nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

As Trump signs away Americans' digital privacy, it's time to bring out the BS detector

Claim and counter-claim: What is the real deal?

By Kieren McCarthy, 4 Apr 2017

Analysis President Donald Trump has rescinded America's digital privacy protections over what ISPs can do with their subscribers' data, signing into law on Monday a joint resolution of Congress.

The resolution passed a controversial vote in the House last week by 215 votes to 205, which followed a vote in the Senate a few days earlier that passed 50 to 48.

The president's action makes official the "congressional disapproval" of rules passed by US consumer watchdog agency the FCC that were due to take effect last month. Those rules would have required ISPs to obtain users' consent before selling their personal data – including location, browser history, health and financial data and other sensitive information – to advertisers.

As has become increasingly common in American politics, however, the issue was decided almost entirely along partisan lines. That, combined with its high-profile nature – it was the lead topic for most late-night chat shows following the vote – meant that we were all subjected to a wave of misinformation masquerading as truth, and even to documents purporting to counteract "myths" that are themselves carefully worded works of fiction.

And so, since it is now the law, we have brought out The Register's patented bullshit detector to wade through the execrable arguments of the past few days and highlight the most significant and/or most inaccurate.

Let's start with the FCC

It was the FCC that had passed the rules, under the chairmanship of (Democrat) Tom Wheeler. And it was also the FCC that stopped them just days before they were due to take effect, under the chairmanship of (Republican) Ajit Pai.

Pai has this to say about the president's signing the joint resolution: "President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers."

We call BULLSHIT on the last part of that sentence, that the rules were "designed to benefit one group of favored companies, not online consumers."

The rules were developed entirely and absolutely to protect online consumers. They required ISPs to get an opt-in from customers for sensitive information, to offer an opt-out for other uses of that data, and to ensure that they appropriately protected that data.

Now, the end result of those rules is that ISPs were put under stronger privacy rules than others. But not at the FCC. In fact the rules were developed from FCC rules covering telephone calls. Your telephone company cannot sell your personal data or who you called to advertisers.

The plan was to extend that to ISPs since the FCC decided that in 2016, the internet had become a utility rather than a service.

What the ISPs were upset about was that companies like Google and Facebook – who offer services on top of internet provision – would not be included in these rules but only the weaker rules run by consumer watchdog agency the FTC.

Now, there is a good argument to be had – and The Register has repeatedly made it – that Google and the FCC got far too chummy with one another, and that many of the FCC's decisions at the tail-end of the Wheeler FCC benefited Google to the detriment of Comcast, AT&T et al.

But that is a wholly different argument to claiming that the FCC privacy rules were "designed to benefit one group of favored companies, not online consumers." They weren't.

Pai Part 2

FCC chair Pai also said in response to Trump's signing: "In order to deliver that consistent and comprehensive protection, the Federal Communications Commission will be working with the Federal Trade Commission to restore the FTC's authority to police Internet service providers' privacy practices. We need to put America's most experienced and expert privacy cop back on the beat. And we need to end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space."

That is largely TRUE, albeit a little misleading.

The FCC does in fact have very limited experience in consumer issues and the FTC is a much better bet in that sense. However, by deciding that the internet was effectively a utility, the FCC had little choice really but to pull ISPs under its privacy rules, which it did, largely using the rules it already had on the books.

That decision did create uncertainty (although "confusion" is pushing it a bit – who exactly was confused?). And, yes, Pai has announced that the FCC will work with the FTC to come up with "consistent and comprehensive protection."

But. Pai is being disingenuous about what is going to happen and how long it will take. First the FCC will have to unravel its legal authority over net neutrality, and then it will have to figure out how to persuade the FTC to adopt new rules.

The reality is that the FCC is going to have a hard time legally defining ISPs. It will be literally the third time that the regulator has tried to do so: the first was struck down by the courts, and the second was upheld, but the FCC itself has now decided to dismantle it.

Any change will have to go through another lengthy and painful process and the idea that the FCC will be able to forge a new data privacy agreement with the FTC at the same time is pure fantasy and everybody knows it.

Pai simply made the decision that it was better to kill off the privacy rules and give himself more room to play with than let them take effect and be boxed in. He made that decision in the full knowledge that every internet user in the US was losing regulatory oversight of what ISPs can do with their personal data.

Fellow FCC Republican take on things

The other Republican commissioner on the FCC, Mike O'Rielly, had his own statement that, unfortunately, layered bullshit upon bullshit.

"I applaud President Trump and Congress for utilizing the CRA to undo the FCC's detrimental privacy rules," he said. "The parade of horribles trotted out to scare the American people about its passage are completely fictitious, especially since parts of the rules never even went into effect. Hopefully, we will soon return to a universe where thoughtful privacy protections are not overrun by shameful FCC power grabs and blatant misrepresentations."

What O'Rielly does, however, is pinpoint the beating heart of the bullshit: the claim that since something hasn't happened yet, it means that it won't happen.

For someone who is a commissioner at a federal regulator, this willful blindness over how the real world works is borderline obnoxious.

Here is the absolute solid reality of what this decision to scrap the FCC rules means:

  • ISPs were previously able to do what they can do now, ie, sell their customers' private data.
  • But they were previously at risk of being investigated by the FTC and then, later, the FCC.
  • If they had been found to have broken data privacy rules, they faced huge fines and most likely the requirement to get prior approval from the FTC/FCC before doing anything similar in future.
  • Now, however, there is no backstop. The FTC does not have jurisdiction. And nor does the FCC. The ISPs currently exist in a regulatory-free world.

