The privacy practices of four major broadband service providers and one big disruptor are getting a hard look from the Federal Trade Commission. Comcast, AT&T, Verizon, T-Mobile and Google Fiber were given 45 days to produce detailed information about their business practices and subscribers, with particular emphasis on how they collect information about customers, whether it’s done with genuine permission, and what they do with it.
The information demanded by the FTC includes statistics on how many people actually read privacy policies, along with what promises to be a tall stack of those policies – every single one that’s been written by the companies, including copies that might be “different from the original because of notations on the copy”.
One particular concern of the FTC is whether the companies treat customers differently based on the degree of privacy they’re willing to surrender…
Has the Company ever offered different levels of service, quality of service, rates, pricing, rewards, or other incentives for consumers who opt-in to the collection of information about themselves, their Devices, their communications, their viewing history, or their online activities? If so, Describe in Detail such practices and produce Each materially different notice provided to consumers concerning the practice…
Has the Company ever denied service, or otherwise degraded the quality of service, for consumers who fail to opt-in to the collection of information about themselves, their Devices, their communications, their viewing history, or their online activities, beyond information that is necessary for the provision of Internet or cable services? If so, Describe in Detail such practices and produce Each materially different notice provided to consumers concerning the practice.
AT&T and Verizon will have to produce information about both their wireline and mobile subsidiaries. It’s probably a good assumption that Comcast will have to submit data about its wireless business practices too. One company that’s notably absent from the list is Charter Communications, which has nearly as big a market share as Comcast. Sprint is missing too, but it’s the smallest of the major mobile carriers and might not be around much longer anyway.
Intentional or not, the FTC’s fishing – whaling – expedition is a welcome response to a damning assessment by the federal general accounting office that the agency is largely clueless about the online world.
The federal government’s primary consumer protection agency – the Federal Trade Commission – doesn’t think too hard about policing online privacy violations, according to a report by the General Accounting Office. Generally, the FTC can act when a company engages in unfair or deceptive business practices. Figuring out what’s fair and what’s not in cyberspace is a complete puzzle, and impenetrable terms of service and other digital fine print typically give companies a get out of jail free card, the report notes…
The report notes that both California and the European Union have online consumer privacy laws in place, but there’s no federal equivalent in the U.S. It concludes with a recommendation to congress that it “should consider developing comprehensive legislation on Internet privacy”, including identifying which agency is responsible for what and, somehow, balancing “consumers’ need for Internet privacy with industry’s ability to provide services and innovate”.
There’s also an interesting list of FTC privacy enforcement actions at the end of the report. It summarises 101 cases over ten years, between 2008 and 2018. Most ended with no penalties or other meaningful result at all, although a rumored multibillion dollar smack at Facebook would, if true, change that calculus. A few resulted in million dollar-plus penalties but the remainder ended with relative slaps on the wrist. It’s a clear illustration of why the FTC needs better direction and motivation if it’s to be the “nation’s premier consumer protection cop”.
Comcast and Charter Communications want the Federal Trade Commission to preempt California’s data privacy law, and any other state laws regarding broadband service. In comments filed last week, the National Cable and Telecommunications Association (NCTA), which serves as a Washington, D.C. lobbying front for Comcast, Charter and other cable companies, asks the FTC to tell state lawmakers and officials that they can’t enforce broadband service rules beyond what federal regulators think is appropriate (h/t to Jon Brodkin at Ars Technica for the pointer)…
The FTC should ensure that the Internet is subject to uniform, consistent federal regulations, including by issuing guidance explicitly setting forth that inconsistent state and local requirements are preempted…
California’s recently enacted California Consumer Privacy Act of 2018 imposes numerous requirements that differ from, and even conflict with, federal law. Moreover, a patchwork of state-level rules applying only to BIAS providers would undercut existing federal policy basing enforcement on what information is collected and how it is used, rather than on who is collecting the information. Any FTC guidance to state entities on the need to ensure consistency with FTC and FCC policy and precedent in the Internet arena thus should cover privacy and data protection issues as well.
NCTA argues, falsely, that the market for broadband service is “substantially” and “increasingly” competitive. That’s true in a few isolated areas, but overall the trend is toward greater monopolisation of the Internet service industry. The minimum speed level necessary to take advantage of what NCTA calls “a wide array of Internet-delivered video offerings” continues to rise. More and more, cable operators are the sole source of broadband service that meets contemporary needs.
