Customers might disagree

ISPs say your Web browsing and app usage history isn’t “sensitive”

ISP lobby groups make case against the FCC’s broadband privacy rules.

Jon Brodkin
Credit: Getty Images | KrulUA

ISPs that want the federal government to eliminate broadband privacy rules say that your Web browsing and app usage data should not be classified as "sensitive" information.

"Web browsing and app usage history are not 'sensitive information,'" CTIA said in a filing with the Federal Communications Commission yesterday. CTIA is the main lobbyist group representing mobile broadband providers such as AT&T, Verizon Wireless, T-Mobile USA, and Sprint.

The FCC rules passed during the Obama administration require ISPs to get opt-in consent from consumers before sharing sensitive customer information with advertisers and other third parties. The FCC defined Web browsing history and app usage history as sensitive information, along with other categories such as geo-location data, financial and health information, and the content of communications. If the rules are overturned, ISPs would be able to sell this kind of customer information to advertisers.

The opt-in rules are scheduled to take effect on or after December 4, 2017, but ISPs have petitioned the FCC to eliminate the rules before that happens. The latest CTIA filing was a reply to groups that opposed the petition to overturn the rules.

In making its argument that Web browsing and app usage history are not sensitive information, CTIA said that the Federal Trade Commission has taken a different stance than the FCC.

"To justify diverging from the FTC's framework and defining Web browsing history as 'sensitive,' the commission and the [privacy rule supporters] both cherry-picked evidence in an attempt to show that ISPs have unique and comprehensive access to consumers' online information," CTIA wrote. "As the full record shows, however, this is simply not true. Indeed, even a prominent privacy advocacy organization asserted that it is 'obvious that the more substantial threats for consumers are not ISPs,' but rather other large edge providers."

That last statement quotes a filing by the Electronic Privacy Information Center, which nonetheless supports privacy rules for ISPs. "Privacy rules for ISPs are important and necessary, but it is obvious that the more substantial privacy threats for consumers are not the ISPs," the advocacy group said. The bigger threat is posed by "the largest email, search, and social media companies," the group said.

Those "edge providers" are regulated by the FTC, but the FTC is not allowed to regulate home and mobile Internet service providers because of their status as common carriers. The ISPs' common carrier classification could be changed by the FCC or Congress, but even then the FTC might not be able to regulate ISPs such as AT&T and other CTIA members because they would still be common carriers via their mobile voice services.

Consumer advocates protest, but privacy rules unlikely to survive

Public Knowledge and other consumer advocacy groups argued that the FCC was correct to classify Web browsing and app usage history as sensitive information.

"It is clear that even with encryption, ISPs can glean information about political views, sexual orientation, and other types of sensitive information," the advocacy groups wrote in an FCC filing on March 6. "As is true with call history and video viewing history, Web browsing history is sensitive and should require affirmative consent before use by ISPs." The groups also argued that this approach is "consistent with the FTC's framework."

The privacy rules are unlikely to survive, as they are opposed both by the new FCC chairman, Republican Ajit Pai, and Republicans in Congress. What's less clear is whether the FCC will have any authority over ISPs' privacy practices after the rules are eliminated.

According to Morning Consult, Pai told senators at a recent hearing that "carriers would still have their obligations under Section 222 [of the Communications Act] in addition to other federal and state privacy, data security, and breach notification requirements." Section 222 governs common carriers generally, but it was written for telephone networks in 1996 and makes no mention of Internet service.

CTIA argued that the FCC and privacy rule supporters "ignored facts and arguments in the record that Section 222 cannot be extended to broadband service." Moreover, CTIA claims that Section 222's use of the phrase "customer proprietary network information" demonstrates that the regulation doesn't necessarily cover "personal" information. Section 222 provisions "apply only to commercially valuable—not personal—information," the group said.

NCTA-The Internet & Television Association, which represents cable companies, also argued that Section 222 doesn't cover broadband or customers' "personally identifiable information."

Even if the FCC asserts some authority over ISPs via Section 222, it's clear that in the long run Chairman Pai does not want the FCC regulating broadband privacy. He recently issued a joint statement with acting FTC Chairwoman Maureen Ohlhausen that said, "jurisdiction over broadband providers' privacy and data security practices should be returned to the FTC."

Jon Brodkin Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.