Tag: privacy

ISP privacy rules. What’s next is what matters.

Photo by onephoto

If we merely politicize the issue of privacy, we’ll never have any.

When my first kid was born, I didn’t even have an internet account yet.  But somehow, multiple advertisers knew that there was a new baby because we were inundated with direct mail offers for every infant-related product under the sun.  Within a couple of years, I joined millions of Americans who got online for the first time and was present in more than a few meetings with advertising wonks talking about how much more effectively they would be able to “target” consumers via the web. These discussions invariably included a lot of speculation about how much privacy consumers would be willing to give up for the sake of convenience or savings.

It turns out we were willing to pretty much abandon privacy, but not quite in the way it was being discussed in the early 90s.  Instead, Web 2.0 evolved differently from the way it was imagined in those days, and I think it’s fair to say that for many people, using the major online platforms is only barely optional.  Shop online without Amazon, have a social media presence without Facebook, or do any number of things without Google?  Not likely.

So, rather than make conscious choices to allow platforms to harvest and sell data about our online activities, I think we just passively accepted or ignored this reality for the sake of using platforms and apps.  Who really reads Terms of Service or pauses to seriously contemplate that opt-in moment when an app wants access to various data?  And with mobile apps, opt-in is typically not optional at all; it’s either integrated with some amount of personal data, or it just doesn’t work.

Of course, it’s no surprise that the internet lit up with headlines decrying the GOP’s overturning the ISP privacy rules that were put in place under Obama’s FCC Chairman Tom Wheeler.  And there’s no question this is an issue to watch, but I predict that nobody really will watch it as long as it remains politicized through an Obama/good v. Trump/bad lens.  Because let’s cut to the chase here. Under Obama, we did not really address online privacy in any meaningful way.  Under Trump, we may continue to drop this ball, but for the moment, let’s at least try to keep our eyes on the ball and watch where it goes.

Ultimately, if we hope to have any kind of substantive privacy regulation, then consumers need to be shielded from certain practices conducted by both ISPs and “edge providers,” meaning platforms like Google and Facebook.  During the Obama administration, NetNeutrality rules placed ISPs under the ambit of the FCC while the “edge providers” remained governed by the FTC.  Then in October 2016, Chairman Wheeler introduced the privacy rules — rules different from those governing edge providers — for ISPs, which were just overturned, resulting in much scorn and fear.

The headline issue for consumers is that the ISPs can now sell your data without permission.  This is true. But with or without this rule, Google and friends have been free to sell your data without permission for years—and they have certainly been doing so.  According to FCC Chairman Ajit Pai’s own testimony, the discrepancy between ISP rules and edge-provider rules were at the heart of his initial criticism of the rules proposed by Wheeler last October.  Pai has stated that he agrees with the goals of privacy regulation but that he was opposed to having two separate and inconsistent set of rules governed by two different agencies.  I noted this in a previous post citing Pai’s dissent over adoption of that proposal.

So, what now? 

It seems to me that if we actually care about privacy—and I’m not entirely convinced we do—that it’s what happens next that really matters.  Does the FCC, and the GOP leadership, stop here, merely eliminate the ISP rules and move on? Or does Chairman Pai live up to the promise inherent in his past criticism and seek to forge new and better protections that uniformly govern both ISPs and edge providers? It could certainly go either way, but my cynical prediction is that consumers will continue to read this story through the lens of politics and (frankly) a fairly lazy press, while both ISPs and edge providers do whatever the hell they want with our data.

I see a lot of comments stating that an important distinction to make is that we have a choice to use one platform or another but no choice other than to connect to the internet via a single ISP—often one ISP in a particular market.  This is true to an extent, but I have to say that it also seems like a self-soothing delusion to suggest that the world of edge providers is filled with choices.  Google dominates search and a massive share in mobile, and there is only one Facebook.  Are you planning to abandon either platform for the sake of privacy? And what happens in a market where a platform like Google becomes both ISP and edge provider?  Which rules govern privacy then?

Moreover, as Pai observes in his dissenting opinion, people connect via multiple ISPs throughout the day; but that doesn’t mean our online activities are not identifiable by edge providers no matter where we go.  Log into your Google account, Facebook, or Amazon, and it doesn’t really matter whose WiFi or mobile service you’re using in that moment—you’re visible as you; and all of these platforms are collecting and selling data about you.

