American privacy in the digital era should not be for sale

On March 31, The Federal Communications Commission will vote to start the process of updating the rules protecting the privacy of our phone calls to include the protection of our broadband connections.

While the FCC has no jurisdiction over websites like Google or Facebook, the FCC’s proposal would require broadband providers like Comcast and AT&T to follow the same basic security practices to protect your online information that phone companies use today to protect your phone information, including asking your permission before selling that information to others.

Unsurprisingly, the broadband industry has fiercely resisted even beginning the process to update the FCC’s phone privacy rules for broadband.

Internet Service Providers have done everything they can to water down the FCC’s attempts to protect digital privacy. Rather than require ISPs to respect user privacy, they propose that consumers should pay extra for “privacy services” such as Virtual Private Networks (VPNs), or learn how to use encryption on their own.

No one can doubt how much we expose ourselves online by completing homework assignments, applying for jobs, banking, and performing a myriad of other daily tasks.

The details around your Internet behavior (e.g. what sites you visit, how long you stay, and whether you upload or download something) give ISPs a comprehensive view of your behavior.

In the era of “big data,” broadband providers do not need to look at the actual content you stream or download to learn about the likes and dislikes of everyone in your home.

The details around your Internet behavior (e.g. what sites you visit, how long you stay, and whether you upload or download something) give ISPs a comprehensive view of your behavior.

The information your ISP collects on the number of Internet connected “smart” devices, and how they behave, allows anyone with the information to construct a frighteningly accurate picture of your private life.

Princeton professor, Nick Feamster, in a letter to FCC Chairman Tom Wheeler, succinctly points to all of the information ISPs can see:

“The traffic that an ISP can observe from such a gateway contains a significant amount of private information about user behavior. The same study from 2013 finds that network traffic can reveal significant information about user activity, including information about when a user is home; the number, type, and manufacturer of devices that they have connected to the network; and in some cases even the waking and sleeping patterns of users in the home. It is worth noting that we can observe these features of user activity even when traffic is encrypted.”

The amount of information ISPs have access to multiplies when an ISP is also the customer’s cable provider. Cable companies can and do collect information from a customer’s set-top cable box. Your mobile phone tracks your location information.

An entire industry has grown around buying all this information, combining it with information collected from websites like Google and Facebook, to produce detailed information on your daily habits in order to sell you more stuff.

The industry response is divided between reassuring the public that this data collection is harmless, while at the same time telling worried consumers that if they want privacy, they’ll just have to buy it.

In a paper partially funded by Broadband for America, a coalition whose members include AT&T, Comcast, and Verizon, Peter Swire alleges that a user can shield herself from an ISP’s prying eyes by using encryption or Virtual Private Networks.

But these services carry an additional cost not everyone can pay.

“Lifeline” subscribers — consumers part of the Federal phone subsidy program that the FCC may extend to broadband — will likely struggle to afford a VPN. Even as the FCC debates modernizing Lifeline, some groups protest the agency protecting Lifeline subscriber privacy at all, which could have grave consequences when it comes to protecting privacy online.

In other words, if you can’t afford to buy a VPN or know how to build one yourself, you don’t deserve protection.

Privacy for a price is by no means what Congress intended. Privacy is a right to expect in your communications. Strong privacy protection of communications has been the standard since Congress established The Post Office Department (now the United States Postal Service.)

There are strong privacy protections for telephone communications. Broadband is today’s dominant form of communication and consumers should receive the same level of privacy communications in the 21st century as they did in the 1800’s. The FCC, as the primary “cop on the beat” for telecommunications, needs to enforce the consumer’s long established right to privacy.

As the FCC prepares to release its notice on March 31, we face a fundamental question: Does digital privacy belong to those who can pay for it and who can encrypt their traffic, or is privacy a right as Congress intended?

The FCC should follow the law and propose rules that recognize that consumers have the same right to privacy when visiting a website as they do when making a phone call. Privacy isn’t just for those who can afford it.