What this means is significant and it is the source of (Democrat) claims that ISPs will soon be selling your private data and the counter-claims (by Republicans) that people are fear-mongering and inventing problems.

Simple question: Who do you trust?

Where you stand on the issue can be determined by answering this simple question: do you trust companies to do what they say, or do you believe they will do whatever they can get away with in order to make more profit?

If you believe the former, then the claims by Comcast and AT&T and the very carefully worded "myth versus reality" document put out by The Internet & Television Association (NCTA) trade association that they would never do such a thing as sell personal data will no doubt provide you some comfort and sufficient "evidence" to ignore the other side.

If you don't trust corporations and think they will do anything for a buck, then the fact that there is now literally no regulatory backstop will fill you with dread and have you running quickly to set up your own secure VPN.

At The Register, on the question of trusting corporations, we fall down on the "don't trust" side, mostly out of experience and cynicism from years of tech, business and legal reporting. And we would also promote the view of Republican godhead Ronald Reagan when he quoted a Russian proverb: Trust, but verify.

The big issue with the removal of the FCC rules is that there is no one to verify that the ISPs will do what they say they will do. And there is no one to punish them if they don't.

So, with all that in mind, a quick list:

  • From the NCTA: "Congress's repeal of the FCC's misguided rules will not allow ISPs to sell sensitive data to the highest bidder without their customers' knowledge or consent." BULLSHIT. Yes, they will. There is nothing to stop big broadband providers from doing so beyond a series of vague "principles" that the ISPs have voluntarily signed up to. There is nothing to stop those ISPs from redefining those principles at any time. And, critically, ISPs will not be obliged to tell anyone they have done so. There is also no way to punish ISPs if they break their own principles.
  • From Comcast and AT&T: They already let you opt-out of having your data sold and will continue to do so. HALF TRUE, HALF BULLSHIT. Yes, you can opt-out of some uses of your data. If you can find the right link (Comcast appears to have two). But even if you do that, your ISPs can still sell other forms of data on you, and it claims it can't do anything about third parties also gathering your data through your ISP's connection. Comcast's privacy policies, as an example, are very lengthy and make it plain how much your ISP gathers about you. But note this – Comcast informs you: "Even if you opt out, you will still receive advertising and we will continue to send you Comcast marketing messages based on the way you use our products and services and the information we have collected about you."
  • From numerous Republican Congressmen: The FTC's privacy rules will still apply and can be used to prevent abuse of data by ISPs. BULLSHIT. No they can't.
  • From Republican Congressmen and policy wonks: Section 222 of the Communications Act still applies and will prevent ISPs from mishandling customer data. HIGHLY DEBATABLE/BULLSHIT. This section was used as the foundation for the FCC rules that Congress has just voted against. As such, it is very uncertain that it could be used against ISPs. Even if it were possible, the fact is that the current FCC chair has repeatedly said he is opposed to the sort of proactive regulation that has used Section 222 in the past. It is possible, though unlikely, that the FCC could come down on ISPs on a case-by-case basis. But the reality is that it is open season on customer data for ISPs.

At the end of the day, the reality is this: ISPs can now, very easily and without fear of being discovered or fined, sell their users' personal data. And it is worth billions of dollars to them if they do so.

The real argument, put forward dozens of times by politicians and FCC commissioners in recent weeks, is that there is not a "level playing field" and some have even given up the pretense and named Google and Facebook as being the companies that ISPs mean when they complain about different rules for different companies.

Facebook and Google make tens of billions of dollars from selling ads using the targeted user data they possess. And ISPs want some of that money. But here's the difference: Gmail is free, Google Search is free; Facebook is free.

They offer services, for no cost, that ride on top of your internet connection. You don't have to use their services. There are literally dozens of other email providers and search engines and social media platforms.

ISPs, however, charge you for your internet access – and they charge a lot. And there is very limited competition. If Facebook started charging people $25 a month for its service, it would be dead within a year. If Google charged you 10 cents for every search, Bing would steal the market within weeks. But ISPs want their cake and they want to eat it.

Money talks, incessantly

If ISPs genuinely didn't want the opportunity to make billions of dollars selling their users' data, then why did Big Cable flood Congress with its lobbyists arguing for exactly that to happen?

It may also be worth noting that the telecom industry is the 10th-largest-spending industry in terms of lobbying, putting no less than $87.6m into Washington, DC, in 2016. The "Telephone Utilities" put in an additional $35.7m.

Last year, AT&T was the 9th-largest lobbying company in the country, spending $16.3m. Comcast came 12th with $14.3m. And that's just in official lobbying spend.

While many love to personalize issues such as this and flag up the enormous additional funds that Big Cable has spent on giving to the campaigns of Congressman, the sad truth is that Washington has become so corrupted by money that there is no clear line between contributions and votes.

What contributions get companies is a foot in the door and a meeting with the legislator. Then it's up to the lobbyists to make sure that their company's version of events is heard loud and clear and as many times as possible.

And that is exactly what happened in the case of getting rid of the FCC's data privacy rules: the bullshit was spread so thick and so wide that it swamped reasoned debate and analysis. The bullshit detector's alarm became so persistent that people started ignoring it altogether.

At least within the Washington, DC, bubble. The tech media and the late-night TV shows are having none of it. But then, as you will have noticed, only politicians get to vote in Congress. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing