[Congressional Record Volume 163, Number 54 (Tuesday, March 28, 2017)]
[House]
[Pages H2489-H2501]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




  PROVIDING FOR CONGRESSIONAL DISAPPROVAL OF A RULE SUBMITTED BY THE 
                   FEDERAL COMMUNICATIONS COMMISSION

  Mrs. BLACKBURN. Mr. Speaker, pursuant to House Resolution 230, I call 
up the joint resolution (S.J. Res. 34) providing for congressional 
disapproval under chapter 8 of title 5, United States Code, of the rule 
submitted by the Federal Communications Commission relating to 
``Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services'', and ask for its immediate consideration 
in the House.
  The Clerk read the title of the joint resolution.
  The SPEAKER pro tempore. Pursuant to House Resolution 230, the joint 
resolution is considered read.
  The text of the joint resolution is as follows:

                              S.J. Res. 34

       Resolved by the Senate and House of Representatives of the 
     United States of America in Congress assembled, That Congress 
     disapproves the rule submitted by the Federal Communications 
     Commission relating to ``Protecting the Privacy of Customers 
     of Broadband and Other Telecommunications Services'' (81 Fed. 
     Reg. 87274 (December 2, 2016)), and such rule shall have no 
     force or effect.

  The SPEAKER pro tempore. The joint resolution shall be debatable for 
1 hour equally divided and controlled by the chair and ranking minority 
member of the Committee on Energy and Commerce.
  The gentlewoman from Tennessee (Mrs. Blackburn) and the gentleman 
from Pennsylvania (Mr. Michael F. Doyle) each will control 30 minutes.


                             General Leave

  Mrs. BLACKBURN. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days to revise and extend their remarks and to 
include extraneous material on S.J. Res. 34.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from Tennessee?
  There was no objection.
  Mrs. BLACKBURN. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I do rise today in support of S.J. Res. 34, which 
disapproves of the rule submitted by the Federal Communications 
Commission relating to protecting the privacy of customers of broadband 
and other telecommunication services.
  I applaud Senator Flake's work on this issue, as S.J. Res. 34 was 
passed by the Senate last week. I also filed a companion resolution in 
the House.
  The FCC finalized its broadband privacy rules on October 27, 2016. At 
that time, they assured us that the rules would provide broadband 
customers meaningful choice, greater transparency, and stronger 
security protections for their personal information collected by 
internet service providers, but the reality is much different.
  There are three specific problems with which the FCC has gone about 
these rules. First, the FCC unilaterally swiped jurisdiction from the 
Federal Trade Commission. The FTC has served as our Nation's sole 
online privacy regulator for over 20 years.
  Second, having two privacy cops on the beat will create confusion 
within the internet ecosystem and will end up harming consumers.
  Third, the FCC already has authority to enforce privacy obligations 
of broadband service providers on a case-by-case basis. These broadband 
privacy rules are unnecessary and are just another example of Big 
Government overreach. The Competitive Enterprise Institute estimates 
that Federal regulations cost our economy $1.9 trillion in 2015.
  Since President Trump took office, Republicans have been working 
diligently to loosen the regulatory environment that is suffocating 
hardworking taxpayers.
  Here is what multiple House Democrats said in a letter to the FCC 
last May regarding the FCC's privacy rules:

       The rulemaking intends to go well beyond the traditional 
     framework that has guarded consumers from data practices of 
     internet service providers and ill-served consumers who seek 
     and expect consistency in how their personal data is 
     protected.

  Further, FTC Commissioner Joshua Wright testified before Congress 
that the FTC has unique experience in enforcing broadband service 
providers' obligations to protect the privacy and security of consumer 
data. He added that the rules will actually do less to protect 
consumers by depriving the FTC of its longstanding jurisdiction in the 
area. Once again, these rules hurt consumers.
  Incredibly, former FCC Chairman Tom Wheeler referred to the internet 
as the most powerful and pervasive network in the history of the planet 
before these rules were even created. I found this really odd because 
it implied that the FTC regulation had indeed been successful and ought 
to continue, ultimately undermining his own rationale for additional 
FCC privacy regulation.
  Now, there are a couple of myths that are going around that I want to 
take the time to dispel. Our friends claim there will be a gap for ISPs 
in the FCC privacy rules when they are overturned. This simply is 
false, and let me tell you why. The FCC already has the authority to 
enforce the privacy obligations of broadband service providers on a 
case-by-case basis.
  Pursuant to section 201 of the Communications Act, they can police 
practices of the ISPs that are unjust or unreasonable. Sections 202 and 
222 also protect consumers. It is already in statute. So I encourage my 
friends to read title II of the Communications Act. Also, the State 
attorneys general have the ability to go after companies for unfair and 
deceptive practices.
  Third, litigation is another avenue consumers can pursue against ISPs 
for mishandling personal data. Service providers have privacy policies. 
If they violate the policy, guess what? They can be sued. I know 
Democrats will certainly understand that, as they have many trial 
lawyer friends, and I urge them to speak to the trial bar.
  Fourth, the free market is another great equalizer. Can you imagine 
the embarrassment for an ISP that is caught unlawfully selling data? We 
have all seen the economic fallout from something such as a data 
breach. Companies have a financial incentive to handle your personal 
data properly because to do otherwise would significantly impair their 
financial standing.

[[Page H2490]]

  To my Democrat friends across the aisle, the bottom line is this: the 
only gap that exists is in these arguments that you have made.
  Consumer privacy is something we all want to protect, and consumer 
privacy will continue to be protected and will actually be enhanced by 
removing the uncertainty and confusion these rules will create, as the 
Democrats Rush, Schrader, and Green indicated in a letter to the FCC 
last May.
  I also want to speak, for just a moment, on the edge providers 
because there has been some question about who has visibility into your 
data. Clinton administration veteran privacy expert Peter Swire offered 
a report in February 2016 titled ``Online Privacy in ISPs.''
  ISP's access to consumer data is limited and often less than access 
to others. Swire found that ISPs have less visibility into consumer 
behavior online than search, social media, advertising, and big tech 
companies.
  Swire's study found that, as a result of advancing technologies, the 
rise of encryption, and the various ways and locations individuals 
access the internet, ISPs now have increasingly limited insight into 
our activities and information online.
  By contrast, however, so-called edge providers, like search engines, 
social media, advertising, shopping, and other services online, often 
have greater visibility into personal consumer data.
  Mr. Speaker, I reserve the balance of my time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I yield myself 
such time as I may consume.
  Mr. Speaker, I rise today in strong opposition to S.J. Res. 34.
  Today, colleagues, we are waist deep in the swamp. The American 
people did not ask for this resolution.
  In fact, no company will even put its name behind this effort. 
Instead, this resolution is the result of an explicit written request 
from Washington lobbyists. These lobbyists make the bogus claim that 
having actual protections will confuse consumers and the only way to 
help clear up this information is to have no rules at all.
  No consumer has come forward to support this position. No consumer 
has said this argument even makes sense.
  I challenge every Member of this body at your next townhall meeting 
to have a show of hands of how many people think it is a good idea to 
allow your internet service provider to sell their personal information 
without their permission.

                              {time}  1600

  Then after you get that show of hands, ask them how many of them 
would vote for you if you support allowing corporations to do that.
  This resolution is of the swamp and for the swamp and no one else. 
The rules of this resolution would overturn rules that are simple and 
make common sense. They don't require much, only three things:
  One, internet service providers should ask permission before selling 
your private internet browsing history, app usage, or other sensitive 
information;
  Two, once they have your information, internet service providers 
should take reasonable measures to protect it; and
  Finally, if the information gets stolen, the company should quickly 
let you know.
  That is it. That is all that is being asked of them.
  These modest rules don't stop internet service providers from using 
data for advertising and profiling or whatever else so long as they ask 
first.
  ISPs have an obligation under these rules not to dive into the 
personal lives of Americans unless that is what those Americans want. 
They just need to ask first.
  This is particularly true because broadband providers see literally 
everything you do online, every website you visit, every app, every 
device, every time. By analyzing your internet usage and browsing 
history, these companies will know more about you than members of your 
own family, more than you tell your doctor, more than you know about 
yourself. Without these rules, these companies don't have to ask before 
selling all of that information, and they don't have to take reasonable 
measures to protect that information when they collect it.
  Make no mistake about this, colleagues: Anyone who votes for this 
bill is telling your constituents that they no longer have the freedom 
to decide how to control their own information. You have given that 
freedom away to big corporations. More importantly, there aren't rules 
to fall back on if Congress scraps these.
  Critics of the rules argue that the Federal Trade Commission should 
oversee the privacy protection for broadband providers, but, under 
current law, they have no authority to do so, and the CRA won't do a 
thing to fix that. Under a Federal court of appeals case, the FTC has 
no authority over mobile broadband providers at all.
  And to those that say the FCC can evaluate complaints on a case-by-
case basis using its statutory authority, the current Chairman--your 
current Chairman--stated that section 222 cannot be used to protect 
personal information and that rules are necessary to enforce this 
statute.
  Mr. Speaker, I include for the Record a statement by the FCC 
Commissioner.

             Dissenting Statement of Commissioner Ajit Pai

     Re TerraCom, Inc. and YourTel America, Inc., Apparent 
         Liability for Forfeiture, File No. EB-TCD-13-00009175.

       A core principle of the American legal system is due 
     process. The government cannot sanction you for violating the 
     law unless it has told you what the law is.
       In the regulatory context, due process is protected, in 
     part, through the fair warning rule. Specifically, the D.C. 
     Circuit has stated that ``[i]n the absence of notice--for 
     example, where the regulation is not sufficiently clear to 
     warn a party about what is expected of it--an agency may not 
     deprive a party of property.'' Thus, an agency cannot at once 
     invent and enforce a legal obligation.
       Yet this is precisely what has happened here. In this case, 
     there is no pre-existing legal obligation to protect 
     personally identifiable information (also known as PII) or 
     notify customers of a PII data breach to enforce. The 
     Commission has never interpreted the Communications Act to 
     impose an enforceable duty on carriers to ``employ reasonable 
     data security practices to protect'' PII. The Commission has 
     never expounded a duty that carriers notify all consumers of 
     a data breach of PII. The Commission has never adopted rules 
     regarding the misappropriation, breach, or unlawful 
     disclosure of PII. The Commission never identifies in the 
     entire Notice of Apparent Liability a single rule that has 
     been violated.
       Nevertheless, the Commission asserts that these companies 
     violated novel legal interpretations and never-adopted rules. 
     And it seeks to impose a substantial financial penalty. In so 
     doing, the Commission runs afoul of the fair warning rule. I 
     cannot support such ``sentence first, verdict afterward'' 
     decision-making.
       To the extent that the circumstances giving rise to today's 
     item merited the Commission's attention, there was a better 
     (and lawful) path forward. We could have opened a notice-and-
     comment rulemaking. This process would have given the public 
     an opportunity to speak. And in turn, the agency would have 
     had a chance to formulate clear, well-considered rules--rules 
     we then could have enforced against anyone who violated them. 
     Instead, the Commission proposes a forfeiture today that, if 
     actually imposed, has little chance of surviving judicial 
     review.
       One more thing. The Commission asserts that the base 
     forfeiture for these violations is nine billion dollars--
     that's $9,000,000,000--which is by far the biggest in our 
     history. It strains credulity to think that Congress intended 
     such massive potential liability for ``telecommunications 
     carriers'' but not retailers or banks or insurance companies 
     or tech companies or cable operators or any of the myriad 
     other businesses that possess consumers' PII. Nor can I 
     understand how such liability can be squared with the 
     Enforcement Bureau's recent consent decrees with these 
     companies. Under those consent decrees, the companies paid 
     the Treasury $440,000 and $160,000 for flouting our actual 
     rules and draining the Universal Service Fund by seeking 
     Lifeline support multiple times for the same customer.
       Consumer protection is a critical component of the agency's 
     charge to promote the public interest. But any enforcement 
     action we take in that regard must comport with the law. For 
     the reasons stated above, I dissent.

