What’s the Big Deal About Internet Privacy (Part 4 – What happens next?)

This is the final installment of a series. Here are the links to part 1, 2, and 3.

Part 4: The future of internet privacy – what happens next?

The debate over the future of internet privacy is far from settled.  Privacy advocates have vowed to fight, while FCC Chairman Ajit Pai is doubling down on his anti-regulatory agenda, announcing his intention to overturn the FCC’s related but distinct net neutrality rules.  How will this play out?  Outcomes could be shaped by a number of regulatory and/or market forces.

  1. Regulation

Might the FCC reverse itself? 

Probably not…at least for the next five years.  Ajit Pai is at the beginning of his 5 year term, and his position on internet regulation is abundantly clear.

Could congress supersede FCC rules by strengthening or enacting new privacy laws? 

Yes, but they probably won’t, at least not within the next 4 years.  The 115th Congress clearly supports rolling back internet regulations.  The midterm elections could very well bring about significant changes, but even in the event that democrats regain control of congress, internet privacy won’t be a legislative priority unless it becomes a priority for the public.  While research shows broad public support for privacy regulations, few people would consider it the most important issue for them, and given congress’s dysfunction it will likely continue to be difficult to get anything done.  Any privacy bill is unlikely to be signed by a sitting president before 2021, so congress would need enough support to override a veto.  In the absence of a groundswell of vocal public support, neither the 115th nor the 116th Congress will enact privacy protections.

Could states enact privacy legislation?

Yes, and there is reason to believe this is more realistic.  Ten state governments (and now Maine) have put forward various legislation to protect consumers.  ISPs’ success at the federal level has created multiple new fronts that are likely to spread lobbying resources thin, and state governments tend to be more responsive to their constituents.  If even a handful of these laws pass it would make life very hard and expensive for ISPs, as they would need to track a patchwork of different regulatory codes. Perhaps ISPs are having a few pangs of regret about their strategy….

  1. Market-driven solutions

Will the free market rise to meet consumer demands for privacy?  Perhaps, for individuals who can afford to pay a premium, are technically savvy, or live in metro areas with competitive internet service markets.  Much of the U.S. population lives doesn’t fall into one of those categories, and that’s tough news for consumers.  On the other hand, the shift in privacy regulations is creating opportunities for ISPs and range of other businesses.

ISP Opportunities

The vast majority of ISPs will move aggressively to monetize consumer data, particularly in areas where the competition is sparse.  As these ISPs develop data monetization capabilities, they’ll begin serving new customers (advertising firms, or potentially brands) whose interests are often at odds with the interests of consumers.  This will limit consumers’ ability to influence ISPs, as consumers are more fragmented, spend less than advertisers on a per customer basis, and have fewer competitive alternatives compared to advertisers.

In more competitive markets, some ISPs are likely to use privacy as a differentiator to attract customers.  For example, Sonic and MonkeyBrains (both of which serve the San Francisco Bay area) are competing on the promise that it won’t sell customers’ data to marketers.  The viability and resilience of this business model still needs to be proven, but it could provide welcome relief for consumers in major metro areas.

Meanwhile, truly new ISPs are unlikely to play a significant role in the market, as barriers to entry are quite high.  Most new entrants would piggyback on the networks of other ISPs, and it’s possible that in this situation network operators would still be able to capture your data, even if your ISP promised not to collect it.

Opportunities Beyond the ISPs

Tools to limit what your ISP can see already exist, including VPNs, browser extensions, and third party DNS providers. However, these are all partial solutions with some limited efficacy and serious drawbacks:

  • They provide an incomplete solution. ISPs will still be able to collect and market some types of personal data.
  • They don’t have the “ease of use” most consumers want. These tools generally require a level of technical savvy to set up and use reliably.  They’re mostly sold or downloaded separately, placing the onus on the consumer to figure it out which combination of solutions makes sense.
  • Perhaps the biggest weakness is that some of these tools can slow down internet speeds – a problem that could get significantly worse as net neutrality is repealed.  Eliminating net neutrality means ISPs can now deliberately slow down internet traffic between you and, say, your VPN of choice.  This creates a significant disincentive to use a VPN. (Bear in mind, you will still be paying the ISP what you were before, but you’re receiving a significantly worse product….and that’s what deregulation gets you in a market that wasn’t free or competitive to begin with.)

