FCC Rules Reconcile Speech and Privacy, Must Support Security Research

The guest writer who joined Rita for this blog is Apratim Vidyarthi, Google Policy Fellow.

Last week, CDT submitted its second set of comments to the Federal Communications Commission (FCC) as it considers a new rulebook for protecting consumer privacy in the use of broadband. The FCC’s Notice of Proposed Rulemaking (NPRM) on this issue is an important first step towards providing broadband consumers with the assurance they need that their ISP will not track their online activities – the websites they frequent, the apps they download, the searches they perform – or sell that information to third parties without their knowledge and consent. CDT previously submitted comments in this rulemaking process.

In our reply comments, we respond to the arguments raised by those concerned with the impact the FCC’s proposed rules could have on ISPs’ right to use and share information about their customers’ internet habits for targeted or behavioral advertising. We also call on the FCC to allow security researchers to access broadband data unless customers opt out, clarify ambiguities about data aggregation and deep-packet inspection, and weigh in on data breach notifications and a number of definitional issues. The following are key issues we address in the reply round.

The FCC’s Rules Properly Reconcile Privacy and First Amendment Interests

ISPs and advertisers raised concerns about how limitations on their use of customers’ broadband data might impair their ability to target ads based on customers’ behavior online. But within the framework of Section 222 of the Communications Act, the First Amendment question is actually quite narrow: Whether asking customers to opt in to targeted advertising unrelated to their broadband services unnecessarily burdens commercial speech – instead of using or selling their broadband data but allowing them to opt out if they disapprove.

Under the intermediate standard of review, the FCC’s rules will be found consistent with the First Amendment if they are proportionate to the substantial interest in consumer privacy, if the choice between the alternatives supports the Commission’s decision to prefer opt-in consent, and if commercial speech is not unnecessarily restricted by the rules.

CDT argues that the proposed rules satisfy these constitutional mandates. The FCC’s interest in the privacy of internet users is a proper concern of the Commission and will encourage broadband adoption among Americans rightly concerned about privacy and security threats. The record developed by numerous commenters in the NPRM proceeding support the Commission’s concerns that large numbers of broadband customers are unaware and unable to opt out of unexpected privacy intrusions by their providers, and that opt in is the only realistic way of preserving their expectations of privacy. But for those customers who are made aware of unexpected data practices, the rules ensure that they can approve of providers’ extra data sharing and targeted advertising through opt-in consent.

Finally, seeking opt-in consent for unexpected data uses that are not implied by the broadband service relationship does not disproportionately burden commercial speech. CDT discusses the many instances of ISPs’ use, collection, and communication of data that remain unaffected by this proposal, including direct marketing to customers’ emails of record, marketing related to the customer’s subscription and therefore subject to opt-out consent, use and sharing of de-identified aggregate customer data, and managing traffic across their networks. And because opt-in consent is so closely tethered to consumer expectations and choice, it furthers the Commission’s privacy protection goals without unnecessarily limiting consumers’ access to information about new products and services. Such a carefully tailored rule fully satisfies the requirements of intermediate First Amendment scrutiny.

Security Research Should Be Excluded from Opt-In Consent Requirement

The internet’s appeal as a medium for free expression and information is in constant danger due to malicious actors who exploit bugs and vulnerable users. The average consumer is generally incapable of protecting themselves from these threats. Instead, broadband providers rely on security researchers to make online services and applications resilient and better protected. Security researchers require access to customer data including data that may be considered individually identified consumer proprietary network information (CPNI) and personally identifiable information (PII) – which we define in our reply comments – in order to identify large groups of infected computers (“botnets”), root out sources of spam and malicious advertising, and develop new internet protocols.

While the proposed rule permits sharing customer data for network management purposes without opt-in consent, it does not provide security researchers with sufficient access to CPNI and PII in order to protect customers’ safety and security online. CDT argues that a narrow exemption for researchers to access CPNI and PII without customer approval is necessary to keep the Internet in good health. Such an exemption could be narrowly crafted to limit the amount of sensitive data accessed by researchers and requiring researchers to protect research data, ensuring that broader consumer privacy rationales are not undermined. We think it’s important for the FCC to provide an explicit security research exception to send a clear signal that protecting our broadband network infrastructure and applications is valuable and should continue in the future.

If the internet is to remain a platform for users to freely communicate, associate, and exchange knowledge, opinions, and ideas, then their connection to the internet must be stable and secure. The constant discomfort or fear of having our private browsing and communications activities accessed without permission, or lost to malicious actors in data breaches, can exert a powerful chill on our ability to use the internet to its fullest effect – as internet users in Iran or China would attest.

With carefully delineated rules for access, use, and data breaches, we believe that the FCC can properly regulate the data practices of internet access providers – the gatekeepers of the internet – in line with First Amendment values and global free expression norms.