Privacy is absolute, security is relative. Or so FCC hints

7 October 2016 by Steve Blum
, , , ,

Sûreté, non pas tant.

Internet service providers – mobile, wireline and fixed wireless – will finally have well defined privacy protection standard to meet if the Federal Communications Commission approves new rules proposed yesterday by chairman Tom Wheeler. Naturally, he only released his own summary; the actual draft rules weren’t released. The FCC keeps details of decisions secret from the public until after they vote. And until after they’ve discussed those details with deep pocketed lobbyists stakeholders.

If you take Wheeler’s summary at face value, the new privacy regulations will apply to all ISPs. There’s no specific mention of lower standards for smaller providers, just that the rules “reflect careful consideration of the needs of smaller ISPs”. Security standards, on the other hand, will definitely depend on “the size of the provider” as well as “the sensitivity of the underlying data” and “technical feasibility”.

The gist of Wheeler’s summary is that security standards, and consumer notification of breaches, will be generally consistent with National Institute of Standards specifications and those already laid down by the Federal Trade Commission.

FTC, rather than FCC, rules will also continue to apply to content companies and other edge providers, “like Twitter or Facebook”.

But assuming commissioners don’t opt to punt on a big decision again, ISPs will have something better than the no lobbyist left behind case by case privacy policy review system currently in place.

As explained by Wheeler’s summary, ISPs will need positive permission from customers in order to share their “sensitive information”, which is defined as

  • Geo-location
  • Children’s information
  • Health information
  • Financial information
  • Social Security numbers
  • Web browsing history
  • App usage history
  • The content of communications

Lobbyists and lawyers won’t be completely left behind. Although ISPs can’t deny service to customers who opt out, they can charge higher prices. How much higher isn’t defined – that’s something the commission will still “determine on a case-by-case basis”.

The FCC is scheduled to vote on the new privacy regulations at its meeting at the end of this month.