Peter Swire Discusses Internet Service Provider Access to Consumer Data at Senate Hearing

By TAP Staff Blogger

Posted on July 11, 2016


Share

Tomorrow (Tuesday, July 12, 2016), the U.S. Senate Committee on Commerce, Science, & Transportation will convene a hearing titled “How Will the FCC’s Proposed Privacy Regulations Affect Consumers and Competition?” The hearing will examine the Federal Communications Commission’s (FCC) Notice of Proposed Rulemaking (NPRM) on Internet service provider customer privacy.

 

The NPRM, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” was released in April by the FCC and is currently requesting comments. According to a news release from the FCC, the NPRM “proposes to establish privacy guidelines for broadband Internet Service Providers (ISPs).”

 

The proposal is designed to ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.

 

The NPRM proposes rules implementing the privacy requirements of Section 222 of the Communications Act for broadband ISPs. It proposes rules that would give broadband customers the tools they need to make informed decisions about how their information is used by their ISPs and whether and for what purposes their ISPs may share their customers’ information with third parties.

 

Privacy and cyberlaw scholar Peter Swire is scheduled as a witness at tomorrow’s hearing. His paper, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others,” co-authored with Justin Hemmings and Alana Kirkland, provides insights about what Professor Swire may share with the Senate Committee. Below are excerpts from the Executive Summary.

 

Excerpts from the Executive Summary, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.”

 

This Working Paper provides a detailed, factual description of today’s Internet ecosystem for the United States, with attention to user privacy and the data collected about individual users. For two decades, there have been complex policy discussions about how to protect users’ privacy online while also enabling the provision of advertising-supported content and robust commercial activity on the Internet.

 

This Working Paper is intended to provide information useful to Congress, federal agencies, and the general public in consideration of online privacy issues. Among other relevant fora, in 2015 the Federal Communications Commission (“FCC”) issued its Open Internet Order, which brings Internet Service Providers (“ISPs”) under the common carrier requirements of Title II of the Telecommunications Act. Title II contains Section 222, which governs how telecommunications service providers use and disclose Customer Proprietary Network Information. In April 2015, the FCC held a hearing on broadband Internet privacy, for which one of the authors [Peter Swire] of this Working Paper was invited to testify.

 

This Working Paper grew out of the April hearing, where there were large factual disagreements about important aspects of online privacy for broadband services newly covered by Title II. At the hearing, FCC officials expressed interest in better understanding these facts. This Working Paper, in response, is intended to provide a factual and descriptive foundation for making public policy decisions about the privacy framework that should apply to ISPs and other companies that collect and use consumers’ online data.

 

The Working Paper addresses a widely-held, but mistaken view about ISPs and privacy. The view asserts that ISPs have comprehensive and unique access to, and knowledge about users’ online activity because they operate the last mile of the network connecting end users to the Internet. Certain consumer advocates and others have cited this view to suggest that ISPs’ collection and use of their customers’ online data may justify heightened privacy restrictions on ISPs.

 

This Working Paper takes no position on what rules should apply to ISPs and other players in the Internet ecosystem going forward. But public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem. The Working Paper addresses two fundamental points. First, ISP access to user data is not comprehensive – technological developments place substantial limits on ISPs’ visibility. Second, ISP access to user data is not unique – other companies often have access to more information and a wider range of user information than ISPs. Policy decisions about possible privacy regulation of ISPs should be made based on an accurate understanding of these facts.

 

Technological Developments Place Substantial Limits on ISPs’ Visibility into Users’ Online Activity

  1. From a single stationary device to multiple mobile devices and connections. In the 1990s, a typical user accessed the Internet from a single, stationary home desktop connected by a single ISP. Today, in contrast, the average Internet user has 6.1 connected devices, many of which are mobile and connect from diverse and changing locations that are served by multiple ISPs. By 2014, 46 percent of mobile data traffic was offloaded to WiFi networks, and that figure will grow to 60 percent by 2020. Any one ISP today is therefore the conduit for only a fraction of a typical user’s online activity.
  2. Pervasive encryption. We present new evidence about the rapid shift to encryption, such as the HTTPS version of the basic web protocol. Today, all of the top 10 websites either encrypt by default or upon user log-in, as do 42 of the top 50 sites. Based on analysis of one source of Internet backbone data, the HTTPS portion of total traffic has risen from 13 percent to 49 percent just since April 2014. An estimated 70 percent of traffic will be encrypted by the end of 2016. Encryption such as HTTPS blocks ISPs from having the ability to see users’ content and detailed URLs. There clearly can be no “comprehensive” ISP visibility into user activity when ISPs are blocked from a growing majority of user activity.
  3. Shift in domain name lookup. One integral function of ISPs has been to match the user’s web address request to the correct domain and specific Internet Protocol (“IP”) address. Today there is still a small, but growing, trend of Internet users utilizing proxy services that displace this traditional ISP function. Examples include Virtual Private Networks (“VPNs”) and new proxy services offered by leading Internet companies. When a user accesses the Internet through an encrypted tunnel to one of these gateways, ISPs cannot even see the domain name that a user is visiting, much less the content of the packets they are sending and receiving.
 

