Expert: ISPs Don’t Have Free Rein

WASHINGTON — Privacy expert Peter Swire suggests advocacy groups should look at the facts before leaping to impose new regulations on Internet-service providers, saying there are already governors on the ability of ISPs to access their broadband customers’ personal information.

He is preparing a report, which he said should be ready for public consumption this month, to make that case.

Swire, a privacy official in both the Clinton and Obama administrations, said claims made by some groups that ISPs have “ ‘unique’ or ‘comprehensive’ access to user data must be tested against facts.”

There are two instances in which the conventional wisdom about ISPs is incorrect, said Swire, the Huang Professor of Law and Ethics at Georgia Tech’s Scheller School of Business.

ENCRYPTION ‘CHANGES THAT’

“The first has to do with encryption,” he said. “Many people have claimed that ISPs have ‘comprehensive visibility’ into user Internet activity. My point is that encryption really changes that.”

Encryption — the “https” in a URL signals the link is encrypted — is widespread, and Swire said that means that ISPs can’t conduct the sort of deep-packet inspection of customer information they are accused of.

“The ISPs have no technological way to see the content, so they can’t do deep-packet inspection,” Swire said. He also asserted that encryption prevents ISPs from seeing the “deep links.” That means they can see that a Web surfer is using a search engine, but not what sites the user is accessing.

Encryption applies to e-banking, e-commerce and search sites, social networking, text messaging and most major email providers.

Swire said what he is challenging is the “conventional wisdom” in a letter some five dozen privacy groups sent to the Federal Communications Commission two weeks ago, urging the agency to be a “brawny cop” on the privacy beat. The letter claimed ISPs have comprehensive visibility into users’ Internet activity, but ISPs are blocked from a large portion of the Web thanks to encryption, Swire said.

As to activists’ claims there is no way to “avoid data collection” by ISPs, Swire pointed to virtual private networks (VPNs).

“When I go on my Georgia Tech VPN, all my ISP sees is that I am connected to Georgia Tech,” he said. “They don’t see any details about what I am doing on the Internet, and that is a tool available to consumers.”

Mark Rotenberg, president of the Electronic Privacy Information Center and a supporter of muscular FCC privacy protections, countered: “Providers of consumer services should not expect users to have a PhD in computer science. A communications service must necessarily assure privacy.”

In their letter, the privacy groups asked the FCC to open a rulemaking on privacy ASAP, and mandate notice of data breaches, disclosure of data collection and protection practices, and disclosure of how data is being shared.

When it reclassified Internet access under Title II common-carrier regulations in its new Open Internet order, the FCC assumed authority over broadband customer proprietary network information (CPNI).

In November, the FCC and the Federal Trade Commission collaborated on a memorandum of understanding (MOU) on how to divvy up their oversight.

While the FCC now has privacy oversight over broadband CPNI that used to be the province of the FTC, the MOU said the agencies don’t believe that the FTC’s common-carrier exemption precludes it from stepping in to address non-common carrier conduct by common carriers, such as deceptive advertising for their services.

BROADBAND PRIVACY ACTIVITY

The FCC held an April 28 public workshop on broadband privacy — Swire was on the panel — and is working on a new broadband CPNI framework. But it has yet to open a rulemaking.

The FCC did put out a general advisory to ISPs on protecting privacy while it worked on its framework, but the privacy groups say that is not enough.

In addition to responding to the letter, Swire said he is following up on the testimony on privacy he gave last April. Then, he said, FCC officials told him the facts were unclear, given that some people said the ISPs could see everything and the ISPs said they couldn’t. “I am doing this report to try to get the facts right,” Swire said.

Swire also said he is not suggesting any particular regulatory approach. “I am doing a factual study, not making policy recommendations,” he said.

John Eggerton
