from the actually-doing-your-job dept
Back in 2008, Verizon proclaimed that broadband services didn’t need additional consumer privacy protections because “public shame” would keep the broadband industry honest. But in late 2014, Verizon found itself at the center of a privacy scandal after security researchers discovered the company was embedding stealth tracking technology in every packet sent by the company’s wireless users. These “stealth cookies” were being used by Verizon for two years before they were even discovered, and it took another six months of public and press outrage for Verizon to let users opt out.
In other words, public shame didn’t work, because even security researchers weren’t able to detect what Verizon was doing. Verizon’s behavior specifically prompted the FCC to use its new Title II authority to begin crafting marginally-tougher consumer privacy protections. Under Title II, ISPs are now subject to its Section 222 privacy protections regarding “customer proprietary network information” (CPNI). But since those rules were crafted for older phone companies, the FCC’s looking to modernize them for the smartphone and “Internet of Things” age.
This has, as you might expect, been met with renewed annoyance by the broadband industry. Most of the broadband industry’s major lobbying organizations have fired off a letter to the FCC (pdf) that basically urges the FCC to pass rules that aren’t all that clear or tough, since tough rules might just hurt the industry’s incredible love of innovation and competition:
“If the courts determine that the FCC has authority to regulate broadband privacy, we encourage you to develop a framework that offers consumers robust privacy protection, while at the same time allowing broadband providers to continue to innovate and compete…Our member companies recognize that ensuring robust privacy protection is important and have devoted substantial capital, resources and personnel to develop, maintain, and enhance meaningful data privacy and security programs. Indeed, our companies have strong incentives to earn and maintain their customers’ loyalty by protecting their data.”
Except that hasn’t really proven to be the case.
Verizon’s incentive certainly wasn’t consumer loyalty when it designed a super cookie that ignored all consumer privacy preferences and browser settings. And that kind of thinking has been more the norm than aberrant behavior, given that ISPs have been selling user clickstream data for more than a decade (and lying about it). Similarly, the kind of “innovations” consumers have grown used to have included being forced to pay a premium for privacy, such as how AT&T forces U-Verse broadband customers to pay $44 to $64 more per month if they want to opt out of AT&T’s deep packet inspection snoopvertising.
And that’s just fixed-line broadband. Privacy essentially doesn’t exist when it comes to wireless, where both usage and location data are shared with absolutely anybody ready to write the major wireless carriers a check. And as the major broadband players push into smart home, security, automation, connected vehicle and other fields, you can be absolutely sure that their total lack of privacy principles will be coming along for the ride. That’s why more than fifty privacy-focused groups including the EFF sent their own letter (pdf) to the FCC last month urging it to become a “brawnier cop on the beat” on broadband privacy.
And while the broadband industry’s myriad of mouthpieces are sure to whine incessantly about “over regulation” here, the industry had absolutely every opportunity over the last decade to self-regulate and avoid “tougher” (read: any) privacy protections. Instead, as Verizon’s super cookies perfectly exemplify, the industry thought that lifting a giant middle finger to consumers was the smarter option.