Charter and Comcast are preparing a new line of attack against state-level privacy and network neutrality rules. If, as some legal experts believe, the Federal Communications Commission has taken itself out of the broadband regulation business, then the FTC is their best hope to kill those laws, particularly California’s new consumer privacy law and its pending resurrection of network neutrality standards.
The Federal Trade Commission can apply consumer protection laws to broadband service, even when a telephone company is delivering it. A federal appeals court in San Francisco made that clear on Monday when it rejected AT&T’s argument that the FTC’s authority doesn’t extend to telephone companies or other providers that have “common carrier” status.
The case came about because AT&T began throttling broadband speeds on iPhones with unlimited mobile data plans. The FTC sued AT&T, saying it was an “unfair and deceptive” practice. It’s the kind of enforcement action that the Federal Communications Commission assumed the FTC would take when it scrapped network neutrality rules and declared that broadband is not a common carrier service.
It’s good news to the extent that telephone companies will have to follow the same consumer protection rules as other ISPs. But the case also highlights a major problem with giving the enforcement job to the FTC. Unlike the FCC, the FTC doesn’t directly enforce anything – it has to rely on federal courts, which takes a lot of time. The sin AT&T is accused of committing happened in 2011 and the FTC didn’t sue until 2014. It’s now 2018, with no end in sight.
Death threats kept Federal Communications Commission chair Ajit Pai away from CES, but the acting chair of the Federal Trade Commission, Maureen Ohlhausen, sat down for an interview on Tuesday with Consumer Technology Association CEO Gary Shapiro. Her agency is responsible for broadband consumer protection enforcement, after the FCC bucked the job over last month. Appropriately, Shapiro opened with a couple of questions about network neutrality.
Ohlhausen said her concern is transparency – service can be pretty much anything so long as terms are disclosed – and the FTC will look at one basic question: whether consumers get what they’re promised. She made vague references to anti-trust laws and the FTC’s reacquired authority over telecoms companies, now that broadband is no longer reckoned to be a common carrier service (although she neglected to mention that her new found authority is under challenge in court). Ohlhausen’s expertise and jurisdiction are clearly not broadband-specific.
Nevertheless, Shapiro tried to draw Ohlhausen out on broadband issues, noting there are “a hundred different telecommunications companies in Europe” that offer lower priced broadband at a variety of speeds, while the U.S. telecoms market is dominated by four players. Ohlhausen said mobile carriers would provide competition in the future, pointing out that they’re now delivering broadband at speeds that consumers would have considered to be adequate a few years ago.
True. But expectations are higher now and will continue to rise. The 5G networks that Ohlhausen is banking on may deliver speeds that consumers likewise consider adequate today. But those upgrades are many years away for most U.S. residents, and their expectations and their bandwidth consumption will continue to rise. Ohlhausen also forgot to mention that the two biggest mobile companies – AT&T and Verizon – belong to Shapiro’s gang of four.
“Good practice, when it comes to handling data, is not something new, it’s something we’ve already done well”, said Marc Rogers, an Internet security researcher. “We have to be careful we don’t get paralysed by worrying about exotic threats”. He was speaking on a panel this morning at CES that looked at the need, or not, for regulating the so-called Internet of things (IoT). When a device in a home, a thermostat for example, automatically sends information to a private company – an electric utility, say – it might not be done with the same degree of privacy and consent that’s involved when a person manually enters data on a website.
Regulations are coming. Federal trade commissioner Maureen Ohlhausen made it very clear that the FTC has consumer privacy and data security at the top of its agenda, although she tried to reassure everyone that it’ll come with a dose of “regulatory humility”.
“We should adopt a regulatory regime that allows innovation, even disruptive innovation, to thrive”, she said, pointing out that federal regulators already have a well-packed tool box, but they’re not quite sure what to do with it. “How do we ensure that consumers get the benefits and minimise the risk, without an undue burden on business?”
“You can have a very serious negative impact if you regulate prematurely”, countered Robert Pepper, VP for global technology policy at Cisco. It’s better to wait for people to arrive at their own rules and expectations by social consensus if possible. “Etiquettes are not developed through regulation, they’re developed bottom up by users”.