Broadband Privacy and the FCC: Protect Consumers from Being Deceived and from Unfair Practices
Left to right: Jon Leibowitz, Davis Polk & Wardwell LLP, Former Chairman of the Federal Trade Commission, Professor Peter Swire, Huang Professor of Law and Ethics, Scheller College of Business, Georgia Institute of Technology, Katharina Kopp, Ph.D., Director of Privacy and Data Project, Center for Democracy & Technology, Debra Berlyn, President, Consumer Policy Solutions, and Jules Polonetsky, CEO, Future of Privacy Forum.
Yesterday, the Future of Privacy Forum hosted an event to discuss the direction the FCC could take to best advance consumer protections as it considers how to regulate broadband providers’ use of consumer data. The key question was whether the FCC should adopt the “no deception or unfairness” model successfully used by the FTC and many State Attorneys General for many decades. Even local consumer regulators use this model — as Consumer Affairs Commissioner of New York City under Mayor Giuliani, I enforced NYC’s “mini FTC act” to protect consumers. Or, as some have argued, should the FCC come up with its own privacy regime of rules specific to ISPs?
Some important concepts we examined at the event included the following:
Broad Privacy Regimes or a Sectoral Approach?
Privacy and consumer advocates have long criticized the US sectoral approach to privacy, arguing that it is confusing and less effective than a broad general set of privacy rules for all data. The Obama administration embraced this view when it proposed a broad based Consumer Privacy Bill of Rights, which would have promised protection for any online personal information collected about consumers. Globally, the trend towards comprehensive privacy regulation that started in Europe has spread throughout almost all of the Western world. Katharina Kopp of the Center of Democracy and Technology noted that CDT’s long term goal was comprehensive privacy legislation across all sectors.
Does adding an additional area of sector-specific privacy legislation take a step backwards and make achieving broad privacy legislation less likely? Likely so, in my view, but even more likely so if the path the FCC takes is out of sync with the general broad approach that is applicable across the rest of the economy.
Is the FTC an Effective Enforcer of Online Privacy?
The FTC has been an aggressive actor in using its broad Section Five authority to bring numerous actions against companies of every shape or size. Tech giants Google, Microsoft and Facebook are all subject to 20 year consent decrees following FTC enforcement actions. The FTC has been able to bring actions in cases of consumer harm or deception, even when the harm or deception has been fairly conceptual, as in the Nomi case where the company failed to provide an opt-out that it wasn’t required to provide. Despite an almost certainty that no consumer entering a store had ever heard of Nomi or read its policy, the FTC took action based on its very broad view of its Section 5 Authority. Former FTC Chairman Jon Leibowitz discussed the important lead role the FTC has played in successfully policing online practices using its deception and unfairness authority.
Are ISPs unique in the types or amount of data they collect?
One important consideration for regulators is the rapid pace of change in technology and the uses of data. A decade ago, the leaders in the world of ad tracking and targeting were the companies that had access to the most data. Today, data has been democratized. Data is available to any vendor with a credit card. Blue Kai, the key data provider in Oracle’s new data division, offers more than 80 comprehensive sources of data to its customers. Every online player, large or small, has access to detailed data about every American consumer.
Professor Peter Swire has published a new paper which provides an incredibly detailed and extensive review of the types of data collected by ISPs. Swire shows that some of the conventional wisdom which assumes that ISPs can access every bit of a consumer online activity is off base, as a number of factors limit the visibility ISPs have. Swire also shows that much of the data used by tracking and targeting companies is widely available via social networks, search engines, ad networks, app stores and other companies that collect cross-device and cross-context data about consumers.
Will Consumers See any Difference if the FTC takes a restrictive approach?
Today, any company with a budget can bid for data at advertising and data exchanges or can license “data as a service” from a wide number of providers. Restrictive FCC rules could keep ISPs out of the ad tech business, but consumers will see no change in their online experience – the ads they see will still be targeted based on data from the plethora of companies they interact with online.