VPNs are probably the most effective single privacy tool consumers can use at this time, but the business opportunity for this service is unclear.  The existence of VPNs that appear to lack a profit motive (they promote lofty mission statements about the importance of privacy to a free and open internet, and charge relatively modest fees for their services) might keep some businesses from entering this space…after all, it would be difficult to charge more for a service that competitors deliver effectively at lower cost.

Other interested parties may recognize an opportunity to provide a more integrated and complete online privacy management solution. This approach would be much better aligned with a large demographic of older web users who want or need support selecting and deploying online privacy tools. For these customers, a user-friendly, managed service offering could be compelling, especially if delivered by a company they know and trust. Such a service would be a natural complement for antivirus, identity protection, and even credit monitoring companies. These vendors typically have a substantial customer base in this segment, as well as a high degree of trust and name recognition, and privacy services could present an attractive adjacent opportunity for them.

Regardless of which solutions emerge, consumers will almost certainly bear the cost of defending their privacy on an individual basis. While I find some small comfort that in the absence of regulatory action, private sector solutions will eventually emerge, the timing, quality, and cost of these options remains to be seen.  Questions remain about what consumers would be willing to pay, how lucrative the privacy services market could become, and how federal and state regulations will evolve.  The answers to these questions will likely shape how seriously companies and investors treat this opportunity, and which solutions emerge.

What’s the Big Deal About Internet Privacy (Part 3)

This is the third installment of a four part series on the recent repeal of the 2015 FCC privacy rule. Here are links to Part 1 and Part 2.

Part 3: Stakeholder concerns – who are the winners and losers?


The Winners – ISPs and Retailers

ISPs are the only real winners of the FCC rule roll-back, and honestly, they had a lot at stake. Targeted ads have become an essential component of ISP growth strategies, for very good reason: the market for cellular connectivity isn’t really growing – everyone basically has a provider, which means the game is less about finding new customers and more about getting them to switch, usually by offering heavily reduced prices; Fiber to the home (FTTH) and cable markets are growing, but network build-outs are costly and slow, limiting near term profitability; ISPs are faced with dwindling options for growth: they can either get customers to buy more services, or find other ways to monetize the value of their customer base. The former is a tough proposition – you can’t just raise prices on basic services or customers will switch providers. Offering new services to consumers (think TWC’s “intelligent home” offering) will only get you so far, as it requires the customer to value the service enough to reallocate their disposable income away from something else. That basically leaves monetizing customer data as the most viable option, and certainly the most profitable one. The U.S. advertising market was worth ~$200 billion in 2016 (by far the largest in the world), with over $50B spent on digital advertising. ISPs want a piece of that pie, and the FCC rule would have made it more difficult to compete by requiring customers to consent to the collection and sale of their data.

ISPs are well positioned to compete in certain segments of the digital ad market, in particular with targeted ads. Somewhere around $22B will be spent on programmatic ad buys in 2016, and that number is widely expected to grow aggressively through 2020.  (“Programmatic” advertising is basically another term for targeted advertising, where an automated platform matches the brand/buyer with the desired target audience).  Types of programmatic advertising include audience (targeted based on demographics), behavioral (targeted based on online activity), retargeting (targeted based on search history), and geotargeting (location-based targeting). A great summary of these categories can be found here.

