Privacy Expert: ISP Access to Info Is Already Limited

Privacy expert Peter Swire is suggesting advocacy groups should look at the facts before attempting to persuade the FCC to impose new regulations on Internet service providers. There are, he says, already protocols on those ISPs’ ability to gain information about their broadband subs.

To make his case, Swire is preparing a report, which he says should be ready for public consumption this month.

Swire, a privacy official who served in both the Clinton and Obama administrations, says claims made by some groups that ISPs have “‘unique’ or ‘comprehensive’ access to user data must be tested against [those] facts.”

There are two instances in which the conventional wisdom about ISPs and data are incorrect, says Swire. “The first has to do with encryption. Many people have claimed that ISPs have ‘comprehensive visibility’ into user Internet activity,” he says. “My point is that encryption really changes that.”

That encryption—the “https” in a URL signals the link is encrypted—is widespread, and Swire says it means ISPs can’t do the sort of data examination of customer information ISPs are accused of being able to do.

“The ISPs have no technological way to see the content so they can’t do deep packet inspection,” says Swire, a professor at Georgia Tech. He also says encryption prevents ISPs from seeing the “deep links,” meaning they could see that a surfer was using a search engine, but not what sites they were accessing, he says.

Encryption applies to e-banking and e-commerce, search and social networking and text messaging, and most major e-mail providers.

What he is challenging, he says, is the “conventional wisdom” in the letter from privacy groups that ISPs have comprehensive visibility into users’ Internet activity. “ISPs are blocked from a large portion of the Web thanks to encryption.”

As to the activists’ claim that there is no way to “avoid data collection” by ISPs, Swire points to virtual public networks (VPNs).

“When I go on my Georgia Tech VPN, all my ISP sees is that I am connected to Georgia Tech. They don’t see any details about what I am doing on the Internet, and that is a tool available to consumers,” he explains.

Private Property

“Providers of consumer services should not expect users to have a PhD in computer science,” says Marc Rotenberg, president of the Electronic Privacy Information Center and a supporter of muscular FCC privacy protections. “ A communications service must necessarily assure privacy.”

Two weeks ago, five-dozen privacy groups wrote to the FCC asking it to open a rulemaking proceeding to insure the FCC was a “brawny cop” on the privacy beat, including opening a rulemaking ASAP and including notice of data breaches, disclosure of data collection and protection practices and disclosure of where data is being shared.

When it reclassified Internet access under Title II common carrier regs in its new Open Internet order, the FCC assumed authority over broadband CPNI (customer proprietary network information).

In November, the FCC got together with the Federal Trade Commission on a memorandum of understanding (MOU) on how to divvy up said oversight. (To read the memo, go to fcc-ftc-team-consumer-protection/145844.)

While the FCC now has privacy oversight over broadband CPNI that used to be the province of the FTC, the MOU says the agencies don’t believe the FTC’s common carrier exemption precludes it from stepping in to address non-common carrier conduct by common carriers, such as deceptive ads for their services.

The FCC held an April 28 public workshop on broadband privacy—Swire was on the panel—and is working on a new broadband CPNI framework, but has yet to open a rulemaking.

The FCC did put out a general advisory to ISPs (to read, go to on protecting privacy while it worked on its framework, but the privacy groups believe that is not enough.

In addition to responding to the letter, Swire said he is following up on the testimony on privacy he gave last April, where he says FCC officials told him the facts were unclear, given that some people said the ISPs could see everything (which ISPs denied).

Swire said he is not suggesting any particular regulatory approach. “I am doing a factual study, not making policy recommendations,” he says, adding that he’s doing this report, “to try to get the facts right.”

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.