  Mr. MICHAEL F. DOYLE of Pennsylvania. Without these protections, 
there will be no clear rules of the road. At a time when foreign actors 
like the Russians, the Chinese, and everyone else under the sun are 
constantly trying to steal our data and compromise our security, it 
would be irresponsible to roll back the only Federal safeguards we 
have. I want my colleagues to think long and hard before you give 
corporations the ability to sell your information without their 
permission.
  Mr. Speaker, I include several articles in the Record by Free Press 
and the Open Technology Institute opposing the CRA, an op-ed from a 
current

[[Page H2491]]

FTC Commissioner opposing this CRA, and a memorandum from engineers at 
EFF opposing this CRA.

                    [From Free Press, May 10, 2016]

   Pay-for-Privacy Schemes Put the Most Vulnerable Americans at Risk

                           (By Sandra Fulton)

       The FCC has opened a proceeding on the rules and policies 
     surrounding privacy rights for broadband service. One 
     industry practice called into question in that proceeding 
     could have a devastating impact on our most vulnerable 
     populations.
       Internet service providers charge broadband customers a ton 
     for Internet access. ISPs are increasingly finding new 
     revenue streams too, by taking part in the multibillion-
     dollar market that's evolved out of selling users' personal 
     information to online marketers. As the debate around privacy 
     has heated up, ISPs have tried to placate the public's 
     growing interest in privacy protections while maintaining 
     revenues they can get when they auction off their customers' 
     valuable personal information.
       One proposed solution that AT&T has largely ``pioneered''? 
     Have customers pay to preserve their privacy.
       The potential harms and discriminatory implications of this 
     practice are obvious. It could mean that only people with the 
     necessary financial means could protect their privacy and 
     prevent their ISPs from sharing their personal information 
     with predatory online marketers. The FCC rulemaking 
     proceeding seeks comments on whether to allow such 
     ``financial inducements'' for the surrender of private 
     information. If the agency decides not to ban such practices 
     outright, it wants to know how it should regulate them.
       As our lives have moved online, ISPs have gained access to 
     our most sensitive personal information. Advanced 
     technologies allow companies to track us invisibly, 
     collecting and selling data on nearly every detail of what we 
     do online.
       But ISPs don't just stop at knowing what we're doing. The 
     location tracking that's needed to provide mobile service to 
     our phones lets the ISPs know when and where we do it too. 
     And they can figure out the people and organizations we 
     associate with by looking at who we talk to and which 
     websites we visit.
       As ISPs track their customers, they create comprehensive 
     dossiers containing sensitive information on each person's 
     finances, health, age, race, religion and ethnicity. Their 
     reach is so pervasive that information like a visit to a 
     website discussing mental health, a search on how to collect 
     unemployment benefits, or a visit to a church or Planned 
     Parenthood office could be swept up into their databases.
       How do you feel about your ISP selling such a personal 
     glimpse into your life to online advertisers? Under a pay-
     for-privacy scheme, you wouldn't need to worry about it so 
     long as you could afford to shell out the hush money. But 
     those who aren't so fortunate would have to relinquish any 
     control over how their personal data is spread across the 
     Web.
       The FCC raised concerns about this dynamic when it launched 
     its rulemaking proceeding, noting that such pay-for-privacy 
     practices might disadvantage low-income people and members of 
     other vulnerable communities. But it didn't make any specific 
     recommendations or issue any proposals on how to regulate in 
     this space.
       Long before the FCC launched this inquiry at the end of 
     March 2016, and even before the agency had clarified its 
     authority to protect broadband users in the February 2015 
     Open Internet Order, AT&T's GigaPower broadband service had 
     become one of the first pay-for-privacy plans on the market. 
     The AT&T deal allows customers to opt out of some information 
     sharing if they pay an extra $29 a month or more.
       For a struggling family, that could mean choosing between 
     paying for privacy and paying for groceries or the public 
     transportation needed to get to work. And while AT&T might be 
     the first to launch this kind of service, an article in 
     Fortune notes that other companies are eager to roll out 
     similar plans.
       Under pay-for-privacy models, consumers who are unable to 
     pay the higher broadband cost will likely see their ISPs 
     share their data with shadowy online data brokers who use 
     this information to tailor marketing messages. While 
     unregulated and unaccountable data brokers are a threat to 
     everyone's privacy, they're notorious for targeting low-
     income communities, people of color and other vulnerable 
     demographics.
       One particularly damning report from the Senate Commerce 
     Committee offered this glimpse into how these brokers 
     categorize and label these target audiences:
       The Senate committee's report notes, for example, that the 
     ``Hard Times'' category includes people who are ``Older, 
     down-scale and ethnically diverse singles typically 
     concentrated in inner-city apartments.''
       It continues: ``This is the bottom of the socioeconomic 
     ladder, the poorest lifestyle segment in the nation. Hard 
     Times are older singles in poor city neighborhoods. Nearly 
     three-quarters of the adults are between the ages of 50 and 
     75; this is an underclass of the working poor and destitute 
     seniors without family support . . .''
       These classifications can influence not just what kinds of 
     ads people see, but the interest rates they're offered or the 
     insurance premiums they pay. These targeted communities are 
     precisely the ones who can't pay extra to shield their 
     personal information from these dangerous companies.
       There may be some argument that if big companies are going 
     to profit from our data anyway, it's actually good if their 
     customers get a share of that. The FCC's rulemaking proposal 
     notes that brickand-mortar stores and websites alike offer 
     all sorts of ``free'' services, discounts and perks in 
     exchange for the data they mine from their customers and 
     users.
       But the nature of the broadband market--where users have no 
     real options when it comes to choosing their providers, and 
     no way to opt out short of staying offline--makes the 
     tradeoffs here especially worthy of attention. If users could 
     get fair value for their data, and if they got a real 
     discount on broadband and not just a privacy penalty, and if 
     they were providing truly informed consent with full 
     knowledge of all the pernicious uses data brokers have for 
     their information, then maybe we could have a conversation 
     about the fairness of such schemes. But those are some very 
     big ifs.
       We need better transparency rules for marketers and easy-
     to-use disclosures and opt-in mechanisms before we get there. 
     We also need strong baseline privacy protections guaranteed 
     for all, including rules that prohibit ISPs from using 
     discriminatory schemes that jeopardize the rights of their 
     most vulnerable customers.
       We applaud the FCC for taking this crucial first step to 
     protect privacy from broadband ISPs' overreach and abuse. As 
     gatekeepers to the Internet, ISPs hold a wealth of 
     information about their customers, and the Communications Act 
     commands the FCC to establish strong safeguards for that 
     private info. But the FCC also must also remember that our 
     rights are not for sale--and that privacy is not a luxury for 
     the wealthy.
                                  ____


                             ISPs Know All


         you deserve more privacy from your broadband provider

                             (By Eric Null)

       As you read this post, your internet service provider is 
     collecting information about you: what you're reading right 
     now on Slate, what URL you go to next, what time of day it 
     is, and whether you're on your home computer or your mobile 
     device, among many other data points. Your ISP has similar 
     data about apps you've used, how much data you consume at any 
     given time of day, and your other daily internet habits and 
     rhythms. Of course, your ISP has other up-to-date personal 
     information as well--things like your name, address, 
     telephone number, credit card number, and likely your Social 
     Security number. In this way, ISPs have access to a uniquely 
     detailed, comprehensive, and accurate view of you and every 
     other subscriber. All of this at a time when consumer concern 
     over privacy is increasing and has actually caused people to 
     refrain from engaging in e-commerce and other activities 
     online.
       To make matters worse, you are essentially powerless to 
     limit the data your ISP collects about you. While you may, in 
     some instances, defend yourself against tracking by websites 
     and apps by disallowing cookies or turning on ``Do Not 
     Track'' in your browser settings, in many cases there is no 
     way to protect against ISP tracking except by avoiding the 
     internet altogether.
       While there are some tools that can help consumers protect 
     themselves, they are not prevalent. For example, ISPs cannot 
     see full website addresses when that site uses encryption--
     denoted by a small lock icon in your browser bar. However, 
     the website--not you--decides whether it will use encryption. 
     And while Netflix traffic is encrypted (so your ISP only 
     knows you're watching videos, not specifically which ones 
     you're watching), WebMD traffic is not (so your ISP likely 
     knows every page you've visited on WebMD), even though 
     medical symptoms are clearly much more personal than your 
     favorite TV program.
       Another example of ways consumers can purportedly protect 
     themselves is through virtual private networks, or VPNs, 
     which route web traffic through another network and therefore 
     effectively ``hide'' the traffic from the person's ISP. But 
     VPNs are difficult to use and configure. They often cost 
     extra money, slow down your browsing, and simply send your 
     data through some other access provider that may be 
     collecting data about you, too. These options are not 
     practical defenses for most consumers.
       Currently, there are no rules to prevent your ISP from 
     using these data for almost any purpose, including 
     categorizing you and serving you advertisements based on 
     those categories. Targeted ads may even be based on whether 
     you have (or the ISP has inferred you have) a certain disease 
     or what your income level is. Recently, Cable One was found 
     to be using predictive analytics to determine which of its 
     customers were ``hollow'' (that is, had low credit scores) 
     and then offering them low-quality customer service. Cable 
     One technicians, the company's CEO stated, aren't going to 
     ``spend 15 minutes setting up an iPhone app'' for someone 
     with a low credit score. Of course, making decisions based on 
     credit scores is going to disproportionately affect 
     communities of color and other vulnerable populations. 
     Additionally, the data ISPs collect, often compiled into a 
     ``profile,'' might be sold to third parties (like advertisers 
     or data brokers) and used and reused for purposes for which 
     they were not initially collected--in ways that often annoy 
     people, such as when personal information is used to send a 
     ``barrage of unwanted

