The FCC’s Important Move for Online Privacy

The FCC is on the verge of creating sensible privacy rules for ISPs

The postal service is not allowed to open your letters to read what you’ve written inside. It’s also not permitted to develop a list of your correspondents to sell to advertisers. Your telephone company is forbidden from listening in on your phone calls or selling the list of numbers you dial to marketers, at least not without your permission.

It may surprise you to learn that these common sense privacy rules may not yet apply to your Internet service provider (ISP). The good news is that the Federal Communications Commission (FCC) plans to vote in a few weeks on sensible, modest rules of the road to give you the kind of privacy protections you probably already assume you have.

Your ISP owes you legally binding privacy protections for the same reason you expect privacy from your phone company and the postal service. We have long applied special rules to so-called “common carriers.” These rules, including heightened obligations to respect privacy, reflect the idea that, in a modern world of communications and transportation, you can rely on trusted third parties to bring valuable things and information from Point A to Point B. You pay these common carriers for their important, infrastructural service, and, in return, we legally obligate them to protect what they carry.

ISPs jeopardize your privacy in ways that even the phone company and postal service (and other common carriers like railroads) do not. The genius of the Internet is its intrinsically-distributed design. In any given hour you spend clicking on a browser or tapping on a smartphone, your messages, pictures, and reading and viewing habits get scattered across dozens or maybe hundreds of different websites, apps, and social networks. You enjoy a small measure of privacy from the fact that no single company can easily monopolize a view of your activities.

The exception is your ISP. Your ISP is the mandatory first hop to the rest of the Internet, and everything you do while connected to a particular ISP flows first through its servers. Your ISP can develop a nearly-comprehensive picture of what you do that other companies would pay a king’s ransom to be able to access.

Terrified of the FCC’s sensible and modest proposal, the ISPs have argued that instead of creating rules to govern their behavior, it would be better if you were required to spend your time, energy, and money fighting back against their 24/7 surveillance. How?

  • By switching between work, mobile, and home accounts,
  • Avoiding websites that don’t use encryption,
  • Subscribing to a privacy-shielding (often expensive and difficult to configure) virtual private network and
  • Surfing from a coffee shop.

It’s preposterous to suggest that privacy requires this kind of extraordinary effort. Even worse, the landscape of privacy self-protection is always shifting, so what works for you today won’t work for you tomorrow. You would need to be an expert with enough time to keep up with every technological twist-and-turn to engage in the kind of self-help the ISPs have in mind. Case in point? The “private browsing” or “incognito mode” in your browser that you have come to rely on to protect your privacy does nothing to limit your ISP’s view of what you do online.

ISPs would need to get your permission before they engage in privacy-piercing conduct

Given all of the risks to your privacy from your ISP, I wish I could report that the FCC has proposed to ban ISPs from collecting your surfing habits or selling your preferences to advertisers. In an ideal world, it would do so. But instead, it has offered a far-weaker but still meaningfully privacy-protective alternative: ISPs would need to get your permission before they engage in privacy-piercing conduct. Rather than the opt-out surveillance rule that governs most Internet actors, the FCC would turn the privacy dial up just a teensy amount, subjecting ISPs to an opt-in surveillance rule.

In response to this minor new obligation, ISP lobbyists have, to use a technical term, pitched a fit. They have clogged the FCC’s notice-and-comment record, and inundated FCC offices with visits, in both cases spewing exaggerated fears of economic doom.

Inside their expensive briefcases, these lobbyists have brought the FCC talking points memos that are simply silly. Among their arguments is their feigned concern that you, frail consumer, will be confused by this rule. They should give you more credit: ISPs will need to ask you for permission before they can sell your habits and interests to advertisers. Other companies will not be subject to this rule. Confused? I doubt it.

They also argue that consumers demand that all companies should be governed by precisely the same (very low) privacy rules. Yet consumers have long understood that hospitals have one set of privacy rules, schools another, and banks a third. Consumers have long understood that special privacy rules apply to the postal service and the telephone company. Privacy shifts with context, and it makes sense that our privacy rules should do the same.

There is one argument from the ISP lobby that I agree with wholeheartedly. ISPs are not the only threat to privacy online. Your social network has the power to significantly diminish your privacy. So does the company that writes software for your smartphone, the search engine you use to discover new information online, the app that tracks your location, and the third-party advertiser that builds a dossier of your reading habits. We ought to have new privacy rules, including modest FCC-style opt-in rules, covering many of these companies, too.

But Congress hasn’t written laws to cover these companies, at least not yet. That is a great shame, one I chalk up to a paralyzed Congress’s general inability to address all sorts of problems that it ought to fix. But Congress did write a privacy law for telecommunications carriers in 1996, the law the FCC has decided covers your ISPs.

If the problem is that the Internet lacks enough regulation and that your privacy has been sacrificed as a result, the solution isn’t to be timid about regulating the one part of the Internet that Congress has already acted to protect. The solution is to put in action Congress’s decision by enacting a strong privacy rule for ISPs, restoring a meaningful, but modest, amount of privacy, before we turn to other privacy problems. One step at a time.

If the FCC’s commissioners hold on to their commitments over the next few weeks and resist the continuing barrage from those urging them to water down the new privacy rules, they will accomplish something truly important. They will long be remembered and celebrated for protecting the kind of privacy we need to ensure safe, dynamic, and innovative online spaces.

Paul Ohm is a Professor of Law at the Georgetown University Law Center. He specializes in information privacy, computer crime law, intellectual property, and criminal procedure. He serves as a faculty director for the Center on Privacy and Technology at Georgetown.