Tuesday, December 13, 2016

MPP alum Ido Sivan Sevilla on FCC privacy regulations

The FCC’s Latest Privacy Regulations: A New Stance on Private-Sector Protections?
Posted on December 12, 2016

Editor’s Note: This post was written by guest contributor Ido Sivan Sevilla, a Ph.D. candidate in Public Policy & Information Security at the Hebrew University in Jerusalem. Mr. Sevilla earned his Master’s degree in Public Policy Analysis as a Fulbright Scholar at the University of Minnesota – Twin Cities, and served as a Legislative Fellow for Congressman Ami Bera of California’s 7th Congressional District. Mr. Sevilla’s research focuses on cyber security in national defense and the public sector.

The Federal Communications Commission’s (FCC) recently published regulations for Internet Service Providers (ISPs) are significantly different from previous federal privacy regulations. To some extent, these new regulations follow a trend of increased privacy protections in the post-Snowden era.[1] Nonetheless, in many aspects, these privacy protections are qualitatively different from other privacy regulations that have emerged in the last few years. They are aimed at key private stakeholders; pose unified data breach notification and data security requirements to advance both privacy and cyber-security; and advance consumer privacy at the expense of corporate revenue. Are we at the brink of a new regulatory model for private-sector privacy protections in the United States?

ISPs are everyone’s gateway to the Internet. They exist at a critical junction between our personal devices and the websites and services we choose to explore. Potentially, they can learn about our browsing history, the nature of our search queries, the efforts we make to hide ourselves online, and the applications we use to connect with the world. As private companies, they hold metadata based on our online behavior that even the most sophisticated encryption solutions cannot hide[2] and then translate this valuable data into revenue.[3] Data analysts can easily deduce our dreams, fears, desires, and personality by applying big-data analytics to this sensitive information.[4] That is why this information is worth a fortune. It is the fuel that powers both our information economy and our surveillance society.[5] Governments and corporations are equally interested in using this data to accurately profile individuals,[6] and both view ISPs as an easily accessible gold mine of information that can be used to serve their interests.

The U.S. government recognized the importance of ISPs a decade ago. In 2006 the FCC required ISPs to design ‘surveillance-friendly’ infrastructures that would allow law enforcement agencies to easily wiretap their desired network traffic given an authorization from a court.[7] Ten years later, the FCC has finally moved on from ensuring that ISPs permit government surveillance to requiring ISPs to protect the privacy of their customers.

The new FCC rules are innovative for three main reasons. First, these regulations are no longer based on the content of the information at stake. Thus far, cyber-security and privacy regulations that protect personal information have only applied to the medical, financial, and federal government sectors. By targeting ISPs broadly, the government has signaled that the previous paradigm, which was reluctant to impose any kind of restrictions on private players in the Internet economy, is starting to change.[8] Regulating privately owned companies that handle all types of personal information is something the United States has never seen before. FCC regulators were probably influenced by their colleagues in the European Union, who embraced an even broader approach and tackled ‘Digital Service Providers’ (DSPs) across the financial, health, transport, and digital infrastructure sectors through the recently enacted Network and Information Security (NIS) Directive.[9]

Second, the new rules require up-to-date data security practices and impose federal data breach notification requirements on all ISPs. The issue of breach notification, despite its importance to the cyber-security of a firm and the privacy of its customers,[10] has struggled to gain Congressional support for almost a decade.[11] The U.S. currently has forty-seven breach notification laws at the state level, but no national data breach law. This new FCC requirement brings us closer to a unified notification standard that increases the privacy of customers and the cyber-security of organizations at the same time.[12]

Third, the new rules break the standard Internet business model fueled by the processing and selling of personal information in exchange for ‘free’ services.[13] ISPs that benefit significantly from accessing and using personal information must now become more transparent and obtain user consent prior to processing their information. This elevates consumer privacy over ISPs’ business interests, which may require them to rethink their business model altogether. This might even pave the way for ISPs to offer incentives to consumers for sharing their personal data. In 1996, Kenneth Laudon, a professor of information systems at NYU, published a seminal paper in which he embraced a market-based approach to privacy and suggested that privacy may be protected through market mechanisms.[14] Laudon suggested establishing ‘banks of personal information’ that would control all our data and collect benefits for us each time we agreed to let an entity use our personal information. The FCC’s new regulations, twenty years later, might be the first step toward embracing this innovative model.