Is the FTC deception and unfairness standard a license for ISPs to have wide liberty with consumer data?
The FTC deception and unfairness standards can be quite strict. They take into account context, sensitivity of data, risk of harm and a wide range of factors. But, the standard is flexible and allows the FTC to demand higher standards when appropriate and to allow more practical uses of data when appropriate.
How can the FCC promulgate consumer friendly rules here that help simplify the intertwined and complex ad tech environment?
I recently came across the announcement and the agenda for the First Annual Privacy and Data Protection Summit on May 2001. The event was presented by the 50 member strong Privacy Officers Association, the predecessor of today’s 15,000 member International Association of Privacy Professionals. The small group of us who gathered debated the best ways to provide consumer protection at a time when internet business models were still developing.
Speaking at the event, I explained to the audience how easy it was to decline web tracking and ad targeting. Just use your browser’s cookie settings! Block all cookies, block just third party cookies, or clear your cookies and ad networks would no longer recognize your browser. Consumer controls were fairly basic and effective.
How things have changed.
Today, meaningful control for consumers has become incredibly complex. Cookie controls are increasingly meaningless, because companies that fingerprint consumer devices track without cookies. Central ad industry opt-outs are effective to decline ads targeted based on web surfing, but allow continued tracking, as well as targeting based on appended data. Apps don’t use cookies for tracking, so users who want to use the industry opt-out program need to download a special app to opt-out of app related ad targeting. Or consumers can use the”Limit Ad Tracking” settings that iOS and Android provide, but not every ad network cooperates. And the Do Not Track option offered by web browsers? Only about a dozen or so companies respect that setting. If you live in California, online companies need to tell you whether they respect the Do Not Track setting, unless they cooperate with the central industry opt-out program, in which case they do not need to tell you.
Has your head exploded yet? No, then let’s keep going.
If you don’t want your home WiFi IP address linked to your home location, please add to the name of your home router the letters “_NOMAP”. Google and Mozilla will then opt you out of their location services data bases. But for Skyhook, Microsoft and many others, find your home router MAC address and submit it at each of the opt-out pages provided by those companies.
Today, ISPs are part of the equation, as they have entered the advertising technology market. Digital signage increasingly includes tracking capabilities, as do in store Wi-Fi networks and more.
I could go on, but it should be abundantly clear that today’s online tracking and targeting options are likely only understood by a handful of experts who work at the intersection of ad tech and privacy.
Today, most of this ad targeting activity is subject to FTC jurisdiction, no matter the source of the data so an unhappy consumer can complain to that agency, regardless of the technology involved. But the FCC is extending its privacy rules to ISPs, which would mean that consumers will need to turn to that agency if an ad was targeted with tracking or targeting enabled by an ISP. Since ad targeting involves multiple actors, the FTC and FCC will need to cooperate on ad tech investigations, but each regulator will have a different standard for the same activity if the FCC comes up with its own regime.
The FCC proposal has been released as I write this post and seems to take a more regulatory restrictive approach, although it invites comments on other more consumer friendly paths to accomplish its consumer protection goal. I hope the FCC will take the time to understand the complex ad tech ecosystem and will consider the strong but flexible deception and unfairness rules that could provide its enforcement staff with tools that have stood the test of time.
Jules Polonetsky is CEO of the Future of Privacy Forum. He is a former Chief Privacy Officer of AOL and DoubleClick, and was the Consumer Affairs Commissioner of New York City under Mayor Guiliani.
March 10th Event : A Path Forward for Broadband Privacy
As the FCC begins to consider its role in regulating broadband provider data practices, how should it proceed? What are the practices that are at issue? What aspects of the current online ecosystem can the FCC impact? Please join us for a panel discussion to explore the issues.
