Home
The Uncertain Future of Internet Service Provider Regulation

The Uncertain Future of Internet Service Provider Regulation

By: Richard Cogan

During the final weeks of the Obama Administration, outgoing Federal Communications Commission (“FCC”) Chairman Tom Wheeler[1] adopted a major internet privacy rule[2] mandating greater privacy protection of consumer data by Internet Service Providers (“ISPs”).  The most significant provision of this regulation is the Opt-In provision (the “ISP Privacy Rule”), which requires consumers to provide informed consent before ISPs can collect and use contextual user data for advertising and other purposes . Another major provision  (the “ISP Security Rule”) was scheduled to go into effect March 3rd and required ISPs to take “reasonable steps” to protect customer’s proprietary information from unauthorized use, disclosure, or access.

 

On March 3rd, however, the FCC issued a temporary stay of the ISP Security Rule rather than allowing the regulation to go into effect.  The new FCC Chairman, Ajit Pai,[3] indicated that he would like to completely transfer security and privacy oversight of ISPs to the Federal Trade Commission (“FTC”) and that implementing new rules outside of that vision will create needless and temporary compliance costs.  Chairman Pai’s desire to shift oversight to the FTC casts significant doubt over whether the ISP Privacy Rule will be implemented in December, its scheduled effective date.[4] Transferring ISP oversight to the FTC will streamline internet regulation and create a single set of internet privacy rules but will likely result in a repeal of net neutrality and provide less consumer protection than Wheeler’s ISP Privacy Rule.

 

The FTC generally has broad enforcement authority over competition and consumer protection matters[5] and is responsible for most enforcement actions related to consumer protection against internet companies.[6] However, regulation of ISPs currently rests with the FCC, as the FTC no longer possesses enforcement authority in this market.  The Federal Trade Commission Act,[7] the statutory source[8] of the FTC’s enforcement authority, expressly excludes firms classified as “common carriers”[9] from FTC enforcement.  “Common carriers” is a broad category that includes a wide range of public utilities, including ISPs.  ISPs were reclassified as common carriers in 2015[10] after the prior net neutrality rules were struck down by the DC Circuit.[11] The ISP Privacy Rule is one of several rules adopted by former FCC Chairman Wheeler to modernize consumers’ privacy rights within the new net neutrality framework.

 

The ISP Privacy Rule requires ISPs to obtain consent from customers before using contextual usage data for advertising and other purposes, and disallows ISPs from forcing customers to consent to their data collection policy as a condition of use.[12] The rule does not preclude “pay for privacy” offerings and allows ISPs to charge customers a higher fee if they want to opt out of data analysis programs.[13] The rule, therefore, would not impede ISPs’ ability to offer low cost plans subsidized by advertising revenue.[14] Chairman Pai argues that these rules would only confuse consumers by setting separate privacy standards for websites and ISPs and would simultaneously make it more difficult for ISPs to create new innovations.[15]

 

Chairman Pai’s proposal assumes that websites and ISPs pose the same risks to consumer privacy, but this assumption is arguably flawed.  In reality, many regional ISP markets are either monopolies or oligopolies in which consumers are unable to switch to a new ISP if they disagree with their ISP’s data collection practices.[16] ISPs’ physical infrastructure needs and general service offerings ISPs more analogous to that of a landline telephone provider than a search engine or other online content provider and present a much greater potential for abuse than other internet firms.[17] An ISP’s primary purpose is to connect consumers to the internet via an expansive network of routers and data cables.[18] The massive infrastructure investment required to start a new ISP is a large barrier to entry that inherently encourages monopolies or oligopolies to emerge and to dominate regional markets.[19] This is an important distinction from a website.  The adequately informed consumer can choose to no longer use predatory websites that collect personal data about him or her. .  However, in many parts of the country, particularly in more rural regions, Internet users simply cannot choose to use a different ISP because of the lack of available alternatives.[20] They can only choose to either remain with their ISP or stop using the internet.

 

Opponents of the ISP privacy rule further contend that the rule is unnecessary, since tech firms are continually increasing their use of encryption for sensitive internet traffic and encrypted internet traffic cannot be read by ISPs.[21] As tech companies increasingly encrypt data sent to and from their customers, the total percentage of encrypted web traffic continues to rise annually.[22] While some contend that this trend renders the ISP Privacy Rule superfluous, the argument ignores the large amount of information that ISP’s can gather by collecting user’s web browsing history[23], and is less convincing in light of the Ninth Circuit’s recent decision in Federal Trade Commission v. AT&T Mobility LLC.[24]

 

In AT&T, the Ninth Circuit held that common carrier designations are status-based rather than activity-based.  The FTC challenged AT&T’s data throttling on iPhone unlimited data plans.  In ruling for AT&T, the court emphasized that AT&T held the status of a common carrier and that the FTC does not have enforcement authority over common carriers, even for activities unrelated to AT&T’s common carrier business segment.[25] As a result, ISPs may now be able to avoid FTC authority over ancillary business activity in addition to their ISP activities due to their general status as a common carrier.  In an age of increasing mergers among technology firms, many large media providers could potentially be classified as common carriers due to their ownership of an ISP business.[26] For example, Comcast, one of the nation’s largest ISPs, also offers a variety of other services, such as home monitoring and media content creation.[27] Under AT&T’s logic, Comcast’s status as a common carrier could prevent FTC enforcement of data handling issues within Comcast’s other business segments.  While it is unclear how far this enforcement gap extends, AT&T’s language creates ambiguity as to how vertically-integrated ISPs can be regulated going forward.[28] If the FTC completely loses enforcement authority over these companies, then current FCC regulations will be insufficient to protect consumers from abusive data collection and storage practices.