As stated in other contexts, the web we have is not driven by altruistic principles like freedom, sharing, and speech; it’s driven by advertising and data mining.  That the ISPs want to share the market with the edge providers is not in itself unreasonable. But the entire ecosystem should be subject to uniform privacy protections for all consumers.  Chairman Pai may indeed fail to pursue his stated intent to achieve that goal, but it seems to me that’s the agenda to watch.  Certainly, we’re unlikely to achieve effective regulations by “debating” the issues through the fog of politics and scary headlines.

How Bad is the FCC Pause on Privacy Rules?

Photo by kentoh

By now, you may have encountered a handful of headlines stating that the new, Trump-appointed FCC Chairman Ajit Pai has temporarily halted new privacy rules passed under Obama’s Chairman Tom Wheeler.  As a general takeaway, you’re also likely to see statements like “Republicans favor corporations over consumer privacy,” and as with all things under the Trump imprimatur, trust is not going to be the default position for many of us. But, then, viewing every issue through the lens of Trumpism is also another way of distorting reality, making ourselves bananas, and failing to compartmentalize issues, which is almost always necessary.

On the subject of consumer privacy and the FCC, any criticism that Wheeler’s policies favored companies like Google and Facebook over other companies should be at least considered.  As readers know, I and others criticized Wheeler’s so-called “set-top-box” proposal as an attempted hand-out to Google at the expense of television creators.  So, when this story about privacy broke, I wasn’t prepared to take every headline at face value just because Pai is a Republican in the Trump administration. He was in the FCC before the election and would likely still be there regardless of who became president.

Let me jump to the main point here:  we consumers want and deserve control over the gathering, selling, and use of our data.  We do not have this control yet. There is no comprehensive, uniform body of law that is adequately protecting privacy in cyberspace for American citizens.  And these facts are central to Pai’s criticisms of Wheeler’s rules of October 2016.

With the adoption of NetNeutrality—another topic for another day—the FCC was empowered to regulate ISPs like AT&T and Verizon in the same way it regulates telephone carriers.  As a result, it was then empowered to establish rules for these ISPs regarding the manner in which they may gather and use consumer data.  This is fine in principle, but critics, including Pai, argued that these FCC rules were not consistent with the rules set by the Federal Trade Commission, which apply to data gathering and use by companies like Google and Facebook, referred to here as “edge providers.”

Because the ISPs hope to compete in online advertising with the “edge providers,” they argued that the disparity in rules creates an unfair advantage for the likes of Google in the market. And that’s when I will at least give these critics some benefit of the doubt. Because as much as I may admire President Obama on a wide range of topics, his administration consistently tilted in Google’s favor across many areas of governance.

In his dissenting opinion regarding the FCC rules now on hold, Pai quoted the Electronic Privacy Information Center in rebuttal to Wheeler’s assertion that providers like Google and Facebook only see a “slice” of our data:

The FCC describes ISPs as the most significant component of online communications that poses the greatest threat to consumer privacy. This description is inconsistent with the reality of the online communications ecosystem. Internet users routinely shift from one ISP to another, as they move between home, office, mobile, and open WiFi services. However, all pathways lead to essentially one Internet search company and one social network company. Privacy rules for ISPs are important and necessary, but it is obvious that the more substantial threats for consumers are not the ISPs.

That certainly jibes with my own experience as a consumer. Regardless of how I get online—whether at home, through my mobile device, or via my local coffee house WiFi—all of my substantive activity occurs on web platforms.  So, yeah, I think privacy rules governing ISPs and “edge providers” should be both robust and consistent. But are they either robust or consistent?

That’s the nitty gritty we’re going have to try to follow in the coming months; and the task is not made easier when editorials fall into the trap of reporting this matter as Republican = corporate favoritism and Democrat = consumer protection.  When it comes to the interests of the Big Data companies, that narrative just does not hold up.  Chairman Pai’s core complaint about Wheeler’s FCC privacy rules is that the providers with the most detailed view of our data (.e.g. Google) would have far more lenient governance than the providers who have less insight into our private lives (e.g. Verizon). So, to the extent that Pai is correct in this assessment, I have to agree that consumer protection is best served by consistent rules governing the entire internet ecosystem.

