Facebook panic returns focus to Internet providers selling your browsing data

One year ago, President Trump signed legislation repealing a Federal Communications Commission regulation that would have forced Internet service providers to seek customer consent before selling their browsing data to advertisers.

The ISPs and Republicans in Congress had argued it was unfair to shackle companies such as Comcast and Verizon with an opt-in rule when Facebook and Google had no such limits on turning user data into ad revenue.

That argument is losing appeal as lawmakers respond to British company Cambridge Analytica using Facebook data surreptitiously taken from nearly 90 million accounts for 2016 election targeting.

“I think the dam is broken,” said Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation, a group that advocates for user control over browsing data. “The question becomes, what are legislatures going to do?”

Last year, the EFF supported unsuccessful state efforts to pass ISP privacy bills. In California, the effort died amid concern about the effect on companies such as Facebook. Falcon believes that’s no longer a concern, but a selling point.

“It’s made privacy personal again,” Falcon said. “There’s no reason to not think there are other Cambridge Analyticas out there that will use ISPs in the exact same way as Facebook.”

Falcon believes bills creating privacy rules for ISPs and companies such as Facebook and Google “are going to be inextricably linked” as “people are going to feel it’s incomplete to move on privacy for one without the other.”

At the federal level, bills to address privacy issues treat the two classes of tech companies differently. But in a telling sign, Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., are lead sponsors on bills to resurrect ISP rules and force consent on websites such as Facebook.

Markey needled Facebook CEO Mark Zuckerberg last week on whether he would support his CONSENT Act covering social networks, but received support only in principle.

“This issue of online security and privacy is more relevant now than ever,” said Rep. Jacky Rosen, D-Nev., a computer programmer and lead sponsor of the Restoring American Privacy Act to bring back the ISP opt-in rule.

The repeal happened largely along party lines, however, and it’s unclear there’s been enough of a shift to breathe new life into the effort. Still, Rosen has one Republican cosponsor — Rep. Ileana Ros-Lehtinen, R-Fla. — and optimism.

“Restoring these rules should be a key priority in the next Congress if it doesn’t happen this year,” she said.

Falcon said he believes the partisan divide may fade, and that momentum may grow with action by a large state such as California or New York.

What actually happened?

After Trump signed the ISP privacy repeal in April 2017, nearly 20,000 outraged Internet users donated money to buy the browsing histories of members of Congress.

One fundraiser, created by software developer Adam McElhaney, raised $208,742 on a vow to buy and publish Internet records showing lawmakers’ “medical, pornographic … financial and infidelity” browsing habits.

Another drive, by “Supernatural” actor Misha Collins, raised $85,939 to buy the records of members of Congress and Trump.

In a third effort, Cards Against Humanity co-founder Max Temkin offered to pay whatever was needed, noting $1 million in gifts to the EFF and the Sunlight Foundation as an indication of resources available. The idea attracted more than 80,000 upvotes on Reddit.

“We’re keeping an eye on this and waiting for the opportunity to purchase this data if and when it becomes available,” Temkin told the Washington Examiner. “To my knowledge, it’s not available to purchase yet.”

Indeed, ISPs said they would not sell browsing data for lawmakers. They don’t sell the individual records of anybody, instead packaging the data as anonymized records for bulk-advertising purposes.

“They should probably issue refunds to whoever donated!” said Brian Dietz, senior vice president for strategic communications at NCTA – The Internet & Television Association, a trade group that represents ISPs.

Last week’s congressional appearance by Zuckerberg “certainly demonstrates how rules that target only ISPs would have been largely ineffective and not at all reflect the real consumer Internet experience,” he said.

Dietz said ISPs are committed to protecting customer privacy and noted the FCC regulation that was repealed never took effect, meaning that the repeal simply maintained the status quo.

“We don’t have a formal position yet on possible new rules,” Dietz said. “[But] the [Federal Trade Commission] has long been the agency of record regarding consumer privacy issues, and their authority over ISPs will be restored as part of the Title II [net neutrality] repeal.”

FTC action is insufficient, Falcon countered, arguing the commission largely focuses on companies being straightforward about their practices.

“I think that argument’s nonsense because the FTC is what we have today with Facebook. It’s what we had with Equifax,” he said. “It’s the idea that as long as we make sure that these companies don’t lie to us about their privacy practices we’re OK. I think that argument’s laughable.”

There is no uniform belief that privacy protections will pass, at least not federally.

McElhaney, the software developer behind the most successful crowd-funding drive to buy lawmaker records, said he’s worried about complacency, even after the Cambridge Analytica revelations. He gave his GoFundMe haul to EFF to support advocacy on the issue.

“I don’t think that the Facebook privacy issue will do anything. Much in the same way that Equifax released our SSNs/DOBs, etc. and they barely got a slap on the wrist,” McElhaney wrote in an email.

“Facebook, sadly, is what keeps a lot of people connected. I’m afraid that the ‘I have nothing to hide’ mentality is strong with a majority of Facebook users — at least the ones I talk to. Moreover, I think that the younger generation is just conditioned into accepting that someone is always looking, and they have no privacy, which will only erode more of our privacy rights as time goes on,” he said. “Sometimes, I feel like we live in the darkest timeline.”

With or without privacy laws, tech-savvy customers can limit the information they allow ISPs to take. Users of the Tor anonymizing browser or a virtual private network can keep providers in the dark, though as Ars Technica noted, each option has drawbacks. When a website uses HTTPS, the ISP can still see which site was visited, but not the specific pages.

Despite doubts, Falcon said he believes change will come, particularly at the state level, where many bills are pending. He said federal action seems likely too, and that he believes more Republicans will join largely Democratic-led efforts. Currently, Minnesota and Nevada have laws requiring ISPs to get user consent for use of private data, according to the National Conference of State Legislatures.

Falcon said the lesson of Cambridge Analytica is that vast amounts of data can be misused, even if the large corporation that accumulated the data has no malicious intent beyond showing ads.

Even with anonymized data, “the technology to reconnect the dots is really sophisticated,” Falcon said, and cybersecurity is impossible to guarantee against state actors such as China and Russia.

“The Cambridge Analytica story is instrumental because it demonstrates that even when they have no intention to [use] information in a certain way, once it’s accessible and the tools are built for them to do it, some third party will do it,” he said. “It’s not a matter that the core industries will behave nicely. It’s once they created that repository of information and access to information, there’s risk.”