 

Chairman Pai’s proposal to move regulatory authority of ISPs from the FCC to the FTC will remove the uncertainty created by the AT&T decision, but will likely end net neutrality and provide less consumer protections than the framework established under Wheeler’s plan.  Only time will tell whether ISPs will use this change to spur new innovations and whether the FTC can establish a framework that provides similar protection with the benefit of greater enforcement authority.

 

[1]                      FCC Chairman Tom Wheeler is stepping down, setting the stage for a GOP majority on Trump’s first day, Washington Post (Dec. 15, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/12/15/fcc-chairman-tom-wheeler-announces-hes-stepping-down/?utm_term=.be78cec93eab

[2]                      F.C.C. 16-148 (2016), https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1_Rcd.pdf.

[3]                      https://www.fcc.gov/about/leadership/ajit-pai.

[4]                      Jon Brodkin, Broadband lobbyists celebrate as FCC halts data security requirements, Arstechnica (Mar. 2, 2017, 1:53PM), https://arstechnica.com/tech-policy/2017/03/isps-cheer-pause-of-rule-that-guards-private-data-from-security-breaches/.

[5]                      15 U.S.C. §§ 41-58.

[6]                      William E. Kovacic, Prepared Statement of the Federal Trade Commission Before the Committee on the Judiciary United States Senate on FTC Jurisdiction Over Broadband Internet Access Services, FTC (June 14, 2006), https://www.ftc.gov/sites/default/files/documents/public_statements/prepared-statement-ftc-jurisdiction-over-broadband-internet-access-services/p052103commissiontestimonyrebroadbandinternetaccessservices06142006senate.pdf

[7]                      15 U.S.C. §§ 41-58.

[8]                      Id.

[9]                      15 U.S.C. §§ 45(a)(2), 44.

[10]                    Kovacic. footnote 1.

[11]                    Edward Wyatt, Rebuffing F.C.C. in ‘Net Neutrality’ Case, Court Allows Streaming Deals,N.Y. Times (Jan 14, 2014), https://www.nytimes.com/2014/01/15/technology/appeals-court-rejects-fcc-rules-on-internet-service-providers.html?_r=0.

[12]                    Kate Cox, FCC Adopts New Privacy Rule Limiting What ISPs Can Do With Your Personal Data, Consumerist (Oct. 27, 2016, 10:42 AM), https://consumerist.com/2016/10/27/fcc-adopts-new-privacy-rule-limiting-what-isps-can-do-with-your-personal-data/.

[13]                    Id.

[14]                    Id.

[15]                    Jon Brodkin, Broadband lobbyists celebrate as FCC halts data security requirements, Arstechnica (Mar. 2, 2017, 1:53 PM), https://arstechnica.com/tech-policy/2017/03/isps-cheer-pause-of-rule-that-guards-private-data-from-security-breaches/.

[16]                    Richard Greenfield, How the cable industry became a monopoly, Fortune (May 19, 2015), http://fortune.com/2015/05/19/cable-industry-becomes-a-monopoly/.

[17]                    The FCC’s Role in Protecting Online Privacy: An Explainer, Open Technology Institute (Jan. 2016),  https://static.newamerica.org/attachments/12325-the-fccs-role-in-protecting-online-privacy/CPNI__web.d4fbdb12e83f4adc89f37ebffa3e6075.pdf

[18]                    Id.

[19]                    Richard Greenfield, How the cable industry became a monopoly, Fortune (May 19, 2015), http://fortune.com/2015/05/19/cable-industry-becomes-a-monopoly/.

[20]                    The FCC’s Role in Protecting Online Privacy: An Explainer, Open Technology Institute (Jan. 2016),  https://static.newamerica.org/attachments/12325-the-fccs-role-in-protecting-online-privacy/CPNI__web.d4fbdb12e83f4adc89f37ebffa3e6075.pdf

[21]                    Id.

[22]                    Larry Downes, Industry Groups Beg Congress, FCC to Restore Scrambled Internet Privacy Rules, Forbes (Jan. 30, 2017, 6:00 AM), https://www.forbes.com/sites/larrydownes/2017/01/30/industry-groups-beg-congress-fcc-to-restore-scrambled-internet-privacy-framework/3/#5043a8765905.

[23]        The FCC’s Role in Protecting Online Privacy: An Explainer, Open Technology Institute (Jan. 2016),  https://static.newamerica.org/attachments/12325-the-fccs-role-in-protecting-online-privacy/CPNI__web.d4fbdb12e83f4adc89f37ebffa3e6075.pdf

[24]                    No. 15-16585 (Ninth Cir. 2016).

[25]        Dee Bansal et al., FTC v. AT&T Mobility: Ninth Circuit “Throttles” FTC Jurisdiction, Lexology (Sept. 12, 2016),http://www.lexology.com/library/detail.aspx?g=99f253e3-16a9-4fb5-9084-227a437b8392.

[26]                   Jon Brodkin, Broadband lobbyists celebrate as FCC halts data security requirements, Arstechnica (Mar. 2, 2017, 1:53 PM), https://arstechnica.com/tech-policy/2017/03/isps-cheer-pause-of-rule-that-guards-private-data-from-security-breaches/.

[27]        Comcast Corp. Company Profile, Reutrers, http://www.reuters.com/finance/stocks/companyProfile?symbol=CMCSA.O

[28]                    Calli Schroeder, The AT&T v. FTC common carrier ruling creates a regulatory ‘blind spot’, iapp (Sept. 2, 2016),https://iapp.org/news/a/the-att-v-ftc-common-carrier-ruling-and-how-it-changes-common-carrier-regulation/.