Privacy and the Connected Vehicle: A Global Event, March 9 in Detroit
The Future of Privacy Forum and EY are hostingan event to advance the conversations around the management and use of personal information in the vehicle ecosystem. We will have a half day of panel discussions led by our team of privacy professionals and colleagues from the privacy and automotive space in the US and EU. If you work in the connected car ecosystem in automotive privacy, security, or compliance management, contact Lauren Smith at [email protected] to request an invitation.
Wednesday, March 9, 2016 from 8:00 AM to 12:00 PM (EST)
Detroit, Michigan
The program will include:
Welcome Remarks
Bill Schaumann, Senior Manager, Advisory, EY
Jules Polonetsky, CEO and Executive Director, Future of Privacy Forum
Panel 1: Legal and Self-Regulatory Standards for Automotive Privacy
This panel discusses steps companies are taking to adopt the Auto Alliance and Global Automakers Consumer Privacy Protection Principles, data issues in the automotive ecosystem, international considerations and practices, and the privacy impact of emerging technologies such as V2V, V2I.
Alan Prescott, Attorney, Office of the General Counsel, Ford Motor Company
Alma Murray, Senior Counsel, Privacy, Hyundai Motor America
Jason Wagner, Associate Transportation Researcher, Texas A&M Transportation Institute
Jessica Simmons, Senior Attorney, Alliance of Automobile Manufacturers
Tim Tobin, Partner, Hogan Lovells
Panel 2: Practical Considerations and Compliance
This panel discusses managing privacy in a distributed ecosystem, critical issues in managing the supply chain, responsibility for good privacy practices, and ensuring the Privacy Principles are integrated into new technologies.
Harry Lightsey, Executive Director, Global Connected Customer, Public Policy, General Motors
Karen Zacharia, Chief Privacy Officer, Verizon
Michelle Fleury, Data Protection Officer, Corporate Senior Director, Cisco Systems, Inc.
Paula Bruening, Senior Counsel, Global Privacy Policy, Intel Corporation
Valerie Shuman, Vice President, Industry Programs, Connected Vehicle Trade Association
Panel 3: Communications and Policy
This panel discusses managing consumer communications around privacy, security, and new features, the challenges of ensuring policymakers understand the complexity of data flows, legislative actions in the short term, and critical questions about autonomous technologies, ethics and privacy considerations.
David Strickland, Partner, Venable LLP
Brad Miller, Director, Legal and Regulatory Affairs, National Automobile Dealers Association (NADA)
Erinn DePorre, Senior Staff Counsel, Product Litigation, Fiat Chrysler Automotive
Jeff Brueggeman, Vice President, Global Public Policy, AT&T
This program is invitation-only and closed to press.
Important logistical information:
Time: Registration opens at 7:30am. Breakfast refreshments will be served. The program begins promptly at 8:00am. Lunch will be provided following closing remarks.
This live event will be available for videoconferencing in select EY offices throughout Europe: Sweden, Germany, France, and the UK.
Consider the data on your iPhone for a moment. Emails, pictures, passwords, credit cards, location history, contacts and more. Imagine your phone unlocked in the hands of a criminal who snatched it, or someone who wanted to embarrass you who peeked at it, or a hacker who remotely accessed it.
Today, if you have a good password protecting your phone, none of this is easy to do. Encryption ensures that without a password, your data is locked up, even if your phone was taken apart or attacked while it was booting up. Rate limiting ensures that it isn’t possible to brute force attack the phone by entering thousands of passwords. A small delay required in between password attempts ensures thousands of attempts will take a very long time. And another security feature, if enabled, will delete all the data on an iPhone, after 10 failed password attempts. With iCloud Activation, as a deterrent for thieves, if the iPhone is remotely wiped and locked then the original owner’s username and password are required to reactivate the phone for use with a wireless carrier. Without these credentials the iPhone remains encrypted and locked preventing anyone from using it. The iPhone is so secure, that even Apple has no way to get in to the phone, even if you bring it in to visit a Genius at a local Apple store or if you sent the phone back to Apple headquarters.