[[Page H2492]]

     emails.'' And as the number of entities who hold your data 
     increases, so too does the chance those data will be 
     compromised by a leak or hack.
       So you may find yourself between a rock and a hard place: 
     Use the internet and give up your privacy, or forego internet 
     access entirely--something that's not exactly reasonable. But 
     there is good news. The Federal Communications Commission is 
     trying to make sure that you and all other ISP customers 
     don't have to confront this choice. In 2015, as part of 
     decision to uphold net neutrality, the FCC ruled that ISPs 
     are ``common carriers.'' (The U.S. Court of Appeals for the 
     District of Columbia Circuit recently upheld that ruling.) 
     Since then, the FCC has had a statutory obligation to protect 
     the data ISPs collect about their customers. To accomplish 
     that, the FCC recently proposed a new rule that would require 
     ISPs, in most cases, to seek opt-in consent from customers 
     before using data collected for purposes other than to 
     provide service, such as to deliver certain kinds of ads or 
     to sell to data brokers. That means that if the rule passes, 
     your ISP would have to notify you of any new intended use of 
     the data and give you the opportunity to say ``yes, that is 
     OK with me'' or ``no, that is not OK with me.'' Of key 
     importance in this rule is that if you said ``no,'' your ISP 
     couldn't just refuse to serve you--it would have to respect 
     your wishes and still provide you with service.
       The FCC's proposal should be enacted, because you should 
     not have to trade your privacy to access the internet. (New 
     America's Open Technology Institute, where I work, has been 
     actively engaged on this issue and has submitted comments in 
     the record. New America is a partner with Slate and Arizona 
     State University in Future Tense.) It should go without 
     saying, but it's important enough that I will say it anyway: 
     Internet access is imperative for personal and professional 
     success in today's digital world. Yet to gain access to the 
     most important tool of the 21st century, you have to allow 
     your ISP access to incredibly rich and private information 
     about what you do online. You should get to control what it 
     does with that data. Consumers deserve real choice when it 
     comes to protecting their data, and the opt-in regime 
     proposed by the FCC is a huge step in the right direction.
       Yet--perhaps unsurprisingly--ISPs and several House 
     committees have responded to the FCC's proposal as if the sky 
     is falling. They have mounted an all-out assault on the idea 
     that you should have the right to choose how ISPs use your 
     data. Their arguments range from the highly dubious (the 
     proposal exceeds the FCC's authority) to the downright silly 
     (consumers will be confused by having different privacy rules 
     for ISPs as compared with other companies, like search 
     engines and social networks). Chances are your ISP is telling 
     the FCC that you don't need protections against exploitation 
     of your data. (If you're interested, you can see exactly what 
     your ISP is saying--here are the responses from AT&T, 
     Comcast, CenturyLink, T-Mobile, Verizon, and Sprint; unnamed 
     ISPs may be represented by various trade associations like 
     the National Cable and Telecommunications Association and 
     CTIA for wireless.) However, as with the net neutrality 
     debate that led to this proposal, consumers may feel 
     differently.
       The FCC has proposed a very strong rule that will help 
     protect ISP customers from exploitative uses of their data. 
     This battle for consumer choice will be ongoing for many 
     months, but soon, you may finally be able to choose both 
     having internet access and protecting your privacy.
                                  ____



                               Electronic Frontier Foundation,

                                                San Francisco, CA.

Five Ways Americans' Cybersecurity Will Suffer If Congress Repeals the 
                           FCC Privacy Rules

       If the House votes to repeal the FCC's recent privacy 
     rules, Americans' cybersecurity will be put at risk. That's 
     because privacy and security are two sides of the same coin: 
     privacy is about controlling who has access to information 
     about you, and security is how you maintain that control. You 
     usually can't break one without breaking the other, and 
     that's especially true in this context. To show how, here are 
     five ways repealing the FCC's privacy rules will weaken 
     Americans' cybersecurity.
       1. Internet providers will record our browsing history, and 
     the systems they use to record that information (not to 
     mention the information itself) will become very tempting 
     targets for hackers. (Just imagine what would happen if a 
     foreign hacker thought she could blackmail a politician or a 
     celebrity based on their browsing history.)
       2. In order to record encrypted browsing history (i.e. 
     https websites), Internet providers will start deploying 
     systems that remove the encryption so they can inspect the 
     data. Although US-CERT (part of DHS) just put out an alert 
     saying that this is extremely dangerous for Americans' 
     cybersecurity, FCC Chairman Pai just decided not to enforce 
     rules that keep Internet providers from doing this.
       3. Internet providers will insert ads into our browsing, 
     but that could break the existing code on webpages. That 
     means security features might be broken, which could expose 
     Americans to a greater risk of attack.
       4. Internet providers will insert tracking tags into our 
     browsing--and that means every website will be able to track 
     you, not just your Internet provider, and there's nothing you 
     can do to stop them.
       5. Internet providers will pre-install software to record 
     information directly from our mobile phones (after all, it's 
     just one more source of information they can monetize). But 
     if the software that does that recording has bugs or 
     vulnerabilities, hackers could break into that software, and 
     then access everything the Internet provider could see. Do 
     you trust your Internet provider, which can't even keep an 
     appointment to fix your cable, to write completely bug-free 
     software?
       The net result is simple: repealing the FCC's privacy rules 
     won't just be a disaster for Americans' privacy. It will be a 
     disaster for America's cybersecurity, too.

  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I reserve the 
balance of my time.
  The SPEAKER pro tempore (Mr. Rogers of Kentucky). The gentleman is 
reminded to address his remarks to the Chair.
  Mrs. BLACKBURN. Mr. Speaker, I will remind my colleagues across the 
aisle that, again, section 222 of the Communications Act covers the 
authority that the FCC needs. Traditionally, online privacy has been 
handled by the FTC. That is an authority that we have designated to 
them.
  Mr. Speaker, I yield 5 minutes to the gentleman from Oregon (Mr. 
Walden), chairman of the Energy and Commerce Committee.
  Mr. WALDEN. Mr. Speaker, I thank my colleagues for their good work on 
this legislation.
  As we increasingly rely on technology in nearly every area of our 
lives, one of Congress' most important responsibilities is to strike 
the right balance between protecting consumers' privacy while also 
allowing for private sector innovation and the new jobs and economic 
growth that accompany it.
  The resolution before us today reverses overreaching, shortsighted, 
and misguided rules adopted by unelected bureaucrats at the Federal 
Communications Commission. These rules do little to enhance privacy, 
but clearly add a new layer of Federal red tape on innovators and job 
creators. This is exactly the type of government overreach that the 
Congressional Review Act was meant to stop.
  The Federal Communications Commission, frankly, overstepped its 
bounds on many issues during the Obama administration, including 
privacy regulations. After stripping the Federal Trade Commission of 
its authority over the privacy practices of internet service providers, 
ISPs, the FCC adopted shortsighted rules that only apply to one part of 
the internet. Despite the FTC's proven case-by-case approach to privacy 
enforcement that, frankly, has protected consumers, while 
simultaneously allowing ISPs to innovate, the FCC opted to abandon this 
model in favor of an approach that assumes the Federal Government knows 
best what consumers want.
  Simply put, the rules that the FCC applied to ISPs are illogical. The 
regulations would require companies to apply the same privacy 
protections to consumer data, regardless of its importance or 
sensitivity. It hardly makes sense to treat a local weather update and 
personal financial information the same way.
  In addition, the FCC's approach only protects consumer data as far as 
the internet service provider is involved. An entirely separate set of 
rules applies to providers of edge services. That means the giant 
search corporations, one of which controls up to 65 percent of your 
searches on the internet, don't live by the same set of privacy rules 
as your small town ISP.
  What America needs is one standard, across-the-internet ecosystem, 
and the Federal Trade Commission is the best place for that standard.
  The impact of these rigid regulations has the potential to stifle one 
of the most innovative sectors of our Nation's economy, and it is 
consumers who will suffer. These rules, which Congress will repeal, 
only lead to higher costs, less competition, and fewer service 
offerings. This approach is particularly burdensome for small 
businesses, which do not have hallways full of lawyers to navigate 
these tedious and unnecessary rules.
  The benefits of the FCC's privacy regulations are questionable, but 
the harms are certain, which is why I urge my colleagues to support 
this resolution. And once these rules are reversed, the FCC can turn 
back to working together with the FTC to ensure that our privacy 
framework allows the internet

[[Page H2493]]

to flourish while truly protecting consumers.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I would remind my 
friends that, under current law, the FTC has no authority to regulate 
ISPs and that it was your Commissioner, your current FCC Commissioner, 
that said that they can't do it under section 222 also, which I have 
submitted for the record.
  Mr. Speaker, I yield 4 minutes to the gentlewoman from California 
(Ms. Eshoo).
  Ms. ESHOO. Mr. Speaker, I thank my friend, Mr. Doyle, for both his 
leadership and for yielding time to me.
  America, listen up today. There may not be that many people on the 
floor of the House, but this is a big one. This is really a big one. 
Congress is poised today to betray the American people on one of the 
issues they care the most about: their privacy--their privacy. Every 
single one of us cares about it, and so do the American people. I often 
say that every American has it in their DNA: Keep your mitts off my 
privacy, what I consider to be private.
  Now, the consequences of passing this resolution are clear. Broadband 
providers like AT&T, Comcast, and others will be able to sell your 
personal information to the highest bidder without your permission, and 
no one will be able to protect you, not even the Federal Trade 
Commission that our friends on the other side of the aisle keep talking 
about. It is like open the door and there is no one there. That is what 
this thing creates.
  The Republicans are blowing a gaping hole in Federal privacy 
protections by barring the FCC from ever adopting similar protections 
in the future. So, if it is gone today, it is gone, period.
  The FCC rules are simple. They require broadband providers to get the 
permission of their customers--including all of us--before they can 
sell their web browsing history, their location information, and other 
sensitive data to third parties.
  The majority claims that we need to repeal these protections because 
they treat broadband providers differently than other online service 
providers, edge providers. Broadband providers are in the unique 
position of seeing everything we do on the internet. This is the 
reason, and it is reason enough, to put privacy protections in place; 
but it is also important to keep in mind that consumers, all of us, pay 
a high monthly fee to broadband providers, and they face serious 
barriers if they want to switch. If I want to switch, if you want to 
switch, you have to, many times, pay early termination fees.

  This is completely different from other online services that collect 
consumer data. Consumers don't pay to use search engines or social 
media applications like Google and Facebook. If they don't like 
Google's privacy policy, they can switch over to Bing without paying 
any fees. But consumers can't do this with broadband providers, and 
therein lies the difference.
  Last week, we heard the Republicans bemoan the lack of choice in the 
healthcare market. They should take a closer look at the state of the 
broadband market, particularly in rural America, where only 13 percent 
of consumers have access to more than one high-speed broadband 
provider.
  So the majority is telling Americans today, particularly those in 
rural areas, that they need to choose between their privacy and their 
access to the internet. If this resolution passes, people across the 
country will certainly not have both.
  This resolution is--excuse the phrase--repeal without replace. The 
Republicans have not put forward any privacy proposal at all to replace 
the FCC's rules, despite knowing that repealing these rules will leave 
a gap in the Federal protections.
  So the message to the American people is clear: Your privacy doesn't 
matter, and your web browsing history should be available to anyone who 
will pay the highest price for it.
  For all these reasons, I urge my colleagues to stand up for privacy 
rights and oppose this joint resolution.
  Mrs. BLACKBURN. Mr. Speaker, I yield the balance of my time to the 
gentleman from Texas (Mr. Flores), and I ask unanimous consent that he 
may control that time.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from Tennessee?
  There was no objection.
  Mr. FLORES. Mr. Speaker, I yield myself such time as I may consume, 
and I thank the gentlewoman for yielding the balance of her time to me.
  Mr. Speaker, as an original cosponsor of the House companion to S.J. 
Res. 34, I rise to strongly urge my colleagues to support the 
resolution before us today. Like all of my colleagues in the House, I 
care deeply about protecting the privacy of our constituents, but I 
cannot support the Federal Communications Commission's 
counterproductive rules that will actually harm consumers and stifle 
innovation.
  For 20 years, the Federal Trade Commission--or the FTC, as we call 
it, frequently--oversaw consumer privacy for the entire internet 
ecosystem: content providers, advertisers, and internet service 
providers, or ISPs. The FTC's privacy program focused on preserving 
sensitive consumer data and took the context of a consumer's 
relationship with businesses into consideration. The FTC's experience 
in implementing a wide range of rules and regulations has resulted in 
over 500 cases protecting consumer information, ensuring their privacy 
online.
  In a flawed political move, absent any finding, complaints, or 
investigations to determine whether broadband providers have violated 
consumers' privacy or that the FTC had failed at doing its job, the FCC 
proceeded with a partisan vote to target ISPs and to expand its 
regulatory footprint.
  After stripping the FTC of its authority over the privacy practices 
of internet service providers, the FCC subsequently adopted rules that 
would harm consumers and split the internet, creating an uneven playing 
field between service providers and content providers. Congress must 
fix this overreach so the new administration can create a 
comprehensive, consistent set of privacy protections.

