This is the final installment of a series. Here are the links to part 1, 2, and 3.
Part 4: The future of internet privacy – what happens next?
The debate over the future of internet privacy is far from settled. Privacy advocates have vowed to fight, while FCC Chairman Ajit Pai is doubling down on his anti-regulatory agenda, announcing his intention to overturn the FCC’s related but distinct net neutrality rules. How will this play out? Outcomes could be shaped by a number of regulatory and/or market forces.
Might the FCC reverse itself?
Probably not…at least for the next five years. Ajit Pai is at the beginning of his 5 year term, and his position on internet regulation is abundantly clear.
Could congress supersede FCC rules by strengthening or enacting new privacy laws?
Yes, but they probably won’t, at least not within the next 4 years. The 115th Congress clearly supports rolling back internet regulations. The midterm elections could very well bring about significant changes, but even in the event that democrats regain control of congress, internet privacy won’t be a legislative priority unless it becomes a priority for the public. While research shows broad public support for privacy regulations, few people would consider it the most important issue for them, and given congress’s dysfunction it will likely continue to be difficult to get anything done. Any privacy bill is unlikely to be signed by a sitting president before 2021, so congress would need enough support to override a veto. In the absence of a groundswell of vocal public support, neither the 115th nor the 116th Congress will enact privacy protections.
Could states enact privacy legislation?
Yes, and there is reason to believe this is more realistic. Ten state governments (and now Maine) have put forward various legislation to protect consumers. ISPs’ success at the federal level has created multiple new fronts that are likely to spread lobbying resources thin, and state governments tend to be more responsive to their constituents. If even a handful of these laws pass it would make life very hard and expensive for ISPs, as they would need to track a patchwork of different regulatory codes. Perhaps ISPs are having a few pangs of regret about their strategy….
- Market-driven solutions
Will the free market rise to meet consumer demands for privacy? Perhaps, for individuals who can afford to pay a premium, are technically savvy, or live in metro areas with competitive internet service markets. Much of the U.S. population lives doesn’t fall into one of those categories, and that’s tough news for consumers. On the other hand, the shift in privacy regulations is creating opportunities for ISPs and range of other businesses.
The vast majority of ISPs will move aggressively to monetize consumer data, particularly in areas where the competition is sparse. As these ISPs develop data monetization capabilities, they’ll begin serving new customers (advertising firms, or potentially brands) whose interests are often at odds with the interests of consumers. This will limit consumers’ ability to influence ISPs, as consumers are more fragmented, spend less than advertisers on a per customer basis, and have fewer competitive alternatives compared to advertisers.
In more competitive markets, some ISPs are likely to use privacy as a differentiator to attract customers. For example, Sonic and MonkeyBrains (both of which serve the San Francisco Bay area) are competing on the promise that it won’t sell customers’ data to marketers. The viability and resilience of this business model still needs to be proven, but it could provide welcome relief for consumers in major metro areas.
Meanwhile, truly new ISPs are unlikely to play a significant role in the market, as barriers to entry are quite high. Most new entrants would piggyback on the networks of other ISPs, and it’s possible that in this situation network operators would still be able to capture your data, even if your ISP promised not to collect it.
Opportunities Beyond the ISPs
Tools to limit what your ISP can see already exist, including VPNs, browser extensions, and third party DNS providers. However, these are all partial solutions with some limited efficacy and serious drawbacks:
- They provide an incomplete solution. ISPs will still be able to collect and market some types of personal data.
- They don’t have the “ease of use” most consumers want. These tools generally require a level of technical savvy to set up and use reliably. They’re mostly sold or downloaded separately, placing the onus on the consumer to figure it out which combination of solutions makes sense.
- Perhaps the biggest weakness is that some of these tools can slow down internet speeds – a problem that could get significantly worse as net neutrality is repealed. Eliminating net neutrality means ISPs can now deliberately slow down internet traffic between you and, say, your VPN of choice. This creates a significant disincentive to use a VPN. (Bear in mind, you will still be paying the ISP what you were before, but you’re receiving a significantly worse product….and that’s what deregulation gets you in a market that wasn’t free or competitive to begin with.)
VPNs are probably the most effective single privacy tool consumers can use at this time, but the business opportunity for this service is unclear. The existence of VPNs that appear to lack a profit motive (they promote lofty mission statements about the importance of privacy to a free and open internet, and charge relatively modest fees for their services) might keep some businesses from entering this space…after all, it would be difficult to charge more for a service that competitors deliver effectively at lower cost.
Other interested parties may recognize an opportunity to provide a more integrated and complete online privacy management solution. This approach would be much better aligned with a large demographic of older web users who want or need support selecting and deploying online privacy tools. For these customers, a user-friendly, managed service offering could be compelling, especially if delivered by a company they know and trust. Such a service would be a natural complement for antivirus, identity protection, and even credit monitoring companies. These vendors typically have a substantial customer base in this segment, as well as a high degree of trust and name recognition, and privacy services could present an attractive adjacent opportunity for them.
Regardless of which solutions emerge, consumers will almost certainly bear the cost of defending their privacy on an individual basis. While I find some small comfort that in the absence of regulatory action, private sector solutions will eventually emerge, the timing, quality, and cost of these options remains to be seen. Questions remain about what consumers would be willing to pay, how lucrative the privacy services market could become, and how federal and state regulations will evolve. The answers to these questions will likely shape how seriously companies and investors treat this opportunity, and which solutions emerge.