This Week's Wireless Warnings
This Week's Wireless Warnings
The Federal Communications Commission, the Federal Trade Commission and the United Kingdom’s Ofcom all weighed in on wireless Internet issues this week. The three big takeaways: 1) Wi-Fi is important; 2) the Internet of Things has some trust issues to work out; and 3) throttled Internet is not unlimited Internet. As Warner Wolf used to say, “Let’s go to the tape.”
Give Us More Wi-Fi – And Don’t Block What We Got
Federal Communications Commissioner Jessica Rosenworcel delivered a speech at the State of the Net conference on January 27. Her focus: Wi-Fi. “We need more Wi-Fi. We need more Wi-Fi because it is an essential on-ramp for Internet connectivity. We need more Wi-Fi because unlicensed spectrum is our best bet for wireless innovation. We need more Wi-Fi because in a world of constant connections it is responsible for billions of dollars of economic activity -- and growth.”
Commissioner Rosenworcel asked to make Wi-Fi a spectrum policy priority and offered three ideas:
- More spectrum for Wi-Fi and unlicensed activity: Commissioner Rosenworcel said the FCC has the opportunity to bring more unlicensed spectrum to market through the smart use of guard bands in the 600 MHz band.
- Revalue unlicensed spectrum: Currently, the Congressional Budget Office assigns value to spectrum when it is licensed and sold at auction so bills that direct the FCC to sell licensed spectrum get high grades, while legislation that creates more spectrum for Wi-Fi gets low marks. Rosenworcel suggested a new accounting method, a “multiplier that accounts for the billions of dollars of activity that new unlicensed spectrum can generate in the economy.” (Of course, with the FCC raising billions by auctioning spectrum, it may be hard to convince policymakers ti change course.)
- End Interference: In 2014, Commissioner Rosenworcel noted, “a bunch of hotels banded together and filed a petition with the FCC. They asked the agency to bless their ability to block hotel guests from using their own Wi-Fi connections under the guise of network security concerns. There are other ways to address legitimate security concerns -- but this is a bad idea.” Wi-Fi blocking, Rosenworcel said, limits the choices and productivity of guests. She called on her fellow commissioners to dismiss the petition without delay.
Later on January 26, the FCC released an enforcement advisory warning that Wi-Fi blocking is prohibited. “Wi-Fi blocking violates Section 333 of the Communications Act,” the FCC reminded and noted that its Enforcement Bureau is “aggressively investigating” the intentional interference by hotels and other commercial establishments. The Commission stressed:
"No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots on such premises, including as part of an effort to force consumers to purchase access to the property owner’s Wi-Fi network. Such action is illegal and violations could lead to the assessment of substantial monetary penalties."
The FCC also reiterated that Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with Wi-Fi, cellular, or public safety communications.
Finally, the FCC provided consumers with information about how to file a complaint if they believe their personal Wi-Fi hotspot has been interfered with.
FCC Chairman Tom Wheeler released a statement accompanying the advisory saying, “Consumers must get what they pay for. The Communications Act prohibits anyone from willfully or maliciously interfering with authorized radio communications, including Wi-Fi. Marriott’s request seeking the FCC’s blessing to block guests’ use of non-Marriott networks is contrary to this basic principle. Protecting consumers from this kind of interference is a priority area for the FCC Enforcement Bureau. The Enforcement Bureau recently imposed a $600,000 fine on Marriott for this kind of conduct, and the FCC will continue to enforce the Communications Act if others act similarly.”
Trusting the Internet of Things
Six years ago, the number of “things” connected to the Internet outnumbered the number of people. The Internet of Things (“IoT”) refers to the ability of everyday objects to connect to the Internet and to send and receive data. The Federal Trade Commission defines the Internet of Things as devices or sensors -- other than computers, smartphones, or tablets -- that connect, store or transmit information with or between each other via the Internet.
On January 27, the FTC released a report, Internet of Things: Privacy and Security in a Connected World, following up on a public workshop held on the issue in November 2013. At that workshop, participants noted that the IoT presents a variety of potential security risks that could be exploited to harm consumers by:
- enabling unauthorized access and misuse of personal information;
- facilitating attacks on other systems; and
- creating risks to personal safety.
Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.
The new FTC report recommends steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to adopt Internet-connected devices. The report includes the following recommendations for companies developing IoT devices:
- Build security into devices at the outset, rather than as an afterthought in the design process;
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network; and
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
FTC staff also recommend that companies consider data minimization -- that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.
FTC staff also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. It acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some Internet of Things devices may have no consumer interface. FTC staff identifies several innovative ways that companies could provide notice and choice to consumers.
The FTC concluded that any Internet of Things-specific legislation would be premature at this point in time.
The FTC also released a new publication for businesses containing advice about how to build security into products connected to the Internet of Things. Careful Connections: Building Security in the Internet of Things encourages companies to implement a risk-based approach and take advantage of best practices developed by security experts, such as using strong encryption and proper authentication. The report describes four ongoing initiatives:
- Law enforcement: The FTC enforces -- among other statutes -- the FTC Act, the Fair Credit Reporting Act, the Children's Online Privacy Protection Act (COPPA), and the health breach notification provisions of the HI-TECH Act.