                              {time}  1615

  Consumers expect their privacy to be protected the same way no matter 
what type of entity holds their data. Having two sets of requirements 
creates confusion for consumers and may jeopardize their confidence in 
the internet.
  Our internet economy has thrived under the privacy regime created by 
the FTC. Yet the FCC, under its previous Chairman, Tom Wheeler, wanted 
to undermine that success by bifurcating privacy protections to serve 
outside political interests, not the American consumer.
  By contrast, the FCC's approach did not base its requirements on 
consumers' preferences about sensitive information and to set opt-in 
and opt-out defaults. Accordingly, its overall approach was top-down, 
heavyhanded regulation in stark contrast to the FTC's greater reliance 
on markets and consumer preferences.
  The FCC's rule has a number of problematic issues:
  The first is that the opt-in/opt-out regime reduces consumer choice 
and would be detrimental to the survival of many businesses in this 
country.
  The second is that the FCC would have prohibited unforeseeable future 
uses of collected data regardless of what consumers actually preferred 
and businesses may need.
  Third, the FCC would also have unjustly applied its heavyhanded 
approach to broadband providers, treating them more harshly than other 
players in the internet ecosystem.
  In sum, the FCC's broadband privacy protection approach would have 
rejected free markets and ignored sound economics.
  Alternatively, the FTC private enforcement is market oriented and 
flexible and adaptable to changes in consumer preferences and markets. 
It also treats companies and players neutrally, fostering an 
environment of competition and innovation.
  This resolution rescinds the FCC's rule, but it does provide the FCC 
the opportunity to provide oversight more in line with the FTC, which 
has been successfully regulating online privacy for nearly two decades.
  This joint resolution does not lessen or impede privacy and data 
security standards that have already been established. We are simply 
restoring a more stable regulatory playing field to ensure that 
consistent, uniform privacy security standards are maintained to 
protect consumers and future innovation.
  Once Congress rejects these rules, the FCC can turn back to 
cooperating with

[[Page H2494]]

the FTC to ensure that both consumer privacy across all aspects of the 
internet is provided through vigorous enforcement and also that 
innovation is allowed to flourish.
  I urge my colleagues to support this resolution.
  Mr. Speaker, I reserve the balance of my time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I would just 
remind my colleague, once again, that the FTC has no authority to 
regulate ISPs once this bill is implemented; and consumers will not be 
protected, and their current FCC Commissioner has stated that.
  Mr. Speaker, I yield 1\1/2\ minutes to the gentlewoman from Colorado 
(Ms. DeGette).
  Ms. DeGETTE. Mr. Speaker, I oppose this resolution because it would 
remove consumers' right to control their online privacy and put it in 
the hands of corporations.
  Every time people go online, they create trails of data that have 
tremendous commercial value. This creates incentive for the ISPs to 
sell web history to a third party, be it an advocacy group, a for-
profit company, or even a foreign government.
  Late last year, the FCC put Americans in charge of how ISPs use and 
share their consumer data. The FCC's rule also required that the ISPs 
engage in reasonable data security practices.
  Even if people believe that the FCC's rule went too far and should be 
modified, it is unclear how the FCC could move forward with such a plan 
given the constraints of the Congressional Review Act. Furthermore, as 
several people have mentioned, the FCC, which is charged with 
protecting consumers' privacy, does not even have the authority to 
oversee ISP practices.
  Given the number of data breaches in recent years at companies such 
as Yahoo, we should, frankly, be strengthening data retention 
requirements, not weakening them. At its core, S.J. Res. 34 weakens 
consumer protections today and makes them harder to implement in the 
future, which is why I urge my colleagues to oppose it.
  Mr. FLORES. Mr. Speaker, I yield 2 minutes to the gentleman from Ohio 
(Mr. Johnson).
  Mr. JOHNSON of Ohio. Mr. Speaker, when the FCC reclassified the 
internet as a common carrier, utility-style service and adopted their 
rules regulating the use of consumer data by internet service 
providers, it represented a monumental shift in the way we view 
privacy.
  Instead of a uniform, technology-neutral standard that balanced data 
protection with consumer choice, internet users were stuck with a two-
sided approach that causes confusion and dampens competition. There is 
one set of rules for service providers, and one set for the rest of the 
internet ecosystem. But how often do consumers really recognize the 
difference between where their data is accessed and where it is stored?
  Ultimately, consumers are actually harmed by the artificial sense of 
protection created by these rules. It is essential that we take steps 
to restore the time-tested framework embraced by the Federal Trade 
Commission.
  We have talked a lot about protecting consumer privacy and data, but 
I haven't heard a lot about allowing the consumer to decide how their 
information is used. Consumers deserve to have the autonomy to control 
their information and their internet experience.
  As Acting Chairman of the FTC Maureen Ohlhausen pointed out:

       The FTC approach reflects the fact that consumer privacy 
     preferences differ greatly depending on the type of data and 
     its use.

  There is widespread agreement that sensitive data, like financial or 
health information, should be strongly protected and opt-in 
appropriate. But what about other types of nonsensitive data? Let's not 
forget the ways that consumers benefit from allowing ISPs access to 
that kind of information.

  Consumers should retain the ability to make the decisions that make 
sense for them when it comes to how their nonsensitive data is used and 
obtain the discounts or lower prices that can result. This vote isn't 
about reducing the level of privacy protection for consumers; it is 
about an FCC decision that ignored the preferences of consumers in 
favor of a regulatory power grab.
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. FLORES. Mr. Speaker, I yield an additional 15 seconds to the 
gentleman.
  Mr. JOHNSON of Ohio. The FCC's privacy rules are an overreaching 
regulatory mess that create confusion and inconsistency for consumers, 
harm competition, and upend internet privacy as we know it.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, might I inquire as 
to how much time remains on both sides?
  The SPEAKER pro tempore. The gentleman from Pennsylvania has 19 
minutes remaining. The gentleman from Texas has 11\3/4\ minutes 
remaining.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I would remind my 
colleagues that, whether it is nonsensitive information or sensitive 
information, the ISP should ask for your permission to use it.
  Mr. Speaker, I yield 5 minutes to the gentleman from New Jersey (Mr. 
Pallone), the ranking member of the Energy and Commerce Committee.
  Mr. PALLONE. Mr. Speaker, nearly every day now, we hear about new 
ways our enemies are trying to steal Americans' information. Just a 
couple weeks ago, two Russian hackers were indicted for stealing 
personal information from millions of us.
  American consumers visit billions of internet destinations through a 
multitude of devices. Broadband providers potentially have access to 
every bit of data that flows from a consumer. The American people are 
rightfully concerned about companies selling their personal 
information, including sensitive information like their location, 
financial and health information, Social Security numbers, and 
information about their children.
  Late last year, the FCC took steps to protect every American 
citizen's data and privacy, and the rules were simple: first, broadband 
providers had to ask their customers before selling any data; second, 
the companies had to take reasonable measures to protect that data; and 
third, the companies had to let people know if their data was stolen.
  That was a good first step, Mr. Speaker. But Congress also has a role 
in protecting our data, and we should be working in a bipartisan 
fashion to discuss ways we can better protect the American people's 
data. Instead, the Republicans have decided to spend this time wiping 
out the few privacy safeguards that we already have.
  The FCC's cybersecurity rules are, in my opinion, not burdensome. 
They simply tell the network providers to be reasonable when protecting 
the data. That is all. The FCC left it to the companies, themselves, to 
use their best judgment about how to get the job done. They just needed 
to be reasonable.
  It seems being reasonable is still too much for the Republicans--
first in the Senate, and now here in the House. This resolution tells 
the companies charged with running the country's broadband networks 
that they no longer have to be reasonable when it comes to their 
customers' data.
  So I say, Mr. Speaker, make no mistake: This resolution is a gift to 
countries like Russia who want to take our citizens' personal 
information. And if the House passes this resolution, it will go 
straight to the President's desk, a President who will be more than 
happy to sign his name to this gift to the Russians.
  This resolution also gives large corporations free rein to take 
customers' data without anyone's permission. This debate is about 
whether Americans have the freedom to decide on our privacy.
  We hear all kinds of complicated arguments about jurisdiction, 
implementation dates, and who knows what else, but these arguments just 
muddy the water.
  Republicans will say that the FCC's rules are confusing to consumers, 
people won't know what to do if they are asked first before broadband 
companies sell their sensitive information. If that were the case, we 
would have heard from people who oppose the rules, but we simply have 
not heard any of those concerns. The facts speak for themselves. 
Consumers want more privacy protection, not less.
  Seventy-four percent of Americans say it is very important that they 
be in control of information, and 91 percent of people feel they have 
lost control

[[Page H2495]]

over their own information. There are real consequences to these 
feelings. Nearly half of Americans say they limit their online activity 
because they are worried about their privacy and security. That is why 
they overwhelmingly support stronger protections.
  The FCC listened to the American people and adopted reasonable rules. 
Despite Republican claims to the contrary, the rules were not hard to 
follow. The rules still allow broadband companies to offer services 
based on their customers' data, and they can still customize ads or 
send reminders.
  The FCC's rules simply required companies to ask people first before 
selling their sensitive information. That is it. In fact, I had hoped 
the FCC would have gone even further, but the agency chose this more 
moderate approach.
  So as this debate proceeds, we should be asking one simple question: 
Should the American people have the freedom to choose how their 
information is used or should the government give that freedom away?
  I think the answer is clear. I stand with the American people, and, 
therefore, I strongly oppose this legislation.
  Mr. FLORES. Mr. Speaker, I yield 3 minutes to the gentleman from Ohio 
(Mr. Latta).
  Mr. LATTA. Mr. Speaker, I thank the gentleman for yielding.
  Mr. Speaker, I rise today in support of the resolution and want to 
address an issue created by the Federal Communication Commission's 
misguided privacy rule in a recent Ninth Circuit case.
  For decades, the Federal Trade Commission has been the privacy cop on 
the beat for most industries, including the technology sector, 
protecting consumers from unfair or deceptive acts or practices. The 
Federal Trade Commission has brought over 500 privacy and data security 
cases to protect consumers. These include cases against internet 
service providers and some of the largest edge providers.
  The Federal Communications Commission is a regulatory body focused on 
regulating interstate and international communications by radio, 
television, wire, satellite, and cable.
  The Federal Trade Commission's work in privacy and data security has 
long been held up as a model by both parties, praising the agency for 
strong enforcement without overly burdensome regulations. During 
negotiations with the European Union to finalize the U.S.-European 
privacy shield, the Obama administration held up the Federal Trade 
Commission as the premier privacy enforcement agency.
  Unfortunately, in a midnight action, the Federal Communications 
Commission jammed through its own privacy rule that is very different 
from the framework that the Federal Trade Commission has been enforcing 
for decades.
  While we can reverse the poorly constructed FCC rule today, we must 
still address a recent court ruling. The Ninth Circuit recently ruled 
that the common carrier exemption in the Federal Trade Commission Act 
exempts an entity in its entirety from the Federal Trade Commission's 
jurisdiction if it engages in any common carrier activities, even if 
the company also engages in non-common carrier activity.
  I have introduced legislation to address the court's ruling with the 
gentleman from Texas (Mr. Olson). It is my hope that our colleagues 
will join us.
  S.J. Res. 34 makes clear that the Federal Trade Commission has 
authority over common carriers when they are acting outside the scope 
of the common carrier.
  The repeal of the Federal Communications Commission's misguided 
privacy rule in the Ninth Circuit's opinion creates a gap and an 
irrational approach to privacy for consumers and would leave portions 
of the internet ecosystem completely outside the Federal Trade 
Commission's jurisdiction. This bill makes clear that the common 
carrier exemption is important to ensure that no duplication regulation 
occurs. At the same time, there are no loopholes left for certain 
companies to be outside the jurisdiction of the Federal Trade 
Commission.

