What’s the Big Deal About Internet Privacy (Part 4 – What happens next?)

This is the final installment of a series. Here are the links to part 1, 2, and 3.

Part 4: The future of internet privacy – what happens next?

The debate over the future of internet privacy is far from settled.  Privacy advocates have vowed to fight, while FCC Chairman Ajit Pai is doubling down on his anti-regulatory agenda, announcing his intention to overturn the FCC’s related but distinct net neutrality rules.  How will this play out?  Outcomes could be shaped by a number of regulatory and/or market forces.

  1. Regulation

Might the FCC reverse itself? 

Probably not…at least for the next five years.  Ajit Pai is at the beginning of his 5 year term, and his position on internet regulation is abundantly clear.

Could congress supersede FCC rules by strengthening or enacting new privacy laws? 

Yes, but they probably won’t, at least not within the next 4 years.  The 115th Congress clearly supports rolling back internet regulations.  The midterm elections could very well bring about significant changes, but even in the event that democrats regain control of congress, internet privacy won’t be a legislative priority unless it becomes a priority for the public.  While research shows broad public support for privacy regulations, few people would consider it the most important issue for them, and given congress’s dysfunction it will likely continue to be difficult to get anything done.  Any privacy bill is unlikely to be signed by a sitting president before 2021, so congress would need enough support to override a veto.  In the absence of a groundswell of vocal public support, neither the 115th nor the 116th Congress will enact privacy protections.

Could states enact privacy legislation?

Yes, and there is reason to believe this is more realistic.  Ten state governments (and now Maine) have put forward various legislation to protect consumers.  ISPs’ success at the federal level has created multiple new fronts that are likely to spread lobbying resources thin, and state governments tend to be more responsive to their constituents.  If even a handful of these laws pass it would make life very hard and expensive for ISPs, as they would need to track a patchwork of different regulatory codes. Perhaps ISPs are having a few pangs of regret about their strategy….

  1. Market-driven solutions

Will the free market rise to meet consumer demands for privacy?  Perhaps, for individuals who can afford to pay a premium, are technically savvy, or live in metro areas with competitive internet service markets.  Much of the U.S. population lives doesn’t fall into one of those categories, and that’s tough news for consumers.  On the other hand, the shift in privacy regulations is creating opportunities for ISPs and range of other businesses.

ISP Opportunities

The vast majority of ISPs will move aggressively to monetize consumer data, particularly in areas where the competition is sparse.  As these ISPs develop data monetization capabilities, they’ll begin serving new customers (advertising firms, or potentially brands) whose interests are often at odds with the interests of consumers.  This will limit consumers’ ability to influence ISPs, as consumers are more fragmented, spend less than advertisers on a per customer basis, and have fewer competitive alternatives compared to advertisers.

In more competitive markets, some ISPs are likely to use privacy as a differentiator to attract customers.  For example, Sonic and MonkeyBrains (both of which serve the San Francisco Bay area) are competing on the promise that it won’t sell customers’ data to marketers.  The viability and resilience of this business model still needs to be proven, but it could provide welcome relief for consumers in major metro areas.

Meanwhile, truly new ISPs are unlikely to play a significant role in the market, as barriers to entry are quite high.  Most new entrants would piggyback on the networks of other ISPs, and it’s possible that in this situation network operators would still be able to capture your data, even if your ISP promised not to collect it.

Opportunities Beyond the ISPs

Tools to limit what your ISP can see already exist, including VPNs, browser extensions, and third party DNS providers. However, these are all partial solutions with some limited efficacy and serious drawbacks:

  • They provide an incomplete solution. ISPs will still be able to collect and market some types of personal data.
  • They don’t have the “ease of use” most consumers want. These tools generally require a level of technical savvy to set up and use reliably.  They’re mostly sold or downloaded separately, placing the onus on the consumer to figure it out which combination of solutions makes sense.
  • Perhaps the biggest weakness is that some of these tools can slow down internet speeds – a problem that could get significantly worse as net neutrality is repealed.  Eliminating net neutrality means ISPs can now deliberately slow down internet traffic between you and, say, your VPN of choice.  This creates a significant disincentive to use a VPN. (Bear in mind, you will still be paying the ISP what you were before, but you’re receiving a significantly worse product….and that’s what deregulation gets you in a market that wasn’t free or competitive to begin with.)

