FCC ushers in a troublesome new world for online privacy
By David J. Farber & Christopher S. Yoo
Nov 7 2016
In late October, the Federal Communications Commission passed new rules that take the unprecedented step of imposing stricter privacy regulation on one specific set of actors in the Internet ecosystem.
Along party lines, the FCC voted to impose onerous limitations on Internet service providers’ use of web browsing information without regard to whether the information is sensitive or not, which differs greatly from the guidelines governing all other online companies, like search engines and mobile apps.
Not only are these rules based on an inaccurate understanding of the underlying technology, they also create a fragmented privacy framework that deviates from the approach established by the Federal Trade Commission that has proven so effective in supporting innovation.
The Internet was relatively simple when it first exploded into the public’s consciousness during the mid-1990s. The typical user relied on a personal computer connected to their home telephone line to send an email or browse the World Wide Web.
A wide range of technologies and companies emerged that rely on personal data to provide a dazzling new array of free (or, more properly, advertising-supported) services.
To best protect consumers, the Federal Trade Commission created a privacy regime that provides the greatest protection for the most sensitive data, such as health care and financial information, while adopting a more permissive approach to less sensitive data, such as the use of purchase histories to make product recommendations.
The modern Internet has become far more complex and decentralized. A much larger number of users are employing a far broader range of devices and network technologies to run a greater variety of applications.
A decade or two ago, networks were able to learn about end users since they typically accessed the Internet from a fixed location, such as their homes.
Today users access the Internet from everywhere via mobile devices, which scatters information about individuals’ usage across a wide range of network providers and locations. Simultaneously, the increasing use of encryption is limiting networks’ ability to view the content of the traffic they are carrying.
In addition, modern operating systems and applications require that users identify themselves prior to using them. This practice permits operating systems and applications to track users across devices and locations, whether inside or outside the home and to use personal information in ways that many users do not anticipate.
Even browsing the web is now fundamentally different. For example, HTML version 5 added an API for geolocation. Web pages are now also designed to observe when a user using a mouse is hovering over particular content without clicking on it.