BEFORE THE FEDERAL COMMUNICATIONS COMMISSION
Washington, D.C.
In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services
WC Docket No. 16-106
Reply Comments of
Thomas A. Schatz
President
Citizens Against Government Waste
June 27, 2016
Citizens Against Government Waste (CAGW) is a private, nonprofit, nonpartisan organization dedicated to educating the American public about waste, mismanagement, and inefficiency in government. On behalf of the more than 1.2 million members and supporters of CAGW, I offer the following reply comments to the March 31, 2016 notice of proposed rulemaking (NPRM) on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.
In setting privacy regulations for internet service providers (ISPs), the first criterion the Federal Communications Commission (FCC) should consider is whether its privacy regime is harmonized with the existing regulatory framework used by the Federal Trade Commission (FTC). As noted by Verizon in its comments to the FCC, “Over the last decade, the FTC has successfully regulated privacy and data-security practices of all participants within that ecosystem, including ISPs.”[1] On June 8, 2016, FTC Commissioner Maureen K. Ohlhausen stated, “FTC experience demonstrates that more onerous privacy regulations does not always benefit consumers. … Yet because privacy preferences vary widely, regulation can impose significant costs on consumers.”[2]
Other commenters have also noted the importance of ensuring that the FCC’s rules be harmonized with the FTC’s privacy protections. AT&T wrote:
Information is the fuel of the modern economy. Recognizing that fact, federal privacy policy has long struck an important balance that targets potentially harmful uses of consumer data but does not interfere with beneficial data uses that power the commercial Internet. Led by the FTC, this balanced regime stresses two issues: (1) is individually identifiable information unusually sensitive (e.g., financial or medical data), and (2) is it shared with third parties?
When the answer to both questions is no, as it is for almost all data uses at issue in this proceeding, federal policy has adopted a permissive approach. For two decades, the FTC has applied this regime to the Internet ecosystem and has protected the privacy interests that consumers value most while fostering the Internet’s dynamic growth. And the U.S. government as a whole has staunchly defended this regime as the appropriate regulatory model for all consumer online data.[3]
Rather than follow the proven standard set by the FTC, the NPRM would reinvent the wheel, which will create an uncertain and confusing framework. As Commissioner Ohlhausen noted, “Obtaining or giving consent can be burdensome, not only for businesses, but also for consumers. Reading a notice and making a decision takes time that, in the aggregate, can be quite substantial. To maximize consumer benefits, regulation should minimize these costs.”[4]
Comments submitted by CTIA – The Wireless Association cited the inconsistencies of the NPRM with the existing FTC model: “The Commission claims that its proposals are firmly rooted in the FTC’s work and other models. Quite the contrary. The FTC expects companies to follow commercially reasonable standards of care.”[5]
CTIA further noted that, “The FTC recognizes there ‘is no[] such thing as perfect security; that reasonable security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; and that the mere fact that a breach occurred does not mean that a company has violated the law.’”[6]
The National Cable and Telecommunications Association (NCTA) wrote that “the Commission has proposed an asymmetric privacy framework that unlawfully and unfairly singles out ISPs for burdensome treatment” and raised concerns about the harm to consumer welfare because it will be more difficult for ISPs to use data analytics to improve products and customer service.[7]
Some proponents of the NPRM have suggested that broadband providers have “access to vast quantities of valuable personal information.”[8] However, a study published on February 19, 2016, by Georgia Tech found that edge providers, who are correctly not covered by the NPRM, but are instead subject to the FTC’s framework for privacy protections, hold even greater quantities of personal information, and leverage that information for targeted advertising, generating consumer sentiment, and other purposes.[9] FTC Commissioner Ohlhausen said that “the FTC staff has offered a less restrictive alternative modeled on the FTC’s highly successful approach, which properly reflects consumers’ preferences about sensitive information. … In addition to adopting a FTC-like approach, the FCC should also permit consumers to make well-informed choices about discounted broadband offerings.”[10]
In developing final rules regarding the protection of privacy for broadband and telecommunications customers, the FCC need look no further than to the FTC as a model to formulate the regulations. On behalf of the members and supporters of Citizens Against Government Waste, I urge you to work toward harmonizing the NPRM with the FTC’s framework in order to ensure a consistent application of privacy protections, and provide the opportunity for consumers to make educated choices on how their personal information is used.
Should you have any questions, please feel free to contact either myself or Deborah Collier, CAGW Director of Technology & Telecommunications Policy.
[1] Comments of Verizon, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Federal Communications Commission, May 27, 2016, p. 6, https://ecfsapi.fcc.gov/file/60002078934.pdf.
[2] Reactions to the FCC’s Proposed Privacy Regulations, Remarks of Maureen K. Ohlhausen, Commissioner, U.S. Federal Trade Commission, 2016 Advertising and Privacy Law Summit, June 8, 2016, p. 5, https://www.ftc.gov/system/files/documents/public_statements/955183/160608kellydrye.pdf.
[3] Comments of AT&T Services Inc., In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Federal Communications Commission, May 27, 2016, p. 5, https://ecfsapi.fcc.gov/file/60002080023.pdf.
[4] Ohlhausen, p. 5.
[5] Comments of CTIA, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Federal Communications Commission, May 26, 2016, p. 155, https://ecfsapi.fcc.gov/file/60002064853.pdf.
[6] Ibid.
[7] Comments of the National Cable & Telecommunications Association, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Federal Communications Commission, May 27, 2016, p. 4, https://www.fcc.gov/ecfs/filing/60001975123/document/60002081030.
[8] Harold Feld, Charles Duan, John Gasparini, Tennyson Holloway, and Meredith Rose, “Protecting Privacy, Promoting Competition: A Framework for Updating the Federal Communications Commission Privacy Rules for the Digital World,” Public Knowledge, February 2016, p. 46, https://ecfsapi.fcc.gov/file/60002080007.pdf.
[9] Peter Swire, Justin Hemmings, and Alana Kirkland, “Online Privacy and ISPS: ISP Access to Consumer Data is Limited and Often Less than Access by Others,” The Institute for Information Security and Privacy at Georgia Tech, February 29, 2016, http://www.iisp.gatech.edu/sites/default/files/images/online_privacy_and_isps.pdf.
[10] Ohlhausen, p. 10.