VPNs are probably the most effective single privacy tool consumers can use at this time, but the business opportunity for this service is unclear.  The existence of VPNs that appear to lack a profit motive (they promote lofty mission statements about the importance of privacy to a free and open internet, and charge relatively modest fees for their services) might keep some businesses from entering this space…after all, it would be difficult to charge more for a service that competitors deliver effectively at lower cost.

Other interested parties may recognize an opportunity to provide a more integrated and complete online privacy management solution. This approach would be much better aligned with a large demographic of older web users who want or need support selecting and deploying online privacy tools. For these customers, a user-friendly, managed service offering could be compelling, especially if delivered by a company they know and trust. Such a service would be a natural complement for antivirus, identity protection, and even credit monitoring companies. These vendors typically have a substantial customer base in this segment, as well as a high degree of trust and name recognition, and privacy services could present an attractive adjacent opportunity for them.

Regardless of which solutions emerge, consumers will almost certainly bear the cost of defending their privacy on an individual basis. While I find some small comfort that in the absence of regulatory action, private sector solutions will eventually emerge, the timing, quality, and cost of these options remains to be seen.  Questions remain about what consumers would be willing to pay, how lucrative the privacy services market could become, and how federal and state regulations will evolve.  The answers to these questions will likely shape how seriously companies and investors treat this opportunity, and which solutions emerge.

What’s the Big Deal About Internet Privacy (Part 2)

This is part 2 of a series. Here’s the link to part 1, in case you missed it.

 

Part 2: The FCC rule and current policy – what’s the argument, and why does it matter?

The argument in favor of the FCC ruling:

Supporters of the FCC’s Broadband privacy rules (including 3/5 FCC Commissioners, 2/3 appellate judges, and a host of industry and non-profit organizations) generally cite the following to justify the rule change:

  1. The internet is an essential service

At this point it would be hard to argue that a person can conduct commerce or go about their daily lives in the 21st century without utilizing broadband networks. As I pointed out in Part 1, reliance on the internet for essential economic, health, regulatory, and personal activities is only continuing to grow. If you want to buy and airline ticket, you might pay a penalty for not booking it online. Many private and state agencies have eliminated or greatly scaled back over-the-phone support as they move increasingly to an online-only model.

Nobody who understands the difference between an ISP and an internet platform is actually contesting this point, so let’s move on.

  1. ISPs are fundamentally different than internet companies in important ways

Internet platforms (i.e. Google, Microsoft, Facebook) provide siloed services, the use of which is voluntary. You can access online banking or government websites without using Google Chrome. You can send messages without Facebook Messenger. There is competition, however weak, in the market. People have a choice about whether to use these services, and which service to use.  In contrast, most consumers rely on ISP networks for all internet activity, and outside of metro areas many ISPs have effective monopolies.

Internet platforms are typically free to consumers.  Consumers are willing to provide access to personal data and deal with ads – giving up this data is the price we pay for access to high quality search engines and social media platforms.  In contrast, consumers pay sometimes ridiculous prices for internet service.  We are getting nothing in return for sharing our personal data (especially now, as congress removed any need for ISPs to incentivize consumers to allow their data to be monetized).

  1. Collection of personal data through these networks should be voluntary and transparent

The data these companies want to monetize belongs to you and me. That data has a value, and you and I should be able to recognize that value. Reversing the FCC decision removed any incentive for ISPs to develop a brokerage or rebate system that would actually compensate consumers. The result is that we not only lose control of our data (they can sell it whomever they wish), we also lose the monetary value of that data. (Some people might argue that if ISPs are allowed to generate advertising revenue, the cost of Broadband will go down for you and me. Such an argument would be comical. I would bet everything I own that we never see a decrease in the cost of internet services proportional to the value created by selling our personal data.)

On the transparency side, we deserve to know what data is being collected, how it’s being packaged, and to whom it is sold.