I would wager that demographic-based targeting isn’t particularly exciting for ISP’s, nor is retargeting, where search and social media platforms will likely continue to be better positioned.  ISPs have terrific ability to deliver location-based ads on both mobile and in-home devices, which up to this time has been done primarily through application or O/S software, and no doubt they will wade into these waters.  But even this pales in comparison to the opportunity presented by behavioral targeting. There is growing consensus among advertising professionals that behaviorally-tailored as are among the most effective ways to motivate a purchase, but internet platforms are still developing and refining their tools and trying to prove that they’re effective. It’s a growth market with very strong demand for a quality product, and plenty of room for new entrants.  ISPs have a significant potential competitive advantage, in that their networks could provide unparalleled visibility into the online activity of individuals across multiple devices.  ISPs simply have access to more data points about an individual, and these data points are the raw material from which they, or their advertising partners, can build a nuanced a picture of who that person is. Social media platforms (i.e. Facebook) can provide valuable insights about some users, but what about the population that rarely or never uses social media?  ISPs can provide similar or potentially better insight into the habits and mindsets of these consumers. Think about what the sum of your online activity, television viewing habits, and other interactions with connected devices could reveal about you, and what that would be worth to advertisers.

Retail brands seeking effective marketing channels stand to gain as well, as increased competition in the digital advertising space will lead to lower prices and better products.


The Losers – Internet Platforms and American Consumers

Search and social media platforms had a clear financial interest in keeping ISPs out of the targeted advertising market, as ISPs are now a competitive threat in their core advertising markets.  This isn’t the first time Internet giants and ISPs have butted heads on policy – they stood on opposite sides of the net neutrality debate as well, for similar reasons (primarily financial).  But once again, the policy interests of Internet Platforms happen to align with the interests of consumers.

The business model these companies use – providing free, high quality services that consumers want, paid for by advertising revenue – is a model that consumers have more or less accepted, depending on the service.  If you don’t want to see ads, some sites and apps allow consumers to pay for an ad-free version of the service. If a site or app insists on collecting cookies, you can always find an alternative or choose not to use the service at all.  ISP’s business models, and the nature of the services they provide, are different. People pay for internet connectivity – sometimes quite a high monthly rate.  And now every service people use, all the data that flows back and forth on that network is visible to a single company.

I would argue there should be greater privacy protections for consumers everywhere – whether it’s a search engine, a social media platform, a mobile app, or an ISP collecting the data.  Right now, either you use the internet as part of modern society and allow your data to be mined, or you lead an ascetic life.  It’s not a real choice for most people. Recent research into consumer sentiment revealed that if people were given a real choice, a majority would limit the sharing of their personal data. The FCC rule wasn’t perfect, but it was a first step toward correcting this situation, and would have afforded consumers more control over their privacy.

In addition to taking away consumer choice, repealing the FCC rule blocked the chance for an alternative business model to emerge. This third business model would have actually compensated consumers for their data, which philosophically, I believe each individual rightfully owns.  The FCC rule didn’t prohibit ISPs from competing in the digital ad market, it simply required them to get permission first.  Given that consumers don’t feel the current trade-off is fair, ISPs probably would have need to find a way to incentivize people to participate. A rebate on your monthly internet bill, for example.  Perhaps a platform connecting data brokers with individuals that fit a certain profile.  Maybe even tools that can track personal data after it’s sold, can ensure the data isn’t resold or repurposed without authorization, and can destroy the data after it is used.  There were numerous possibilities, but Congress removed any inventive for ISPs to pursue these models by making personal data collection involuntary.

Consumers also have much to lose as targets of behavioral advertising – the end result of this data collection.  Behaviorally-targeted ads, when done well, have great power to manipulate our opinions, actions, and even how we see ourselves.  It’s important to remember that these same tools will have applications in politics, and with no limits on election spending we can be assured they will be used extensively. Far too few people are even aware of what data is being collected and how it’s being used, but even with that visibility, the impact of a clever ad can be hard to recognize.


The fourth and final installment in this series will look at what is likely to come next, and what can be done about it.

What’s the Big Deal About Internet Privacy? (Part 1)

If you follow the news, you might be aware that the 115th Congress just changed some rules around internet privacy.  If you’re aware of the potential implications for consumers you’re probably in the minority.  If you’re able to explain what exactly happened and what it means for the stakeholders involved, you’re in a small group indeed. The lack of public understanding of this issue is forgivable: Broadband internet regulations are a complex issue, and truly understanding the policy implications of this move requires time and effort that most people simply don’t have. But it’s also a shame, because this rule change will impact everyone, whether we realize it or care.

