The FCC’s Important Move for Online Privacy

The FCC’s Important Move for Online Privacy

The FCC is on the verge of creating sensible privacy rules for ISPs
The postal service is not allowed to open your letters to read what you’ve written inside. It’s also not permitted to develop a list of your correspondents to sell to advertisers. Your telephone company is forbidden from listening in on your phone calls or selling the list of numbers you dial to marketers, at least not without your permission.
Professor Paul Ohm
Professor Paul Ohm

It may surprise you to learn that these common sense privacy rules may not yet apply to your Internet service provider (ISP). The good news is that the Federal Communications Commission (FCC) plans to vote in a few weeks on sensible, modest rules of the road to give you the kind of privacy protections you probably already assume you have.

Your ISP owes you legally binding privacy protections for the same reason you expect privacy from your phone company and the postal service. We have long applied special rules to so-called “common carriers.” These rules, including heightened obligations to respect privacy, reflect the idea that, in a modern world of communications and transportation, you can rely on trusted third parties to bring valuable things and information from Point A to Point B. You pay these common carriers for their important, infrastructural service, and, in return, we legally obligate them to protect what they carry.

ISPs jeopardize your privacy in ways that even the phone company and postal service (and other common carriers like railroads) do not. The genius of the Internet is its intrinsically-distributed design. In any given hour you spend clicking on a browser or tapping on a smartphone, your messages, pictures, and reading and viewing habits get scattered across dozens or maybe hundreds of different websites, apps, and social networks. You enjoy a small measure of privacy from the fact that no single company can easily monopolize a view of your activities.

The exception is your ISP. Your ISP is the mandatory first hop to the rest of the Internet, and everything you do while connected to a particular ISP flows first through its servers. Your ISP can develop a nearly-comprehensive picture of what you do that other companies would pay a king’s ransom to be able to access.

Terrified of the FCC’s sensible and modest proposal, the ISPs have argued that instead of creating rules to govern their behavior, it would be better if you were required to spend your time, energy, and money fighting back against their 24/7 surveillance. How?

  • By switching between work, mobile, and home accounts,
  • Avoiding websites that don’t use encryption,
  • Subscribing to a privacy-shielding (often expensive and difficult to configure) virtual private network and
  • Surfing from a coffee shop.

It’s preposterous to suggest that privacy requires this kind of extraordinary effort. Even worse, the landscape of privacy self-protection is always shifting, so what works for you today won’t work for you tomorrow. You would need to be an expert with enough time to keep up with every technological twist-and-turn to engage in the kind of self-help the ISPs have in mind. Case in point? The “private browsing” or “incognito mode” in your browser that you have come to rely on to protect your privacy does nothing to limit your ISP’s view of what you do online.

ISPs would need to get your permission before they engage in privacy-piercing conduct

Given all of the risks to your privacy from your ISP, I wish I could report that the FCC has proposed to ban ISPs from collecting your surfing habits or selling your preferences to advertisers. In an ideal world, it would do so. But instead, it has offered a far-weaker but still meaningfully privacy-protective alternative: ISPs would need to get your permission before they engage in privacy-piercing conduct. Rather than the opt-out surveillance rule that governs most Internet actors, the FCC would turn the privacy dial up just a teensy amount, subjecting ISPs to an opt-in surveillance rule.

In response to this minor new obligation, ISP lobbyists have, to use a technical term, pitched a fit. They have clogged the FCC’s notice-and-comment record, and inundated FCC offices with visits, in both cases spewing exaggerated fears of economic doom.

Inside their expensive briefcases, these lobbyists have brought the FCC talking points memos that are simply silly. Among their arguments is their feigned concern that you, frail consumer, will be confused by this rule. They should give you more credit: ISPs will need to ask you for permission before they can sell your habits and interests to advertisers. Other companies will not be subject to this rule. Confused? I doubt it.

They also argue that consumers demand that all companies should be governed by precisely the same (very low) privacy rules. Yet consumers have long understood that hospitals have one set of privacy rules, schools another, and banks a third. Consumers have long understood that special privacy rules apply to the postal service and the telephone company. Privacy shifts with context, and it makes sense that our privacy rules should do the same.

There is one argument from the ISP lobby that I agree with wholeheartedly. ISPs are not the only threat to privacy online. Your social network has the power to significantly diminish your privacy. So does the company that writes software for your smartphone, the search engine you use to discover new information online, the app that tracks your location, and the third-party advertiser that builds a dossier of your reading habits. We ought to have new privacy rules, including modest FCC-style opt-in rules, covering many of these companies, too.

But Congress hasn’t written laws to cover these companies, at least not yet. That is a great shame, one I chalk up to a paralyzed Congress’s general inability to address all sorts of problems that it ought to fix. But Congress did write a privacy law for telecommunications carriers in 1996, the law the FCC has decided covers your ISPs.

If the problem is that the Internet lacks enough regulation and that your privacy has been sacrificed as a result, the solution isn’t to be timid about regulating the one part of the Internet that Congress has already acted to protect. The solution is to put in action Congress’s decision by enacting a strong privacy rule for ISPs, restoring a meaningful, but modest, amount of privacy, before we turn to other privacy problems. One step at a time.

If the FCC’s commissioners hold on to their commitments over the next few weeks and resist the continuing barrage from those urging them to water down the new privacy rules, they will accomplish something truly important. They will long be remembered and celebrated for protecting the kind of privacy we need to ensure safe, dynamic, and innovative online spaces.

Paul Ohm is a Professor of Law at the Georgetown University Law Center. He specializes in information privacy, computer crime law, intellectual property, and criminal procedure. He serves as a faculty director for the Center on Privacy and Technology at Georgetown.


Paul Ohm has been a lobbyist for the corporate interests of Google since he worked at Silicon Flatirons, the University of Colorado Law School's Google-funded "stink tank." You will notice that he never highlights the true threat to privacy: edge providers and advertisers such as Google which scan users' e-mail (ISPs cannot see this because it is encrypted) and link it to Web browsing behavior (which edge providers such as Google and Facebook monitor across the majority of Web sites).

Paul is paid to attack hard working ISPs such as my own, which actually uses privacy as a SELLING POINT (we encrypt EVERY user's connection), so as to protect Google's advertising monopolies from competition by ISPs and to hamstring ISPs with needless and onerous regulation. Take what he says with a pound of salt.

LBrettGlass on October 28, 2016 - 3:15pm.

Somebody is "pitching a fit" alright, but it's not the ISP lobbyists as much as the apologists for the Internet advertising duopoly. Google and Facebook collect 85% of new spends on Internet ads today. This is because they view our web surfing activity in unencrypted form on all the web pages that feed their ad networks, which is nearly all of them.

Ohm and the others who feed at trough of the duopoly refuse to deal with present day reality of the web because their arguments sound so much better when couched in terms of appeals to emotion and quaint 19th century analogies.

We live in the age of information. Those who would deny information to responsible parties who can process it for the good of the people deny us the benefits of the information age, such as the power of prediction. Armed with Big Data, it's possible to predict weather patterns, food shortages, disease contagions, and much more. But if the duopoly has its way only two firms will provide these services and reap their benefits.

Imposing 19th century standards on the 21st century information business is profoundly regressive. We need a new generation of progressives who actually value progress.

BubbaDude on October 20, 2016 - 11:35pm.