  1. Broadband service providers should secure their networks to protect customer data

This is in the national and public interest.  Economic espionage, identify theft, and online fraud are very real problems, and they will only get worse. The only real argument against this rule is a free market one: “Let the free market dictate how secure these networks are.” This might be the case if there was actual competition, but unfortunately for many Americans, they’re stuck with whatever ISP services their area. Even if they have 2 or 3 options, the chances are good that they are shopping on price, not security features.  Without a mandate to secure their networks it’s unlikely ISPs will make they investments needed to counter these threats.

 

The argument against the FCC ruling:

Opponents (2/5 FCC commissioners, the telecoms industry) argued the following:

  1. The FCC does not have the legal authority to regulate Broadband
  2. Allowing ISPs to sell personal data to advertisers would increase competition in the digital advertising market
  3. The new rules will be burdensome and confusing to consumers.

Let’s unpack the merits of each argument in turn:

  1. The FCC doesn’t have the legal authority to regulate internet service providers.

I’m no lawyer, but this one seems obvious to me. Broadband internet carries interstate and international communications, which clearly fall under the FCC’s purview.  (Spoiler alert – this argument was lost in court., with a ruling that resoundingly agreed broadband is an essential service.) The simple fact that overlapping and/or competing regulations exist does not in itself create cause to oppose this rule change.

  1. Allowing ISPs to sell personal data to advertisers would increase competition in the digital advertising market

I can’t argue this.  It’s absolutely true.  ISPs desperately want to compete here – the reasons for which we’ll explore in more depth in the next installment. Could someone just explain to me how ISPs competing in the target ad market is good for consumers?  “Yay! More ads! And they’re even creepier!”

Many companies have claimed targeted ads are less annoying, even helpful to consumers.  Perhaps a percentage of them are.  However, I haven’t been able to locate any data that suggests consumers suddenly like advertisements because they’re targeted, or that they’re willing to trade their privacy for targeted ads.  In fact, there is data supporting the opposite.  This data aligns with my anecdotal experience, as I haven’t heard many people embracing and applauding targeting advertising that’s already happening.  Mostly I’ve heard complaints about how creepy it is.

This argument also requires us to ignore the very real potential that targeted ads are harmful to consumers. After all, the goal of targeted advertising is to reach the target demographic for a product at the time when they are most likely to purchase that product.  It’s not difficult to imagine scenarios in which this actively runs against consumer interests:

  • A dieter see an ad for a value meal when he/she is stressed and hungry
  • A gambling addict is targeted with an ad for a casino just as they are passing by one
  • Someone sees something they want but can’t afford at a time when they are most likely to use it

Many will argue that this is still a choice, that people have will power, etc., but it’s hard to argue that the deck isn’t getting stacked a little more against consumers every day.  At best, more/more effective targeted ads will be an annoyance for consumers, and at worst it’s harmful. The only stakeholders who actually benefit as a result of this reality are ISPs and marketers.

  1. The new rules will be burdensome and confusing to consumers.

Basically, telecoms companies (and their allies in the FCC) made the argument that asking customers’ permission to collect and sell their personal data would be burdensome…for their customers?  I suppose this might be true if the ISPs deliberately misled customers about what was happening, but if they framed it in a transparent, clear, and accurate way…well, I don’t see how this argument holds up. Also, the link to the study above suggest consumers actually want this.

On the flip side, it would certainly be burdensome for ISPs.

This particular argument stood out as cynical to me, but without it there would have been no argument that the FCC rule was bad for you and me.  It provides a fig leaf’s worth of coverage for congressional action that is blatantly contrary to the interests of American consumers.

Next up, we’ll look a more closely at why ISPs, internet platforms (“edge providers”), and privacy advocates care so much about this issue, and why consumers really ought to care more.

What’s the Big Deal About Internet Privacy? (Part 1)

If you follow the news, you might be aware that the 115th Congress just changed some rules around internet privacy.  If you’re aware of the potential implications for consumers you’re probably in the minority.  If you’re able to explain what exactly happened and what it means for the stakeholders involved, you’re in a small group indeed. The lack of public understanding of this issue is forgivable: Broadband internet regulations are a complex issue, and truly understanding the policy implications of this move requires time and effort that most people simply don’t have. But it’s also a shame, because this rule change will impact everyone, whether we realize it or care.

