News outlets around the world proclaimed the final deathblow to privacy with President Trump signing a request by the Republican congress to annul privacy restrictions for internet service providers (ISPs). Friends and family were sending me messages of despair, wondering what can be done about their ISP selling their browsing history to whomever may want to see it. Of course, reality is a bit more complex than headlines would like to you to believe. This blog is based on a recent panel organized at the Center for Information Technology Policy, my department in Princeton.
Privacy in the US is mostly regulated and enforced by the Federal Trade Commission (FTC), who can fine and impose rules on companies like Facebook and Google. The FTC does not regulate telecom companies and ISPs (so-called “common carriers”), since the Federal Communications Commission (FCC) exists for this purpose. However, ISPs were only reclassified as common carriers recently, so the Obama-era FCC decided to draw up new privacy obligations for the companies that handle all Internet traffic to people’s homes. These rules would ban ISPs from collecting, storing, and selling their customer’s Internet browsing and communications data without their consent. Many homes in the US do not have a real choice over which ISP to use, as only limited competition exists in the telecom market. Internet privacy can therefore not be left to the market.
The new Republican-led US Congress and President Trump moved to kill this new privacy through a rarely used ‘Congressional Review Act.’ This rarely used procedural rule allows the US Congress to annul regulations from government agencies, such as the Federal Communication Commission’s review of privacy obligations – the regulation in question. Rather than enabling ISPs to sell everyone’s data, the government nullified the new FCC obligations before they could go into effect.
The US regulates privacy with a huge patchwork of separate laws that are sector specific. The FCC tried to patch things up further with these new rules, but the current government has maintained the glaring gap in privacy regulation that resulted from the FCC’s newly gained oversight of ISPs. While, indeed, there seems to be no real regulation of Internet user’s privacy at the ISP level, it is hoped that the renewed interested in Internet privacy will play a major part in the 2018 Congressional elections, possibly leading to proposals for a new and all-encompassing US privacy law. I wouldn’t count on it, though.
ISPs are happy with this development, because they can sell data or access on the lucrative market of people’s internet browsing habits, that reveal much about their personalities. This information is valuable for direct advertising purposes. However, many predict that ISPs will not want to lose their consumers’ trust by selling detailed profiles or browsing histories. Privacy scholars will keep a close and critical eye on how ISPs will monetize this gap in privacy regulation.