Can the FCC’s Open Internet Order Really Increase Consumer Safety?

On January 17, the Federal Communications Commission (FCC) is scheduled to report on its Notice of Proposed Rulemaking on Safeguarding and Securing the Open Internet. If it proceeds, broadband internet access services, provided by Internet Service Providers (ISPs) will be reclassified as telecommunications services subject to Title II of the Communications Act 1934. Broadband providers will be considered “common carriers” of internet traffic subject to a number of regulatory provisions, including (inter alia): prevention of blocking and throttling of lawful content, applications, services, and non-harmful devices; prevention of paid and/or affiliated prioritisation; and, transparency requirements. These are deemed necessary in order to “safeguard and secure broadband infrastructure, protect consumers, and ensure that the Internet remains open and available to all content providers and consumers.”

Chairwoman Jessica Rosenworcel justified the rulemaking because “broadband is an essential service.” “It is no longer nice-to-have; it’s need-to-have for everyone, everywhere.” Furthermore, it would increase the FCC’s ability to address public safety, national security and privacy issues. Specifically, it would require broadband internet access providers to be subject to the same provisions as voice telephony providers requiring them to “protect the confidentiality of the proprietary information of their customers.”

Yet it is the inequity, not the increased protection of consumer information confidentiality offered by the rule, that underpins this justification. Those privacy protections currently extend to voice customers but not broadband subscribers. According to Rosenworcel,

The law requires telecommunications providers to protect the confidentiality of the proprietary information of their customers. That means that these providers cannot sell your location data, among other sensitive information. Does that really make sense? Do we want our broadband providers selling what we do online?

The problem is that Title II applied to a telecommunications service where one operator was responsible for providing an end-to-end service supporting just one application—voice calling. Privacy, confidentiality and all other such requirements could be enforced because a single provider was responsible for all aspects of a call (including the agreements with the provider) at the “other end” of the connection, and all links in between. This is far from the case for the modern internet.

An ISP is responsible for only one small part of internet data carriage: the link from the application the consumer uses to create or consume data to the nearest interconnection point with the internet. This data is utilized by an array of applications serving many different purposes and may be stored in different locations far from the point at which the ISP hands the data over to another carrier in the chain. In most cases, the ISP has no control over how the data travels on its journey, or any powers over the ultimate recipient or content generator. The proposed rules will have the effect of governing only the activities of the pick-up truck taking the package prepared by the end consumers’ staff to the depot where it will be taken on the next stage of the journey.

So how effective will the rule really be in just one of the claimed areas of increased protection— privacy and confidentiality?

The effects will be negligible. The real risks to privacy and confidentiality occur not when the data is on this very short journey, but at all the other points in the internet ecosystem where personal data is generated, stored, and consumed. The risk that data on consumers can be scraped and sold by ISPs while data is on this journey is negligible compared to the opportunities presented at every other stage of its generation, transportation and storage. And the evidence that this has actually been attempted by ISPs is non-existent. Consumers’ real vulnerabilities reside with the applications used on the devices which convert their information into digital data—those residing on their cell phones and computers and which they use to communicate with parties all over the world.

Put simply, the privacy and other contractual protections offered under Title II never really pertained to the transmission of data, but to the application it supported—voice telephony. Risks attend predominantly to the content of the message, not the identity or nature of the messenger.

So, the question is begged: aside from the blocking and throttling provisions, which have been in place from 2010, is the appropriate “information service” to be considered not that provided by ISPs, but those of the array of internet platforms that form the basis of most consumers’ engagement with the online world? Indeed, some commentators have suggested that the Act’s definition of information provision could be sufficiently broad enough as to already capture internet platforms as common carriers, at least as far as Section 230 protections apply.

Ironic given that internet platforms have been amongst the most ardent supporters of the proposed rulemaking.