The US Senate yesterday voted to eliminate privacy rules that would have forced ISPs to get your consent before selling Web browsing history and app usage history to advertisers. Within a week, the House of Representatives could follow suit and the rules approved by the Federal Communications Commission last year would be eliminated by Congress.
So what’s changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.
But the Senate vote is nonetheless one big step toward a major victory for ISPs, one that would give them legal certainty if they continue to make aggressive moves into the advertising market. The Senate vote invoked the Congressional Review Act, which lets Congress eliminate regulations it doesn’t like and prevent the agency from issuing similar regulations in the future. For ISPs, this is better than the FCC undoing its own rules, because it means a future FCC won’t be able to reinstate them.
Unless the House or President Donald Trump oppose the Senate’s action, ISPs will not have to worry about any strong privacy rules getting in the way of using your browsing history for profit. There won’t be any specific rules requiring them to get opt-in consent before sharing browsing history, even if that data is related to just one customer instead of being aggregated with other customers’ data in order to anonymize it.
Senate Democrats warned before yesterday’s vote that ISPs will be able to “draw a map” of where families shop and go to school, detect health information by seeing which illnesses they use the Internet to gather information on, and build profiles of customers’ listening and viewing history.
The Senate vote was 50-48, with every Republican senator voting to kill privacy rules and every Democratic senator voting to preserve them.
ISPs can’t see encrypted traffic, so if you visit an HTTPS site, ISPs will see only the top-level domain rather than each page you visit. But that’s still plenty, said Dallas Harris, an attorney who specializes in broadband privacy and is a policy fellow at consumer advocacy group Public Knowledge.
ISPs might be able to figure out where you bank, your political views, and your sexual orientation based on what sites you visit, Harris told Ars.
“You don’t need to see the contents of every communication” to develop efficient ad tracking mechanisms, she said. “The fact that you’re looking at a website can reveal when you’re home, when you’re not home.”
An ISP might notice that a particular tablet often visits children’s websites. From that, “they can infer that this tablet then belongs to a child,” and deliver advertising targeted to kids. “The level of information that they can figure out is beyond what even most customers expect,” Harris said.
How the rules have changed
The legal changes all stem from the FCC’s decision in February 2015 to reclassify home and mobile ISPs as common carriers. The reclassification had numerous effects: It allowed the FCC to impose net neutrality rules, but it also stripped the Federal Trade Commission of its authority over ISPs because the FTC’s charter from Congress prohibits the agency from regulating common carriers.
Before the February 2015 reclassification, ISPs could have been punished by the FTC for violating customers’ privacy. But following the FTC rules wasn’t too onerous—the FTC recommends opt-in consent before selling or sharing the most sensitive information, like Social Security numbers, financial information, and information about children. But ISPs could use an opt-out system for everything else, including Web browsing history.
The FCC’s reclassification of ISPs removed FTC authority but imposed privacy requirements from Title II, Section 222 of the Communications Act. The problem is that Section 222 was written in 1996 for telephone service, so the FCC said it would write new broadband-specific rules explaining exactly how Section 222 would be enforced on ISPs. Those rules, including the opt-in requirements, were finalized in October 2016.
Theoretically, Congress and the FCC could return jurisdiction to the FTC by eliminating the privacy rules and eliminating the ISPs’ common carrier classification. But even that might not work, because a federal appeals court ruling in August 2016 said that any company with a common carrier business cannot be regulated by the FTC at all, even when they’re offering non-common carrier services. The common carrier designation is also used for landline phone and mobile voice service; that means ISPs like AT&T, Verizon, T-Mobile, and Sprint could be entirely exempt from FTC oversight. Comcast and other cable companies are only common carriers for Internet service, so they could more easily go back under FTC oversight.
But even if the FTC regains jurisdiction, its guidelines are weaker than the FCC’s privacy rules. Thus, yesterday’s Senate vote could leave us with no rules preventing ISPs from selling your Web browsing histories to advertisers and data brokers without obtaining opt-in consent.
When AT&T charged extra for privacy
The most prominent example of an ISP monetizing customers’ browsing history comes from AT&T. Starting in 2013, AT&T charged fiber Internet customers at least $29 extra each month unless they opted into a system that scanned customers’ Internet traffic in order to deliver personalized ads.
AT&T killed this “Internet Preferences” program shortly before the FCC finalized its privacy rules. But that doesn’t mean ISPs are giving up on advertising.
ISPs “want to be the advertising powerhouse, which is why they fought so hard against these rules,” Harris said. “They want to compete with Google and Facebook and other edge providers in the advertising space. This is going to be their new frontier, a new way for them to increase their profits.”
ISP lobby groups have argued that privacy rules would prevent them from showing Internet users more relevant advertising via “data-driven services,” and would prevent ISPs from competing in the online advertising market. They’ve argued that Web browsing and app usage history should not be classified as “sensitive” information.
Advertising lobby groups, knowing that they could end up working more closely with ISPs, recently thanked Republican lawmakers for taking steps to kill the privacy rules.
AT&T sells advertising via its AdWorks division, which boasts of “more targeted” ads to “more screens,” via TV set-top boxes and online video. Comcast sells online advertising that can appear on xfinity.com and NBC sites. Verizon boosted its online advertising technology when it purchased AOL, and is trying to finalize a purchase of Yahoo.
“They’ve already begun marketing [to advertisers], explaining how they have the ability to track you on four devices,” Harris said. “Because they’re also your cable [TV] providers, they can combine what you’re watching on TV with what you’re doing on the Internet and looking at on your phones and your tablets. They’re heavily invested in this idea that they have a lot of data that can be valuable to advertisers and want to build up that part of their business.”
from Ars Technica http://ift.tt/2odGK2H