                              {time}  1630

  We need to be consistent in our approach to privacy and focus on 
consumer-oriented enforcement. This approach has been the foundation 
not just of Silicon Valley, but innovators across the country; and the 
S.J. Res. 34 sets right the decades of innovation that has spurred job 
growth in the United States and greater online services for consumers.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I remind my 
friend, since he acknowledges the court decision does not allow FTC 
jurisdiction and that he wants to introduce a bill, perhaps the 
Republicans should have done that first, before scrapping the rules 
that leave ISPs with no rules.
  Mr. Speaker, I yield 2 minutes to the gentlewoman from California 
(Ms. Matsui).
  Ms. MATSUI. Mr. Speaker, I rise in strong opposition to S.J. Res. 34. 
This is just the latest attempt from our Republican colleagues to use 
the Congressional Review Act to gut critical protections for American 
consumers.
  The internet is increasingly intertwined with our daily lives, and 
nearly every American family uses the internet to access and share 
personal and sensitive information. The business we conduct online 
includes financial information, details about our medical history, and 
even information on our kids.
  If this resolution of disapproval passes today, there will be no 
rules on the books to stop internet service providers from selling that 
browsing history without your permission. Because our Republican 
colleagues are using the Congressional Review Act to overturn these 
critical consumer protections, the FCC can't go back and write new 
rules in the future.
  Despite what my colleagues on the other side of the aisle have said, 
the Federal Trade Commission cannot bring cases against broadband 
providers. That is why the FTC supported these rules when the FCC 
adopted them last year.
  Even if you think the FCC did not get these rules right, this 
resolution effectively eliminates the FCC from ever acting to protect 
consumer privacy in the future. We should be working together to 
address any real shortcomings if these rules need to be fixed. That is 
not what the resolution before us will do.
  Mr. Speaker, I urge my colleagues to vote against this damaging 
resolution.
  Mr. FLORES. Mr. Speaker, I yield 2 minutes to the gentleman from New 
Jersey (Mr. Lance).
  Mr. LANCE. Mr. Speaker, I rise to support S.J. Res. 34, which seeks 
to halt agency overreach of the Federal Communications Commission 
concerning the way broadband internet service providers handle their 
customers' personal information.
  The FCC's broadband privacy rule, a midnight regulation adopted by 
executive order in the waning days of the Obama administration, 
unnecessarily targets internet service providers and does very little 
to protect consumer privacy.
  The rule adds costly and unnecessary innovation-stifling regulations 
to the internet and is another example of the Federal Government's 
picking winners and losers.
  When passed, the FCC claimed that the rule would provide broadband 
customers meaningful choice, greater transparency, and strong security 
protections for their personal information collected by internet 
service providers.
  In reality, the FCC's rules arbitrarily treat ISPs differently from 
the rest of the internet, creating a false sense of privacy.
  Consumer data privacy is of significant concern to every American. 
The proper parties should address the issue. In this area, the Federal 
Trade Commission has historically held authority on the establishment 
and enforcement of general online privacy rules.
  Repealing the FCC's privacy action is a critical step toward 
restoring a single, uniform set of privacy rules for the internet. This 
legislation puts all segments of the internet on equal footing and 
provides American consumers with a consistent set of privacy rules to 
permit the FCC and the FTC to continue to work to ensure consumer 
privacy through enforcement.
  The FTC, the premier agency in this regard, has the experience to 
protect the privacy of the American people regarding the internet--at 
least 20 years of experience. Bifurcation between the FTC and the FCC 
is not productive. A good question to ask the FTC: Why did it wait 
until the last minute of the

[[Page H2496]]

Obama administration to promulgate its regulation?
  Mr. Speaker, I believe it is important that we pass S.J. Res. 34, and 
I rise to ask all of my colleagues to support it.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I have heard about 
this last-minute dropping and late at night. Just for the other side's 
information, after a 7-month rulemaking process, this rule was adopted 
midday on October 26. So let's get the record straight.
  Mr. Speaker, I yield 3 minutes to the gentleman from California (Mr. 
McNerney).
  Mr. McNERNEY. Mr. Speaker, first, I thank Mr. Doyle for his 
opposition to S.J. Res. 34. I rise in opposition as well.
  The FCC's broadband privacy rules are commonsense rules. These rules 
give consumers the ability to choose how their information is used and 
shared by their internet service providers.
  According to the Pew Research Center, a large majority of Americans 
say it is very important that they control who has access to their 
information. Despite a loud cry from the American people that they want 
to be able to choose how their information is used, S.J. Res. 34 strips 
consumers of the power to choose how their ISPs use and share their 
information.
  This resolution also leaves consumers more vulnerable to attacks 
because their ISP will no longer be required to make reasonable steps 
to secure their personal information.
  In recent years, we have seen numerous data breach incidents that 
have jeopardized consumers' personal information. Some examples are 
Yahoo, Target, Home Depot, LinkedIn, and Anthem. The list goes on.

  Given the growing cyber threats that our Nation faces, it is critical 
that we do more, not less, to secure consumers' data. Strong data 
security practices are critical for protecting our consumers' 
confidentiality.
  This resolution would make consumers' data more susceptible to being 
stolen and used for identity theft and other harmful unauthorized 
purposes.
  Consumers want to be heard. They want more privacy. They want their 
information to be secure. We have an obligation to respond to their 
requests.
  I am appalled that one of the Republicans' first acts in this 
Congress after trying to take health coverage away from 24 million 
people is to attack consumer protections and weaken data security. 
Americans are just now hearing about this legislation, and my phones 
are ringing off the hook in opposition.
  I have to rhetorically ask the other side: Why are you pushing this?
  Americans don't want it. Your voters are beginning to pay attention. 
This is just after your humiliating defeat with the ACA repeal. I ask 
that you withdraw this bill and start listening to your constituents.
  Mr. Speaker, I urge my colleagues to reject S.J. Res. 34.
  Mr. FLORES. Mr. Speaker, I yield 2 minutes to the gentleman from 
Louisiana (Mr. Scalise), the GOP whip.
  Mr. SCALISE. Mr. Speaker, I thank the gentleman from Texas for 
bringing forward this legislation.
  The FTC's light touch in case-by-case enforcement had fostered an 
internet economy that has become the envy of the world, much to the 
benefit of all American families and consumers across this country.
  But rather than following the FTC's proven framework of privacy 
protection, the FCC came in and overreached and missed the mark with 
these rules, injecting more regulation into the internet ecosystem. 
With all due respect, the internet was not broken and did not need the 
Federal Government to come in and try to fix it.
  The bottom line is that families expect and deserve to be protected 
online with a set of robust and uniform privacy protections. These 
rules simply do not live up to that standard.
  Rather than regulating based on the sensitivity of our data, these 
rules are applied unevenly, based on what type of company you are or 
what kind of technology you use.
  Consumers should feel assured online that there is a cop on the beat 
with a track record of success, not an agency with a history of 
regulatory overreach. These midnight rules are harmful, inconsistent, 
and should be repealed.
  Mr. Speaker, I urge my colleagues to adopt this important resolution.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, may I inquire how 
much time is remaining on both sides?
  The SPEAKER pro tempore. The gentleman from Pennsylvania has 10\3/4\ 
minutes remaining. The gentleman from Texas has 5 minutes remaining.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I remind the 
gentleman that these heavy-handed regulations that he speaks of are 
simply: ask permission, protect people's data, and tell them if it gets 
stolen.
  That doesn't sound too heavy-handed to me.
  Mr. Speaker, I yield 2 minutes to the gentleman from New York (Mr. 
Tonko).
  Mr. TONKO. Mr. Speaker, I rise today in opposition to S.J. Res. 34, a 
bill that would strike most of the internet privacy guarantees 
protecting the American people today.
  I have grave concerns with this effort. Our agenda here should be 
working on behalf of our constituents to protect their privacy and give 
them, not their service providers, data security. Instead, this effort 
would eviscerate any real online privacy protections and would limit 
data security.
  Some of my colleagues have claimed that this commonsense rule has 
created challenges for consumers. I have found just the opposite. My 
office has been inundated with calls demanding that Congress protect 
their privacy and data security by opposing S.J. Res. 34. To everyone 
who has called, I hear you and I stand with you in opposing this 
harmful and misguided effort.
  Back at home in New York's capital region, I have been hearing from 
many people who are frightened by the thought that S.J. Res. 34 will 
become law and the last shred of their online privacy will be lost 
forever.
  They know how much information their internet service provider has 
mined from their search and browsing history, including financial, 
medical, and other very personal and sensitive details. They rightly 
believe that they should have a say in when that information can be 
bought and when it can be sold.
  They understand that gutting these privacy protections would mean 
that internet service providers could sell their private information 
without their permission. It means their private internet browsing and 
search history, the text of their emails, and their mobile app usage 
can all be sold without their permission.
  They have a right to control what they search for, their financial 
information, their health insurance, and information about their 
children. They have a right to protect their Social Security numbers 
and the contents of their emails. These rights are enshrined in our 
Constitution.
  Privacy rules also require providers to use reasonable measures to 
protect consumers' personal information, a clear and commonsense 
standard that all who do business online should be required to uphold.
  Finally, internet service providers must notify customers if hackers 
breach the system and may have access to their private data. With 
hackers from Russia and elsewhere running rampant across the net, this 
is a critical provision for our American families.
  This is not too much to ask. The American people deserve to know that 
their data will be protected and that they will be notified if their 
data is compromised.

  Mr. FLORES. Mr. Speaker, I yield 1\1/2\ minutes to the gentleman from 
Texas (Mr. Olson).
  Mr. OLSON. Mr. Speaker, I rise today in support of S.J. Res. 34, 
which will protect consumers and the future of internet innovation.
  The internet is changing the way we communicate, shop, learn, and 
entertain. It is changing how we control our homes, our cars, and many 
other parts of our lives, including my two teenage kids. These changes 
give us certain expectations of privacy on the internet.
  Until last year, the Federal Trade Commission provided a robust, 
consistent privacy framework for all companies in the internet services 
market. Their holistic and consistent approach struck the right 
balance. Consumers' use of internet services continues to increase and 
their privacy has been protected.
  The resolution we are voting on today puts all segments of the 
internet on equal footing. It provides consumers with a consistent set 
of privacy rules.

[[Page H2497]]

  Mr. Speaker, I urge my colleagues to vote for S.J. Res. 34.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I remind my 
friends once again that this does not put us on equal footing. The FTC 
has no power to regulate ISPs under current law.
  Mr. Speaker, I yield 3 minutes to the gentleman from Massachusetts 
(Mr. Capuano).