These protections ensure that your phone is not an easy target for thieves, anymore. iPhone thefts have plummeted by as much as 50% in some cities, after these features were introduced.
Unfortunately, the FBI now wants to put the safety of all iPhone users at risk. The FBI wants access to the iPhone of one of the San Bernardino killers. Phones used by the killers were destroyed, but a phone reportedly provided by an employer is in the hands of the FBI, but locked. The FBI has the iPhone back ups stored with Apple, until late October, but hasn’t been able to break into the iPhone to determine if there any clues stored on the device. The FBI wants Apple to devise a method of breaking in to iPhones that can be used here.
But – if Apple does so, this method will be used by others. Once Apple creates a bypass, the methodology will be analyzed, studied and exploited by sophisticated criminals at first, and then by others. There may or may not be any useful clues on the iPhone of the San Bernardino killers, but it is for certain that many criminals in the future will find data they want on the iPhones of consumers, if an exploit is created to bypass passwords, encryption and other protections.
Of course, there are many other negative implications, if iPhone security is circumvented. Repressive governments will seek to force Apple to unlock iPhones, investigating and persecuting those who oppose them. As Future of Privacy Forum Senior Fellow Peter Swire explained, “I wish there was some magic way to break security for exactly one phone, without breaking security for millions of smartphones. There isn’t.” Former White House Deputy CTO put it clearly, noting that once those back doors are there for the FBI, “all of our private communications become much more vulnerable to attack by malicious criminals and terrorists.”
The FBI needs every tool it can get to investigate terror attacks and prevent them in advance. But forcing Apple to create a tool that risks the security and privacy of every iPhone in the world is asking for a tool that will cause more harm than it prevents.
Jules Polonetsky is Executive Director of the Future of Privacy Forum.
Google Responds to Sen. Franken
Google provided a response this week to Senator Franken’s request for information on their policies and practices with regards to their Google Apps For Education (GAFE) suite of services. Ed Week reviewed Google’s letter, and asked FPF to comment on the response.
ACLU, Tenth Amendment Center Join Forces on Data Privacy
“In consultation with the center—a think tank that advocates strict limits on federal power—the ACLU wrote model legislation that both organizations are urging legislators around the country to support. …
“The Future of Privacy Forum—a Washington-based think tank and a co-author of the Student Privacy Pledge, a commitment by ed-tech companies to safeguard data—offered a measured endorsement of the provisions in the ACLU’s model bill.
“The forum applauded the model legislation’s language on parental-release mechanisms and its calls for teacher professional development on basic data-privacy issues, but is worried that an overly strict definition of “personally identifiable information” and the risk of personallegal liability for teachers who make mistakes could undermine both the ed-tech industry and the work of classroom educators.”
FPF Supports Connect Safely for Safer Internet Day
Our friends at Connect Safely have put together an amazing program to support student awareness and education as part of Safer Internet Day on Tuesday, February 9, 2016. Below is their writeup – we invite you all to participate and spread the word – particularly to the students in your life and their educational institutions – this is too good to miss!
They’ve built a stellar agenda for the 300+ students attending Safer Internet Day at Universal Studios Hollywood, and fortunately, for those of us who can’t make it in person,we can watch the live stream. Along with a professional video crew, the LA Unified School District has arranged for student journalists to use Periscope as roving reporters to live stream the offstage action including when the students are in small groups answering the tough questions and as they interact with the exhibits and walk the red carpet.
There is an exciting lineup of great speakers assembled with help from the Yale Center for Emotional Intelligence and Facebook. Young panelists from Beyond Differences, #ICANHELP, and IspirED will discuss the topic “Rejecting Hate, Building Resilience & Growing the Good Online,” moderated by college filmmaker, Instagram personality and transgender activist Leo Sheng.
Professional wrestler and reality TV star Mike “The Miz” Mizanin will speak about how it’s possible to play a bad guy on TV but be a gentle soul in real life with messaging about his own experiences with bullying.