Stay tuned. Much more to follow I’m sure.

Patent Hypocrisy Raises Privacy Concerns

A few posts ago, I reported that the major lobbying muscle in the Internet industry backs a patent “reform” bill (HR 9) called the Innovation Act. I argued in that post that while this reform claims to eliminate nuisance “patent trolls” from clogging up the system with dubious claims, what it really does is eliminate competition from the market.  Because, while the Silicon Valley PR hydra continues to sell the message that intellectual property is an outdated concept in the digital age — one that is chilling the general public’s civil liberties no less — they don’t actually mean that IP is outdated for them, just for everyone else.

Not surprisingly, a web search is no way to get a quick answer as to how many patents these companies hold. Most especially, typing “How many patents does Google have?” into a Google search yields a rather opaque set of first results from the “organizer of all data.” I had to use Bing to get to this article from 2013 in MIT Technology Review, which indicates that since 2007, Google has accelerated its patent activity to the tune of over 1,500 awards per year.  This is still far behind IBM, but not bad for a company that keeps telling the public the USPTO is “overwhelmed” by applications and flimsy claims. This 2012 article from ZD Net estimates that Facebook owned 812 patents at the time of publication, nearly all of these purchased from IBM in a single week as an apparent move to build up its defensive position against litigation from Yahoo! and Mitel.  And this 2014 article in IP Watchdog offers some praise to Facebook for its “more developed” patent strategy in contrast to Twitter vis-a-vis market valuation.

I mention this final example to make the point that there is nothing inherently wrong with these companies availing themselves of IP protections; what’s wrong is the hypocrisy of backing policy change that would create an uneven playing field for big vs small.  To put that in brass tacks, if one of these big boys infringed some IP you created, it isn’t enough that you’d be at a financial disadvantage in a lawsuit, but they’d also rewrite the law to possibly label you a “troll” in order to invalidate your claim in the first place.

But so what? These are the real innovators, right?  They’re innovating a brighter future for everyone and doing it all for free in the name of freedom and open freeness and free openness and disruptive free open innovation and freedom. Right?  Yeah.  So, here’s one of Facebook’s latest patents, Patent No. 9,100,400, which this excerpt from a post by the law firm of Gottlieb Rackman & Reisman explains clearly:

“In the patent, Facebook explains that it has invented a system by which, among other things, it can take the data, specifically your list of friends or your “social network,” and examine the credit ratings of those in your social network. The data is then used to provide information about YOU to lenders, presumably under the theory that “birds of a feather flock together.” If your friends collectively have a good credit rating, the lender might give you loan. If your friends collectively have a poor rating, the lender can close its file on your application. The point here that that lenders who might see some benefit in having data about your social network to judge the likelihood of your ability to pay the loan, or even your willingness to pay it back, will likely be paying Facebook (or any company that Facebook licenses) for the data.”

At the top of the list of magical thinkers I distrust are religious zealots followed closely by actuaries, the latter being too often engaged in devising some alchemical rationale to correlate, for instance, your choice of wardrobe with the insurance premium you should pay.  And we should not be surprised at all — in fact we have already seen other evidence — that social media profiles can become part of your unintended resume, your medical history, your credit-worthiness, your insurability; in short, your worthiness to live among the haves instead of the have nots according to someone’s data-driven decision process.

Now it is possible, that Facebook and lenders will not be able to implement this patented system as described without running afoul of the Equal Credit Opportunity Act, but if adopted, how is this credit based on the company you keep not a potential digital-age means of helping the rich stay rich and the poor stay poor?  When an entity like an insurer, creditor, or potential employer wants to disenfranchise a type of person — black, gay, Mexican, women who have premarital sex! — they devise criteria to avoid direct conflict with anti-discrimination laws.  “We didn’t deny you that loan because you’re black, we denied it because your friends (who didn’t manage to escape the impoverished neighborhood you did) all have bad credit scores.”

So, it’s not hard to imagine a future with a variety of creative, actuarial schematics by which any individual or group may be disenfranchised simply because we have voluntarily made what we used to call “private life” a matter of public record. And because this is the new normal, perhaps we ought to be drawing new legal boundaries regarding personal information and discrimination, but that doesn’t seem to be the kind of reform any of the digital-age leaders want to talk about.