In order to really understand what just happened and what it means, we need to consider the following:

  • Historical context – how did we get here?
  • The FCC rule and current policy – why does it matters?
  • Stakeholder concerns – who are the winners and losers?
  • The future of the industry – what happens next?

This post is the first of a four-part series in which we examine these questions one at time, beginning with a brief overview of the historical context for the FCC rule.

Historical Context – How did we get here?

The Communications Act of 1934

To understand where we are, we need go all the way back to the Communications Act of 1934, which established the Federal Communications Commission (FCC). This act effectively consolidated prior regulatory frameworks and created a single enforcement body to “regulate interstate and foreign commerce in communication by wire and radio so as to make available, so far as possible, to all the people of the United States a rapid, efficient, nationwide, and worldwide wire and radio communication service with adequate facilities at reasonable charges….”

The Communications Act of 1996

The Communications Act stood largely unaltered until 1996, when Congress updated the law. It’s safe to say that the 1996 update is where our current internet policy has its roots: In addition to addressing local and long distance telephony and cable regulations, the act addressed for the first time how internet services companies would be treated. At the time the internet was still largely a novelty, and it would have stretched the imagination to call it an essential service. Ultimately lawmakers, heavily shaped by the telecoms industry but also not wrong, decided to reduce regulatory barriers on internet service providers in order to increase competition and accelerate private sector innovation and investment.  They executed this goal by creating a separate class of communication services company: the “information services” provider.  This action released internet service providers from the stricter regulations governing telephony and traditional telecoms companies.

Times changed…quickly

Do you remember what the internet was like in 1996?  The world changed quickly over the past twenty years.  As a result, the FCC began considering reclassifying ISPs as common carriers under Title II as far back as 2010.  Proponents for change argued that individuals and businesses had come to rely on broadband services for all manner of public and private communications of varying sensitivity: email, banking, commerce, and even government functions like license renewal and tax filings.  None of this was top of mind for lawmakers in 1996, although it was foreseen by some in industry.

Common carriers

As the shift in use began to accelerate, so did discussions of how policy should evolve.  The industry fought this shift, ramping up lobbying spending over the course of the past decade.  Despite fierce opposition from service providers, in February 2015 FCC Commissioners voted 3-2 to designate Broadband ISPs as “common carriers” under Title II of the Communications Act. This meant broadband ISP would be required to act in the public interest on issues of privacy, security, and fair access. The shift manifested in new rules requiring ISPs to:

  1. Get permission from customers to collect, use, and sell their personal data
  2. Strengthen broadband network security

Following the FCC rule change, ISPs launched a legal challenge that was rebuffed in a 2015 appellate court decision which agreed with the FCC majority view that broadband is an essential service.

A side note: ISP trade groups have fueled a misperception that the FCC rule change would treat broadband like a “utility”. The 2015 FCC rule did NOT classify broadband as a utility. “Common carrier” status is different from “utility” status, and Title II governs both. Common carriers are not subject to regulation of price, service quality, and customer service responsiveness, unlike utilities.  Common carriers are regulated on privacy, security, and fair access.  It’s an important distinction, and the misrepresentation of the FCC rule change has distracted from real debate on the merits of the policy.

Congressional action

The rule change provided for a transition period, essentially giving ISPs until 2018 to meet requirements.  As such, the rule hadn’t even taken effect when the 115th Congress convened, and in March used its powers under the Congressional Review Act to dismiss the FCC rule.

Recap

To sum up, the FCC has owned regulation of ISPs since such regulation began.  Initially, the FCC correctly decided to limit regulation of ISPs in order to accelerate investment and innovation.  The world changed, and the FCC attempted to update policy to reflect the role that the internet plays in our lives and in the economy.

Part 2 builds on this historical primer and explore the merits of arguments for and against the 2015 FCC rule change.