                              {time}  1645

  Mr. CAPUANO. Mr. Speaker, we all know that our cell phones are 
tracking every move we make and keeping a record of it. Many people 
don't know, but your automobile is also doing the same thing. They keep 
a record of where you go. They keep a record of whether you wore your 
seatbelt. They keep a record of whether you applied the brakes or 
turned the turn signal on. Okay. That is your automobile. You don't 
have to drive.
  Just recently, in the last couple months, we have learned that our 
televisions and children's dolls are doing the same thing. Last month, 
it was revealed that Vizio had spied on 11 million consumers by 
listening to them while their TV was off because they can do it.
  Also, last month, a child's doll called My Friend Cayla for little 
girls or boys was banned in Germany--banned in Germany--because that 
doll listens and responds. It goes into the internet, and the doll's 
owner keeps and sells that information.
  This month--this month--a teddy bear manufactured by a company called 
CloudPets was exposed for collecting more than 2 million voice 
recordings of children talking to their teddy bear.
  Now, maybe we accept that. I know that those are not the items that 
this resolution would address, but the problem is you are taking an 
item for ISPs and reducing it down to this level. You say your privacy 
is protected. I just gave you three examples in the last 2 months where 
your privacy is not protected. Neither is your children's. Neither is 
your family's.
  In 2012, a giant international company--international ISP company, by 
the way--filed for a U.S. patent for a cable box that would sit in your 
house. It would watch you. It would record you. It contained an 
infrared sensor and even take your body temperature with a 
thermographic--and that is a quote--thermographic camera. It would do 
all this without telling you and would work whether the cable box was 
on or not. If you don't believe me, if you still have the courage to go 
on the internet, go find patent application number--now, write this one 
down--2012/0304206. That is the patent application number. It is still 
online.
  I want to read you one small segment from that 25-page patent 
application. This is a direct quote. I am not making up a single word. 
The device ``may detect . . . that two users are cuddling on a couch 
during the presentation of the television program and prior to an 
advertisement break. Based on the detected . . . action . . . the 
device would select a commercial associated with cuddling.''
  The SPEAKER pro tempore. The time of the gentleman has expired.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I yield an 
additional 30 seconds to the gentleman from Massachusetts.
  Mr. CAPUANO. For example: ``a commercial for a romantic getaway 
vacation, a commercial for a contraceptive, a commercial for flowers . 
. . et cetera.''
  I didn't make up a single word of what I just read, and every one of 
you is sitting there with your mouth open that this might happen in 
your world. That is what this resolution will allow, and you can't turn 
it off. You can't say: Don't watch my children. Don't watch my wife.
  This is a terrible resolution. As I asked earlier today, what are you 
thinking?
  Mr. FLORES. Mr. Speaker, we are thinking that the gentleman's 
comments do not pertain to this resolution, that this resolution in no 
way is going to allow any of the activities that were described, 
whether it is cuddling or anything that is going to get in the way of 
any of that or allowed to be sold.
  Mr. Speaker, I yield 2 minutes to the gentleman from New York (Mr. 
Collins).
  Mr. COLLINS of New York. Mr. Speaker, I would like to thank the 
people who worked to make this legislation a reality. As we become 
increasingly concerned with cyber threats, online privacy is a critical 
concern for every American.
  Unfortunately, in October of last year, the FCC issued regulations 
titled, ``Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services,'' also known as broadband privacy rules. 
These titles do not actually accurately reflect the impact these 
regulations are having on constituents' electronic privacy.
  These broadband privacy rules took internet service providers, ISPs, 
which you subscribe to for TV and internet access, and edge providers 
that deliver online applications, services, and website content, and 
separated them into two different groups. This has caused confusion 
among businesses trying to adhere to this change.
  While writing this regulation, the FCC had the opportunity to employ 
FTC precedent in drafting the broadband privacy rules, but instead 
chose to ignore existing precedent and create additional and onerous 
regulations. The FCC believed that these new rules would give consumers 
more choice and heightened transparency; however, this has not been the 
case.
  This legislation does not remove privacy protections for consumers, 
and it does not expose consumer information. Both the FCC and the FTC 
will retain authority over consumer privacy on a case-by-case basis. 
ISPs will continue to be subject to the Communications Act of 1934, 
which protects all consumer proprietary network information. This is in 
addition to the many other existing Federal and State privacy rules 
that ISPs must continue to follow.
  This proposed system, separating edge providers from ISPs, creates 
confusion for both consumers and business operations. This legislation 
works to reduce the confusion that has been created from this 
unnecessary regulation that has stifled competition and impeded 
innovation. I am happy to support this legislation which will provide 
much-needed clarity to the ongoing debate.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, may I inquire how 
much time remains on both sides?
  The SPEAKER pro tempore. The gentleman from Pennsylvania has 5\1/4\ 
minutes remaining. The gentleman from Texas has 2 minutes remaining.

  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I just remind my 
friend, you can say it as many times as you want, but the fact of the 
matter is that, under current law, the FTC has no authority to regulate 
the FCC, and the FCC Commissioner has said that you cannot do this 
without a rule in section 222.
  I yield 1 minute to the gentlewoman from California (Ms. Pelosi), our 
House Democratic leader, the magic minute.
  Ms. PELOSI. Mr. Speaker, on behalf of my five children and my nine 
grandchildren and everyone I know, as a matter of fact, I thank the 
gentleman for being a champion for privacy for the American people. I 
thank the gentleman from Pennsylvania (Mr. Michael F. Doyle) for his 
leadership. I thank the gentleman from New Jersey (Mr. Pallone) for his 
leadership. The gentlewoman from California (Ms. Eshoo) has been a 
champion on this issue as well.
  Mr. Speaker, Americans turn to the internet for so many things these 
days: buying books, filing taxes, learning about why they are feeling 
sick. The Republicans want this information to be sold without your 
permission: the websites you visit, the apps you use, your search 
history, the content of your emails, your health and financial data. 
Overwhelmingly, the American people do not agree with the Republicans 
that this information should be sold, and it certainly should not be 
sold without your permission.
  Our broadband providers know deeply personal information about us and 
our families: where we are, what we want, what we are looking for, what 
information we want to know, every site we visit, and more. Our 
broadband providers can even track us when we are surfing in private, 
browsing in a private browsing mode.

[[Page H2498]]

  Americans' private browser history should not be up for sale. Yet 
Republicans are bringing S.J. Res. 34 to the floor to allow internet 
service providers to profit--to profit; this is about profit--from 
America's most intimate personal information without our knowledge or 
our consent. Republicans' use of the Congressional Review Act will do 
permanent damage to the FCC's ability to keep Americans' personal 
information safe.
  As FCC Commissioner Clyburn and FTC Commissioner McSweeny warned: 
``This legislation will frustrate the FCC's''--the Federal 
Communications Commission's--``future efforts to protect the privacy of 
voice and broadband customers.''
  It is important for our constituents to know that, if the Republicans 
had a problem with this particular policy, they might tweak it and say 
we don't like it this way or that in regular legislation so that we 
could have a debate on it. It could go back to the Federal 
Communications Commission. They could revise it and send it back if it 
were a legitimate presentation of concerns. But it is not about a 
legitimate presentation of concerns. It is about increasing profits at 
the expense of the privacy of the American people.
  So, as I say, the Republicans' use of the Congressional Review Act 
does permanent damage and also damages the FCC's ability to keep 
America's personal information safe. With this measure, Republicans 
would destroy Americans' right to privacy on the internet--we made that 
clear--and forbid any effort to keep your personal information safe. 
Republicans are bending over backwards.
  Think of it. Think of the context of all of this.
  Since Gerald Ford was President, every candidate for President, every 
nominee of a major party, every candidate for President of the United 
States, Democrat and Republican, has released their income tax returns 
out of respect for the American people--out of respect for the American 
people. Week in and week out--in fact, sometimes day in and day out--in 
committee as well as on the floor, the Republicans have kept the 
President's income tax returns private when the public has a right to 
know that, that the public has always known that about every President 
since Gerald Ford--in fact, since Richard Nixon; although, in his case, 
it wasn't voluntary.
  So while they are hiding President Trump's tax returns, some discrete 
piece of information that the public has a right to know, they are 
selling your most personal, selling your most personal and sensitive 
information--again, your browsing history, your children's location, 
everything--to anyone with the money to buy it.
  Incognito tabs or private browsing modes will not protect you from 
the internet service providers watching and selling, as Mr. Capuano 
pointed out, watching and selling. Republicans have picked the week 
after Russian spies were caught hacking into half a billion American 
email accounts to open the floodgates, overturning the requirement that 
internet service providers keep their sensitive data secured from 
cybercriminals.
  The American people deserve to be able to insist that intimate 
details and information about their browser history be kept private and 
secure.
  So how is this?
  We have this magnificent technology that science has made available 
to people to facilitate commerce, to learn about different subjects, to 
privately pursue, in a way that they may not even want their families 
to know, what symptoms they have and what illness that might tell them 
about.
  Most Americans have no or limited choices for broadband providers and 
no recourse against these invasions of their privacy because, with this 
measure, Republicans turn their back on the overwhelming number of 
Americans who want more control over their internet privacy.
  Americans can choose who represents them in Congress. Americans are 
paying close attention. They want to know who is taking a stand with 
them in opposing efforts to sell the private information of the 
American people.
  This is staggering. This is almost a surrender. If the Republicans 
are allowed to do this, we have surrendered all thoughts of privacy for 
the American people.
  Privacy is a value that the American people treasure. It is about 
their dignity. It is about their dignity. We cannot allow the 
Republicans to sell the dignity of the American people. I hope that 
everyone will vote ``no'' on this most unfortunate assault on the 
dignity of the American people.

                              {time}  1700

  Mr. FLORES. Mr. Speaker, I reserve the balance of my time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I yield 1 minute 
to the gentlewoman from Illinois (Ms. Schakowsky).
  Ms. SCHAKOWSKY. Mr. Speaker, I thank the gentleman for yielding.
  Last week, Republicans tried to take away your health care; and, 
today, they are trying to take away your privacy.
  Republicans have said broadband providers and other internet 
companies should be under the same privacy rules. But oddly enough, 
when the committee considered an amendment to give the FTC, the Federal 
Trade Commission, rulemaking authority like the FCC, a change that 
would allow the agencies to adopt the same privacy protection, every 
single Republican voted no. In fact, Republicans proposed making it 
harder for the FTC to pursue privacy and data security cases.
  The protections that the FCC adopted last year were very simple: 
consumers should know what data is being collected, opt in to sharing 
of sensitive data, have their data reasonably protected, and receive 
notice when their data is compromised. But this dangerous resolution 
puts America's privacy and data security at risk.
  Mr. Speaker, I urge all of my colleagues to stand up for consumers 
and vote ``no.''
  Mr. FLORES. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I yield 1 minute 
to the gentleman from Rhode Island (Mr. Langevin).
  Mr. LANGEVIN. Mr. Speaker, I thank the gentleman for yielding.
  Mr. Speaker, I rise in strong opposition to this resolution of 
disapproval, which would repeal broadband privacy rules being 
implemented by the FCC.
  As co-chair of the Congressional Cybersecurity Caucus, I hope I can 
offer some additional perspective on this debate. Studying the many 
threats our country faces in cyberspace, I have become deeply aware of 
how ingrained the internet is in every aspect of our lives and our 
economy. And that has also helped me understand the unique role of 
broadband service providers to grant access to the great potential of 
the Information Age.
  By necessity, ISPs see every bit of traffic that leaves your network 
for the broader internet. Even when you use encryption, ISPs can still 
capture data about whom you are talking to or what sites you are 
visiting. These data are sensitive, and consumers have a right to 
decide whether or not they can be shared or monetized. Unfortunately, 
the resolution of disapproval under consideration would strip consumers 
of that right and presumptively allow sharing and selling without your 
permission.
  Mr. Speaker, the resolution before us today that the Republicans have 
proposed is downright creepy. It is going to allow potentially 
unprecedented abuse of personal or private information be shared 
without your permission. This cannot stand. I urge my colleagues to 
oppose it.
  Mr. FLORES. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, may I inquire how 
much time I have remaining?
  The SPEAKER pro tempore. The gentleman from Pennsylvania has 2 
minutes remaining. The gentleman from Texas has 2 minutes remaining.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I yield 1 minute 
to the gentlewoman from Florida (Mrs. Demings).
  Mrs. DEMINGS. Mr. Speaker, please stop me if you have heard this one 
before and know how it ends. My colleagues on the other side are once 
again trying to sell the American people a broken alternative to 
something that is working pretty much as it was intended to.
  The FCC privacy rule just says that customers must opt in before 
internet

