to undermine the ``virtuous circle'' of demand for Internet 
        services, deployment of broadband infrastructure, and 
        innovation.

    Unlike the existing CPNI rules, the proposed rules would not be 
limited to ``customer proprietary network information''--the narrow set 
of information that Section 222 was drafted to address--but rather 
would apply to all ``customer proprietary information,'' a broad, 
amorphous term that appears nowhere in the Communications Act and 
covers everything from the make and model of a user's modem to an 
individual's public demographic information. Further, unlike the 
existing CPNI rules, the proposed rules would apply to all past, 
present, and prospective customers of a broadband provider. The FCC 
even seeks comment on whether to expand the definition of customer to 
include minors, members of a group plan, or other individual users who 
can access a shared account. By extending the universe of covered 
information and individuals, smaller providers will need to manage 
significantly more information, dramatically increasing the costs and 
burdens of compliance.
    To meet all of these new, extensive obligations, smaller broadband 
providers would need at least to:

    * Develop and implement new data security controls, website 
        policies, and customer approval tracking systems;

    * Hire and train dedicated privacy and data security staff;

    * Provide additional customer notices, including data breach 
        notifications that would increase customer confusion and 
        ``notice fatigue'';

   Retain attorneys and consultants for such activities as 
        regulatory analysis, contract negotiation, risk management 
        assessments, and preparing required policies, forms, training, 
        and audits;

   Ensure compliance for call centers, billing software, and 
        others that interface with customer proprietary information; 
        and

   Divert scarce resources from innovation and infrastructure 
        deployment to regulatory compliance.

    These new costs would be most burdensome for smaller providers, 
decreasing their ability to innovate, upgrade systems, and compete 
while increasing costs, confusion, and inconvenience for their 
customers. Indeed, the Office of Advocacy for the Small Business 
Administration (SBA) told the FCC that its ``proposed rules will be 
disproportionately and significantly burdensome for small Broadband 
Internet Access Service (BIAS) providers,'' arguing that ``the FCC 
failed to comply with the [Regulatory Flexibility Act's] requirement to 
quantify or describe the economic impact that its proposed regulations 
might have on small entities,'' and ``[t]he FCC has provided no 
estimate of the paperwork hours required to comply with the 
regulations.''
V. If the FCC Adopts Its Proposed Rules, It Should Take Steps to Ease 
        the Burden on Smaller Providers Through Exemptions to the More 
        Onerous Elements of the Rules, Extensions of the Applicable 
        Compliance Deadlines, and Streamlined Regulations
    If the FCC rejects our proposal in favor of its prescriptive, ex 
ante privacy and data security framework, it should, consistent with 
similar privacy regimes:

   Exempt smaller providers from prescriptive specific data 
        security requirements (while maintaining a flexible general 
        data security standard) and add ``the size of the BIAS 
        provider'' to the factors that the FCC must consider when 
        assessing the reasonableness of a BIAS provider's security 
        program;

   Exempt smaller providers from the more onerous elements of 
        its customer approval framework by grandfathering existing 
        customer consents and exempting smaller providers from the 
        requirement to obtain additional approval where they do not 
        share sensitive personal information with third parties for 
        marketing purposes;

   Exempt smaller providers from several elements of the FCC's 
        proposed data breach notification rule (as applied to voice and 
        broadband services) by exempting smaller providers from the 
        specific notification deadlines in favor of an ``as soon as 
        reasonably practicable'' standard; and

   Exempt smaller providers from any customer dashboard 
        requirements that it adopts pursuant to its notice and choice 
        regulations.

    These exemptions address and reduce the burdens that the proposed 
privacy rules would have on smaller providers, and align with the SBA 
Advocacy Office's request that the FCC adopt ``exemptions for small 
BIAS providers wherever practicable.''
    The FCC also should extend the deadlines for smaller providers to 
comply with any new privacy and data security rules by at least one 
year beyond any general compliance deadline (i.e., the date at which 
larger providers must comply with the rules). The FCC should commit to 
initiate a subsequent rulemaking together with or immediately after any 
order that results from this proceeding to determine whether to further 
extend the deadline and/or establish additional exemptions, and should 
further commit to rule on whether to extend the deadline or establish 
additional exemptions prior to the expiration of the general compliance 
deadline. The FCC often has extended effective dates for small entities 
in the context of its consumer protection regulations, including: (1) a 
three-year waiver for certain analog-only cable systems to comply with 
the emergency information rule; (2) a two-year delay to comply with the 
User Guide Requirements of the FCC's accessibility rules; (3) a one-
year extension of the compliance deadline for the FCC's open Internet 
enhanced transparency rule, which it subsequently extended for another 
year; and (4) a six-month extension to implement requirements of the 
2007 CPNI Order.
    Moreover, the FCC should rationalize and streamline its proposed 
rules to ensure that they are not too burdensome for smaller broadband 
providers by:

   Developing, with industry and other stakeholders, 
        standardized notices with safe harbor protection that small 
        providers can use to reduce enforcement risks, as well as the 
        need to pay for outside counsel, consultants, and developers;

   Streamlining its proposed customer approval requirements to 
        better align with consumer expectations and avoid disrupting 
        existing customer relationships;

   Adopting a general data security standard and working with 
        industry to establish and update best practices rather than 
        imposing prescriptive data security rules;

   Tailoring any data breach notification requirements to ease 
        burdens on broadband providers, including by adopting flexible 
        deadlines for breach notification, limiting notifications to 
        situations where consumer harm is reasonably likely, creating a 
        one-stop-shop for breach reporting, and preempting state breach 
        notification laws; and

   Harmonizing its rules within Section 222, but not across 
        statutory provisions including Section 631 of the Cable Act, 
        which would undermine consumer expectations and would upend 
        providers' existing compliance regimes.

    While a suite of extensions, exemptions, and rationalized rules 
would not be as effective as adopting rules consistent with the FTC 
framework, it would address the concerns of smaller providers and many 
others in the record--including the SBA--that the FCC's proposed rules 
go too far without adequately considering the burdens of its proposals 
on smaller providers.
    ACA members have a strong record of protecting consumer data and 
complying with myriad state and Federal privacy and data security laws. 
Based on this experience, we urge the Commission to adopt the time-
tested privacy framework employed by the FTC. It has proven valuable 
for consumers and imposes important but reasonable obligations on 
smaller broadband providers. We look forward to working with the 
Committee and the Commission as this process moves forward.

    The Chairman. Thank you, Mr. Polka.
    Next up is Professor Swire. And I apologize, I 
mispronounced your name----
    Mr. Swire. It's happened before.
    [Laughter.]
    The Chairman.--during my introduction. That was from me not 
wearing these (referencing glasses). But, Professor Swire, 
please proceed.

 STATEMENT OF PETER SWIRE, HUANG PROFESSOR OF LAW AND ETHICS, 
 SCHELLER COLLEGE OF BUSINESS, GEORGIA INSTITUTE OF TECHNOLOGY

    Mr. Swire. Thank you, Chairman Thune, and Ranking Member 
Nelson and members of the Committee. And thank you for the 
opportunity to testify today on the FCC's proposed privacy 
rule. As you said, my name is Peter Swire, not Swine. I teach 
at Georgia Tech.
    Today I'm testifying about a major research project that my 
co-authors and I issued this year called ``Online Privacy and 
ISPs.'' It's 125 pages. It has pretty color illustrations. We 
tried to set out the facts for how this stuff works. Before our 
report came out, many of those supporting stronger privacy 
rules signed a letter stating that ISPs, ``have a comprehensive 
view of consumer behavior,'' and they said, ``that ISPs have a 
unique view in the online ecosystem because they connect the 
users to the Internet.''
    And our report documented two factual findings. First, ISP 
visibility into consumer online information is far from 
comprehensive and will likely continue to decline, and the 
biggest reason is the huge growth in encryption.
    Second, ISPs appear to lack unique insights into users' 
Internet activity. The biggest reason is that the data the ISPs 
see is generally not as detailed and insightful as that 
available to others in the Internet ecosystem. These two 
conclusions are surprising to many people on first encounter 
for understandable reasons based in history, but the facts have 
changed over time and will continue to do so.
    My own work here began when the FCC invited me to testify 
over a year ago at their workshop on broadband consumer 
privacy. That day, the debates were about comprehensive and 
unique access, and I believe getting more facts would be 
useful.
    I'll say just a word about my own role in this discussion. 
During 2009 and 2010, I worked in the White House on the 
National Economic Council. As part of that job, I signed what 
is sometimes called the ``Obama Pledge,'' I will not engage in 
any lobbying of Federal officials while President Obama is in 
office. As a consequence, all of my writing about this privacy 
rulemaking has been factual, and I do not and have not 
advocated for any policy outcome.
    As a related point, I know why I think our research has 
been helpful to those with different views about the policy 
issues here. For those who believe the proposed rule is too 
strict, and we heard several people today already, our research 
has corrected important misperceptions that policymakers might 
have had, and now we can decide based on current facts rather 
than previous impressions. And for those who support the FCC's 
proposed rules, such as Professor Ohm, I believe our research 
has also been useful. Before the working paper, much of the 
advocacy for the rule was based on factual claims that have not 
stood up to scrutiny, especially the claim that ISPs, because 
of their place in the ecosystem, see everything about a user's 
activity. Without the working paper, supporters of the rule 
faced a real risk the rule would be based on inaccurate facts, 
thus exposing the rule to risk of reversal in judicial review. 
And I believe the factual record now before the Commission is 
more nuanced and complete than it would have been.
    So turning to these facts and the issue of whether there is 
comprehensive access, the most cited findings in our working 
paper concern the recent and rapid and historic rise in 
encrypted communications for the typical user. Just two years 
ago, in 2014, in February, 13 percent of the bits going through 
the U.S. backbone were encrypted. By this January, that number 
had soared to 49 percent, half the bits, and we expect it to be 
70 percent by the end of this year.
    And with the shift to HTTPS, which is the secure protocol, 
there are two main effects. First of all, the content gets 
encrypted. This is again for a majority of bits now today. And 
for years, the biggest privacy concern about ISPs is what was 
called ``deep-packet inspection,'' and that was because ISPs 
technically can go deep into the packet to see the full content 
and not just the header. For encrypted communications, deep-
packet inspection doesn't work anymore, it's encrypted, they 
can't get in.
    Second, blocking of detailed URLs. HTTPS also blocks ISP 
access to the detailed URLs. With encryption, the ISP sees 
something like ``www.example.com,'' but along with blocking 
content, encryption blocks all the details, such as 
``www.example.com/sensitivemedicalcondition.'' So a lot of the details 
get blocked, and that 
applies broadly to our e-mails now and social networks and web 
search.
    The other topic is to discuss briefly whether ISPs have 
unique data, maybe because they're the bottleneck, as Professor 
Ohm mentioned, and whether they have unique insights. My 
written remarks discuss five categories of data: domain names, 
location information, IP addresses, subscriber information, and 
NetFlow or IPFIX information.
    Sticking with domain names as the example, ISPs can see the 
general domains, such as ``example.com,'' but so can a lot of 
others, and that's sort of the point here. The user's operating 
systems see it, the user's browser, the app that he or she is 
using, the advertising network, all the people with cookies in 
the system. Advertisers also have third parties who sell 
profiles based on where people surf. And so the point when it 
comes to domain names is that compared to other Internet 
actors, ISPs access only the domain names, that's third best, 
not as good as the content or the detailed URLs that others 
see.
    So in conclusion, at a factual level, there are greater 
limits in ISP visibility than most people had assumed, and I 
had assumed when I began the research, and the FCC should base 
its conclusions on the ecosystem we have today and going 
forward rather than a simplified view of what ISPs used to be 
able to see.
    My thanks to the Committee for the opportunity to speak 
here, and I look forward to your questions.
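An added illustration, not part of the hearing record or of the Swire working paper: the Python script below constructs a plaintext HTTP request and a minimal TLS ClientHello for the same site (both messages are constructed samples, using www.example.com as in the testimony) and shows what a passive on-path observer can read from each: the full path and the Referer header with search terms from HTTP, but only the domain name from the TLS server_name (SNI) extension.

```python
"""Added example (not part of the hearing record or the Swire working paper):
what a passive on-path observer, such as an ISP, can read from a plaintext
HTTP request versus a TLS (HTTPS) handshake to the same site."""
import struct

# Constructed sample request, as a browser would send it over plain HTTP.
# The path and the Referer header (carrying search terms) are both readable.
HTTP_REQUEST = (
    b"GET /sensitivemedicalcondition HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://search.example.net/?q=rare+disease+symptoms\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)


def observe_http(raw: bytes) -> dict:
    """Parse the request line and headers the way any on-path observer could."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "host": headers.get("host"),
        "path": path,                          # full detailed URL is exposed
        "referer": headers.get("referer"),     # search terms leak here
        "content_visible": True,               # any body is plaintext too
    }


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-format ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2)
        + b"\x11" * 32                                # client random (constant placeholder)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # null compression only
        + struct.pack("!H", len(ext)) + ext           # extensions block
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def observe_tls(record: bytes) -> dict:
    """Walk a ClientHello to its server_name extension; everything after the
    handshake (request line, path, headers, content) is ciphertext."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                      # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    server_name = None
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            p = pos + 2                          # skip server_name_list length
            if record[p] == 0:                   # host_name entry
                name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                server_name = record[p + 3:p + 3 + name_len].decode("ascii")
        pos += ext_len
    return {"host": server_name, "path": None, "referer": None, "content_visible": False}


def compare_visibility(server_name: str = "www.example.com") -> dict:
    """Side-by-side view of what the same observer learns in each case."""
    return {
        "http": observe_http(HTTP_REQUEST),
        "https": observe_tls(build_client_hello(server_name)),
    }


if __name__ == "__main__":
    for proto, seen in compare_visibility().items():
        print(proto, seen)
```

The domain also reaches the provider through DNS lookups and destination IP addresses, which the testimony lists separately; Encrypted Client Hello, which would hide the SNI field, is not modeled here.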
    [The prepared statement of Mr. Swire follows:]

 Prepared Statement of Peter Swire, Huang Professor of Law and Ethics, 
     Scheller College of Business, Georgia Institute of Technology
    Chairman Thune, Ranking Member Nelson, and Members of the 
Committee, thank you for the opportunity to testify today on ``How Will 
the FCC's Proposed Privacy Regulations Affect Consumers and 
Competition?'' I am Peter Swire, the Huang Professor of Law and Ethics 
at the Scheller College of Business at Georgia Tech. I have worked 
intensively on privacy and cybersecurity issues in government, 
academia, and practice for over twenty years. A biography is attached 
to the end of this testimony.
    In February of this year, my co-authors and I issued the 125-page 
Working Paper called ``Online Privacy and ISPs: ISP Access to 
Information is Limited and Often Less Than That of Others.'' \1\ My 
testimony today, based on reply comments filed this week with the 
FCC,\2\ focuses on two principal factual findings arising from that 
research project:
---------------------------------------------------------------------------
    \1\ Peter Swire, Justin Hemmings, and Alana Kirkland, Online 
Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less 
than Access by Others (Feb. 29, 2016) available at http://
www.iisp.gatech.edu/working-paper-online-privacy-and-isps.
    \2\ https://www.fcc.gov/ecfs/filing/107062066122504/document/
10706206612250467ca.

  (1)  ISP visibility into consumer online information is far from 
        comprehensive, and will likely continue to decline; and

  (2)  ISPs appear to lack unique insights into users' Internet 
        activity.

    These two conclusions, in my experience, are surprising to many 
people on first encounter. For understandable reasons based in history, 
many observers have believed that ISPs do have comprehensive and unique 
insights into users' Internet activity. Our research has sought to 
provide an accurate factual basis for consideration by the FCC and 
other policymakers about these topics. As discussed further below, we 
have researched the facts about ISP activity, and I do not take any 
position on the policy issues facing the FCC concerning broadband 
privacy.
    This testimony first discusses the context for our research 
project. It next discusses the limits on the comprehensiveness of ISP 
visibility into consumer behavior, notably due to the historic rise in 
encrypted communications. It concludes by examining claims that ISPs 
have unique insight into users' Internet activity.
1. The Context for the Research Project
    I briefly discuss the origins of the research project in 2015, and 
the chronology of work product through the testimony today.
A. The Origins of the Research Project
    My research into ISP access to user data began with the request 
from the Federal Communications Commission to participate in its April 
28, 2015, Public Workshop on Broadband Consumer Privacy.\3\ In 
connection with that Workshop, I was asked by a senior FCC official 
about a prominent dispute during the workshop--advocates for stricter 
privacy regulation essentially argued that ISPs have ``comprehensive'' 
access to consumer online information, while the ISPs instead 
emphasized the limited data to which they have access. In response, I 
answered that this was actually a factual question--research could 
illuminate the extent to which ISPs do or do not have ``comprehensive'' 
access.
---------------------------------------------------------------------------
    \3\ My statement is at https://peterswire.net/wp-content/uploads/
Swire_FCC-testimony_CPNI_04_27_15.pdf.
---------------------------------------------------------------------------
    My research project has sought to shed light on the 
``comprehensive'' access and related issues. As disclosed from the 
start, in addition to funding from Georgia Tech-related sources, 
funding also came from Broadband for America, a trade association that 
includes major ISPs. At each stage, my co-authors and I have had 
complete editorial discretion--the views expressed are our own. To 
underscore our commitment to accurate research, we have asked for 
public comments about any factual inaccuracies. Our Working Paper in 
February 2016 held up very well to scrutiny. Our May 2016 comments to 
the FCC included detailed responses to comments, including deletion of 
two sentences (out of the 125-page report) that we concluded we could 
not support.
    As someone who has often previously provided policy recommendations 
concerning privacy issues, I provide some detail about why my work on 
this topic has been factual rather than making any policy 
recommendations about what the FCC should do in its privacy rulemaking. 
I am under binding obligations that arise from my role as Special 
Assistant to President Obama for Economic Policy in 2009-2010. As a 
condition of that employment, I signed what is sometimes called the 
``Obama Pledge''--I will not engage in any lobbying of Federal 
officials while President Obama remains in office. As a consequence, my 
writing about the FCC privacy rulemaking has been factual, and I do not 
and have not advocated for any policy outcome in the proceeding.
    As a related point, I note the role that our research has played 
both for those concerned the FCC's proposed privacy rule is too strict 
as well as those who support the FCC's proposed rule. For those 
concerned that the FCC's proposed rule is too strict, I believe our 
research has served a distinctly useful role--the public debate had 
often assumed that ISPs have comprehensive insights into user online 
activity, but in fact that is not so. The research, most clearly 
concerning the rising use of encryption, thus has corrected important 
misperceptions, prompting policymakers to decide based on current facts 
rather than false impressions. For those who support the FCC's proposed 
rule, I submit that our research has also served a distinctly useful 
role. Prior to our Working Paper, a substantial part of the advocacy 
for the rule had been based on factual claims that have not stood up to 
scrutiny, especially the claim that ISPs, due to their place in the 
Internet ecosystem, see ``everything'' about a user's Internet 
activity. In the absence of our Working Paper, proponents of the rule 
faced a risk that the rule would be based on inaccurate facts, thus 
exposing the rule to the risk of reversal during the process of 
judicial review.
B. The Chronology Related to the Research Project
    Here is the chronology related to our research project:

  1.  As discussed above, in April 2015, the FCC invited me to 
        participate as a panelist in its Public Workshop on Broadband 
        Internet Privacy. The Workshop notably featured the debate 
        about the extent to which ISPs have ``comprehensive'' access to 
        user online information. Shortly thereafter, we began our 
        research project on the topic.

  2.  In January 2016, over fifty public interest groups signed a 
        letter urging the FCC to enact a broadband privacy rule, 
        stating that ISPs have a ``comprehensive view of consumer 
        behavior,'' and ``have a unique role in the online ecosystem'' 
        due to their role in connecting users to the Internet (emphasis 
        supplied).\4\
---------------------------------------------------------------------------
    \4\ Letter from Access, et al., to Tom Wheeler, Chairman, Federal 
Communications Commission (Jan. 20, 2016) available at https://
www.publicknowledge.org/assets/uploads/documents/
Broadband_Privacy_Letter_to_FCC_1.20.16_FINAL.pdf.

  3.  In February, we issued the Working Paper on ``Online Privacy and 
        ISPs: ISP Access to Information is Limited and Often Less Than 
        That of Others.'' \5\ We submitted a slightly revised version 
        as initial comments to the FCC, including with an appendix that 
        documents that our initial draft is factually accurate based on 
        expert review.\6\
---------------------------------------------------------------------------
    \5\ Peter Swire, et al., Online Privacy and ISPs: ISP Access to 
Consumer Data is Limited and Often Less than Access by Others (Feb. 29, 
2016) available at http://www.iisp.gatech.edu/working-paper-online-
privacy-and-isps.
    \6\ Comment of Peter Swire, In the Matter of: Protecting the 
Privacy of Customers of Broadband and Other Telecommunications 
Services, WC Docket No. 16-106 (May 24, 2016) available at https://
www.fcc.gov/ecfs/filing/60001926727.

  4.  Several comments in the wake of our Working Paper modified the 
        claim that ISPs have a ``comprehensive'' view to a revised 
        statement that ISPs have a ``comprehensive view of unencrypted 
        traffic,'' \7\ (emphasis supplied) an important change because 
        a majority of non-video Internet traffic is already encrypted 
        today and there are strong trends toward greater encryption. 
        Comments also emphasized types of data where ISPs may have 
        unique advantages, such as the time of user log-in and the 
        number of bits uploaded and downloaded.
---------------------------------------------------------------------------
    \7\ See, e.g., FCC Overreach: Examining the Proposed Privacy Rules: 
Hearing Before the Subcomm. on Commc'ns and Tech. of the H. Comm. on 
Energy and Commerce, 114th Cong. 3 (2016) (statement of Paul Ohm, 
Prof., Georgetown University Law Center) (``When users interact with 
websites or use apps or devices that do not support encryption or do 
not enable it by default, a BIAS provider's ability to spy is complete 
and comprehensive.'') (emphasis added) available at https://
energycommerce.house.gov/hearings-and-votes/hearings/fcc-overreach-
examining-proposed-privacy-rules, Examining the Proposed FCC Privacy 
Rules: Hearing Before the Subcomm. on Privacy, Tech. and the Law of the 
S. Comm. on the Judiciary, 114th Cong. 1 (2016) (statement of Tom 
Wheeler, Chairman, Federal Communications Commission) (``. . . an ISP 
has a broad view of all of its customers' unencrypted online 
activity'') (emphasis added) available at http://
www.judiciary.senate.gov/meetings/examining-the-proposed-fcc-privacy-
rules, Comments of Public Knowledge, et al., In the Matter of: 
Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services, WC Docket No. 16-106, 19-22 (May 27, 2016) 
(discussing why traffic remains largely unencrypted) available at 
https://www.fcc.gov/ecfs/filing/60001974141/document/60002080037.

  5.  On July 6, we submitted reply comments to the FCC, providing 
        additional facts and insights to support our view that ISPs 
        lack comprehensive knowledge of or unique insights into users' 
        Internet activity.\8\ The key parts of the reply comments are 
        laid out in this testimony today. As with our February Working 
        Paper, the reply comments and this testimony take no position 
        on what rules should apply to ISPs and other players in the 
        Internet ecosystem going forward. As we did in February, we 
        will receive comments on the Georgia Tech Institute of 
        Information Security and Privacy Website, and publish edits or 
        corrections if needed.
---------------------------------------------------------------------------
    \8\ https://www.fcc.gov/ecfs/filing/107062066122504/document/
10706206612250467ca.
---------------------------------------------------------------------------
2. ISP Visibility into Consumer Online Information is Far From 
        Comprehensive, and Will Likely Continue to Decline
    Our February Working Paper informed the public debate by 
documenting how encryption is limiting the possibility of ISP's viewing 
much of the content and the detailed URLs accessed by consumers. The 
trend toward greater encryption has continued since February, including 
the recent Apple announcement that apps in the iOS ecosystem must be 
encrypted by the end of 2016. The growing use of encryption and other 
developments mean that ISP visibility is likely to continue to decline 
during the period when any new FCC broadband privacy rule would go into 
effect.
A. The Trend Toward Encryption is Continuing
    The most-cited findings of our Working Paper concern the recent and 
rapid rise in encrypted connections for the typical user, most notably 
by use of the HTTPS (secure HTTP) protocol. As we reported in our 
Working Paper, HTTPS traffic in the U.S. Internet backbone was 13 
percent in February 2014. That number rose to 49 percent by January 
2016, an historic shift. Sandvine estimates that figure will grow to 70 
percent of global Internet traffic by the end of 2016,\9\ and 
encryption will become increasingly ubiquitous in the next five to ten 
years.\10\ Some of the continuing growth in encrypted bits is due to 
the decision of high-volume video providers such as Netflix to shift to 
encryption. As discussed in the Working Paper, however, a majority of 
non-video traffic is already encrypted, including widespread encryption 
for potentially revealing activities such as e-mail, text messages, 
video conversations, social networks, and web search.
---------------------------------------------------------------------------
    \9\ ``2016 Global Internet Phenomena, Latin America & North 
America,'' Sandvine, 1, Jun. 2016 (``Sandvine forecasts that 70 percent 
of global Internet traffic will be encrypted in 2016, with many 
networks expected to exceed 80 percent'') available at https://
www.sandvine.com/trends/global-internet-phenomena/.
    \10\ Larry Downes, The Downside of the FCC's New Internet Privacy 
Rules, Harvard Business Review (May 27, 2016) available at https://
hbr.org/2016/05/the-downside-of-the-fccs-new-internet-privacy-rules.
---------------------------------------------------------------------------
    The Working Paper provides diagrams and detailed explanations of 
what changes with the shift from HTTP to the encrypted HTTPS protocol. 
The shift to HTTPS has two main effects, the shift to encrypted content 
and blocking of detailed URLs.

  i. The shift to encrypted content. Based on my professional 
        experience, the most prominent privacy concerns about ISPs for 
        the past twenty years have been about ``deep-packet 
        inspection'' (DPI). When an ISP uses DPI, then the ISP can go 
        ``deeply'' into the packet, examining the full content in 
        contrast to the header information about where the packet 
        should go. Privacy experts have long expressed concerns that 
        ISP examination of all of a user's content could reveal a great 
        deal of sensitive personal information.\11\ Notably, for 
        encrypted communications, DPI does not work. Even if ISPs 
        sought to profile customers based on content, the use of HTTPS 
        blocks the ISP's access to the content.\12\ In short, the rise 
        of HTTPS provides technical assurances that address the 
        longest-voiced privacy concern about ISPs.
---------------------------------------------------------------------------
    \11\ See, e.g., Center for Democracy and Technology, Online 
Behavioral Advertising: Discussing the ISP-Ad Network Model (Sep. 18, 
2008) available at https://cdt.org/insight/online-behavioral-
advertising-discussing-the-isp-ad-network-model/, Declan McCullagh, Web 
Monitoring for Ads? It may be Illegal, C/Net (May 19, 2008) available 
at http://www.cnet.com/news/web-monitoring-for-ads-it-may-be-illegal/, 
Grant Gross, ISP Backs off of Behavioral Ad Plan, PCWorld (Jun. 24, 
2008) available at http://www.pcworld.com/article/147508/article.html.
    \12\ Professor Nick Feamster, in his comments to the FCC, said 
``DPI is typically not widely deployed in many ISP networks,'' and, 
``contrary to some conventional beliefs, ISPs often do not retain much 
of the data that they collect because the cost of doing so can be 
substantial.'' Taken together with the increasing prevalence of HTTPS, 
these comments from Professor Feamster provide the basis for concluding 
that DPI going forward is much less of a privacy concern than has often 
been asserted in ISP privacy debates. Comment of Nick Feamster, In the 
Matter of: Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services, WC Docket No. 16-1606, 6 (May 27, 2016) 
available at https://www.fcc.gov/ecfs/filing/60001973502/document/
60002079367. 
    Professor Feamster discusses other possible privacy risks in his 
comments, which are discussed below.

  ii. Blocking of detailed URLs. Along with blocking ISP access to 
        content, HTTPS blocks ISP access to detailed URLs. By contrast, 
        ISPs continue to see the domain itself, such as 
        www.example.com. Compared to the domain, detailed URLs 
        typically reveal more granular detail about a user's interests 
        and communications. For a news site, the detailed URL is 
        typically more revealing (www.OnlineNewspaper.com/
        PoliticalNewsStory) than the domain itself 
        (www.OnlineNewspaper.com). As another example, the major search 
        engines have shifted to HTTPS. With HTTP search, information 
        known as ``HTTP referer'' would reveal the search terms to the 
        ISP. With HTTPS search, however, ISPs can no longer see the 
        search terms. As Professor Neal Richards has explained, more 
        granular information provides greater risks to what he calls 
        ``Intellectual Privacy,'' or the ability of the organization 
        gathering the data to make inferences about a person's 
        interests and personality.\13\ Consistent with this view, 
        Federal courts have found content and detailed URLs deserving 
        of stricter legal protection under the Electronic 
        Communications Privacy Act than the domain itself.\14\
---------------------------------------------------------------------------
    \13\ Neil Richards, Intellectual Privacy: Rethinking Civil 
Liberties in the Digital Age (2015).
    \14\ In Re: Google Inc. Cookie Placement Consumer Privacy 
Litigation, 806 F.3d 125, 138 (3rd Cir. 2015) available at http://
www2.ca3.uscourts.gov/opinarch/134300p.pdf.
---------------------------------------------------------------------------
    Comments made after release of the Working Paper have agreed with 
the growth of encryption and the fact that HTTPS blocks content and 
detailed URLs, and have focused instead on other points. A report from 
Upturn, for instance, correctly states that while HTTPS is prevalent on 
some of the most popular websites, the majority of total websites 
remain unencrypted, including a large percentage of health, news, and 
shopping sites.\15\ In considering these statistics, we note that the 
number of bits transferred is an important measure of whether users' 
communications are typically encrypted, including for important 
communications such as e-mails, search, and social networks. Users do a 
large portion of their Internet activity on the most popular such 
sites, where encryption has often already been adopted.
---------------------------------------------------------------------------
    \15\ ``What ISPs Can See: Clarifying the Technical Landscape of the 
Broadband Privacy Debate,'' Upturn, 3-4, Mar. 2016, available at 
https://www.teamupturn.com/reports/2016/what-isps-can-see.
---------------------------------------------------------------------------
    News and a wide variety of other sites that rely on display 
advertising. Change is occurring for sites that rely on display 
advertising, including news sites, where encryption adoption has been 
slow to date. The announcement this April that Wired Magazine is 
shifting to HTTPS is instructive. Wired Magazine has reported that 
every advertisement placed on a page must be delivered via HTTPS for 
the page to work properly.\16\ Wired Magazine is thus staging its 
deployment of HTTPS, working with its advertising providers to make the 
transition. This effort by Wired Magazine as an early adopter is a 
promising sign that display advertising-based sites will shift to 
HTTPS. Once an advertising company has upgraded to HTTPS to serve Wired 
Magazine and other early adopters, there is a positive spillover 
effect--the advertising company can then support HTTPS for the other 
news, shopping, health, and other sites where it places display 
advertisements.
---------------------------------------------------------------------------
    \16\ Zack Tollman, We're Going HTTPS: Here's How Wired is Tackling 
a Huge Security Upgrade, Wired (Apr. 28, 2016) available at https://
www.wired.com/2016/04/wired-launching-https-security-upgrade/.
---------------------------------------------------------------------------
    In considering the prevalence of encryption under any FCC broadband 
privacy rule, policymakers should move beyond a static view of the 
state of encryption today, and consider the overall trend toward 
increasingly ubiquitous deployment of encryption, including for the 
``long tail'' of websites that have lower user traffic.
    In 2016, signs of the expansion of encryption include:

   Apple is requiring HTTPS for iOS applications. In June, 
        Apple announced at its Worldwide Developers Conference that app 
        developers will be required to connect over HTTPS servers when 
        transferring data online.\17\ App developers must make these 
        changes by January 1, 2017, and new apps will not be listed on 
        the App Store unless they are encrypted.
---------------------------------------------------------------------------
    \17\ Kate Conger, Apple Will Require HTTPS Connections for iOS Apps 
by the End of 2016, TechCrunch (Jun. 14, 2016) available at https://
techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-
apps-by-the-end-of-2016/.

   Progress for the Let's Encrypt Project, to make implementing 
        HTTPS easier. The Let's Encrypt project is a free, automated, 
        and open certificate authority.\18\ The organization hosts a 
        support community for those seeking to implement Let's Encrypt 
        certificates and to navigate the obstacles to encrypting a 
        website.\19\ In March, Let's Encrypt issued its one millionth 
        certificate and reported a rate of growth of 100,000 
        certificates per week.\20\ The success of the project, thanks 
        in part to the support of numerous sponsors from public 
        interest groups and technology companies,\21\ is raising 
        encryption adoption for smaller websites.\22\
---------------------------------------------------------------------------
    \18\ About, Let's Encrypt (last visited Jun. 24, 2016) available at 
https://letsencrypt.org/about/.
    \19\ Let's Encrypt Community Support, Let's Encrypt (last visited 
Jun. 24, 2016) available at https://community.letsencrypt.org/.
    \20\ Josh Aas, Our Millionth Certificate, Let's Encrypt (Mar. 8, 
2016) available at https://letsencrypt.org/2016/03/08/our-millionth-
cert.html.
    \21\ Current Sponsors, Let's Encrypt (last visited Jun. 24, 2016) 
available at https://letsencrypt.org/sponsors/.
    \22\ https://letsencrypt.org/2016/03/08/our-millionth-cert.html.

   WordPress has enabled HTTPS by default for hosted content. 
        WordPress announced in April that it will provide HTTPS by 
        default for hosted content, providing increasingly available 
        and accessible encryption for the ``long tail'' of sites.\23\ 
        By utilizing the Let's Encrypt project, WordPress was able to 
        automatically deploy and manage HTTPS for the over 1 million 
        custom domains hosted through the company.\24\ The announcement 
        by WordPress illustrates the growth of encryption and how 
        encryption is becoming easier to implement. In addition, with 
        26.3 percent of all content management systems running 
        WordPress,\25\ the shift would appear to provide a competitive 
        advantage for WordPress compared to other hosting services, 
        incentivizing other services to offer easy-to-use encryption 
        tools.
---------------------------------------------------------------------------
    \23\ HTTPS Everywhere: Encryption for All WordPress.com Sites, 
WordPress (Apr. 8, 2016) available at https://en.blog.wordpress.com/
2016/04/08/https-everywhere-encryption-for-all-
wordpress-com-sites/.
    \24\ Id.
    \25\ Darren Pauli, WordPress Pushes Free Default SSL for Hosted 
Sites, The Register (Apr. 11, 2016) available at http://
www.theregister.co.uk/2016/04/11/wordpress_pushes_free_default
_ssl_encrypts_26_of_the_webs_cmses/.

   The Federal Trade Commission has emphasized the importance 
        of encrypting Internet of Things (IoT) devices. In January, an 
        FTC report strongly recommended encryption of confidential 
        consumer information transmitted by IoT devices.\26\ The FTC 
        gave notice that companies face the risk of enforcement action 
        if they fail to encrypt their devices and communications.\27\ 
        The public threat of enforcement action provides an incentive 
        for companies to deploy encryption for the IoT, where 
        encryption adoption has previously lagged.
---------------------------------------------------------------------------
    \26\ ``Internet of Things: Privacy & Security in a Connected 
World,'' Federal Trade Commission, 27-28 (Jan. 2015) available at 
https://www.ftc.gov/system/files/documents/reports/federal-trade-
commission-staff-report-november-2013-workshop-entitled-internet-
things-privacy/150127iotrpt.pdf.
    \27\ Id. at 30.

   As discussed above, Wired.com's switch to full HTTPS will 
        make it easier for news and a wide variety of other display 
        advertising-supported sites to follow suit.

    Our original Working Paper provided extensive additional 
information about the trend toward prevalent use of encryption.\28\ As 
one notable example:
---------------------------------------------------------------------------
    \28\ Peter Swire, et al., Online Privacy and ISPs: ISP Access to 
Consumer Data is Limited and Often Less than Access by Others, 28-30 
(Feb. 29, 2016) available at 
http://www.iisp.gatech.edu/working-paper-online-privacy-and-isps.

   Google Search ranks HTTPS higher. In 2014, Google announced 
        it would use HTTPS as a ranking signal as part of its ``HTTPS 
        Everywhere'' campaign. In light of Google's large market share 
        in search, website owners thus have an incentive to enable 
        HTTPS in order to gain better search rankings and subsequent 
        page views. Together with developments such as the ``Let's 
        Encrypt'' campaign, this means that even small website owners: 
        (i) have an incentive to use HTTPS; and (ii) increasingly have 
        the ability to do so.
B. The Rise of Mobile and Other Reasons for Limits on ISP Visibility
    Beyond encryption, our Working Paper discussed other limits on ISP 
visibility into consumer online information, notably the shift toward 
mobile access to the Internet. Historically, many consumers did most or 
all of their Internet access from home, using an unencrypted connection 
through a single ISP. We believe that this mental model of Internet use 
is a reason that many people have believed that an ISP does have a 
``comprehensive'' view of its customers' Internet activity. The rise of 
smartphones, tablets, and other mobile computing, however, places 
limits on an ISP's ability to gain such a view, in addition to the 
limits that come from prevalent encryption:

   Mobile is becoming the leading way to access the Internet. 
        As our Working Paper noted, the number of mobile Internet-
        enabled devices today is as large as traditional laptops and 
        desktops combined,\29\ and the market share of desktop 
        computers is continuing to fall.\30\ Today, the great majority 
        of Internet users own mobile devices.\31\
---------------------------------------------------------------------------
    \29\ Angela Moscaritolo, Tablets to Make Up Half the PC Market in 
2014, PCMag (Nov. 26, 2013) available at http://www.pcmag.com/article2/
0,2817,2427623,00.asp.
    \30\ Robert McMillan, PC Sales Continue to Fall, Wall St. J. (Jul. 
9, 2015) available at http://blogs.wsj.com/digits/2015/07/09/pc-sales-
continue-to-fall/; Jordan Weissman, The End of the Home Computer: Why 
PC Sales Are Collapsing, The Atlantic (Apr. 11, 2013), available at 
http://www.theatlantic.com/business/archive/2013/04/the-end-of-the-
home-computer-why-pc-sales-are-collapsing/274899/.
    \31\ At the beginning of 2015, one study showed that 91 percent of 
users owned a desktop or laptop. Smartphone use has climbed sharply, to 
80 percent. In addition to desktops, laptops, and smartphones, nearly 
50 percent of users reported owning a tablet. See Jason Mander, 80 
percent of Internet users own a smartphone, GlobalWebIndex (Jan. 5, 
2015) available at http://www.globalwebindex.net/blog/80-of-internet-
users-own-a-smartphone.

   Mobile traffic is offloaded to WiFi networks. By 2014, an 
        estimated 46 percent of all data traffic shifted to WiFi 
        networks,\32\ growing to an estimated 60 percent of all mobile 
        data traffic by 2020.\33\ The ISP that connects the WiFi 
        network to the Internet (WiFi ISP) is often different from the 
        ISP that connects the mobile user to the Internet (subscriber 
        ISP). In such cases, the subscriber ISP has no visibility into 
        the subscriber's Internet activity connected through the WiFi 
        network.\34\
---------------------------------------------------------------------------
    \32\ ``Cisco Visual Networking Index, Forecast and Methodology, 
2014-2019 Working Paper,'' Cisco (May 27, 2015) available at http://
www.cisco.com/cen/us/solutions/collateral/service-provider/ip-ngn-ip-
next-generation-network/white_paper_c11-481360.html.
    \33\ ``Juniper Mobile Data Onload & Offload Report,'' Juniper (Jun. 
2015) available at http://www.juniperresearch.com/researchstore/
enablingtechnologies/mobile-data-onload-offload/wifi-small-cell-
network-strategies.
    \34\ If the WiFi ISP and subscriber ISP are the same, then that ISP 
can generally detect that the individual is using the same MAC address 
to connect to the ISP.

   Consumers switch carriers. According to FCC statistics, 82 
        percent of mobile broadband Internet users have a choice of at 
        least four providers, and 98.8 percent have at least 
        two.\35\ According to the FCC, between a fifth and a third of 
        wireless subscribers switch their carriers annually.\36\ 
        Consumers also switch wireline carriers, with one out of six 
        subscribers switching wireline providers every year, and 37 
        percent of subscribers switching every three years.\37\ 
        Switching carriers cuts off the visibility of the old carrier, 
        splitting the user's Internet history.
---------------------------------------------------------------------------
    \35\ ``Seventeenth Annual Mobile Wireless Competition Report,'' 
Federal Communications Commission, DA 14-1862 ¶ 51, rel. Dec. 18, 2014, 
available at 
https://apps.fcc.gov/edocs_public/attachmatch/DA-14-1862A1.pdf; ``2015 
Broadband Progress Report and Notice of Inquiry on Immediate Action to 
Accelerate Deployment,'' Federal Communications Commission, FCC 15-10 
¶ 109, rel. Feb. 4, 2015, available at 
https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-10A1.pdf.
    \36\ ``Annual Report and Analysis of Competitive Market Conditions 
with Respect to Mobile Wireless, Including Commercial Mobile Services: 
Fifteenth Report,'' Federal Communications Commission (Jun. 27, 2011) 
available at https://apps.fcc.gov/edocs_public/attachmatch/FCC-11-
103A1.pdf.
    \37\ ``Broadband Decisions: What Drives Consumers to Switch--or 
Stick with--Their Broadband Internet Provider,'' Federal Communications 
Commission (Dec. 2010) available at https://apps.fcc.gov/edocs_public/
attachmatch/DOC-303264A1.pdf.

   Consumers access the Internet through multiple mobile 
        carriers. Any given ISP loses visibility into the subscriber's 
        Internet activity as the user moves between cellular 
        connections and WiFi hotspots during the day. For example, they 
        may connect using their home and work WiFi, then free WiFi in a 
        coffee shop, then WiFi at a friend's house, any of which may 
        use different ISPs.

    In conclusion about whether ISPs have ``comprehensive'' visibility 
into user Internet activity, the prevalence of encryption and the shift 
to mobile computing put important limits today on ISPs' visibility. In 
addition, the role of both encryption and mobile computing will 
continue to grow in the coming years, during the period when any new 
rule would enter into effect.
3. ISPs Appear to Lack Unique Insights Into Users' Internet Activity
    Public debate about privacy and ISPs has featured comments that 
ISPs ``play a unique role in the online ecosystem'' \38\ and their 
position as an Internet ``bottleneck'' gives them unique access to 
privacy sensitive insights about users.\39\ To clarify the role that 
ISPs play in the online ecosystem, our Working Paper explained the 
roles played by other online actors, including their access to 
sensitive personal information, devoting separate chapters to: social 
networks; search engines; webmail and messaging; mobile and other 
operating systems; interest-based advertising; and browsers, Internet 
video, and E-commerce.
---------------------------------------------------------------------------
    \38\ Letter from Access, et al., to Tom Wheeler, Chairman, Federal 
Communications Commission (Jan. 20, 2016) available at https://
www.publicknowledge.org/assets/uploads/documents/
Broadband_Privacy_Letter_to_FCC_1.20.16_FINAL.pdf.
    \39\ FCC Overreach: Examining the Proposed Privacy Rules: Hearing 
Before the Subcomm. on Commc'ns and Tech. of the H. Comm. on Energy and 
Commerce, 114th Cong. 3 (2016) (statement of Paul Ohm, Prof., 
Georgetown University Law Center) available at 
http://docs.house.gov/meetings/IF/IF16/20160614/105057/HHRG-114-IF16-Wstate-OhmP-20160614.pdf.
---------------------------------------------------------------------------
    In the reply comments and this testimony, we examine sources of 
data, raised by commenters, which are potentially available to ISPs. 
For each source of data, we look at the visibility to others--other 
actors in the online ecosystem often have access to the same or 
comparable data as that available to ISPs. We also look at the insights 
available from data seen by the ISPs. Looking at each category of data, 
the data available to ISPs appears to offer the same as or less insight 
than the data used by other actors. For instance, ISPs sometimes see 
``third-best'' information: they can see the basic domain name a user 
visits (such as www.example.com) but not the encrypted content (what 
example.com sends to the user) or the detailed Uniform Resource Locator 
(URL) (such as www.example.com/InterestingPageTitle). Others in the 
Internet ecosystem, meanwhile, see the content and detailed URLs.
    Before discussing the relevant categories of data, I note the 
difference between having access to unique data and having access to 
unique insights about users. Any two companies, at some level, have 
unique data--they have at a minimum different customer lists and 
different specific interactions with their customers. For purposes of 
informing the record about online privacy, the discussion here provides 
detail about the uniqueness or lack thereof of several categories of 
data available to ISPs. Our analysis here and in the Working Paper 
primarily focuses, however, on whether ISPs have unique insights about 
their customers--to what extent their position in the online ecosystem 
may mean that ISPs can learn more about consumers than others can. For 
commercial businesses, the focus on insight is key. These insights are 
what provide economic value, including for internal proprietary 
purposes, to sell more valuable advertisements, or to sell to other 
parties such as data brokers. To date, of the top 10 ad-selling 
companies, which earn over 70 percent of the total online advertising 
dollars, none gained their current position by providing broadband 
Internet service.\40\ For the reasons discussed below, ISPs, based on 
our review, appear to lack unique insights about consumer online 
activity because other players in the Internet ecosystem can collect 
the same (or equivalent) information.
---------------------------------------------------------------------------
    \40\ Peter Swire, et al., Online Privacy and ISPs: ISP Access to 
Consumer Data is Limited and Often Less than Access by Others, 4 (Feb. 
29, 2016) available at http://www.iisp.gatech.edu/working-paper-online-
privacy-and-isps.
---------------------------------------------------------------------------
    I next examine categories of Internet activity data identified by 
commenters, which are sometimes or always available to ISPs. For each 
category, I provide: (i) the type of data; (ii) a description of who 
other than ISPs has visibility, including in some cases data being 
considered already ``public''; (iii) discussion of the quality of 
insights that the available data may provide about users; and, (iv) 
other discussion.

   Domain names. As discussed above, with HTTPS, general domain 
        information is visible to the ISP (such as www.example.com), 
        while the content (what www.example.com sends to the user) or 
        the detailed URL (such as www.example.com/InterestingPageTitle) 
        are not for encrypted traffic.

     Visibility to others: Many or all of the domain names 
            a user visits are available to others, including the user's 
            operating system, the user's browser or application, and 
            advertising networks and other third parties with cookies 
            or services that are present on the page being visited.\41\ 
            Third parties sell profiles of users based on the domains 
            and/or detailed URLs they visit.
---------------------------------------------------------------------------
    \41\ Moreover, the domain resolution process was expressly designed 
to be public. Comment of Manos Antonakakis, et al., In the Matter of: 
Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services, WC Docket No. 16-106, 6 (May 27, 2016) 
available at https://www.fcc.gov/ecfs/filing/60001973444/document/
60002079307.

     Insights: The domain names a user visits are not as 
            revealing as the content accessed or full URLs. Some domain 
            names, however, can reveal information that would be 
            considered sensitive by most privacy experts, such as 
            www.SensitiveHealthSite.com or 
            www.UnusualPoliticalViews.com.

     Discussion: Compared to other Internet actors, ISP 
            access to domain names can be seen as ``third-best'' 
            information, less revealing than content or detailed URLs. 
            With HTTPS, ISPs cannot see encrypted content or detailed 
            URLs, whereas that more detailed information is available 
            to others, including the operator of the page being 
            visited, the operating system, and the browser or 
            application.

   Location information. As discussed in the Working Paper, 
        mobile carriers can estimate a user's location through the 
        process of ``trilateration,'' based on the distance from the 
        user to three or more cell towers.\42\
---------------------------------------------------------------------------
    \42\ Peter Swire, et al., Online Privacy and ISPs: ISP Access to 
Consumer Data is Limited and Often Less than Access by Others, 70-72 
(Feb. 29, 2016) available at 
http://www.iisp.gatech.edu/working-paper-online-privacy-and-isps.

     Visibility to others: Commercial services today 
            principally determine location based on information from 
            the global positioning system (GPS) or Bluetooth. When GPS 
            is switched on, at a minimum the operating system can 
            determine location. A large number of popular mobile apps 
            gather detailed location information. Third parties sell 
            profiles based on location information. Moreover, mobile 
            operating systems and apps can collect trilateration 
            results using the known locations of cell towers and WiFi 
            networks.

     Insights: Most privacy experts consider precise 
            location history to be sensitive information.

     Discussion: As discussed in our Working Paper, 
            trilateration results in rough location information 
            compared to GPS or Bluetooth location tracking, which is 
            significantly more precise and available to the user's 
            device, operating system, and any application or service 
            with access to those sensors.\43\
---------------------------------------------------------------------------
    \43\ Id.

   Subscriber information. ISPs often learn subscriber 
        information, such as name, address, credit card information, 
        and Social Security number.

     Visibility to others: Many players in the online 
            ecosystem gain access to data such as name, address, and 
            credit card information. Companies that seek information 
            under the Fair Credit Reporting Act (such as for lending, 
            employment, or insurance purposes) also learn Social 
            Security number. A company that has name and address can 
            often purchase additional profiling information, a process 
            that Jules Polonetsky of the Future of Privacy Forum calls 
            ``the democratization of data.'' \44\
---------------------------------------------------------------------------
    \44\ Comment of The Future of Privacy Forum, In the Matter of: 
Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services, WC Docket No. 16-1606, 14-16 (May 27, 
2016) available at 
https://www.fcc.gov/ecfs/filing/60001981713/document/60002089525.

     Insights: Many privacy experts, along with the FTC in 
            its report on Data Brokers,\45\ have expressed concerns 
            about the amount of personal information that can be 
            purchased when a company knows subscriber information such 
            as name and address.
---------------------------------------------------------------------------
    \45\ ``Data Brokers: A Call for Transparency and Accountability,'' 
Federal Trade Commission, 47-49 (May 2014) available at 
https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.

     Discussion: The insights that ISPs can gain from 
            subscriber information are available to many others in the 
            Internet ecosystem.

   IP addresses. ISPs use Internet Protocol addresses to 
        connect an individual device to the Internet. IP addresses are 
        assigned by the ISP.\46\
---------------------------------------------------------------------------
    \46\ Number Resources, Internet Assigned Numbers Authority (last 
visited Jul. 5, 2016) available at https://www.iana.org/numbers.

     Visibility to others: IP addresses are visible to 
            every carrier between the customer and the relevant content 
            provider. Operating Systems, websites, applications, 
            content/website providers, browser plug-ins, and software 
            development kits can all collect IP address 
            information.\47\ E-commerce sites can combine IP addresses 
            of visiting customers with the names and addresses of those 
            customers, along with purchase history. Logs of IP 
            addresses are commonly used for purposes other than 
            marketing, including for cybersecurity. Third parties sell 
            correlations of IP addresses with cookies and other 
            information. All these channels enable other actors to 
            replicate IP address information that an ISP can access 
            through providing its services.
---------------------------------------------------------------------------
    \47\ See, e.g., View IP Address, Chrome Web Store (last visited 
Jul. 5, 2016) available at 
https://chrome.google.com/webstore/detail/view-ip-address/mfhcchbdblkggcenfmmpgkpgphfhfcbe?hl=en.

     Insights: IP addresses can give clues to information 
            such as a user's location, commonly visited sites, and 
            usage patterns (including time of log-in, amount uploaded 
            and downloaded, and some information on protocols used).

     Discussion: Many of the insights that ISPs can gain 
            from IP addresses are available to many others in the 
            Internet ecosystem.

   IPFIX Data/Netflow. The Internet Protocol Flow Information 
        Export (IPFIX)\48\ and NetFlow \49\ are protocols for 
        monitoring network traffic.\50\ For any individual IP flow, or 
        ``sequence of packets sent from a particular source to a 
        particular . . . destination,'' \51\ IPFIX can be used to record 
        and store the start and end time for the flow, the number of 
        bytes and packets in the flow, the protocol/type of connection 
        (e.g., TCP or UDP), and the source and destination of the 
        flow.\52\
---------------------------------------------------------------------------
    \48\ IPFIX is a protocol developed by the Internet Engineering Task 
Force as an open, universal standard for exporting Internet Protocol 
flow information and as an alternative to Cisco's proprietary NetFlow 
protocol. See RFC 5102--Information Model for IP Flow Information 
Export, Internet Engineering Task Force (Jan. 2008) available at 
https://tools.ietf.org/html/rfc5102.
    \49\ NetFlow is Cisco's proprietary protocol for exporting Internet 
Protocol flow information. The term ``NetFlow'' is often used 
interchangeably with IPFIX to refer to this type of protocol. 
Introduction to Cisco IOS NetFlow--A Technical Overview, Cisco (May 29, 
2012) available at 
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html.
    \50\ See id.
    \51\ See RFC 3697--IPv6 Flow Label Specification, Internet 
Engineering Task Force (Mar. 2004) available at https://tools.ietf.org/
html/rfc3697.
    \52\ Id.

     Visibility to others: IP flow information is visible to 
            each: network operator; ISP; transit provider; Internet 
            backbone provider; and edge provider along the path 
            between the end-user and the destination. The same IP flow 
            information, as well as additional information, is visible 
            to the user's operating system and applications. For other 
            members of the ecosystem, this data can be aggregated 
            through purchase from and sale to data brokers, including 
            data linked to the IP addresses of a service's users.\53\
---------------------------------------------------------------------------
    \53\ Oracle, Little Blue Book: A Buyer's Guide, 84 (Dec. 2014) 
available at http://www.bluekai.com/bluebook/assets_20150102/bluekai-
little-blue-book.pdf.

     Insights: Access to IPFIX/Netflow data may in some 
            instances provide ``side channel'' information from these 
            flows that can help in inferring end-user behavior such as 
            whether they are browsing the web, streaming a video, or 
            chatting with someone online. Comments state it is 
            possible to ``identify certain web page visits'' or 
            ``information about what those packets likely contain'' 
            \54\ from the IP flow information; to do this appears to 
            require ``fingerprinting'' each website of interest \55\ 
            and the collection of a high fraction of the flows. In 
            addition, concerning the statement that such information 
            is stored as a ``permanent record of these individual 
            transactions,'' \56\ Professor Nick Feamster reports that 
            IPFIX normally samples one out of every 1,000 packets for 
            traffic statistics.\57\ Thus, ``many short flows may not 
            be recorded whatsoever.'' Sampling this data would be an 
            inefficient way to profile users compared to analysis of 
            the actual content available to the operators of pages 
            that users visit and others. Similarly, given the volume 
            of connections and volume of websites, we are not aware of 
            a business justification for creating a ``permanent 
            record'' of all of IPFIX data for an ISP's users nor for 
            maintaining an archive of website fingerprints (which 
            change often and dynamically).
---------------------------------------------------------------------------
    \54\ ``What ISPs Can See: Clarifying the Technical Landscape of the 
Broadband Privacy Debate,'' Upturn, 8 (Mar. 2016) (``It is possible to 
uniquely identify certain web page visits or otherwise reveal 
information about what those packets likely contain.'') available at 
https://www.teamupturn.com/reports/2016/what-isps-can-see.
    \55\ Shuo Chen, et al., Side-Channel Leaks in Web Applications: A 
Reality Today, a Challenge Tomorrow, Microsoft Research, available at 
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/WebAppSideChannel-final.pdf.
    \56\ FCC Overreach: Examining the Proposed Privacy Rules: Hearing 
Before the Subcomm. on Commc'ns and Tech. of the H. Comm. on Energy and 
Commerce, 114th Cong. 52 (2016) (testimony of Paul Ohm, Prof., 
Georgetown University Law Center) available at http://docs.house.gov/
meetings/IF/IF16/20160614/105057/HHRG-114-IF16-Transcript-20160614.pdf.
    \57\ Comment of Nick Feamster, In the Matter of: Protecting the 
Privacy of Customers of Broadband and Other Telecommunications 
Services, WC Docket No. 16-1606, 3-4 (May 27, 2016) available at 
https://www.fcc.gov/ecfs/filing/60001973502/document/60002079367. 
Feamster also states: ``even though IPFIX records contain no 
information about the actual content of communication, information such 
as volumes, sources, and destinations can sometimes reveal private 
information about user behavior.'' The discussion here has pointed out 
that access to the content of communications will provide greater 
insights than partial information about the types of data Feamster 
describes. Id. at 4.

   Discussion: Professor Feamster also states: ``even though 
        IPFIX records contain no information about the actual content 
        of communication, information such as volumes, sources, and 
        destinations can sometimes reveal private information about 
        user behavior.'' This data, along with other ``side channel'' 
        inferences, is an example of what we believe is ``third-best'' 
        advertising data--inferences based on information that provides 
        less insight than content or detailed URLs. We are not aware of 
        any evidence that these methods are currently widely used, let 
        alone profitable,\58\ for advertising. This data, however, is 
        useful for purposes including network management, network 
        security, and research.\59\
---------------------------------------------------------------------------
    \58\ ``What ISPs Can See: Clarifying the Technical Landscape of the 
Broadband Privacy Debate,'' Upturn, 8 (Mar. 2016) available at https://
www.teamupturn.com/reports/2016/what-isps-can-see.
    \59\ Comment of Nick Feamster, In the Matter of: Protecting the 
Privacy of Customers of Broadband and Other Telecommunications 
Services, WC Docket No. 16-1606, 4 (May 27, 2016) (``Network operators 
may also share IPFIX data with researchers. I use IPFIX data collected 
at interconnection points to analyze utilization patterns. In another 
project related to DoS mitigation, we are using IPFIX data to better 
understand traffic attack patterns. In the past, we have also used 
IPFIX traffic traces from access ISPs to design and validate algorithms 
to detect botnets, large networks of compromised machines. Most 
recently, I have been using IPFIX data collected at the interconnection 
points from seven access ISPs in the United States--covering 50 percent 
of the U.S. broadband subscriber population--to explore the 
characteristics and patterns of utilization between access ISPs and 
edge providers. Interestingly, this type of project that provides 
exactly the type of insight and analysis that the FCC is increasingly 
paying attention to. Preventing ISPs from sharing this type of data 
with researchers would impede progress on this research.'') available 
at https://www.fcc.gov/ecfs/filing/60001973502/document/60002079367.
---------------------------------------------------------------------------
Conclusion
    In conclusion about whether ISPs have ``unique'' visibility into 
user Internet activity, the discussion here has pointed out the many 
places where other players in the Internet ecosystem receive the same 
(or equivalent) information about user actions. Concerning unique 
insights into user behavior, ISPs in many instances have access to data 
that is less revealing than content or other information about user 
activity available to the companies providing services to the user.
    In conclusion, I thank the Committee for the opportunity to testify 
today, and would be glad to answer any questions.
Background of the witness
    I am the Huang Professor of Law and Ethics at the Georgia Tech 
Scheller College of Business, with appointments by courtesy with the 
College of Computing and School of Public Policy. Consistent with 
university consulting rules, I am Senior Counsel with Alston & Bird, 
LLP.
    I have been immersed in privacy and cybersecurity issues for two 
decades. In 2015, the International Association of Privacy 
Professionals, among its over 20,000 members, awarded me its Privacy 
Leadership Award. In 2013, I served as one of five members of President 
Obama's Review Group on Intelligence and Communications Technology. 
Prior to that, I was co-chair of the global Do Not Track process for 
the World Wide Web Consortium. I am Senior Fellow with the Future of 
Privacy Forum.
    Under President Clinton, I served as Chief Counselor for Privacy, 
in the U.S. Office of Management and Budget. In that role, my 
activities included being White House coordinator for the HIPAA medical 
privacy rule, serving as White House representative to the privacy 
rulemaking process under the Gramm-Leach-Bliley Act, and helping 
negotiate the U.S.-E.U. Safe Harbor agreement for trans-border data 
flows. Under President Obama, I served as Special Assistant to the 
President for Economic Policy in 2009-2010.
    I have testified on privacy and other issues before almost a dozen 
committees in the U.S. Congress, and worked closely with the Federal 
Trade Commission and other Federal agencies on privacy and 
cybersecurity issues. In 2011, the Federal Communications Commission 
asked me to summarize and comment on the day's proceedings for its 
Workshop on Location Information. Further information is available at 
www.peterswire.net.
                               Attachment
    Complete article can be found at: http://www.iisp.gatech.edu/sites/
default/files/images/online--privacy--and--isps.pdf
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    The Chairman. Thank you, Professor Swire.
    Before I begin with questions, I want to submit a few items 
for the record of today's hearing. I received two letters that 
I believe contribute greatly to this topic. The first letter is 
signed by constitutional scholar Laurence Tribe and 13 other 
law professors, economists, and experts. They support strong 
protections for consumers in the online space, but they have 
significant concerns with the FCC's proposal, and, instead, 
they suggest that the Commission adopt rules modeled after the 
FTC's longstanding and highly successful approach, their words.
    The second letter, signed by the heads of eight trade 
associations representing both the technology sector and the 
telecom industry, also argues for the FCC to harmonize its 
effort with the existing FTC framework, in order to minimize 
consumer confusion and provide flexibility for the marketplace 
to innovate.
    [The letters referred to follow:]
                   International Center for Law & Economics
                                                      July 11, 2016
VIA EMAIL

Hon. John Thune,
Chairman,
Committee on Commerce, Science, and Transportation.

Hon. Bill Nelson,
Ranking Member,
Committee on Commerce, Science, and Transportation.

Hon. Fred Upton,
Chairman,
Committee on Energy and Commerce.

Hon. Frank Pallone,
Ranking Member,
Committee on Energy and Commerce.

Hon. Greg Walden,
Chairman,
Subcommittee on Communications and Technology,
Committee on Energy and Commerce.

Hon. Anna Eshoo,
Ranking Member,
Subcommittee on Communications and Technology,
Committee on Energy and Commerce.

Re: Letter from legal scholars and economists concerning the Federal 
            Communications Commission's Broadband Privacy NPRM

Dear Senators Thune and Nelson, Congressmen Upton, Pallone and Walden, 
and Congresswoman Eshoo:

    We, the undersigned experts in the law and economics of the 
Internet, have significant concerns with the proposal of the Federal 
Communications Commission (``Commission'' or ``FCC'') to adopt new data 
privacy and security rules for broadband Internet access service 
providers (``ISPs'') under Title II of the Communications Act.
    We support strong consumer protection and believe that the 
Commission has a role to play in protecting consumers' data privacy and 
security. For several reasons, however, we find that the proposed rules 
take the wrong approach and would harm consumers, competition, and 
innovation.
    As a fundamental matter, the proposed rules do not reflect the 
technological and economic nature of the Internet environment, in which 
ISPs are just one of many types of entities that have access to and can 
use consumers' online information to provide services, including access 
to ad-supported content. The proposed rules would single out ISPs for 
heightened regulation, imposing strict opt-in consent requirements on 
their use and disclosure of customer information.
    By contrast, other online entities--such as social media networks, 
operating systems, browsers, data brokers, and search engines--would 
operate under the Federal Trade Commission's (``FTC's'') strong but 
flexible opt-out consent regime, which would allow them to continue 
collecting, using, and sharing information about consumers' online 
activities for a variety of commercial purposes. The FTC's framework 
focuses on stopping practices that truly harm consumers, allowing 
companies ample space to develop innovative and beneficial products and 
services.
    As a result, the FCC's proposed rules would not only distort the 
marketplace in ways that are likely to increase costs to consumers, but 
also mark an unprecedented and unwarranted departure from the 
successful balance that has governed the Internet economy for the past 
couple of decades and which has led to substantial innovation, 
investment, competition, and growth.
    Moreover, the asymmetrical regulatory framework that would be 
created by the proposed rules likely would confuse consumers and 
negatively affect the Internet economy. Specifically, the Commission's 
proposal to require ISPs to obtain opt-in consent before using or 
disclosing consumers' data for most activities is diametrically opposed 
to the approach that the FTC has taken for decades and to which 
consumers have become accustomed. Consumers may not understand that the 
choices they make through their ISPs' opt-in mechanism do not apply to 
other participants in the Internet ecosystem, even though these other 
participants will be collecting exactly the same data and using it for 
exactly the same purposes (e.g., online advertising) as ISPs.
    In addition, the free flow of data is the lifeblood of the Internet 
economy. The proposed heightened consent requirements, however, would 
impede consumers' access to information about new online services and 
cost-savings that may be of interest to them and therefore would reduce 
ISPs' incentives to develop new services, reducing competition and 
innovation online.
    The Commission's failure to take these costs into account 
exemplifies its broader failure to conduct a full economic analysis of 
the proposed rules.
    Finally, the Commission's proposed choice rules are 
unconstitutional because they would uniquely prohibit ISPs' use and 
disclosure of information for marketing purposes without obtaining 
consumers' opt-in consent. By treating ISPs differently from other 
online entities, the proposed rules would create a discriminatory, 
speaker-based regime. Such a regime is presumptively invalid and 
subject to strict scrutiny, which the proposed rules could not 
withstand. Nor could the proposed rules survive intermediate scrutiny: 
by requiring opt-in consent for most first-party marketing and other 
activities, regardless of the potential for consumer harm, they are not 
narrowly tailored to advance a substantial governmental interest.\1\
---------------------------------------------------------------------------
    \1\ See also Professor Laurence H. Tribe and Jonathan Massey, ``The 
Federal Communications Commission's Proposed Broadband Privacy Rules 
Would Violate the First Amendment,'' WC Docket No. 16-106 (May 27, 
2016) (white paper detailing how the FCC's proposed rules would violate 
the First Amendment in various respects and should not be adopted).
---------------------------------------------------------------------------
    Fortunately, there is another path forward. The Commission should 
adopt rules modeled after the FTC's longstanding and highly successful 
approach, which the FTC staff highlighted in its comments filed in this 
proceeding. This technology-neutral approach--which applies an opt-in 
consent requirement to the use and sharing of sensitive information 
such as financial, health, children's, and precise geolocation data as 
well as social security numbers, plus robust notice and opt-out choice 
for other data uses--would provide strong, time-tested, and consistent 
privacy protections for consumers across the Internet ecosystem while 
fostering continued innovation, competition, investment, and growth.
            Respectfully submitted,

(Affiliations provided for identification purposes only)

Laurence H. Tribe
Carl M. Loeb University Professor & Professor of Constitutional Law
Harvard Law School

Richard A. Epstein
Laurence A. Tisch Professor of Law, The New York University School of 
Law
The Peter and Kirsten Bedford Senior Fellow, The Hoover Institution
The James Parker Hall Distinguished Service Professor of Law Emeritus 
and Senior Lecturer, The University of Chicago

Robert Corn-Revere
Partner
Davis Wright Tremaine LLP

Robert D. Atkinson
President
Information Technology and Innovation Foundation

Jane Bambauer
Associate Professor of Law
University of Arizona
James E. Rogers College of Law

Babette Boliek
Associate Professor of Law
Pepperdine University School of Law

Fred H. Cate
Distinguished Professor and C. Ben Dutton Professor of Law
Indiana University Maurer School of Law

James C. Cooper
Associate Professor of Law and Director, Program on Economics & Privacy
Scalia Law School, George Mason University

Justin (Gus) Hurwitz
Assistant Professor of Law
Nebraska College of Law

Mark A. Jamison
Director and Gunter Professor, Public Utility Research Center
University of Florida

Daniel A. Lyons
Associate Professor of Law
Boston College Law School

Geoffrey A. Manne
Executive Director
International Center for Law & Economics

David W. Opderbeck
Professor of Law, Seton Hall University Law School
Director, Gibbons Institute of Law, Science & Technology

Paul H. Rubin
Samuel Candler Dobbs Professor of Economics
Emory University
                                 ______
                                                      July 11, 2016

Hon. John Thune,
Chairman,
Senate Committee on Commerce, Science, and Transportation,
Washington, DC.

Hon. Bill Nelson,
Ranking Member,
Senate Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Chairman Thune and Ranking Member Nelson:

    We write to applaud the Committee for your efforts to examine the 
Federal Communication Commission's (``FCC'') proposed broadband privacy 
rules. Now that the reply comment period in the FCC's proceeding has 
closed, this hearing is a timely and important venue for considering 
the deep flaws that we, and many other commenters, have identified in 
the FCC's lead proposal. In the months since the FCC unveiled its 
proposed rules, a diverse set of stakeholders has criticized the 
proposals because they would impose unnecessary costs on consumers, put 
a drag on innovation and competition, and make it harder for broadband 
Internet access service providers (``ISPs'') to work with the 
government and third-party partners to ensure the security, 
reliability, and integrity of the service. The record before the FCC 
adds depth and breadth to these criticisms and raises additional 
arguments, including important constitutional concerns. It is clear 
that the FCC's proposed rules are both inconsistent with consumer 
expectations and clash with the important policies that have 
successfully guided the Internet economy for almost two decades under 
both Democratic and Republican administrations.
    Title II of the Communications Act in no way requires the FCC to 
adopt prescriptive privacy rules that would single out one subset of 
the broader online ecosystem for heightened and inconsistent regulation 
that ignores the sensitivity of the information at issue. As comments 
from current and former Federal Trade Commission (``FTC'') 
Commissioners, civil rights organizations, economists, legal scholars, 
and companies ranging from advertisers to home efficiency companies 
have noted, the FTC's consumer privacy framework is much better suited 
for the dynamic, innovative, and highly competitive Internet economy--
in which ISPs play an important but limited role. At the center of the 
FTC's framework and the Obama Administration's reports and legislative 
proposals is the idea that companies should be transparent with 
consumers, provide them with choices that are appropriate for the 
sensitivity of data or use in question, and maintain reasonable data 
security safeguards.
    Consistent with that approach, before the FCC initiated the 
broadband privacy proceeding, a broad industry coalition of ISPs, tech 
companies, equipment providers, and others joined together to urge the 
FCC to adopt a framework based on the broad principles of transparency, 
respect for context, and choice. The coalition's proposal, which is 
attached to this letter, emphasized that ``[c]onsumers should have 
consistent and predictable privacy protections for the information they 
deem private and sensitive, no matter how or with whom they share it.'' 
In other words, we support privacy protections that address the 
potential for genuine consumer harm, allow consumers to exercise 
appropriate control over how information about them is used and shared, 
and provide the flexibility that is necessary to promote innovation and 
competition. The FCC's proposed rules, however, are inconsistent with 
the flexible framework that the FTC enforces against many other players 
in the Internet economy; and the proposed rules offer no material 
improvement to consumer privacy protections.
    The staff of the FTC's Bureau of Consumer Protection recently made 
the same point in their comments to the FCC, noting that creating 
special rules for ISPs ``is not optimal'' and that the rigid proposed 
rules ``could hamper beneficial uses of data that consumers may prefer, 
while failing to protect against practices that are more likely to be 
unwanted and potentially harmful.'' We agree: privacy rules that hamper 
innovation and competition while also failing to meet consumers' 
expectations are ``not optimal,'' to say the least.
    The FCC's proposed rules are also seriously out of step with the 
technology-neutral approach--applied to both ISPs and non-ISPs--that 
has guided the Administration's many efforts on privacy and 
cybersecurity policy, with great success. For example, the 
Administration's Consumer Privacy Bill of Rights emphasized the 
importance of common principles that apply across the ecosystem, in 
particular the need to harmonize the standards that apply to 
communications companies with the standards that apply to the rest of 
the Internet economy. The Consumer Privacy Bill of Rights framework 
provides a ``clear statement of basic privacy principles that apply to 
the commercial world, and a sustained commitment of all stakeholders to 
address consumer data privacy issues as they arise from advances in 
technologies and business models.'' Similarly, the Administration's 
Cybersecurity Framework was ``created through collaboration between 
government and the private sector, uses a common language to address 
and manage cybersecurity risk in a cost-effective way based on business 
needs without placing additional regulatory requirements on 
businesses.'' This is the right approach for the innovative, dynamic, 
competitive Internet economy.
    The FCC's proposal to go in a radically different direction also 
raises serious constitutional concerns. Professor Laurence Tribe, a 
pre-eminent scholar of the U.S. Constitution, concluded that the 
``profound mis-matches'' between the goals of the FCC proposal and its 
actual effects if adopted would violate the First Amendment in several 
ways. According to Professor Tribe, because the proposal ``singles out 
broadband ISPs for extremely burdensome regulation'' while leaving a 
wide range of other participants in the Internet economy under 
different rules, it is the kind of speaker-based restriction that would 
face strict scrutiny under the First Amendment. Professor Tribe also 
concluded that the proposal would be unconstitutional even under the 
more lenient standard that applies to commercial speech. The time-
proven effectiveness of the legal standards that the FTC enforces 
demonstrates that a much less restrictive alternative is available to 
the FCC.
    Put simply, the ``profound mis-match'' between the FCC's highly 
restrictive proposal and the surrounding legal, economic, and 
technological landscape is bad policy and constitutionally problematic.
    We appreciate the Committee's important recognition of this issue 
and the need for Congressional oversight. We are hopeful that your 
examination of these issues will lead to an FCC approach that closely 
harmonizes FCC privacy rules with the existing FTC framework and is 
consistent with the Administration's guiding principles for privacy and 
security in the Internet economy. Doing so would protect consumer 
privacy, minimize consumer confusion resulting from inconsistent 
regulations, permit new entry into the online advertising market, and 
provide the flexibility the online marketplace needs in order to 
continue to innovate and evolve as it has done for many years under 
such a regime.
            Sincerely,

Gary Shapiro
President and CEO
Consumer Technology Association

Jim Halpert
President & CEO
Internet Commerce Coalition

Jonathan Spalter
Chair
Mobile Future

Scott Belcher
CEO
Telecommunications Industry Association

Meredith Attwell Baker
President and CEO
CTIA

Genevieve Morelli
President
ITTA

Michael Powell
President & CEO
National Cable & Telecommunications Association

Walter B. McCormick, Jr.
President & CEO
USTelecom

    The Chairman. There is also a new paper published by Gerard 
Faulhaber, former Chief Economist at the FCC, and Hal Singer, a 
Senior Fellow at the George Washington School of Public Policy. 
Their paper is titled, ``The Curious Absence of Economic 
Analysis at the Federal Communications Commission: An Agency in 
Search of a Mission.'' And while it focuses primarily on the 
Commission's failure to ground its recent regulations in 
economic reasoning, Faulhaber and Singer offer some valuable 
insight in this case about the FCC's privacy proposal, and 
particularly noting the complete lack of any cost-benefit 
analysis by the Commission in this proceeding.
    So I want to as well submit that for the record.
    [The information referred to follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    The Chairman. As I mentioned in my opening statement, 94 
percent of Americans prefer that all companies collecting data 
online follow the same consumer privacy rules, and so the 
question for any of you really is the FCC is, as I've said, 
nonetheless proposing to create a privacy regime for ISPs 
that's wholly distinct from the privacy rules governing all 
other companies on the Internet. So do any of you believe that 
consumers expect or want to have their online activity 
subjected to privacy rules that differ depending on the type of 
company collecting their information?
    Mr. Ohm.
    Mr. Ohm. Absolutely. I think companies--consumers do expect 
that health care companies, for example, when interacting with 
a consumer on the Internet, are obligated to follow different 
rules. I think parents, and I'm a parent of young children, 
hope that websites are obligated to follow different rules when 
it comes to the sensitivity of information collected from 
children. I think the same is said when our children go to 
school and use Google Docs: we hope that the companies that are 
engaging in contracts with our school districts are obligated 
to follow special privacy rules. And as I said in my opening 
statement, I think ISPs belong in this group as well for the 
reasons that I've already laid out.
    This speaks to something that we've heard in this debate, 
that the FCC rule will somehow confuse consumers. I think I 
give the American consumer a lot of credit, right? The notice 
and choice regime that the FTC uses, which is exalted by almost 
everybody in this debate, is frankly a pretty complex system of 
reading privacy policy after privacy policy after privacy 
policy, trying to manipulate privacy settings. It's a really, 
really straightforward thing. In contrast to that, what the FCC 
proposes is a bright line opt-in consent for certain uses of 
information that are unexpected. Thanks.
    The Chairman. Mr. Leibowitz.
    Mr. Leibowitz. Yes. Can I just respond to the last point? 
And I have the greatest respect for Professor Ohm. He worked 
for the FTC when I was there, he helped out with the Children's 
Online Privacy Protection Act, and he did a great job. But 
first of all, the FTC approach is not complicated, it is 
simple. It prohibits unfair or deceptive acts or practices, and 
if you--which means if you're a company and you don't honor 
your privacy commitment, the FTC will go after you. And the FTC 
has brought cases against Google, against Facebook, against 
Dish Network for not honoring its privacy commitments.
    The second point I'd make--I just want to come back to the 
consumer confusion issue--90 percent of consumers, according to 
a study--this might have been what you cited, Mr. Chairman--by 
the Progressive Policy Institute, and I'll put this in the 
record after the hearing, believe that consumers should be 
under the same rules, and those same--and those same rules--and 
the reason isn't just because of consumer confusion, although 
that's a reason, the reason is because consumers benefit when 
there is competition between ISPs and other technology 
companies, and the FCC has an ability to take the FTC approach 
and turn it into rules. And that's why I think Mr. Garfield's 
idea of having them put out a second draft, because the draft 
that they've put out is full of--it makes--I believe they have 
policy choices or the Coalition believes, and it is riddled 
with just mistakes, would be a good idea. You don't write a 
bill--you don't write a bill, introduce it one day and go to 
the floor the next day. It gets beveled by this committee, it 
gets tested and stress-tested, and that's what the FCC should 
do. This is a big part of industry. You want to get this right. 
They're not very close yet. They need to do a better job.
    Mr. Garfield. Yes, I would add that the problem is not 
simply that it's distinct, and there's a problem there, as Mr. 
Leibowitz has pointed out, it's also that it ignores what is 
proven to be effective and workable over decades. And so 
replacing something with something that's likely to not be 
workable is making change for change's sake without any 
evidence that will improve the nature of things for consumers.
    The Chairman. Mr. Leibowitz, has the FCC identified any 
specific harm or particular problems posed by ISPs that require 
a different privacy framework from what the FTC has applied to 
ISPs for years?
    Mr. Leibowitz. No, I don't believe it has, Mr. Chairman, 
and, indeed, you know, it would be easy for the FCC to take the 
FTC's approach embodied in the 2012 report, which, by the way, 
was criticized by some businesses and supported by a lot of 
consumer groups, and just focus on the really important thing, 
where consumers need protection, which is sensitive data.
    The Chairman. Mr. Polka, while the FCC's proposals would 
place significant additional burdens on all broadband 
providers, as you pointed out, there are burdens that I think 
probably disproportionately affect smaller providers, like 
those serving much of South Dakota and rural America, who may 
have only hundreds or perhaps a few thousand broadband 
consumers.
    Would you think the FCC's proposed regulations lead to more 
and better broadband service options for rural American 
households, or might they lead to less? And maybe you could 
elaborate a little bit, too, some of the burdens and how they 
do disproportionately affect providers in our part of the 
world.
    Mr. Polka. We believe it would lead to less with a chilling 
effect on investment and deployment, which is something none of 
us want. I mean, we're all here in Washington where we're 
encouraging greater deployment of broadband in smaller markets, 
rural areas. And the fact of the matter is you can look at our 
members and say that they're good actors. They've been member 
companies that have supported privacy and protected the privacy 
of their customers for decades.
    And, in fact, our member companies have been part of the 
solution. We're the ones that have delivered broadband out to 
the smaller markets in rural areas where the large companies 
simply won't come. So we are part of that solution in reaching 
those hard-to-reach communities.
    But what we're talking about here is really the challenge 
of balancing the need for privacy and privacy regulations with 
the ability to deliver important broadband services in rural 
markets in rural areas, in smaller markets, and in competitive 
areas, and that's where I think the balance is necessary with 
the FCC's rules.
    When we look at changing the nature of what has been a 
consistent longstanding policy that is applied to consumers in 
the broadband--Internet ecosystem for years and now changing 
that and changing their expectations, I think we're asking for 
trouble.
    As your previous question alluded to, consumers expect 
privacy to apply across the board. If you create two different 
systems of privacy regulation, the consumer is going to think 
there is just one standard. They might be surprised on the 
other end, where there's a lesser standard, to realize that 
maybe their privacy isn't protected as maybe they assumed it 
would be when they're dealing with their ISP.
    The Chairman. Thank you. My time has expired.
    Senator Nelson.
    Senator Nelson. Thank you, Mr. Chairman.
    I have been struck listening to your testimony, and I thank 
you for it, I think it's very reasoned. What we have been going 
through over the past several years in trying to protect the 
privacy of American citizens and American persons from 
intrusion by the government, and, thus, we have set up this 
long case history that if you want to get something in 
somebody's house, you have to go to a judge, if you're the 
government, to get that. So, too, then in this new world of the 
Internet and telephone calls, we have said that if the 
government wants to get content of those communications, it has 
to go to a specially set-up court to handle intelligence 
matters, the FISA court.
    Now, if that is true and now we move from government 
wanting to get your content over to corporations wanting to get 
your content, Professor Swire, is that the reason that half the 
people are now encrypting their communications?
    Mr. Swire. Well, a big reason for the shift in encryption--
and I was on the President's NSA Review Group and we worked a 
lot on those FISA kinds of things--a big reason is that 
American-based companies that operate overseas were facing a 
lot of loss of confidence overseas, folks didn't want to use 
U.S.-based services, and one of the ways that American-based 
tech companies have responded is by upping the level of 
encryption in a lot of different places.
    Senator Nelson. But you said in your testimony, as I 
understood it----
    Mr. Swire. Yes.
    Senator Nelson.--that it is the consumers that are choosing 
to encrypt their communications.
    Mr. Swire. It happens at the service level. So Gmail a few 
years ago wasn't encrypted, and now it is. Facebook a few years 
ago wasn't encrypted, and now it is. It's complicated for us, 
as individuals, to set up an encryption system, but it's by 
default, then it works, and what's happened for consumers is in 
the last few years the defaults have shifted a lot more toward 
encryption.
    Senator Nelson. OK. Professor Ohm.
    Mr. Ohm. Yes, no, it's a great question and it's a really 
interesting one. I spent four years at the Justice Department 
as a computer crime prosecutor----
    Senator Nelson. In essence, my question to you is----
    Mr. Ohm. Yes, yes.
    Senator Nelson.--do we not have an obligation since we're 
protecting American citizens and American persons from the 
government intrusion of their content, do we not have an 
obligation to protect from the commercial intrusion of their 
content?
    Mr. Ohm. Yes, it speaks to the Chairman's question about 
consumer expectations, right? Privacy is in shambles 
everywhere. The consumers and the citizens feel a lot of 
anxiety about this, and again I'm guessing that you hear this 
from your constituents. One measure of this is kind of clamor 
for encryption. And, by the way, some of that encryption may 
be, ``Please encrypt your service so my ISP can't look over my 
shoulder,'' which feeds the FCC's impetus, not cuts against it, 
right? And for these reasons--and, in fact, in some of my work, 
I've even documented how the line between these two systems of 
surveillance is actually quite blurry, and that a lot of 
government surveillance is sometimes abetted by massive data 
bases that are held by corporations.
    But to get to your basic point, I couldn't agree more. Like 
if we want parity, we should have parity in all ways, including 
parity in the understanding that information, when it's sent 
through an intermediary that you have to use, you have no 
option not to use an ISP, will have a modicum of measured level 
of modest privacy support on top of that.
    Mr. Garfield. What we're talking about is not a choice 
between protection or no protection. What we're talking about 
is the framework for that protection, and should it be grounded 
in well-established principles or reinvented whole cloth by the 
FCC?
    Senator Nelson. Well, what we're talking about, when you 
look at it from the consumer's standpoint, is, should the 
consumer have the authority, by giving their consent or not, to 
control the invasion of their content? That's what we're 
talking about.
    Mr. Garfield. Right. But opt-in and opt-out are both giving 
consumers choice and consent. What we're talking about is 
whether the agency gets to define which is----
    Senator Nelson. But as a practical matter, that doesn't 
work that way.
    Mr. Ohm. Right. And if I may, Senator Nelson, it goes 
directly to your question, the Wiretap Act and FISA, which you 
referenced, they do have consent exceptions, but they're prior 
consent exceptions just like the FCC's opt-in rule. Imagine if 
it weren't so. Imagine if the baseline rule was all of our 
communications could be wiretapped unless we found some obscure 
government website and opted out. Right? So this goes exactly 
to the question that you were asking.
    Mr. Leibowitz. But the other thing I just wanted to mention 
is you are talking about sensitive data, and I think we all 
agree there should be protections for sensitive data. That was 
the FTC's approach, and we believe that could be the FCC's 
approach, but that is not the approach they have now, it's for 
all data. And keep in mind that right now over the top 10 ad 
sites and 70 percent ad-selling companies and 70 percent of 
online advertising revenue, much of it driven by rich data 
collection. It's not ISPs, it's everybody else in the Internet 
ecosystem. And so everyone should be under the same--every 
company should be under the same rules to protect the kind of 
data you want protected.
    Senator Nelson. Well, I'll get into it later on. But thank 
you, Mr. Chairman.
    But let me just tell you some country boy logic. One 
person's sensitive data is not another person's sensitive data. 
And so the question here to me is, Should the consumer have the 
choice of whether they want that data shared with the 
commercial sector?
    The Chairman. Thank you, Senator Nelson.
    Senator Blunt.

                 STATEMENT OF HON. ROY BLUNT, 
                   U.S. SENATOR FROM MISSOURI

    Senator Blunt. And following up on that thought, Mr. 
Leibowitz, why would you have two different standards?
    Mr. Leibowitz. Well----
    Senator Blunt. Even if you do establish this data, 
sensitive data standard, why would you have one standard for 
one group of data providers and another standard for another 
group of data providers?
    Mr. Leibowitz. Well, I think you're absolutely right, and 
in the FTC's 2012 report, which was widely praised by consumer 
groups and had some praise and some criticism by businesses, we 
called for the same standards to be imposed on all large-
platform providers, large-platform providers meaning both ISPs 
and other collectors of data, if those standards were to be 
applied at all, because we think that's what's critical, and 
technology neutrality, which I think is the point that you're 
going to.
    Senator Blunt. It seems to me, Mr. Garfield, that that's 
the fundamental debate we ought to be having here, is if we 
determine the issue of sensitive data, why would it only apply 
in one sector of the way we transmit this information? I mean, 
everything from my flashlight on my iPhone, I believe if there 
is a way to disconnect that from the location finder, I don't 
know what it is, so if I turn on that flashlight, somebody 
knows where I am, or at least it's been registered in a way 
that somebody could find out where I was, and that kind of data 
isn't even considered in this FCC discussion. Is that right?
    Mr. Garfield. Correct. The FCC's proposed rules would only 
apply to companies that provide broadband internet access 
services and that are otherwise covered by the Open Internet 
Order and so would not apply to many of the companies that I 
represent.
    Our advocacy--there are important differences between 
network operators and our companies, but our advocacy today is 
not suggesting that there shouldn't be protection, it is 
actually making the point that you're making, which is we have 
rules that have been working for the last--at least the last 3 
decades, and rather than rewrite those rules with no 
foundation, no data to suggest that they would help consumers 
more, less rely on the rules that are well established that 
have been working that have been developed by the FTC.
    Senator Blunt. Mr. Polka, I believe your group of 
companies, the American Cable Association, is largely small and 
rural cable providers.
    Mr. Polka. Right.
    Senator Blunt. What would be discussed here? Does that 
impact the ability of your companies to provide the higher 
levels of Internet and communication that we think everybody 
needs to have?
    Mr. Polka. It would because it adds layers of complexity 
regarding privacy compliance. And in saying that, I'm not 
saying at all that our members are not strictly committed to 
protecting the privacy of their customers, it's just that these 
rules have a tradeoff effect in terms of providing broadband 
service in smaller markets.
    When you're talking about small companies in southeast 
Missouri that I know of, such as BOYCOM Communications or 
Fidelity Communications or SEMO Communications, that have less 
than a couple of thousand subscribers, the FCC would be asking 
them to maintain a strict liability of ensuring privacy 
protection, which even the FTC has said is undoable. It's 
impossible to meet that standard, not to mention the revision 
of policies, the revision of consents that are asked of 
consumers who opted out to provide consent for commercial 
reasons, which they enjoy, now to an opt-in over non-sensitive 
data that would necessitate the addition of legal time, 
consultant time, man-hours. The FCC itself hasn't even 
determined the cost-benefit analysis of these rules on smaller 
operators, let alone larger ISPs, and I think it's a big issue 
in terms of----
    Senator Blunt. And in rural areas, it costs more to add 
customers----
    Mr. Polka. Absolutely.
    Senator Blunt.--that are further spaced apart, and you're 
saying this is just another reason not to make that additional 
investment to further expand your liability for very little 
impact on your company in a positive way? Is that----
    Mr. Polka. What this would cause is a shift of resources 
from investment and deployment into regulatory compliance for 
smaller businesses, and that means less deployment of broadband 
in smaller markets, rural areas, slower speeds, maybe less 
capacity. And in addition, because of the customer confusion, 
maybe customer anger over consents that they now have to give 
that they didn't have to give before, more consents, and in 
such a way, creating, you know, fatigue on the part of a 
consumer to say, ``Well, I just give up. I don't even want the 
service any longer.'' We don't want to see that happening in 
our markets.
    Senator Blunt. Thank you.
    The Chairman. Thank you, Senator Blunt.
    Senator Schatz.

                STATEMENT OF HON. BRIAN SCHATZ, 
                    U.S. SENATOR FROM HAWAII

    Senator Schatz. Thank you, Mr. Chairman.
    Professor Ohm, it seems to me that one of the basic 
questions is, what is it that makes an ISP different from 
another Internet company? And the Title II part is easy, that 
was sort of pursuant to a legal strategy, the Open Internet 
Order. Set that aside for a moment. Your assertion, and I find 
it persuasive, is that ISPs occupy a unique place in the 
Internet ecosystem, and especially for people in rural areas 
and actually people in D.C. who have very few choices in terms 
of how they get on the Internet.
    So I want you to talk a little bit about that, and then I 
want to give a chance for Mr. Leibowitz to respond, and then, 
additionally, I want you to respond to Professor Swire's data 
point regarding encryption because it seems to me that this 
unique place in the ecosystem becomes somewhat less critically 
essential if you're talking about 70 percent encryption 
eventually and going up and up and up, which is to say, 
intuitively, I don't want to necessarily let an ISP have all of 
my data, and yet if all they know is that I went to Facebook, I 
went to the Star-Advertiser back home, I went to Gmail, that I 
do not find to be, to repeat Mr. Leibowitz's term, particularly 
personally sensitive.
    So I want you to address, first of all, what is it that 
makes an ISP special? And how do you respond to the contention 
that increasing encryption may diminish that argument?
    Mr. Ohm. Absolutely, and thank you for the question. There 
are actually two ways to take on the first question. I think 
they're both consistent with one another. The first is simply 
the choice point again, that if you have an operating system, 
as Professor Swire suggested in his testimony, that is bucking, 
frankly, their industry norms and beginning to build a dossier 
on you as well. Well, first of all, it will have a press outcry 
when this is revealed; second, you have a choice to switch 
operating systems. It's even an easier choice if it's your 
browser that is doing the untoward spying, but when it's your 
Internet service provider, as you say, for rural Americans, for 
people who live on tribal lands, and for urban dwellers, that's 
not really a meaningful choice.
    Second, it goes directly to Senator Blunt's----
    Senator Schatz. So you're not necessarily talking about 
current bad behavior, but potential future bad behavior.
    Mr. Ohm. Potential future, yes.
    Senator Schatz. Fairly.
    Mr. Ohm. I strongly believe that we don't need to wait for 
Pearl Harbors and data out--you know, dead bodies before we 
decide in anticipation to regulate something, right? And I 
think that's the decision that was made by this body in 1996.
    Second, it goes to Senator Blunt's question about, Why have 
two standards? Right? As I said earlier, we have numerous 
privacy standards about online space itself. One reason why not 
to have two standards is because Congress hasn't gotten around 
to regulating----
    Senator Schatz. Well, I'll just interject there and point 
out that if you ask a person whether they think that there 
should be one standard, the assumption of the respondent in the 
poll is that it would be one high standard----
    Mr. Ohm. Right.
    Senator Schatz.--not one high standard and one low 
standard. So I don't find that particularly persuasive at all.
    Mr. Ohm. Yes, no, no. And if I can say one more thing 
agreeing with you on that, I have all the respect in the world 
for Professor Swire's work. You can read his report to say 
everybody is collecting information in ways that consumers 
don't know, don't expect, don't appreciate. Right? And so you 
could read it, and I think he's even said this, you can even 
read it as a full-throated defense for more privacy law in 
different sectors. Right?
    Senator Schatz. Can I get you to respond to the encryption 
question and then kick it over to Mr. Leibowitz?
    Mr. Ohm. Absolutely, absolutely. So encryption is 
spreading, but as the report from Upturn, which has been widely 
cited, has said, 85 percent of the most widely used websites 
still don't encrypt. It's a sad fact in 2016.
    The second thing is you were talking about a rather anodyne 
list of websites that you may not care if people know about, 
but it doesn't require much imagination to come up with the 
websites we might care more about. This person is visiting the 
NRA website reliably, this person is visiting Planned 
Parenthood, this person is visiting Black Lives Matter related 
websites. Right? There's a long tail of sensitivity, and 
sensitivity is often in the eye of the beholder.
    Senator Schatz. OK. Go ahead.
    Mr. Leibowitz. So I will yield 30 seconds of my time to 
Professor Swire at the end so that he can talk about why----
    Senator Schatz. That gives you 10 seconds.
    [Laughter.]
    Mr. Leibowitz.--why ISPs are not unique. Then I will only 
yield 15 seconds of my time.
    [Laughter.]
    Mr. Leibowitz. But I think the important answer--and I can 
see you're struggling with this, and I think all of us are 
struggling with this, is you can have similar--rules ought to 
be technology-neutral to the extent that they can, and if 
you're going to have a higher level of scrutiny--right?--for 
the things that consumers are concerned about and that they 
need to be protected about, then it should be the kind of 
sensitive data like health, like financial information, and 
like information that involves children--right?--which is what 
the FTC did in its role, which Senator Markey was very involved 
in, on the Children's Online Privacy and Protection Act.
    And so all we are saying from a 21st Century Privacy 
Coalition approach, Privacy Coalition approach, is have the 
FCC's rules reflect more of the FTC's policies, which is 
enforcement plus restrictions on sensitive data and technology 
neutrality to the extent that you can do it, and then I'll turn 
it----
    Senator Schatz. With the Chair's permission, we'll go to 
Professor Swire for just a couple of seconds.
    Mr. Swire. I don't think I have really much to add.
    Senator Schatz. OK. Thank you.
    [Laughter.]
    The Chairman. That is a first in front of this committee.
    [Laughter.]
    The Chairman. I have Senator Markey up next.

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Thank you, Mr. Chairman, very much. And I 
guess I would argue that where you go online all day long, and 
we've learned from recent surveys that adults and children are 
pretty much online all day long, but where you go online all 
day long is as sensitive as your health information. It is as 
sensitive. I mean, that's the profile of who you are as a human 
being in the United States in 2016. OK? If that information is 
not considered to be sensitive, then all of us have every bit 
of information being gathered about us, about what we're doing 
all day long, every single day, as being out there and kind of 
being determined to be not sensitive, not sensitive, just kind 
of a product, just information that can be sold to people. And 
I think that's what the heart of this whole matter is all 
about.
    So historically, the telephone company was viewed as a 
company that if you got on the phone and you called that 
department store or you called this or you called that place, 
we had laws that said the telephone company can't sell that 
information, where you went, who you are. Right? And beginning 
now, with this new FCC regulation that's been upheld, well, 
this broadband access is now considered to be a common carrier 
like a telephone company was, so now the FCC has the ability to 
regulate it.
    And so as you're looking at the issue again and you're 
saying, OK, so what should the protections be? What should this 
common carrier be allowed to do with all of this information, 
which is essentially who we are as people? Now, what that 
company did that you called with your information, that's one 
issue, and we have to deal with that, but this is a separate 
issue. What does the telephone company do? Because essentially 
there's just a telephone company and a cable company. You don't 
have a choice. If you're going to be online, you have to pick 
one or the other, and in many places, you can just pick one.
    So, Professor Ohm, can you talk a little bit about that 
transferring over of what the expectations are of ordinary 
Americans and the protection of this profile of who they are as 
a human being?
    Mr. Ohm. There are so many studies, including a 
particularly distressing one about a survey of American 
authors, that show that people hesitate to surf the Web in the 
way they would like to because they're worried about where that 
information may end up. Now, it may be that for some of the 
people, they're worried about the government, and for others, 
they're worried about corporations, but that chilling effect 
has been documented and it has a sort of deleterious effect and 
influence on expectations that you've been describing.
    And the other thing I can tell you is I couldn't agree more 
with your assessment of all of this information being 
sensitive. I would be so bold as to say it probably could 
justify a ban on the sort of behavior we're talking about, but 
that's not what Congress did in 1996, and it's not what the FCC 
has done in its rule. It's a very measured rule, and I would 
love to say more about that, but it doesn't go to the extreme----
    Senator Markey. Then say a little bit about that because 
what they're talking about is giving consumers more power to 
choose if their sensitive information can be used or shared by 
the ISPs, require the ISPs to adopt ADA security protections 
and notify consumers if a breach occurs, and promote 
transparency by mandating that the ISPs disclose what they 
collect about consumers. So what's wrong with that?
    Mr. Ohm. Absolutely. It's a modest set of requirements. It 
overlaps in significant part with the FTC report of 2012 that 
Mr. Leibowitz has talked about several times. As I hear Mr. 
Polka's testimony, and I'm very sympathetic to the idea that 
small businesses need to be accommodated by regulations, I 
heard him say repeatedly that his companies are responsibly 
already doing right by their consumers when it comes to privacy 
and security. I'm guessing most of them are not selling data en 
masse to advertisers. This rule will have modest effect on 
them, and if there is something that's disproportionate, then 
the FCC ought to accommodate that.
    Senator Markey. Yes. So this essentially says there's a 
bill of rights, that is, that each American knows what the 
rules are going in----
    Mr. Ohm. Yes.
    Senator Markey.--rather than hoping that the FCC brings a 
case later on saying, ``You know, that was really an unfair and 
deceptive practice.''
    Mr. Ohm. Well, and I'm sorry to disagree just a little bit. 
I wish it were more of a bill of rights. This is merely an 
opportunity for a contractual, meaningful contractual, 
conversation with your ISP, but you're not afforded any rights, 
right? They can say in some meaningful ways, ``The deal we're 
offering you is not a very good deal, but here's the deal we're 
offering.''
    Senator Markey. ``Here's the deal.''
    Mr. Ohm. Yes. But, again, I totally agree. It's a modest 
measured approach to privacy on this----
    Senator Markey. There's kind of an argument here, well, 
this is kind of like a radical departure from what's been going 
on for the last 20 years, and what you're saying is it's not at 
all.
    Mr. Ohm. Yes.
    Senator Markey. It's modest.
    Mr. Ohm. Absolutely.
    Senator Markey. It's reasonable. It gives the consumer some 
rights, some sense of expectations about what they can expect, 
but it's in their relationship with the ISP, with the telephone 
company and cable company, and then they can decide what they 
want to do.
    Mr. Ohm. And, quite importantly, they're having a public 
NPRM. Congress is watching them very closely. They have strong 
incentives, the agency does, not to do something that's 
terribly radical, hence the modest approach.
    Senator Markey. OK, great. Thank you.
    Thank you, Mr. Chairman.
    The Chairman. Mr. Leibowitz, did you want in on that?
    Mr. Garfield?
    Mr. Garfield. It is far from modest, and that's--moreover, 
if you are, as Professor Ohm said, going to regulate 
prospectively, I think it's incumbent upon you to bring forward 
evidence to suggest that the alternative approach that you are 
going to move forward with is one that will actually benefit 
consumers.
    Mr. Leibowitz. Yes.
    Mr. Garfield. And in this NPRM, there is no zero data 
suggestive of that, and that's why we think it's critically 
important that there's a second NPRM that cabins--reacts to the 
responses that have been given thus far to date, and that gives 
consumers, as well as the public broadly, the opportunity to 
react to what's being proposed.
    Mr. Leibowitz. Yes, and I just want to say I do agree that 
they should put out a second draft of this proposal. But having 
said that, going back to your point about the 
constitutionality, Senator Markey, when we were dealing with 
phones, it was a closed universe of information, as you know. 
Now we're dealing with data, and when you're dealing with data 
and so little of it is collected by ISPs and so much of it is 
collected by others, you have a problem under the Central 
Hudson Test because you are treating different entities that do 
the same thing differently. So that's the constitutional 
infirmity.
    I won't dwell on it much longer, but it's something that 
I'm sure the FCC is thinking about, and the more that they make 
their rules technology-neutral, I think the higher the decibel 
level goes down, the more--and I think the less they have 
constitutional infirmities.
    Senator Markey. Well, again, I would leave it up to the 
same lawyers at the FCC that were just upheld at the Circuit 
Court to determine what is, in fact, constitutional or not, and 
so far their record has been very good in terms of drawing 
those lines right where they can be upheld.
    The Chairman. Thank you, Senator Markey.
    Senator Moran.

                STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. Thank you, Mr. Chairman.
    Mr. Polka, I want to talk again about small business. In 
fact, I was reading the question as written in front of me, and 
it said we want to shield small business from the effects of 
harmful government regulations. The reality is, as I think 
about that statement, it's not the business we want to shield 
from harmful government regulation, it's the consequence that 
that harmful government regulation has to the consumer----
    Mr. Polka. Certainly.
    Senator Moran.--and that's particularly true for a state 
like Kansas. You visited with the Senator from Missouri, knew 
there are small companies. That is what dominates in our state. 
It is also a state in which we still struggle to have broadband 
services, a wide array, across our state, and some places have 
virtually none.
    So one of the things that we've thought about doing is to 
consider giving legislative clarification that the FCC has 
exemption and waiver authority to deal with those kinds of 
issues. And my question is, Do you believe that to be necessary 
and helpful? And if so, I assume you and others would work with 
us to try to get it right?
    Mr. Polka. Without question. Companies like Eagle 
Communications out of Hays, Kansas, that are phenomenal 
providers of broadband service, have worked because our 
regulatory scheme has encouraged smaller businesses working 
with their consumers to flourish to provide these services in 
their marketplace. But under today's circumstances, it's 
becoming increasingly more difficult to do the same things.
    We're here today talking about privacy where, with all due 
respect to my new friend, Professor Ohm, I wouldn't say it's an 
easy transition from one set of rules we're under to the 
proposed new rules, particularly for smaller providers. But 
that's one set of rules where we're talking about the need to 
shift resources from providing more services to meeting a 
regulatory compliance burden. But at the same time we're 
sitting here, there are at least three other major rulemakings 
that are moving forward at the FCC that have the same impact, 
implementation of the Title II Order, the FCC's rulemaking on 
set-top box reform, and also the FCC's rulemaking on broadband 
business data, otherwise known as special access. Each of these 
in their own could have the kind of negative effects that we 
fear that our members would have to suffer by shifting 
resources from deployment to compliance and regulation.
    Now, again, it's not a situation where our members are at 
all saying, ``We're not up to doing our duty,'' but there is a 
balance that you have to reach when you talk about providing 
the service from a commercial perspective as well as protecting 
the consumers, and we're here to hopefully be part of the 
answer to that. But certainly any greater understanding by the 
FCC or requirement for the FCC to even look at the impact on 
smaller businesses would be enormously helpful to achieving 
everything we want to achieve, which is more deployment in 
smaller markets.
    Senator Moran. Sir, you make a good point. It never seems 
to me that it's one regulation or one event that causes small 
business to struggle and/or fail, it's the series of things, 
it's death by 1,000 cuts----
    Mr. Polka. That's correct.
    Senator Moran.--one more additional burden, and at some 
point in time the proverbial straw broke the camel's back.
    Let me talk to Mr. Garfield about the cross-border data 
transfers, the EU Privacy Shield negotiations. I'm told it has 
just been announced that there is an agreement. This agreement 
is necessary, I suppose, because the EU and the U.S. have 
fundamental differences in the way we look at privacy, ours 
based upon our Constitution. It's my understanding that 
American officials advocated standards based upon the 
longstanding FTC guideline for privacy. What effect would occur 
in those negotiations, the resulting agreement, if we now have 
the FCC regulations, the new standard?
    Mr. Garfield. Let me begin by thanking Congress for their 
role in getting the Privacy Shield passed. The passage of the 
Judicial Redress Act was critically important in getting that 
done. To answer your question, I think it would add a layer of 
confusion that would be unhelpful, and so the Privacy Shield 
recognizes that there is some distinction between the privacy 
regime in the U.S. and the security regime in the U.S. and 
Europe, but that they're essentially equivalent, and that's a 
recognition that the FTC's framework and principles are well 
established. It would be highly ironic and certainly unhelpful 
if, because of another regulatory agency, that agreement that 
has just been put in place would be called in question because 
we're now questioning whether the privacy regime in the U.S. is 
one that's workable.
    Senator Moran. Mr. Leibowitz, anything you want to add to 
that?
    Mr. Leibowitz. No. I absolutely agree that the Commerce 
Department and others are relying on the FTC approach, and if 
it's being questioned it's not strong enough, I think that it 
does not potentially bode well as the Privacy Shield goes 
through the European Union vote.
    Mr. Garfield. If I may just add one other thing that makes 
it particularly relevant, is that though the Privacy Shield has 
been passed, our expectation is that it will continue to get 
challenged in Europe, including in the courts, and so the 
actions that are taken here will certainly have impact, not 
only in Europe, but in other markets around the world.
    Senator Moran. Thank you.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Moran.
    Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you. I've been going back and forth to a FOIA hearing in 
Judiciary in the same area of information and issues, so I want 
to thank you for this important hearing and all of you for 
coming today.
    I've been very involved in the broadband issue and, as has 
the Chairman especially in the rural areas, trying to get 
broadband out. We have many problems with a lot of our 
businesses, small businesses, farmers having to go to 
McDonald's parking lots to get any kind of access. So this 
privacy concern with broadband is incredibly important, but to 
some of them may be a luxury because they can't even get the 
access yet. But for most people who have access, this is an 
issue.
    Senator Hoeven and I actually have worked hard to include 
the Driver Privacy Act, it's part of the FAST Act that was 
passed, to put in some privacy protections for data collected 
in cars. I'm not going to focus on that as much today.
    I guess I would start with you, Mr. Leibowitz, about data 
breaches continuing to jeopardize the security of consumers' 
personal information. Data breaches can have, as we know, long-
term financial consequences for consumers. How should we 
determine, Mr. Leibowitz, what kind of threat should lead to a 
consumer being notified of a data breach? We certainly had this 
issue with Target, my hometown company, and others. How do we 
ensure that consumers receive data breach information that's 
useful to them?
    Mr. Leibowitz. Well, I think that you have to have a harm 
trigger because--and, of course, in the example of Target and 
many of the 50 data breach cases that the FTC has brought, it 
involved harm. But the FCC's approach for data breach doesn't 
have a harm trigger at all. So our concern is under the 
approach they have, there would be massive overnotification to 
consumers, and consumers would become--would see so many 
notifications, and this is a problem in other disciplines as 
well that the FTC has commented on, that they won't look at the 
real notification that they need to because they'll be swamped 
with other notifications that don't really have meaning.
    The other thing, less important because it's not consumer 
related, but important nevertheless, is that a sort of a no 
harm approach for the ISPs is in some contrast with the 
cybersecurity framework that NIST has prepared, which is really 
about protecting critical information.
    Senator Klobuchar. I see. I get it. And you also argue 
about the FCC proposal to prohibit Internet service providers 
from allowing companies to pay for extra privacy protections, 
and you state that many of us may decide that the price to pay 
to avoid personalized marketing is worthwhile. Of course, not 
all consumers have the financial means to make that decision. 
How would you answer the criticism that allowing consumers to 
pay for privacy will result in weaker privacy protections for 
low-income consumers?
    Mr. Leibowitz. Well, it's not certain. I mean, it's a 
reasonable question to be raised, but it's not certain what 
ISPs would do if this--and this is an actual prohibition, as 
Professor Ohm knows, if this--or this would be, if they were 
allowed discounts. It may just be collecting data and using it 
with your similarly branded affiliates.
    These are not--ISPs are not data brokers. No one, I think, 
would ever propose something like that. And so I think the 
approach should be give consumers real informed notice so they 
know what they're being offered, if they're being offered a 
discount, and let them make the decision. And if I'm a family 
of four making $35,000 a year and living in Minnesota, and I 
want, you know--I want home security service or I want music 
streaming or I want energy efficiency, I should have the right 
or the ability to make that determination. The FCC's approach 
in that area, at least, seems to me very top-down and command-
and-control.
    Senator Klobuchar. OK. Mr. Ohm, maybe you want to respond 
to that? And do you think FCC regulation of broadband privacy 
can complement the FTC's privacy work?
    Mr. Ohm. Yes, thank you for both those questions. Number 
one, when it comes to pay for privacy, as it's colloquially 
called, it does really give me a lot of pause, the idea that 
we've already talked a lot during this hearing about the 
paucity of choice that you have for a broadband provider, the 
idea that the only broadband service you could possibly have is 
one where you have to pay extra if you want the privacy version 
of it, is distressing to me and it's something that I hope the 
FCC will strongly consider dealing with.
    It speaks to, I think, a broader undercurrent in this 
debate. I don't have a lot of time, so let me say it briefly, 
which is, a lot of the arguments and criticism has come from 
the perspective of the well-paid D.C. lawyer. For example, a 
statistic that's used often is the average American has 6.1 
devices and three ISPs. Well, that may be true for the average 
American, but it's not true for a lot of Americans, and, in 
fact, a Pew study shows that a lot of Americans who have one 
device and one ISP are disproportionately younger, they're 
poorer, and they're also representative of racial and ethnic 
minority groups.
    So as we think about the policy questions, I want to make 
sure we're thinking about all Americans, not just the well-to-
do.
    Second, if you could repeat the same question, if I have 
time to answer this.
    Senator Klobuchar. Go ahead, yes. It looks like Mr. 
Leibowitz might want to respond.
    Mr. Leibowitz. That might be a point of privilege. But, 
look, I spent--as you know, I spent most of my career in public 
service, and, look, don't take my word for the concerns about 
the FCC's rule, just look at the FTC's unanimous comment where 
it says some of the choices made by the FCC are not optimal, 
and it cites 28 different instances where they're in 
disagreement, in polite, diplomatic language. Don't take my 
word for it, don't take an academic's word for it, we're all--I 
think we are all articulate witnesses, I may be the one 
exception, but, you know, look at what the FTC thinks they have 
done--thank you--they have done--the FTC has been the Nation's 
leading privacy agency for the last 30 years, they're informed, 
they know what they're talking about. I would listen to them as 
well and perhaps more than all of us together.
    Mr. Ohm. I think I'm out of time, but I invite the 
opportunity to talk about the FTC. I would love to do that.
    Senator Klobuchar. Well, I guess that's open for my 
colleagues to ask you, and maybe I'll follow up with some of 
this in writing, including with you, Mr. Garfield.
    Mr. Ohm. I appreciate it.
    Senator Klobuchar. So thank you very much.
    Mr. Ohm. Thank you.
    The Chairman. Thank you, Senator Klobuchar.
    Senator Daines.

                STATEMENT OF HON. STEVE DAINES, 
                   U.S. SENATOR FROM MONTANA

    Senator Daines. Thank you, Mr. Chairman.
    Mr. Polka, I appreciate you highlighting in your testimony 
the burden that these privacy rules will place on small 
businesses. In a state like Montana, population and geography 
pose tremendous challenges for small ISPs. I think about 
Blackfoot Communications. They're the sole provider for 
Elliston, Montana, population 225. Do small carriers even have 
the technical capability to engage in the conduct the FCC is 
trying to prevent? And if they do, do they have any incentive 
to do so?
    Mr. Polka. Not really, Senator. The situation you talked 
about is typical, the company you referred to is typical. I've 
been inside the network operation centers, if you want to call 
them that, a small room in a head-end for a smaller provider, 
and they may have a board and a diagram up there, and that 
diagram has either a red signal or a green signal. Green means 
the network is operating. Red means there's a problem they have 
to fix. That's about the level that our members are looking at 
to make sure that they're able to provide broadband service to 
their customers.
    The fact of the matter is, is that our members, the smaller 
providers, as I've said before, are in the business of trying 
to deliver that network service to their customer for the 
customer to then use as the customer sees fit. And typically 
our members have not been engaged, even under today's rules, in 
the kinds of information gathering that would require opt-in 
consent by a consumer.
    Senator Daines. Let me--I want to continue this discussion, 
and I think there has been talk about some of the inconsistency 
perhaps. I'm just--I'm concerned about as these regulatory 
bodies try to move at the speed of government when the world is 
moving the speed of business, how we're just always playing 
catch-up, and as Wayne Gretzky famously said, ``Skate to where 
the puck is headed, not where it's at.''
    When I send an e-mail, I add a Snapchat perhaps to a story, 
there are a number of entities collecting data. Snapchat is my 
browser, the ISP, they all have access.
    Mr. Leibowitz, the question is, Do you think consumers 
expect that all entities involved in sending an e-mail, 
snapping a photo, are held to the same privacy standards, and 
does it make sense to treat any one of these actors different 
than the other?
    Mr. Leibowitz. No. I think from the perspective of the 21st 
Century Privacy Coalition, and I think from the perspective of 
the consumers themselves, you want the same rules applying 
across the board.
    Senator Daines. So I was struck--I think, Mr. Leibowitz, 
you made a comment I think in the back-and-forth with regard to 
online ad marketing. Ten companies hold 70 percent of the 
market share, none of them are ISPs.
    Mr. Leibowitz. That's correct.
    Senator Daines. In looking at the cross-context chart in 
Professor Swire's report, it's astonishing how much consumer 
information in the ad space, the social network space, have 
compared to the ISPs. I mean, look at our phones. And, by the 
way, if you want to see the behaviors, watch members during a 
hearing, where are they at? They're camped out and probably 
oftentimes on apps even more so than surfing. And I think when 
you look at where young people are headed now, where, you know, 
there's now more daily Snapchat users than Twitter users here, 
it just crossed in the last 30 days. I mean, just profound 
quick shifts here, where they're not out there surfing, they're 
camped out on apps oftentimes. I realize the FCC does not have 
jurisdiction over the entire Internet ecosystem, but does it 
make any sense to have very prescriptive rigid rules for ISPs 
and more flexible rules for edge providers and apps when ISPs 
only see a fraction of what the edge providers see?
    Mr. Leibowitz. No, it doesn't, and I agree with you 
entirely. And it goes to another point as well, which is the 
constitutional question, because when you are treating the same 
information differently, you--it raises concerns under the 
seminal Central Hudson Test, which is a Supreme Court case from 
1980.
    Senator Daines. So, again, this is a concern where I think 
they're chasing the ISP issue right now, but look to where are 
consumers increasingly headed more so?
    Mr. Leibowitz. Yes, I agree with you, and the only other 
thing I would add is if you want to protect consumer privacy, 
which is critically important, and because the ISP--because the 
FCC invoked Title II, they took away jurisdiction from the FTC. 
The FTC has no jurisdiction over common carriers. ISPs are now 
designated common carriers and upheld under the D.C. Circuit 
decision, may be appealed. Because of that, they have to do a 
rule, but they should do an intelligent rule that is free from 
mistakes. We don't think their rule is balanced.
    Senator Daines. So let me get a point the FCC made, and 
this is my last question. In the FCC's Notice of Proposed 
Rulemaking, it offered a justification for its approach, and it 
stated, and I quote, ISPs are the most extensive conduits of 
consumer information and have access to very sensitive and very 
personal information, end quote.
    Professor Swire, does your research find this statement to 
be true?
    Mr. Swire. It depends on the word ``conduit.'' If they're 
the only conduits, then they'll be the most extensive conduit. 
So it might be a finely crafted sentence that you could 
technically say is true.
    Senator Daines. So are ISPs the most extensive conduits of 
consumer information with access to highly sensitive 
information?
    Mr. Swire. They have access to location data, which is 
considered sensitive information, but overall, the point of our 
research is that there is a lot of other folks who also see it, 
and so--look, ISPs do see a bunch of information, so do a lot 
of the other companies you were talking about, and this 
committee and everyone has to figure out overall how we're 
going to handle that.
    Senator Daines. OK. Thank you.
    The Chairman. Thank you, Senator Daines.
    Senator Gardner.

                STATEMENT OF HON. CORY GARDNER, 
                   U.S. SENATOR FROM COLORADO

    Senator Gardner. Thank you, Mr. Chairman. And thank you to 
the witnesses for being here today.
    Mr. Polka, why don't I start with you a little bit? This 
committee, if you look around at the composition of the 
Committee, it's a very rural committee, many members come from 
states that have the very, very sparse populated areas, at 
least in part, if not whole, of the state. I live in a little 
tiny town in the eastern plains, about 3,000 people. The 
nearest big city is a town that's 60 miles away, and it's 
10,000 people, and then you have to go another 60 miles after 
that to get to a town that may be 100,000 people. So these 
areas are very, very spread out, very rural. And, if Senator 
Klobuchar was here, I would say that having a McDonald's is a 
luxury.
    [Laughter.]
    Senator Gardner. That's something that many of our small 
towns, we don't have. But we talk about a lot of regulations 
here in Washington that have opt-outs and provisions, and then 
to say, you know what, we're going to pass this rule, but we 
understand there are small businesses that would be overly 
adversely impacted by this, and so we're going to give an opt-
out for this. Look at the CFPB, I know there are conversations 
about whether community banks and credit unions ought to be 
tailored, regulations tailored, under CFPB, the regulations 
under Dodd-Frank, to address smaller banks and financial 
services. Here we are talking about, well, a new rule that 
would opt out for smaller providers, but it just seems like 
that opt-out never happens, the regulations pile on, and then 
you end up with higher costs and less service in many areas. So 
how many of these companies you're talking about have full-time 
regulatory compliance officers?
    Mr. Polka. Very few. As I said in my statement, most of our 
member companies have about 10 employees. Maybe they have one 
or one and a half technical people that are out actually 
putting service into the home or maybe climbing a pole or doing 
a service call or maybe fine-tuning things in the head-end, so 
to speak, where all the signals come in. But it's very, very 
difficult. That being said, our members, over the last couple 
of decades, have worked to comply with Section 631, the Cable 
Privacy Rule, Section 222, for phone service of the CPNI rules, 
and they have worked to develop policies that have been open 
and that have been--provided disclosure to their customers. And 
they have worked to protect the sensitive data of their 
customers, whether, as Mr. Leibowitz was saying, whether it's 
banking information, school information, health care 
information, et cetera.
    But to do what the FCC is requiring, would require under 
this rule, would go to a level of complexity that when we talk 
about shifting resources would be enormous in terms of legal 
time to revise policies, to revise notices, to send out notices 
that consumers aren't expecting, to comply with higher 
standards of data security, which, as the FTC has said, is 
impossible to meet.
    Senator Gardner. So take away time from expansion, 
investment, upgrades----
    Mr. Polka. Without question, and without even an idea yet 
from the FCC how much time, man-hours, paperwork, or cost it 
would take. And, frankly, from a small business perspective, I 
would have hoped that the FCC might have done a little bit of 
homework in that area before implementing these rules or moving 
forward because, in our view, there is none, and it's not my 
word, it's the Small Business Administration's Office of 
Advocacy that said these would be overly burdensome for smaller 
ISPs. That's a fear and a threat that our members face.
    Senator Gardner. Thanks. Mr. Garfield, you spent a good 
deal of your testimony arguing about the FCC's approach to 
privacy being both inconsistent with consumer expectations and 
inconsistent with existing privacy regulations at the Federal 
Trade Commission, FTC. I've supported numerous pro-privacy 
initiatives during my time in Congress, and I want to ensure my 
constituents that--I want to ensure their private information 
is protected. But do you believe the inconsistencies you 
mentioned could actually undermine consumer privacy 
protections? And if so, how might negative consumer reaction to 
concerns with their personal privacy impact your member 
companies' businesses?
    Mr. Garfield. I made the point--thank you for the question, 
Senator Gardner--in my testimony that privacy and security are 
first principles for our companies, and so any rule or 
regulation that undermines our ability to advance both is 
highly problematic.
    Connecting your second to your first, I think this 
proceeding of the FCC is actually an opportunity, it's an 
opportunity to do something that is not a framework based on 
exemptions for small business or exemptions generally, but to 
build on things that have worked in protecting consumer privacy 
and to call on the well-established history that has been built 
by the FTC. And so it's incredibly important, and I want to 
ensure, and I think our companies in general want to ensure, 
that we don't miss the opportunity to protect consumer privacy 
in a way that's workable.
    Senator Gardner. Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Gardner.
    Senator Heller.

                STATEMENT OF HON. DEAN HELLER, 
                    U.S. SENATOR FROM NEVADA

    Senator Heller. Mr. Chairman, thank you.
    And I'm another rural advocate over here, so I'll probably 
go down the same line as the previous comments. But, frankly, 
anything that you really want to ask has probably been 
discussed here at one point or another. And I want to thank all 
of our witnesses for being here, for your comments, for your 
insight, because it has been very helpful.
    You know, we do have an answer to all this, and we actually 
saw this in this committee. We've already passed out the FCC 
Reform Act. The purpose of the FCC Reform Act was to make sure 
that the Commission, the FCC Commission, operates in a 
transparent and effective manner. And this FCC Act had two 
important principles, and one was that there would be a 
conducted cost-benefit analysis, and we've discussed that, and 
the Commission should demonstrate a market failure. And in 
neither of these cases can I tell by any discussion that we've 
had today that either of these have been the case.
    Even the Chairman, even the Chairman of the FCC, last year 
came in front of this committee and stated that consumers 
deserve a uniform expectation of privacy, in front of this 
committee he said that, and that the FCC will not be regulating 
the edge providers differently from Internet service providers. 
This is what the FCC Chairman said. So in March, there was a 
vote, a 3-to-2 vote, to switch that position. I'm wondering if 
there is anybody here on this committee, Mr. Leibowitz, perhaps 
yourself, that would tell me what has happened, what's the 
change of heart, for the FCC to say exactly the opposite of 
what they're doing today a year ago?
    Now, it doesn't surprise me that the FCC changes or, for 
that matter, Mr. Wheeler changes his mind because he changes 
his mind on everything. I mean, we have seen this consistently 
over and over and over again, that the Chairman of this 
particular Commission changes his mind. Can someone tell me, 
what has changed in the last year when this Chairman came, the 
FCC Chairman, Wheeler, came in front of this committee and said 
that the consumers deserve a uniform expectation of privacy? 
Why has all this changed?
    Mr. Leibowitz. Well, I mean, I can't tell you why. I'm a 
former FTC Chairman, I'm not an FCC Commissioner----
    Senator Heller. But he was agreeing with you. He was 
agreeing with you a year ago.
    Mr. Leibowitz. And in fairness to Chairman Wheeler, you 
know, they could modify their rule to make it look more like 
the FTC approach, that would be what the 21st Century Privacy 
Coalition would encourage them to do. But I do hear you.
    And I guess I would make one other point for those who have 
watched the FTC. At the FTC, we didn't always have unanimity, 
but we always strived to have it, and on important votes 
involving rulemakings, involving major cases, we would 
typically end up with unanimity or a supermajority, bipartisan 
supermajority, and I think that makes rules much more enduring.
    Senator Heller. I agree.
    Mr. Leibowitz. And you know this, when you have a 
bipartisan coalition, and all of you on this panel sitting here 
have put them together, it makes the rules more legitimate, it 
makes your bills more legitimate, your legislation, and it 
helps them last longer.
    Senator Heller. Well, I would just argue that transparency 
is the difference between the FTC and the FCC. That is the 
difference, is the transparency, and I think that's the reason, 
the most important reason, why we pushed this FCC Reform Act, 
Process Reform Act, is to make sure that we get this 
transparency into the FCC.
    I just want to touch on one other point before my time runs 
out, and that is the Small Business Administration, their 
advocacy office came out with concerns about this particular 
proposal, and, Mr. Polka, I would like you to respond, but they 
were knowing that the costs would include consulting fees, 
attorneys fees, hiring and training in-house privacy personnel, 
consumer notification costs, and probably opportunity costs, if 
you want to do the economics behind that also. These are the 
costs. So the question is, one, there hasn't been a cost-
benefits analysis because the FCC does not believe in a cost-
benefits analysis. But, two, do you believe that the FCC has 
considered the economic harm to small providers like those in 
my state of Nevada?
    Mr. Polka. And not to mention what you said, but also risk 
management assessments, which smaller providers don't do today, 
which would take significant legal and consultant times as well 
as other items.
    I do not believe that the specific concerns of smaller 
companies and the economic impact has been considered. And we 
were very pleased to see that the SBA noted that from the 
Office of Advocacy. Frankly, the rules relating to the FCC and 
implementation of a rulemaking does require it, to do at least 
some sort of analysis about the impact on smaller businesses. 
The FCC in its rulemaking has asked questions about the impact 
on smaller business, but to our knowledge, no type of cost-
benefit analysis, and as I said before, no estimation of man-
hours, paperwork hours, et cetera. And when we look at other 
opportunity costs that would be shifted, one of the things that 
the FCC would require us to a point would be a senior privacy 
officer, senior data security officer, someone who has that 
title within our company. As I said before, when you have 10 or 
fewer employees, I think we're going to be looking around the 
office to say, ``Do you want it?'' because it's going to be 
hard to fill.
    Mr. Swire. Can I just very briefly, as a point of 
information, under HIPAA, there's a whole part of the HIPAA 
rule called ``scalability,'' which is the Mayo Clinic has to be 
super strict and big, but two doctors in a little office have a 
different level of privacy and cybersecurity, and it may be, 
and I don't think this was fully fleshed out in the FCC's 
proposed rule, that there could be some learning done from 15 
years of experience there and how to handle small versus large 
organizations.
    Mr. Polka. And that's consistent with what the FTC has done 
over the years as well, to take size into account.
    Senator Heller. Thank you. I want to thank all of the 
witnesses.
    Mr. Chairman, thank you.
    The Chairman. Thank you, Senator Heller.
    Senator Blumenthal.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thanks, Mr. Chairman.
    Mr. Leibowitz, you mentioned in your testimony how ISPs 
want to enter the online advertising market, not really a new 
phenomenon. You and I probably both recall, although you may 
not because it may have been just a minor blip on your radar, 
but in 2008, Charter Communications announced plans to launch a 
pilot program in Newtown, Connecticut, that would target 
advertising to subscribers based on their Internet traffic 
through an invasive technique called deep-packet inspection.
    I was Attorney General at the time. I sent a letter to 
Charter with serious concerns about the legal and privacy 
implications, and fortunately in this case, Charter reversed 
course, abandoned the plan, and there was also, parenthetically 
I should mention, a public outcry from consumers, consumer 
advocates, and lawmakers, including none other than Congressman 
Edward Markey, of the great state of Massachusetts, although he 
may not remember it either because it was probably a minor blip 
on his radar of many accomplishments in the area of consumer 
protection.
    So what I guess I'm asking you and Mr. Ohm is, is what the 
ISPs are trying to do today different from what they were 
trying to do in 2008? In what ways has the technology for 
tracking a subscriber's browsing history and deep-packet 
inspection, DPI, grown more sophisticated and potentially more 
intrusive on consumer privacy since 2008 when Charter tried to 
do it in Connecticut?
    Mr. Ohm. So I welcome the question. It actually wasn't a 
blip on my radar. I wrote I think the only extended Law Review 
article analyzing the work of your office and others, in which 
I came down pretty hard on ISPs for the moves that they were 
making.
    The Swire report does establish that deep-packet inspection 
will not work to the same level of efficacy as it has in the 
past with encrypted communications, but it's again important to 
underscore that there are a lot of communications that remain 
unencrypted, and deep-packet inspection remains a problem that 
looms large on the horizon, and, in fact, today there is a rich 
ecosystem of vendors just chomping at the bit to sell deep-
packet inspection systems to ISPs.
    The second thing I would say is there was a time in the not 
so distant past, in fact, 2008, 2009, where because of the 
relative processing speeds of computers versus the speeds of 
these fiber optic cables, it was really hard to do surveillance 
on everybody all at once. That curve has completely flipped, 
and today a company that really does want to compile a dossier 
about every single one of their customers, even one with 
relatively constrained resources, like a small ISP, can 
absolutely off the shelf buy the technology to do something 
like that.
    Senator Blumenthal. Mr. Leibowitz, I would ask you the same 
question also about perhaps the ISPs you represent voluntarily 
committing to refrain from using deep-packet inspection.
    Mr. Leibowitz. So I think that's a great question, and we 
had discussions, and you were involved, and very successful, I 
think, enforcement advocacy and jawboning, and the DPI never 
got off the ground.
    We addressed this issue in our 2012 FTC Privacy Report 
because we thought that all large-platform providers, that is, 
companies that collect data, including ISPs, shouldn't collect 
sensitive information, so health information, financial 
information, kids' information, and we talked about deep-packet 
inspection. And, in fact, in 2012, ISPs--two ISPs committed, 
and I'll get you this, and it is in our Privacy Report, two 
ISPs committed to not using deep-packet inspection without 
advanced opt-in consent. So we thought that was really 
important to follow up on your work, and because we had 
concerns about it at the FTC, as a commission.
    So I think I would have to go back to our companies, but I 
think if what's on the table is a prohibition on deep-packet 
inspection, that would be great to know from the FCC, and a 
second iteration of their draft, if they went in that 
direction, I think would be tremendously meaningful.
    Senator Blumenthal. Thank you. Well, I would very much like 
to work with you on this issue, and as the FTC Chairman, you 
certainly helped to make the FTC the primary champion of 
privacy in the Federal Government, so I think your leadership 
then and now is profoundly important. Thank you.
    Mr. Garfield. If I may just add, your question speaks to 
the importance of having an approach and a paradigm that has 
some flexibility to it, which is part of the problem with the 
FCC's approach, is that it's very much based on rigid, 
mandatory, mechanical approach, unlike the approach the FTC has 
taken and that NIST is taking when it relates to privacy and 
cybersecurity.
    Mr. Swire. Very briefly on deep-packet inspection. So three 
points. This first is, as Professor Ohm said, there is some 
good news here, which is where there is encryption, DPI doesn't 
work. So some things have gotten better in life, even though we 
don't usually notice that.
    The second point is that deep-packet inspection has been 
used by ISPs for cybersecurity purposes to look for signatures 
in malware, and so whatever your views are on marketing, there 
are some cybersecurity things to take into consideration about 
that.
    And the third and related point is there's comments by a 
group of network researchers trying to improve overall network 
performance who have said that having a research exception so 
that it can really analyze the data has some public benefits. 
So an across-the-board ban might run into cybersecurity and 
research problems, so there should be some nuance as people 
consider that.
    Senator Blumenthal. Thank you.
    The Chairman. Thank you, Senator Blumenthal.
    Senator Markey, do you have other questions?
    Senator Markey. May I, Mr. Chairman?
    The Chairman. Yes.
    Senator Markey. Thank you. Tell me, Professor Ohm, if you 
could, how you view this issue of what information can ISPs 
collect about consumers, and how can that information be used 
to paint a detailed picture of their lives?
    Mr. Ohm. I like when I talk to my students about this, I 
like to ask them to imagine, if they will, a stream of 
information just streaming behind you, always connected to you, 
that in a very detailed way really does kind of amount to the 
sum and substance of who you are. I think you actually said 
this earlier in the hearing, right? This is detailed, this is 
persistent, and it's very, very, very difficult to escape this, 
right?
    Senator Markey. So if a mother is searching for information 
about her 13-year-old daughter's anorexia----
    Mr. Ohm. Yes.
    Senator Markey.--the ISP has that information.
    Mr. Ohm. Absolutely, and----
    Senator Markey. And so does the website that she went to----
    Mr. Ohm. Of course.
    Senator Markey.--but the ISP has the information as well.
    Mr. Ohm. That's right, and it speaks to proposals that some 
have suggested that the FCC just make this about what is 
sensitive or not, right? But that is getting at this problem 
the wrong way. I mean, it's better to categorically say that 
this is intrinsically who you are, and, in fact, whether 
something is sensitive or not really might vary minute to 
minute, second to second.
    Senator Markey. So if the mother or the daughter, the 13-
year-old, went to a religious website, the ISP has that 
information.
    Mr. Ohm. Right.
    Senator Markey. Now, the daughter or the mother, they know 
that they went to the religious website, so they know what 
they're doing.
    Mr. Ohm. Right.
    Senator Markey. Now, the ISP has it as well.
    Mr. Ohm. That's right. That's right.
    Senator Markey. Is that sensitive?
    Mr. Ohm. Absolutely. Not just that they visited it once, 
but precisely to the second when they visited it, how much 
information they downloaded from it, perhaps if it's not 
encrypted, exactly what sub-page they were looking at, what 
specific affliction or what specific religious question they 
were interrogating the website about, and I think, as 
importantly, how many times they revisit it, when they revisit 
it, and the name of the game here in a big data world is to 
correlate that with everything else in your life.
    Senator Markey. So how about if I need a loan and I've gone 
to one of those websites?
    Mr. Ohm. Absolutely.
    Senator Markey. I know I'm going to that website, I need a 
loan, but the ISP knows it as well.
    Mr. Ohm. And contrast this with 1996, when we were focused 
a little bit more on telephone numbers, right? There was a tiny 
bit of comfort from a privacy point of view in not knowing 
exactly what you did when you called a particular number, and, 
in fact, examples have been made, people call weather lines and 
they call for the lottery numbers. On the Web, often the domain 
name will reveal exactly what you are doing. In fact, I've 
sometimes described it as a machine that preserves the very 
last thought that you had in your head. So that's what's being 
logged.
    Senator Markey. So how can ISPs use the information in a 
way that could harm the consumer?
    Mr. Ohm. Yes, I mean, you know, the FTC itself has 
documented in their Big Data report that they would like to 
sell this information to data brokers, and just to be clear, 
that's not what the FTC said about ISPs, but I'm talking about 
the advertising ecosystem more generally, and they would like 
to categorize you, and, you know, it might just be for 
marketing purposes. It might be that you're the kind of person 
who is more likely to be interested in this product because of 
the things that you've been reading lately.
    Senator Markey. And so how would the FCC's rules protect 
that personal information that I just outlined amongst 
thousands of other potential examples?
    Mr. Ohm. Yes. In my mind, the most important, I would say, 
feature of the rule is the fact that in an opt-in world, you 
have the comfort of not having to think about this, that if 
you're someone who is worried about this in any way, your 
choice by default is not to be tracked or for the information 
not to be used in this way. On the other hand, if you're 
someone looking for a deal with your ISP, your ISP has ample 
opportunity to sell that service to you, and you can opt in to 
the tracking----
    Senator Markey. In other words, the ISP says, ``Please give 
us the right to sell all of your private information.''
    Mr. Ohm. Yes.
    Senator Markey. You have the right to give them the 
permission.
    Mr. Ohm. Absolutely. Like I said, there's no ban here. And, 
in fact, I think ISPs are probably going to be successful 
convincing some consumers to undergo programs like this, but 
for the rest of the people, again, it's the comfort of the 
bright line, it's the ability to live under the default rule, 
which protects the expectation that a lot of consumers have and 
to address the fears that a lot of----
    Senator Markey. And I find that in general as kind of a 
rule, there are some people, they have some disease, you know, 
they're telling everyone about it.
    Mr. Ohm. Right.
    Senator Markey. OK?
    Mr. Ohm. Yes.
    Senator Markey. And there's an equal number of people 
going, ``I'm not telling anybody about this. If you tell anyone 
I have this disease, I'm going to kill you.'' Right?
    Mr. Ohm. Right.
    Senator Markey. So you should have that right, you know, 
just to say, you know, if you want to brag about it, you know, 
then you go and do it, but if you want to keep it a complete 
secret, you should be able to do so as well, and this is the 
option that the FCC is giving to people.
    Mr. Ohm. I think it's not inaccurate at the end of the day 
to boil down this rulemaking as, how can we best give the 
opportunity for consumer choice, respect that consumer choice, 
and at the same time allow ISPs to engage in innovative and 
competitive economics?
    Mr. Garfield. Professor Ohm, what you've eloquently argued 
for in your writing and today is a reworking of the privacy 
framework in the United States, and what I would humbly suggest 
is that the appropriate place for that discussion to occur is 
in Congress and not in an agency.
    Mr. Ohm. And I would just submit that I think that debate 
was had at least in part in 1996, when this Section 222 was 
enacted, and, frankly, I think it's continuing to happen. The 
House had a hearing on this last month. The Senate has a 
hearing today. There is ample opportunity to amend the statute 
if that's the will of this body, but the law on the books is 
clear and unambiguous.
    Senator Markey. I guess the way I would view it is you put 
HIPAA on the books, you put FERPA on the books----
    Mr. Ohm. So there, well, the law is there for the FCC to 
act under.
    Senator Markey. They're there as a section of the law, and 
they're acting under that section of law, so it's not a 
rewriting of the laws, it's an interpretation of the law 
reflecting the change in technology, but not a change in the 
authority under which they are operating.
    Mr. Ohm. And Mr. Garfield is right, it's a distinctly 
American phenomenon that we do not have a lot of privacy laws. 
This body has been very deliberate about identifying those 
opportunities, those moments, those industries, those contexts 
where specific law is needed, and it did so when it comes to 
telecommunications providers.
    Senator Markey. And common carriers have always been.
    Mr. Ohm. Absolutely.
    Senator Markey. Since 1934 in this special category.
    Mr. Ohm. That's right.
    Mr. Garfield. It is true that the U.S. approach is 
distinct, but the U.S. approach is not deficient, and so we 
shouldn't confuse those two things. Even Europe, which is 
viewed as having heightened privacy protection, is based on the same 
FIPs framework that the United States is, and the Privacy 
Shield that was just advanced is a reflection of the rough 
equivalence of the approaches that are taken here in the United 
States and Europe. So to suggest that just because the U.S. is 
different in fact means it's distinct is counterfactual.
    Senator Markey. Thank you.
    Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Mr. Leibowitz, do you have anything to add on that?
    Mr. Leibowitz. No. I mean, I think yours is a principal 
position, Senator Markey, as it always is, but, you know, the 
vast majority of data collection online is by non-ISPs, and we 
had a term for them at the FTC, for all collectors of data, we 
called them ``cyberazzi.'' And the better approach to take, 
from my perspective, and again we can disagree, and from the 
21st Century Privacy Coalition's perspective, is try to keep 
your approach technology-neutral, and when you can't, try as 
much as possible to adopt the FTC approach, which you've been 
supportive of and which has been tested for many years and 
deemed reasonably successful.
    Senator Markey. And again, I think that, while I agree with 
you on all these social media sites in terms of the protections 
which should be there, the ISP has a special relationship, it's 
the only way you can get online. You don't have a choice. You 
know? If you want to reach 1 million websites, you've got to go 
through one company, and so that's a special relationship. 
They're gathering everything. And so that's separate from an 
individual decision which a consumer is making to go to that 
social website or that one or that one. And so I just think 
there is a distinction that exists because they control the 
conduit. The content-conduit divide is quite profound, and 
that's why this industry, this conduit industry, which is the 
ISPs, but it was the telephone company as we were growing up, 
was always under this special regime because everyone had to go 
through the same company.
    The Chairman. So, Mr. Leibowitz, is there any reason to 
think that consumers under the FCC proposal, having been given 
some greater control about how broadband providers use their 
information, may feel a false sense of security that other 
online entities are also going to be respecting those ISP-
related control decisions?
    Mr. Leibowitz. Well, I mean, they may feel a false sense of 
security, there may be consumer confusion. They may not 
understand why they can't get discounted products from their 
ISPs online without either an opt-in, or if it's for the 
broadband itself, why they can't get it at all while they can 
get it from everyone else in the Internet ecosystem. So, yes, I 
think that's a possibility.
    The Chairman. All right. Senator Blumenthal, do you have 
any more questions?
    Senator Blumenthal. I have just a couple of quick 
questions, Mr. Chairman.
    To ask a somewhat mundane question, I'm impressed--maybe I 
should direct this to both you, Mr. Leibowitz, and any other 
members of the panel who want to respond--that there is often 
overlapping and disparate responsibility for enforcement of 
privacy protections. The example that comes to mind is HIPAA. 
The Department of Health and Human Services enforces the Health 
Insurance Portability and Accountability Act, I'm saying it 
just so I can remember what it stands for, HIPAA----
    [Laughter.]
    Senator Blumenthal.--the privacy rules that operate under 
that statute and regulate the use and disclosure of protected 
health information. The FTC exercises a complementary 
jurisdiction over all the entities or individuals with access 
to the personal medical information not covered by HIPAA, and 
for many people, their introduction to HIPAA and to privacy 
concerns is when they want information about a loved one and 
find obstacles to obtaining it.
    So my question is whether this system can be rationalized. 
I know it sounds like mundane and somewhat nuts and bolts. 
Would you say that the broadband privacy rule is analogous to 
this issue?
    Mr. Leibowitz. Well, yes, Senator, I do think it is, or at 
least it was. So in the first Obama term, they came up with a 
Consumer Privacy Bill of Rights, and they wanted the FTC to be 
responsible for all privacy enforcement across the board, and 
they wanted it to focus on sensitive information. It's now--the 
answer is, yes, of course, it could be, but now with the FTC 
having invoked Title II, it has created, it has designated ISPs 
as common carriers, and so as common carriers, it can't 
forbear back to the FTC in this area.
    What it can do--and as you know, we need a cop on the beat 
because when the FTC's jurisdiction was taken away, there was 
no one left but the FCC. But what they can do, and it goes to 
your point about DPI and sensitive information, is they can 
make their rule sort of more rational and more reflective of 
the FTC's approach. And, by the way, they have authority over 
practices that are unjust and unreasonable, and that's not too 
far from the unfair and deceptive statute that you worked with 
when you were the Connecticut AG and that the FTC works with 
all the time.
    Mr. Ohm. So if I may, Chairman Leibowitz receives a lot of 
well-deserved praise for the work that the agency did in 
privacy. He made one horrible misstep while he was there, he 
hired me----
    Mr. Leibowitz. Not at all.
    Mr. Ohm.--to be a Senior Policy Advisor for privacy issues. 
I witnessed an agency that is operating at the top of its game, 
and it's developed a well-earned reputation for being one of 
the savviest privacy enforcers probably globally. At the same 
time, there is nothing that the FCC is trying to do here which 
is inconsistent with the FTC rules. There is no company that is 
going to be told X by the FCC and Y by the FTC. In fact, some 
companies will actually have engagement with both of the 
agencies in a way that's complementary, not contradictory. 
There's an MOU that the staff of the two agencies entered into 
that kind of reflects this.
    I think people have read far too much into this staff 
comment, which 99 percent of it was supportive and offered 
little tweaks, and there was one sentence in there which I 
totally concede was mildly critical of the FCC.
    And then the last thing I'll say, because I'm so glad you 
brought us back to the HIPAA analogy, one way to I think, I 
think, fairly characterize the way this debate has unfolded is 
to say we have this law, it protects health information, it 
obligates doctors and hospitals to respect it because we think 
they ought to respect it, but in today's online ecosystem, it 
turns out Fitbit knows a lot of health information about you. 
Is the argument, is the result, really that we should now say, 
you know what, there is no use regulating privacy of hospitals 
and doctors any longer, that we ought to lower the standard of 
privacy just because there are online actors who now have 
comparable sets of information? I don't think so. I think that 
would be an odd argument to try and make in the health context, 
and I think it's equally odd in the online context.
    Mr. Garfield. And the argument is not to lower, the 
argument is to respect and recognize the work that's been done 
from the agency that's well versed in this area.
    Mr. Leibowitz. Yes, and I would just add one thing. You 
have both probably read the FTC comment. You cited it, Chairman 
Thune, at the beginning of the hearing. All I would say is go 
back and read the FTC comment to the FCC. It uses the phrase, 
and it's diplomatic, as it should be, but it uses the phrase 
``not optimal,'' and I counted 28 separated instances where 
they're in disagreement or where they question a potential 
policy of the FCC. Don't take my word for it, don't take 
Professor Ohm's word for it, don't take the very smart--don't----
    [Laughter.]
    Mr. Leibowitz.--I mean, listen to us because I think 
collectively we have something to say, but go back and just 
listen to the FTC.
    The Chairman. I think it would be incredibly complicated to 
have to answer to multiple agencies on this issue, but you 
pointed out, Mr. Leibowitz, that the law clearly prohibits the 
FTC from regulating communications common carriers. Is there 
any clear limitation in law that prevents the FCC from 
regulating the privacy practices of so-called edge providers?
    Mr. Leibowitz. You would have to have a very expansive view 
of Section 706 to try to do that and----
    Mr. Garfield. You may get some arguments from us.
    [Laughter.]
    Mr. Leibowitz.--we would get some arguments from Mr. 
Garfield about that.
    Mr. Swire. Yes, I was going to say it may be challenged.
    Mr. Leibowitz. I don't want to say they couldn't do it, and 
I don't want to say this FCC couldn't do it. I think it would 
be a bad policy, and I don't--you know, and I think it would be 
just an extension of what we believe now is a flawed policy at 
the FCC, and you would extend it from a small group of 
collectors of information on the Internet to the vast and 
overwhelming majority. So I think we have agreement on that.
    Mr. Garfield. Yes, we do.
    The Chairman. All right. Well, with that, we'll wrap up. We 
thank you all very much for your insights and your input. And 
we'll keep the hearing record open for 2 weeks during which 
time Members are encouraged to ask or submit questions for the 
record, and upon receipt, we're asking witnesses if they would 
submit their answers to the Committee as soon as possible.
    Thank you all very much. This hearing is adjourned.
    [Whereupon, at 12:09 p.m., the hearing was adjourned.]

                            A P P E N D I X

     Response to Written Question Submitted by Hon. Deb Fischer to 
                                Paul Ohm
    Question. Professor Ohm, you have said that it is important to keep 
privacy protections in mind for rural Americans, because they may have 
access to only one broadband provider. Living on a ranch in Cherry 
County, Nebraska, I certainly understand the challenges facing rural 
America when it comes to broadband availability. That said, I am not 
clear how the number of broadband providers in a given area is related 
to the level of privacy protection that is needed. Are you suggesting 
that the providers that offer service to rural America should be 
subject to more stringent privacy protections than other providers? It 
seems like that would only hurt broadband deployment where we need it 
most.
    Answer. I did not mean to suggest that the privacy protections for 
providers should vary based on the amount of choice consumers have in a 
given region. I am sorry if I was not clearer about this. I think the 
limited choice that most American consumers have for broadband service 
strongly supports the need for special privacy rules for broadband 
providers, such as those proposed by the FCC. A consumer who is unhappy 
with the privacy practices of his or her broadband provider can often 
not switch to a more privacy-respecting competitor, because there often 
is no viable alternative on the market. This is especially a problem 
for the millions of Americans with only one choice for broadband, a 
population that includes many rural Americans and Americans living on 
tribal lands.
    The lack of choice in broadband service is only one justification 
for the FCC's privacy rules. My testimony supplies at least three 
others (history, visibility, and sensitivity). These reasons justify a 
privacy rule for all providers, large and small, urban and rural, and 
irrespective of whether consumers in a covered region have one 
provider, two providers, or more. I once again applaud the FCC for 
proposing a strong privacy rule, one that implements Congress's intent 
in Section 222 of the Communications Act.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Deb Fischer to 
                            Dean C. Garfield
    Question 1. Mr. Garfield, as you know, the number of mobile devices 
in this country is growing at an exponential rate. The Internet of 
Things has the potential to grow our economy and make our workforce 
more productive. As we talk about the Internet of Things, concerns are 
inevitably raised about how we can protect the privacy of the data that 
is sent from device to device. While these are important concerns, I 
also worry that overly restrictive privacy regulations will stifle 
development of the Internet of Things. Do you believe that is the case 
for the FCC's proposed regulations?
    Answer. I would like to begin by thanking you for your leadership 
on the Internet of Things and the DIGIT Act. That legislation 
recognizes the important and transformational impact the IoT will have 
in our communities, our economy, and society at large when we consider 
safety, health, and other applications we cannot yet fathom. We would 
agree that overly restrictive privacy regulations could, and likely 
will, prevent investment, innovation, and experimentation in the IoT.
    As you know given your significant work on IoT, in applications 
where data that identifies individuals is collected, the collection, 
use, sharing, and protection of such data are already subject to 
existing laws. For instance, IoT manufacturers fall within the 
jurisdiction of the Federal Trade Commission (FTC) and are thus subject 
to its unfair or deceptive acts or practices authority under Section 5 
of the Federal Trade Commission Act. Grounded in Fair Information 
Practices Principles (FIPPs), the FTC's approach to privacy helped 
enable the Internet to thrive and, as a consequence, ITI companies have 
been able to offer an expanding range of services and applications 
(including IoT applications), often times free or at a nominal expense 
to consumers. Depending on the data collected and the actors involved, 
other statutory authorities may also be applicable to IoT products or 
services. There are certain protections for health information under 
the Health Insurance Portability and Accountability Act (HIPAA) and the 
Health Information Technology for Economic and Clinical Health (HITECH) 
Act, while the Gramm-Leach-Bliley (GLB) Act and the FTC's Safeguards 
Rule govern the protection of information held by financial 
institutions.
    In addition to being overly prescriptive and not grounded in the 
FIPPs, which guide privacy frameworks around the globe, the FCC's 
proposed rule also subjects the same data to different requirements 
based on which sector collects the data. We believe this is a bad 
precedent and will limit not just IoT development but innovation by 
companies that may operate in multiple spaces such as broadband 
Internet access service providers who may also offer IoT products or 
applications, or online content or services.

    Question 2. Mr. Garfield, in your testimony you describe how the 
FTC and state attorneys general work together to create a meaningful 
system of enforcement and consumer protection. For example, state 
attorneys general typically enforce laws addressing ``unfair or 
deceptive acts or practices'' at the state level, while the FTC will do 
the same on the Federal level. Under the new privacy regime proposed by 
the FCC, what will be the role of state attorneys general? Will their 
authority be changed in any way?
    Answer. The NPRM specifically proposes to ``preempt state laws only 
to the extent they are inconsistent with any rules adopted by the 
Commission.'' \1\ If a state regulation or law conflicts with the 
Commission's final rule, the role of that state's Attorney General 
would be significantly diminished in that he or she would no longer be 
able to bring an enforcement action against broadband providers for 
violations of such existing state regulation or law until the state 
regulator or legislature acts to bring the rule or law into alignment 
with the FCC's rule. Further, states may continue to enforce or adopt 
new regulations or laws that are more restrictive than the FCC's rule 
so long as compliance with both the state regulation or law and the 
Federal regulation is feasible.
---------------------------------------------------------------------------
    \1\ Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services, WC Docket No. 16-106, Notice of Proposed 
Rulemaking, FCC 16-39,  276-77 (Apr. 1, 2016).
---------------------------------------------------------------------------
                                 ______
                                 
         Response to Written Question from Hon. Deb Fischer to 
                            Matthew M. Polka
    Question. Mr. Polka, in his written testimony, Professor Ohm said 
that it is important to keep privacy protections in mind for rural 
Americans, because they may have access to only one broadband provider. 
Living on a ranch in Cherry County, Nebraska, I certainly understand 
the challenges facing rural America when it comes to broadband 
availability. That said, I am not clear how the number of broadband 
providers in a given area is related to the level of privacy protection 
that is needed. It seems like putting more stringent requirements on 
rural providers would only hurt broadband deployment where we need it 
most. Do you have thoughts on this point?
    Answer. As a threshold matter, Professor Ohm is incorrect that 
rural consumers may have access to only one broadband provider. In 
virtually every community and in all but the most remote areas, 
consumers can access at least two wireline broadband providers, four 
wireless broadband providers, and two satellite broadband providers. In 
addition, as I discussed at the hearing, the question is not whether or 
not consumers get privacy protections. Of course, they do. The question 
is how to develop and implement robust privacy protections for customer 
proprietary network information consistent with other public interest 
objectives, including, as you state, enhancing broadband deployment. 
Broadband Internet access providers have been subject to the Federal 
Trade Commission's privacy regime for many years, and it has 
successfully protected consumers and proven workable for providers. 
Rather than create extensive new requirements from whole cloth, the 
Federal Communications Commission should use this model as the basis 
for its rules.