- Consumer and business education. The FTC is continuing efforts to provide advice for businesses.
- Participation in multi-stakeholder groups. The FTC is already working with groups considering guidelines and best practices -- and those efforts will continue.
- Advocacy. The FTC will look for opportunities to share its perspectives with other government agencies, state legislatures, and courts to promote protections in this area.
FTC Commissioner Terrell McSweeny penned an op-ed for Recode concluding: “Now is the time to insure there is a clear set of ground rules for the security of [IoT] products -- before the marketplace and our homes fill with exploitable devices. Congress should pass comprehensive data security legislation establishing the basic requirements for how to notify consumers when breaches occur and creating a technology-neutral security framework that will provide clarity to consumers and innovators.”
Writing for GigaOm, Stacey Higginbotham digests the FTC’s Internet of Things: Privacy and Security in a Connected World and with an eye on innovation. She sees hints that the next innovation isn’t built around how fast a company can code or iterate, but on its data streams and the quality and defensibility of its algorithms. And in that world, Higginbotham suggests, the threat of legislation around data privacy and even some of the more-reasonable consumer opt-ins or disclosure suggestions around user data found in the FTC report are an existential threat. She realizes, however, that responsible data analysis can bring great societal and personal benefits. But the threat of misuse of data will be enough to turn some people way from adopting some of these technologies. “The hard part will be convincing the industry to make the internet of things a great experience,” she concludes, “perhaps by teaching it to see the public as human beings rather than just consumers.”
Interestingly, Ofcom, the UK’s telecommunications regulator, this week called for international industry standards on privacy in the Internet of things. Ofcom identified data privacy and consumer literacy as the primary areas of concern.
“We have concluded that a common framework that allows consumers easily and transparently to authorize the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector,” Ofcom wrote. “If users do not trust that their data is being handled appropriately there is a risk that they might withhold its use.”
Throttled Internet is Not Unlimited Internet
On January 28, the FTC released word that prepaid mobile provider TracFone, owned by Mexican billionaire Carlos Slim, had agreed to pay $40 million to settle charges that it deceived millions of consumers with hollow promises of “unlimited” data service. The FTC’s complaint against TracFone alleges that since 2009, TracFone has advertised prepaid monthly mobile plans for about $45 per month with “unlimited” data under various brands, including Straight Talk, Net10, Simple Mobile, and Telcel America. But despite emphasizing unlimited data in its advertisements, TracFone drastically slowed or cut off consumers’ mobile data after they used more than certain fixed limits in a 30-day period.
Counter to the marketing promises, the FTC alleges that TracFone regularly either slowed down consumers’ data speeds – known as throttling – or cut off their data entirely when they used more than certain fixed amounts of data in a 30-day period. TracFone even terminated all the services (talk, text, and data) of some consumers. As described in the FTC’s complaint, throttled customers often experienced slow-downs of at least 60% and sometimes even 90%, significantly impairing their ability to engage in online activities like streaming video.
The FTC alleges that TracFone varied its data limits, but generally slowed data service when a customer used one to three gigabytes, and suspended data service at four to five gigabytes. When consumers approached TracFone’s limits, they would often receive a call that warned them for the first time about their “excessive data usage” but did not disclose TracFone’s data limits, according to the agency’s complaint.
The complaint states that there was no technical reason for TracFone to limit data, such as to reduce network congestion; rather, internal documents showed that the company’s data policies were created to “reduce the high costs associated” with providing the unlimited data that it had promised.
In addition to the $40 million in consumer refunds that it must pay under its settlement with the FTC, TracFone is prohibited from making further deceptive advertising claims about its mobile data plans, and must clearly and conspicuously disclose any limits on the speed or quantity of its data service.
What can other companies take from the TracFone settlement? The FTC’s Lesley Fair writes:
- Mobile products and services may be new(ish), but there’s nothing new about the truth-in-advertising principles that apply. And one of those central tenets is that the FTC looks at representations from the consumer’s perspective. That’s why – to use an obvious example – it’s unwise to make the express claim that a service is unlimited if what you really mean by “unlimited” is, well, “limited.”
- If the disclosure of information is necessary to prevent an ad from being deceptive, the disclosure must be clear and conspicuous. If you advertise a service as unlimited, don’t bury key restrictions in blocks of fine print placed where consumers aren’t likely to see them. What principles should companies consider in their approach to disclosures? The FTC staff guide, .com Disclosures: How to Make Effective Disclosures in Digital Advertising, is a good place to start. (Do you advertise on TV or in print? It's still worth a read.)
- Like some other recent cases, the TracFone refund program will be coordinated with a pending class action. Of course, that case is separate from the FTC's law enforcement action, but when it’s in consumers’ interest to have refunds administered that way, the FTC will work with all parties to streamline the process.
We had an exciting week for wireless – but also for wired broadband, too. The FCC released a finding that broadband deployment in the U.S. -- especially in rural areas -- is failing to keep pace with today’s advanced, high-quality voice, data, graphics and video offerings. The FCC also adopted a new definition of broadband, one meant to reflect advances in technology, market offerings by broadband providers, and consumer demand. We promise to give you a more complete look at the FCC’s findings after we get a look at its report. So, ‘til next week, we’ll see you in the Headlines.