Tough Broadband Privacy Proposal Draws Support From Former FTC Official
Internet service providers and other critics of proposed broadband privacy rules have spent a lot of time arguing that the potential regulations will place ISPs at a disadvantage to companies like Google and Facebook.
The possible regulations would require broadband providers — but not companies like Google or Facebook — to seek consumers’ explicit consent before tracking their Web activity for ad purposes. Google, Facebook and other so-called “edge providers” tend to use Web-surfing data about consumers for ad purposes unless those consumers opt out.
ISPs and other critics argue that the proposal will confuse consumers, and will make it harder for broadband providers to gain a foothold in online advertising.
This week, privacy expert and legal scholar Paul Ohm, a former senior advisor to the Federal Trade Commission, will tell lawmakers why ISPs are wrong on both points.
“In narrowly circumscribed contexts, Congress has seen fit to create heightened privacy obligations,” he states in written testimony he has submitted to Congress in advance of tomorrow’s hearing about the possible rules. “HIPAA protects the privacy of some health information, FERPA does the same for some education records, and the Fair Credit Reporting Act protects some credit reports, to name only three examples.”
Ohm adds there are several reasons why online gatekeepers — meaning Internet service providers — also should be subject to heightened privacy rules.
Among other reasons, according to Ohm, Internet service providers have “a unique vantage point” into consumers’ behavior, because ISPs are the only players capable of seeing all of a customer’s traffic.
“If you are a habitual user of the Google search engine, Google can watch you while you search, and it can follow you on the first step you take away from the search engine. After that, it loses sight of you, unless you happen to visit other websites or use apps or services that share information with Google,” he writes. “Habitual Facebook users are watched by the company when they visit Facebook or use websites, apps or services that share information with Facebook, but they are invisible to Facebook at all other times.”
He adds that even when sites are encrypted, ISPs still can learn a great deal. “When you visit a website protected by the most widespread form of encryption in use … even though your [broadband access] provider cannot tell which individual page you are visiting on the website, it still can tell the domain name of the website you are communicating with, how often you return, roughly how much data you send and receive, and for how long each visit lasts,” he says.
Ohm also says that ISPs can always compete with companies like Google by developing their own search engines. “A broadband Internet provider that launches a search engine will be able to use the information it takes from its search engine customers in the relatively unrestricted manner the law currently provides for that industry,” he says.
Ohm has long warned that collecting data about Web users could hurt them. In a widely circulated 2012 blog post for the Harvard Business Review, Ohm urged companies to avoid creating a “Database of Ruin.”
He warned that companies are building “digital dossiers” that potentially will contain tens of thousands of facts about people. “I’ve argued that these databases will grow to connect every individual to at least one closely guarded secret. This might be a secret about a medical condition, family history, or personal preference,” he wrote at the time. “It is a secret that, if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm.”
In his testimony supporting the potential privacy rules, he builds on that theme. “The list of websites an individual visits … reveals so much more than a member of a prior generation would have revealed in a composite list of every book she had checked out, every newspaper and magazine she had subscribed to, every theater she had visited, every television channel she had clicked to, and every bulletin, leaflet, and handout she had read,” he states. “No power in the technological history of our nation has been able until now to watch us read individual articles, calculate how long we linger on a given page, and reconstruct the entire intellectual history of what we read and watch on a minute-by-minute, individual-by-individual basis.”
“Providers might respond that they want this information only to reduce us into marketing categories to sell and resell,” he adds. “I derive no comfort from that justification.”