Unsurprisingly, 91% of Americans strongly believe that they do not have control over the way their personal information is collected.[15] Do these rules increase our digital privacy and security? As always, the devil is in the details. The compliance and enforcement of these regulations will set the tone. However, we can already see how these rules apply broadly to information holders across sectors, take us one step closer to a unified data breach notification standard, and prioritize individual privacy over corporate revenue. These new regulations are a significant step towards tackling privacy threats from the private sector, even if they do not address ISP cooperation in government surveillance.

[1] Since the Snowden revelations, we have witnessed several court rulings that have strengthened privacy (see, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016); Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C. 2013)) and an increasing amount of pro-privacy legislation and proposals in Congress, at rates that are comparable to the 1970s and early 1980s in the U.S. federal arena.

[2] The inability to hide metadata is explained in a Berkman Center report from last February. See Don’t Panic: Making Progress on the “Going Dark” Debate, The Berkman Ctr. for Internet & Soc’y (Feb. 1, 2016), https://cyber.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf. The debate over the significance of information held by ISPs is still ongoing. Some argue that it is not that unique and sensitive. See Peter Swire et al., Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others, Inst. for Info. Sec. & Privacy (Feb. 29, 2016), http://www.iisp.gatech.edu/sites/default/files/images/online_privacy_and_isps.pdf. Others, including myself, disagree and believe that such personal information is indeed significant. See Nick Feamster, What Your ISP (Probably) Knows About You, Freedom to Tinker (Mar. 4, 2016), https://freedom-to-tinker.com/2016/03/04/what-your-isp-probably-knows-about-you/.

[3] Bruce Schneier has accurately described how the Internet’s economy works. See Bruce Schneier, Surveillance as a Business Model, Schneier on Sec. (Nov. 25, 2013), https://www.schneier.com/blog/archives/2013/11/surveillance_as_1.html.

For information on the marketing uses of personal information by ISPs, see Stephen Northcutt, ISPs monitor what you do on the Internet and sell the information for marketing purposes, SANS Tech. Inst. (last visited Dec. 10, 2016, 10:58 PM), http://www.sans.edu/research/security-laboratory/article/superclick-privacy.

[4] Jon Brodkin, AT&T’s plan to watch your Web browsing—and what you can do about it, Ars Technica (Mar. 27, 2015), http://arstechnica.com/information-technology/2015/03/atts-plan-to-watch-your-web-browsing-and-what-you-can-do-about-it/3/.

[5] See David Lyon, Surveillance, Power and Everyday Life, Oxford Handbook of Info. and Comm. Tech. (2009), http://www.sscqueens.org/sites/default/files/oxford_handbook.pdf.

[6] Although their reasoning differs: governments are interested in increased control over citizens in order to prevent threats, while private companies want to predict the interests of potential customers and sell products.

[7] Communications Assistance for Law Enforcement Act, FCC (June 29, 2016), https://www.fcc.gov/public-safety-and-homeland-security/policy-and-licensing-division/general/communications-assistance.

[8] For an overview of the lack of privacy and cyber-security regulations on the private sector in the U.S., see Amitai Etzioni, The Private Sector: a Reluctant Partner in Cybersecurity, Inst. for Communitarian Pol’y Studs. (Dec. 19, 2014), https://icps.gwu.edu/private-sector-reluctant-partner-cybersecurity.

[9] The Network and Information Security Directive – who is in and who is out?, The Register (Jan. 7, 2016), http://www.theregister.co.uk/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/.

[10] Linda Musthaler, Why Prompt Breach Notification is Important, Corero (July 15, 2014), https://www.corero.com/blog/579-why-prompt-breach-notification-is-important.html.

[11] Since 2003, Members of Congress have been unsuccessful in passing a federal breach notification law. See Alissa M. Dolan, Data Security and Breach Notification Legislation: Selected Legal Issues, Cong. Res. Servs. (Dec. 28, 2015), https://www.fas.org/sgp/crs/misc/R44326.pdf.

[12] When facing costly notification requirements, companies are incentivized to invest in cyber-security.

[13] Shoshana Zuboff has called this phenomenon ‘surveillance capitalism’ – the accumulation of data by the private market. See Shoshana Zuboff, Big Other: Surveillance Capitalism and the Prospects of an Information Civilization, J. of Info. Tech. 75 (2015), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754.

[14] See Kenneth C. Laudon, Markets and Privacy, Comms. of the ACM 92 (1996).

[15] See Statement of Commissioner Mignon L. Clyburn Approving in Part and Concurring in Part, FCC (last visited Dec. 10, 2016, 11:16 PM), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1027/DOC-341937A3.pdf.

Reprinted from Columbia Science and Technology Law Review: http://stlr.org/2016/12/12/the-fccs-latest-privacy-regulations-a-new-stance-on-private-sector-protections%3F/