Non-ISPs Often Have Access to More and a Wider Range of User Information than ISPs:

  1. Non-ISP services have unique insights into user activity. At the same time that the above technological and marketplace developments are reducing the online visibility of ISPs, non-ISPs are increasingly gathering commercially valuable information about online user activity from multiple contexts, such as: (1) social networks; (2) search engines; (3) webmail and messaging; (4) operating systems; (5) mobile apps; (6) interest-based advertising; (7) browsers; (8) Internet video; and (9) e-commerce. This Working Paper explains the data flows and mechanisms for advertising for each of these contexts, many of which gather insights about users that are not available to ISPs. ISPs are not market leaders in any of these major areas; rather, they are just starting to compete in some of them.
  2. Non-ISPs dominate in cross-context tracking. Each of the above-listed services and platforms gathers volumes of data about users, often with insights into content (social networks, webmail, etc.) and other information often characterized as sensitive in privacy debates. While it is analytically instructive to understand each service/platform, the real insights come from combining information from multiple services/platforms – what we call “cross-context tracking” linked to a particular user device or across devices. The 10 leading ad-selling companies earn over 70 percent of online advertising dollars, and none of them has gained this position based on its role as an ISP.
  3. Non-ISPs dominate in cross-device tracking. Yesterday’s desktop has evolved into today’s tablets and smartphones, and tomorrow’s innumerable devices in the Internet of Things. A growing share of advertising tracking targets the user across multiple devices. Market leaders are companies for whom users log-in across multiple devices, such as smartphones, tablets, and laptops. Today, cross-device log-in is led by non-ISPs.
 

In summary, based on a factual analysis of today’s Internet ecosystem in the United States, ISPs have neither comprehensive nor unique access to information about users’ online activity. Rather, the most commercially valuable information about online users, which can be used for targeted advertising and other purposes, is coming from other contexts such as social networks and search. Market leaders are combining these contexts for insight into a wide range of activity on each device and across devices.

 

Chapter 10: Conclusion

In summary, based on detailed analysis of today’s Internet ecosystem in the United States, this Working Paper concludes in Chapter 10 that the evidence does not support a claim that ISPs have “comprehensive” knowledge about their subscribers’ Internet activity, for encryption and other technological reasons. Similarly, ISPs lack “unique” insight into users’ activity, given the many contexts where other players in the ecosystem gain insight but ISPs do not, and the leading role in cross-context and cross-device tracking played by non-ISPs.

 

This Working Paper takes no position on what rules should apply to ISPs, or to providers of services in the other contexts (often called “edge providers”). However, public policy should be consistent and based on an accurate understanding of the facts. The following Chapters provide details and citations to further explain today’s online ecosystem.

 

Read the full paper: “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.”

 

 

Peter Swire is the Nancy J. and Lawrence P. Huang Professor in the Law and Ethics Program at the Scheller College of Business at the Georgia Institute of Technology, with courtesy appointments in the School of Public Policy and the College of Computing. Professor Swire has been a leading privacy and cyberlaw scholar, government leader, and practitioner since the rise of the Internet in the 1990’s. He is a Senior Fellow with the Future of Privacy Forum, and a Policy Fellow with the Center for Democracy and Technology. Additionally, he is senior counsel with the law firm of Alston & Bird LLP.

 

Professor Swire has served several times in the White House as a policy official. In 2013, he served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology. Prior to that, in 2012, he was co-chair of the global Do Not Track process for the World Wide Web Consortium. Under President Clinton he was the Chief Counselor for Privacy, in the Office of Management and Budget. He is the only person to date to have U.S. government-wide responsibility for privacy policy. In that role, his activities included being White House coordinator for the proposed and final HIPAA medical privacy rules, chairing a White House task force on how to update wiretap laws for the Internet age, and helping negotiate the U.S.-E.U. Safe Harbor agreement for trans-border data flows. Under President Obama, he served as Special Assistant to the President for Economic Policy, working in the National Economic Council under Lawrence Summers. In addition to technology issues, he worked extensively on housing and housing finance issues.

 


Share