When the Federal Communications Commission (FCC) voted last Thursday (Oct. 27) to accept new privacy rules for ISPs, the move was heralded by many as an important step forward in U.S. privacy protections. But a closer look at the particulars shows a decision that has so many exceptions — and and that makes it easy for ISPs to hide customer permission deep within lengthy terms and conditions documents — it amounts to a big backward step for privacy, one that will likely embolden any ISPs that was inclined to violate privacy anyway.
The FCC made changes to the privacy requirements of Section 222 of the Communications Act for broadband ISPs. On the bright side, here’s part of a statement of FCC Commissioner Mignon Clyburn, who voted for these changes: “Why has this Commission, received more than a quarter of a million filings, of which the vast majority show support for the adoption of strong privacy rules? Because consumers care deeply about their privacy — and so should we. Ninety-one percent of Americans believe, consumers have lost control of how their personal information is collected, and used by companies. That’s ninety-one percent. With news seemingly breaking every week, about a cyberattack, massive data breaches, and companies collecting and selling customer data to government agencies, that number should come as no surprise to anyone. So when faced with the question, of should I support requiring companies to give consumers more notice, more choice, and more transparency, you hear no double speak from me. Simply put, additional consent here means, that consumers will have more of a say, in how their personal information is used — and I for one, think that is a good thing.”
I applaud the sentiment, but what came forth from the commission will do little to nothing to advance privacy. Yes, ISPs must now get explicit permission from consumers to release their data, but nowhere is there a prohibition on such permission being hidden in a 29-page T&C form that requires a one-click acceptance to begin the ISP service.
In short, it’s either “accept this agreement” or get ISP service elsewhere — which will be hard to do if every major ISP insists on similar language. If the FCC wanted to truly protect privacy, it would have prohibited ISPs from including this opt-in as part of the agreement to provide services — it should have given consumers the right to reject such data sharing and still retain the right to have broadband service. Alas, that didn’t happen.
Here’s how the FCC described the core changes regarding opt-in: “ISPs are required to obtain affirmative ‘opt-in’ consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.”
Sign up for Computerworld eNewsletters.