[[Page H2499]]

companies can sell their web browsing history, and that those companies 
must make reasonable efforts to protect customers' sensitive 
information. These are not unreasonable requirements.
  The internet is our gateway to the world. Whether we connect through 
our mobile phone or our home computer, we pay companies for access. If 
those companies want to sell information about what we do on the 
internet, they should have to get our permission first. It is the right 
thing to do.
  Mr. Speaker, I urge my colleagues on the other side to simply do the 
right thing.
  Mr. FLORES. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I include in the 
Record letters from a coalition of small ISPs, a coalition of civil 
rights organizations, the Consumers Union, and an article by Terrell 
McSweeny all opposing this CRA.

                               Electronic Frontier Foundation,

                                                San Francisco, CA.
     Re Oppose S.J. Res 34--Repeal of FCC Privacy Rules.

       Dear U.S. Representatives: We, the undersigned founders, 
     executives, and employees of ISPs and networking companies, 
     spend our working lives ensuring that Americans have high-
     quality, fast, reliable, and locally provided choices 
     available when they need to connect to the Internet. One of 
     the cornerstones of our businesses is respecting the privacy 
     of our customers, and it is for that primary reason that we 
     are writing to you today.
       We urge Congress to preserve the FCC's Broadband Privacy 
     Rules and vote down plans to abolish them. If the rules are 
     repealed, large ISPs across America would resume spying on 
     their customers, selling their data, and denying them a 
     practical and informed choice in the matter.
       Perhaps if there were a healthy, free, transparent, and 
     competitive market for Internet services in this country, 
     consumers could choose not to use those companies' products. 
     But small ISPs like ours face many structural obstacles, and 
     many Americans have very limited choices: a monopoly or 
     duopoly on the wireline side, and a highly consolidated 
     cellular market dominated by the same wireline firms.
       Under those circumstances, the FCC's Broadband Privacy 
     Rules are the only way that most Americans will retain the 
     free market choice to browse the Web without being surveilled 
     by the company they pay for an Internet connection.
           Signed,
       Sonic, MonkeyBrains, Cruzio Internet, Etheric Networks, 
     Aeneas Communications, Digital Service Consultants Inc., 
     Hoyos Consulting LLC, Om Networks, Motherlode Internet, 
     Goldrush Internet, Credo Mobile, Andrew Buker (Director of 
     Infrastructure Services & Research computing, University of 
     Nebraska at Omaha), Tim Pozar (co-founder, TwoP LLC), Andrew 
     Gallo (Senior Network Architect for a regional research and 
     education network), Jim Deleskie (co-founder, Mimir 
     networks), Randy Carpenter (VP, First Network Group), Kraig 
     Beahn (CTO, Enguity Technology Corp).
                                  ____

                                                 January 27, 2017.
     Hon. Paul D. Ryan,
     Speaker of the House, House of Representatives, Washington, 
         DC.
     Hon. Mitch McConnell,
     Senate Majority Leader, U.S. Senate, Washington, DC.
     Hon. Nancy Pelosi,
     Minority Leader, House of Representatives, Washington, DC.
     Hon. Charles Schumer,
     Minority Leader, U.S. Senate,
     Washington, DC.
       Dear Speaker Ryan, Senator McConnell, Representative 
     Pelosi, and Senator Schumer: The undersigned media justice, 
     consumer protection, civil liberties, and privacy groups 
     strongly urge you to oppose the use of the Congressional 
     Review Act (CRA) to adopt a Resolution of Disapproval 
     overturning the FCC's broadband privacy order. That order 
     implements the mandates in Section 222 of the 1996 
     Telecommunications Act, which an overwhelming, bipartisan 
     majority of Congress enacted to protect telecommunications 
     users' privacy. The cable, telecom, wireless, and advertising 
     lobbies request for CRA intervention is just another industry 
     attempt to overturn rules that empower users and give them a 
     say in how their private information may be used.
       Not satisfied with trying to appeal the rules of the 
     agency, industry lobbyists have asked Congress to punish 
     internet users by way of restraining the FCC, when all the 
     agency did was implement Congress' own directive in the 1996 
     Act. This irresponsible, scorched-earth tactic is as harmful 
     as it is hypocritical. If Congress were to take the industry 
     up on its request, a Resolution of Disapproval could exempt 
     intemet service providers (ISPs) from any and all privacy 
     rules at the FCC. As you know, a successful CRA on the 
     privacy rules could preclude the FCC from promulgating any 
     ``substantially similar'' regulations in the future--in 
     direct conflict with Congress' clear intention in Section 222 
     that telecommunications carriers protect their customers' 
     privacy. It could also preclude the FCC from addressing any 
     of the other issues in the privacy order like requiring data 
     breach notification and from revisiting these issues as 
     technology continues to evolve in the future. The true 
     consequences of this revoked authority are apparent when 
     considering the ISPs' other efforts to undermine the rules. 
     Without these rules, ISPs could use and disclose customer 
     information at will. The result could be extensive harm 
     caused by breaches or misuse of data.
       Broadband ISPs, by virtue of their position as gatekeepers 
     to everything on the intemet, have a largely unencumbered 
     view into their customers' online communications. That 
     includes the websites they visit, the videos they watch, and 
     the messages they send. Even when that traffic is encrypted, 
     ISPs can gather vast troves of valuable information on their 
     users' habits; but researchers have shown that much of the 
     most sensitive information remains unencrypted.
       The FCC's order simply restores people's control over their 
     personal information and lets them choose the terms on which 
     ISPs can use it, share it, or sell it. Americans are 
     increasingly concerned about their privacy, and in some cases 
     have begun to censor their online activity for fear their 
     personal information may be compromised. Consumers have 
     repeatedly expressed their desire for more privacy 
     protections and their belief that the government helps ensure 
     those protections are met. The FCC's rules give broadband 
     customers confidence that their privacy and choices will be 
     honored, but it does not in any way ban ISPs' ability to 
     market to users who opt-in to receive any such targeted 
     offers.
       The ISPs' overreaction to the FCC's broadband privacy rules 
     has been remarkable. Their supposed concerns about the rule 
     are significantly overblown. Some broadband providers and 
     trade associations inaccurately suggest that this rule is a 
     full ban on data use and disclosure by ISPs, and from there 
     complain that it will hamstring ISPs' ability to compete with 
     other large advertising companies and platforms like Google 
     and Facebook. To the contrary, ISPs can and likely will 
     continue to be able to benefit from use and sharing of their 
     customers' data, so long as those customers consent to such 
     uses. The rules merely require the ISPs to obtain that 
     informed consent.
       The ISPs and their trade associations already have several 
     petitions for reconsideration of the privacy rules before the 
     FCC. Their petitions argue that the FCC should either adopt a 
     ``Federal Trade Commission style'' approach to broadband 
     privacy, or that it should retreat from the field and its 
     statutory duty in favor of the Federal Trade Commission 
     itself All of these suggestions are fatally flawed. Not only 
     is the FCC well positioned to continue in its statutorily 
     mandated role as the privacy watchdog for broadband telecom 
     customers, it is the only agency able to do so. As the 9th 
     Circuit recently decided in a case brought by AT&T, common 
     carriers are entirely exempt from FTC jurisdiction, meaning 
     that presently there is no privacy replacement for broadband 
     customers waiting at the FTC if Congress disapproves the 
     FCC's rules here.
       This lays bare the true intent of these industry groups, 
     who also went to the FCC asking for fine-tuning and 
     reconsideration of the rules before they sent their CRA 
     request. These groups now ask Congress to create a vacuum and 
     to give ISPs carte blanche, with no privacy rules or 
     enforcement in place. Without clear rules of the road under 
     Section 222, broadband users will have no certainty about how 
     their private information can be used and no protection 
     against its abuse. ISPs could and would use and disclose 
     consumer information at will, leading to extensive harm 
     caused by breaches and by misuse of data properly belonging 
     to consumers.
       Congress told the FCC in 1996 to ensure that 
     telecommunications carriers protect the information they 
     collect about their customers. Industry groups now ask 
     Congress to ignore the mandates in the Communications Act, 
     enacted with strong bipartisan support, and overturn the 
     FCC's attempts to implement Congress's word. The CRA is a 
     blunt instrument and it is inappropriate in this instance, 
     where rules clearly benefit internet users notwithstanding 
     ISPs' disagreement with them.
       We strongly urge you to oppose any resolution of 
     disapproval that would overturn the FCC's broadband privacy 
     rule.
           Sincerely,
       Access Now, American Civil Liberties Union, Broadband 
     Alliance of Mendocino County, Center for Democracy and 
     Technology, Center for Digital Democracy, Center for Media 
     Justice, Color of Change, Consumer Action, Consumer 
     Federation of America, Consumer Federation of California, 
     Consumer Watchdog, Consumer's Union, Free Press Action Fund, 
     May First/People Link, National Hispanic Media Coalition, New 
     America's Open Technology Institute, Online Trust Alliance, 
     Privacy Rights Clearing House, Public Knowledge.
                                  ____

                              ConsumersUnion', Policy &


                                 Action From Consumer Reports,

                                                   March 27, 2017.
     House of Representatives,
     Washington, DC.
       Dear Representative: Consumers Union, the policy and 
     mobilization arm of Consumer

[[Page H2500]]