In order to really understand what just happened and what it means, we need to consider the following:

  • Historical context – how did we get here?
  • The FCC rule and current policy – why does it matters?
  • Stakeholder concerns – who are the winners and losers?
  • The future of the industry – what happens next?

This post is the first of a four-part series in which we examine these questions one at time, beginning with a brief overview of the historical context for the FCC rule.

Historical Context – How did we get here?

The Communications Act of 1934

To understand where we are, we need go all the way back to the Communications Act of 1934, which established the Federal Communications Commission (FCC). This act effectively consolidated prior regulatory frameworks and created a single enforcement body to “regulate interstate and foreign commerce in communication by wire and radio so as to make available, so far as possible, to all the people of the United States a rapid, efficient, nationwide, and worldwide wire and radio communication service with adequate facilities at reasonable charges….”

The Communications Act of 1996

The Communications Act stood largely unaltered until 1996, when Congress updated the law. It’s safe to say that the 1996 update is where our current internet policy has its roots: In addition to addressing local and long distance telephony and cable regulations, the act addressed for the first time how internet services companies would be treated. At the time the internet was still largely a novelty, and it would have stretched the imagination to call it an essential service. Ultimately lawmakers, heavily shaped by the telecoms industry but also not wrong, decided to reduce regulatory barriers on internet service providers in order to increase competition and accelerate private sector innovation and investment.  They executed this goal by creating a separate class of communication services company: the “information services” provider.  This action released internet service providers from the stricter regulations governing telephony and traditional telecoms companies.

Times changed…quickly

Do you remember what the internet was like in 1996?  The world changed quickly over the past twenty years.  As a result, the FCC began considering reclassifying ISPs as common carriers under Title II as far back as 2010.  Proponents for change argued that individuals and businesses had come to rely on broadband services for all manner of public and private communications of varying sensitivity: email, banking, commerce, and even government functions like license renewal and tax filings.  None of this was top of mind for lawmakers in 1996, although it was foreseen by some in industry.

Common carriers

As the shift in use began to accelerate, so did discussions of how policy should evolve.  The industry fought this shift, ramping up lobbying spending over the course of the past decade.  Despite fierce opposition from service providers, in February 2015 FCC Commissioners voted 3-2 to designate Broadband ISPs as “common carriers” under Title II of the Communications Act. This meant broadband ISP would be required to act in the public interest on issues of privacy, security, and fair access. The shift manifested in new rules requiring ISPs to:

  1. Get permission from customers to collect, use, and sell their personal data
  2. Strengthen broadband network security

Following the FCC rule change, ISPs launched a legal challenge that was rebuffed in a 2015 appellate court decision which agreed with the FCC majority view that broadband is an essential service.

A side note: ISP trade groups have fueled a misperception that the FCC rule change would treat broadband like a “utility”. The 2015 FCC rule did NOT classify broadband as a utility. “Common carrier” status is different from “utility” status, and Title II governs both. Common carriers are not subject to regulation of price, service quality, and customer service responsiveness, unlike utilities.  Common carriers are regulated on privacy, security, and fair access.  It’s an important distinction, and the misrepresentation of the FCC rule change has distracted from real debate on the merits of the policy.

Congressional action

The rule change provided for a transition period, essentially giving ISPs until 2018 to meet requirements.  As such, the rule hadn’t even taken effect when the 115th Congress convened, and in March used its powers under the Congressional Review Act to dismiss the FCC rule.


To sum up, the FCC has owned regulation of ISPs since such regulation began.  Initially, the FCC correctly decided to limit regulation of ISPs in order to accelerate investment and innovation.  The world changed, and the FCC attempted to update policy to reflect the role that the internet plays in our lives and in the economy.

Part 2 builds on this historical primer and explore the merits of arguments for and against the 2015 FCC rule change.