     Reports, writes regarding House consideration of S.J. Res. 
     34, approved by a 50-48 party line vote in the Senate last 
     week.
       This resolution, if passed by the House and signed into law 
     by President, would use the Congressional Review Act (CRA) to 
     nullify the Federal Communication Commission's (FCC) newly-
     enacted broadband privacy rules that give consumers better 
     control over their data. Many Senators cited ``consumer 
     confusion'' as a reason to do away with the FCC's privacy 
     rules, but we have seen no evidence proving this assertion 
     and fail to understand how taking away increased privacy 
     protections eliminates confusion. Therefore, we strongly 
     oppose passage of this resolution--it would strip consumers 
     of their privacy rights and, as we explain below, leave them 
     with no protections at all. We urge you to vote no on S.J. 
     Res. 34.
       The FCC made history last October when it adopted consumer-
     friendly privacy rules that give consumers more control over 
     how their information is collected by internet service 
     providers (ISPs). Said another way, these rules permit 
     consumers to decide when an ISP can collect a treasure trove 
     of consumer information, whether it is a web browsing history 
     or the apps a consumer may have on a smartphone. We believe 
     the rules are simple, reasonable, and straightforward.
       ISPs, by virtue of their position as gatekeepers to 
     everything on the internet, enjoy a unique window into 
     consumers' online activities. Data including websites 
     consumers visit, videos viewed, and messages sent is very 
     valuable. Small wonder, then, that ISPs are working so hard 
     to have the FCC's new privacy rules thrown out through use of 
     the Congressional Review Act. But we should make no mistake: 
     abandoning the FCC's new privacy rules is about what benefits 
     big cable companies and not about what is best for consumers.
       Many argue the FCC should have the same privacy rules as 
     those of the Federal Trade Commission (FTC). FCC Chairman 
     Ajit Pai went so far as to say ``jurisdiction over broadband 
     providers' privacy and data security practices should be 
     returned to the FTC, the nation's expert agency with respect 
     to these important subjects,'' even though the FTC currently 
     possesses no jurisdiction over the vast majority of ISPs 
     thanks to the common carrier exemption--an exemption made 
     stricter by the Ninth Circuit Court of Appeals in last year's 
     AT&T Mobility case. We have heard this flawed logic time and 
     time again as one of the principal arguments for getting rid 
     of the FCC's strong privacy rules. Unfortunately, this is 
     such a poor solution that it amounts to no solution at all.
       For the FTC to regain jurisdiction over the privacy 
     practices of ISPs, the FCC would first have to scrap Title II 
     reclassification--not an easy task which would be both time-
     consuming and subject to judicial review, and jeopardize the 
     legal grounding of the 2015 Open Internet Order. Congress, in 
     turn, would have to pass legislation to remove the common 
     carrier exemption, thus granting the FTC jurisdiction over 
     those ISPs who are common carriers. We are skeptical Congress 
     would take such an action. Finally, the FTC does not enjoy 
     the same robust rulemaking authority that the FCC does. As a 
     result, consumers would have to wait for something bad to 
     happen before the FTC would step in to remedy a violation of 
     privacy rights. Any fondness for the FTC's approach to 
     privacy is merely support for dramatically weaker privacy 
     protections favored by most corporations.
       There is no question that consumers favor the FCC's current 
     broadband privacy rules. Consumers Union launched an online 
     petition drive last month in support of the Commission's 
     strong rules. To date, close to 50,000 consumers have signed 
     the petition and the number is growing. Last week, more than 
     24,000 consumers contacted their Senators urging them to 
     oppose the CRA resolution in the 24 hours leading up to the 
     vote. Consumers care about privacy and want the strong 
     privacy protections afforded to the them by the FCC. Any 
     removal or watering down of those rules would represent the 
     destruction of simple privacy protections for consumers.
       Even worse, if this resolution is passed, using the 
     Congressional Review Act here will prevent the FCC from 
     adopting privacy rules--even weaker ones--to protect 
     consumers in the future. Under the CRA, once a ride is 
     erased, an agency cannot move forward with any 
     ``substantially similar'' rule unless Congress enacts new 
     legislation specifically authorizing it. Among other impacts, 
     this means a bare majority in the Senate can void a rule, but 
     then restoration of that rule is subject to full legislative 
     process, including a filibuster. The CRA is a blunt 
     instrument--and if used in this context, blatantly anti-
     consumer.
       We are more than willing to work with you and your fellow 
     Representatives to craft privacy legislation that affords 
     consumer effective and easy-to-understand protections. The 
     FCC made a step in that direction when it adopted the 
     broadband privacy rules last year, and getting rid of them 
     via the Congressional Review Act is a step back, not forward. 
     Therefore, we encourage you to vote no on S.J. Res. 34.
           Respectfully,
     Laura MacCleery,
       Vice President, Consumer Policy & Mobilization, Consumer 
     Reports.
     Katie McInnis,
       Policy Counsel, Consumers Union.
     Jonathan Schwantes,
       Senior Policy Counsel, Consumers Union.
                                  ____


                    [From wired.com, Mar. 22, 2017]

           Congress Is About To Give Away Your Online Privacy

               (By Terrell McSweeney and Chris Hoofnagle)

       The resolution that could come to a Congressional vote this 
     week aims to tackle differences in how the FCC rule treats 
     ISPs compared with other internet companies. Your broadband 
     provider has to offer you a choice about what information it 
     shares about you, but ecommerce sites and search engines do 
     not.
       Advocates for repealing the current protections--the 
     resolution is sponsored by Senator Jeff Flake (R-AZ)--argue 
     that Congress should void the FCC's rule using the 
     Congressional Review Act. They contend that in order to 
     properly govern privacy and avoid confusing consumers, the 
     FCC should maintain consistent rules across the internet 
     ecosystem. But inconsistent standards pervade privacy and 
     consumer law. Furthermore, consistent standards militate in 
     favor of increasing protections for privacy, rather than 
     unraveling them as the current proposal would do.
       An alphabet soup of state and federal laws set the privacy 
     requirements for everything from our financial information to 
     data about our children. That's largely because privacy is 
     both essential to and sometimes in conflict with our most 
     deeply held value, liberty. So, legislators have never been 
     able to craft omnibus privacy protections. Instead, they've 
     developed frameworks informed by prevailing norms, 
     incentives, political economy, and ways the information might 
     be used.
       As we connect more devices in our home and on our bodies, 
     the array of technologies that raise data privacy and 
     security concerns is expanding. The privacy landscape will 
     likely continue to be shaped as technologies evolve.
       Different consumer technologies may justify different 
     approaches. For example, the safety issues inherent in cars 
     and medical devices may warrant particularly strong privacy 
     and security protections. In the future, privacy rules could 
     come from the FCC as well as the Department of Commerce, 
     National Highway Traffic Safety Administration, Food and Drug 
     Administration, and other agencies.
       Consider that your bank can--and probably does--sell your 
     contact and financial information unless you opt out. Yet if 
     you rent a movie, online or off, the rental service can't 
     sell information about your media consumption without your 
     consent, and it must delete your rental history after it's no 
     longer needed. Congress enacted those protections to shield 
     intellectual freedom, so that one can enjoy controversial 
     movies without fear of one's curiosity resulting in extortion 
     or embarrassment.
       This brings us to our second point: If consistency and 
     reducing consumer confusion is the goal, consumers should 
     demand stronger internet privacy norms. Given the animating 
     purpose of protecting movie rental information, why not 
     require consumers to consent to the sharing any information 
     about their online behavior? After all, our web activity is 
     the ultimate manifestation of our intellectual curiosity, 
     representing second-by-second decisions about consuming news 
     and entertainment.
       In addition to existing federal laws, legislators could, as 
     professor Helen Nissenbaum has suggested, look to offline 
     contexts, such as the strong privacy norms governing 
     searching for a book in a library, to guide the privacy rules 
     we ought to enjoy when using a search engine. The government 
     also could take a page from the confidentiality standards 
     patients enjoy when conversing with physicians and apply 
     those same norms to medical information websites. 
     Policymakers could look to the last two centuries of privacy 
     in the postal mail to guide rules for commercial scanning of 
     email. Yet in all these contexts, web business models drive 
     design decisions that have turned social and personal 
     behaviors into marketplace transactions.
       Left standing, the FCC rule offers an opportunity for a 
     meaningful debate about how to better translate our analog 
     privacy norms into the digital world. Broadband ISPs are 
     essentially utilities, like postal mail and the telephone. 
     Subscribers have little or no competitive choice as to which 
     provider to use. ISPs know our identities, and their position 
     gives them the technical capacity to surveil users in ways 
     that others cannot. It makes sense to ensure consumers can 
     choose whether to share data related to their Internet usage.
       The majority of consumers--91 percent in a recent survey--
     feel they've lost control of their personal information. Yet, 
     paradoxically, the late, great privacy researcher and 
     historian Alan Westin consistently found that Americans 
     expect companies to handle personal data in a 
     ``confidential'' way. In reality, the modern internet is like 
     a one-way mirror, where users are often unaware that they are 
     being silently watched by third parties. The FCC rule exposes 
     this one-way mirror and allows people to decide whether to 
     draw a curtain on it.
       Maintaining the current rules would make ISP practices more 
     consistent with consumers' expectations of confidentiality. 
     Congress should spend time examining the

[[Page H2501]]

     strengths and weaknesses of our current approach, instead of 
     using consistency arguments to eviscerate the FCC's rule.

  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I yield 1 minute 
to the gentlewoman from California (Ms. Lofgren), my colleague from the 
class of '94.
  Ms. LOFGREN. Mr. Speaker, a ``yes'' vote exempts all broadband 
service providers from all rules on user privacy and all limitations on 
how they use your data. They are in a unique position to see every 
place you go, every website you visit, they can do deep packet 
inspection and see what is in your emails.
  What protects your privacy?
  This rule that is about to be repealed.
  If you have problems with the privacy policies of your email provider 
or social network, you have got competition to go to. But most 
Americans have just one or, at most, just two choices for their 
broadband provider. And, interestingly enough, all of those providers 
are supporting the repeal of this privacy rule.
  Why?
  They are going to make money selling your information.
  The idea that we could have an FTC solution is an interesting one, 
but there is no way to do it. In the Ninth Circuit's 2016 ruling of 
AT&T v. FTC, they ruled that the FTC is barred from imposing data 
breach rules. So vote ``no'' and protect your constituents' privacy.
  Mr. FLORES. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, I ask my 
colleagues to vote against this horrible resolution, and I yield back 
the balance of my time.
  Mr. FLORES. Mr. Speaker, I yield myself the balance of my time.
  We have heard a lot of interesting claims today in the discussion 
about this fairly simple resolution to roll back overreaching 
regulation from the FCC that were passed late in the Obama 
administration's time.
  I would remind everybody, Mr. Speaker, that this CRA has nothing to 
do with the President's tax return, it has nothing to do with Russian 
hacking, and there have been some gross mischaracterizations of what 
this resolution does.
  Why do we need this resolution?
  The three reasons are, as Chairwoman Blackburn opened up at the 
beginning:
  First of all, the FCC swiped jurisdiction from the FTC.
  Second, two cops on the beat create confusion among consumers and 
among the ISP providers.
  Third, the FTC already has jurisdiction over this space.
  Let me close with this: this resolution of disapproval only rescinds 
the FCC's rule, but it still provides the FCC the opportunity to 
provide more oversight more in line with the Federal Trade Commission, 
which has successfully been regulating online privacy for nearly 2 
decades.
  This resolution does not lessen or impede the privacy and data 
security standards that we already have established. We are simply 
restoring a more stable regulatory playing field to ensure that 
consistent uniform privacy standards are maintained to protect 
consumers and future innovation.
  Once Congress rejects these rules, the FCC can turn back to 
cooperating with the FTC to ensure both the consumer privacy across all 
aspects of the internet is protected through vigorous enforcement and 
that innovation is allowed to flourish.
  I urge all of my colleagues to support this commonsense resolution.
  Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. All time for debate has expired.
  Pursuant to the rule, the previous question is ordered on the joint 
resolution.
  The question is on the third reading of the joint resolution.
  The joint resolution was ordered to be read a third time, and was 
read the third time.
  The SPEAKER pro tempore. The question is on the passage of the joint 
resolution.
  The question was taken; and the Speaker pro tempore announced that 
the ayes appeared to have it.
  Mr. MICHAEL F. DOYLE of Pennsylvania. Mr. Speaker, on that I demand 
the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this question will be postponed.

                          ____________________