LA Media personality Tshaka Armstrong, a parent and founder of Digital Shepards, will inspire the kids to take responsibility for making the world a better place.
Connect Safely’s newest team member – K-12 education director Kerry Gallagher – will lead the students as they break into small groups with the help of distinguished coaches and judges who will pick the top student proposals for special recognition.
Finally, Connect Safely brings in Zoë Quinn founder of Crash Override who works hard to fight the online harassment that she herself faced as “patient zero of Gamergate.”
Join the live stream and Periscope webcasts, and when you do, be part of the discussion – tweet using #SIDUS16, #SID2016 and #SaferInternetDay.
Congratulations and thanks to Connect Safely for their excellent work to keep children and students safe on-line. See you Tuesday!
SXSW Edu – FPF and Colleagues Take on "Trust" Question
I am heading to SxSW Edu to join the US Department of Education Chief Privacy Officer Kathleen Styles, Common Sense Media’s Bill Fitzgerald, Data Quality Campaign’s Aimee Guidera, and several other distinguished education and privacy speakers for this session on student data privacy. Sponsored by CoSN, this is not just a panel but a full 3-hour session to dig into the top issues, questions, and challenges of how to maximize the benefits of ed tech for our school children while protecting their data, their interests, and their future. It can only happen if we can find a way to inspire and maintain trust among and between all the players. As advertised, this session will cover:
“Concerns around the privacy of student data have been rising and educators are increasingly on the defensive as parents believe too much data is collected about their children, it is not secure and too often inappropriately used for commercial gain. Trust is at the heart of the privacy debate. Last year the Student Data Principles were endorsed by 40 education associations, and over 200 companies have signed a Student Privacy Pledge. Learn how we can build trust through better educator training, improved review of education apps, clearer vendor agreements and building a “seal” validating trusted learning environments. Participate in an interactive forum on what else is needed.”
The key word there is “participate”! This session is about listening and learning and considering – all points of view, all ideas and suggestions. If you can’t be there – reach out to one of the speakers in advance with your thoughts and inputs. We’ll take it all!
Here are some of my thoughts on the background of the discussion I hope that we’ll be having:
At the point of impact, there are two primary actors: the school and the vendor. Schools and vendors generally want the same thing – good outcomes for students; and the DQC-sponsored Student Data Principles (values from the educator perspective) the FPF/SIIA-led Student Privacy Pledge (commitments by ed tech companies) reflect that priority. Ideally, they work in partnership – the vendor providing a useful product or service which then allows the school to offer strong educational opportunities. But as with any relationship, “it’s complicated.”
Which vendors should schools choose to incorporate – how do they know who to trust? Screening platforms, Seals, Pledges – all these and more are available, but from the school’s perspective there’s no silver bullet or easy way through the wickets of writing a contract or selecting an app and being completely sure you’re doing the right thing.
Even before that point, though, schools are making choices. What counts as a vendor and who should be able to incorporate the product – an app the teacher tells everyone to download? – only an account the school requires the student to create? What role should school IT offices play – and what about the many, many districts where there simply aren’t resources for this type of oversight? What is the burden on teachers – let’s try not to conclude they have to be IT specialists now too!
Even when schools and vendors work together efficiently toward a productive result, their job isn’t done. They operate as the agents, but the true “stakeholders” are the parents and students for whom this process takes place. They must be made aware of the decisions being made, the controls in place for them to exercise, and their own responsibilities.
Of course, we can never skip over the legal implications – some laws put the burden schools; some on vendors, and in either case, how do we control the risks without limiting the ability of either to function most effectively? New laws are considered out of the public debate about how much limitation over student data is the right amount; who should have access and when; what are those controls should parents have.
I’m sure you’ve noticed more questions than answers here – and I know, despite my immense respect for my co-speakers, we will not solve them all in one session! But if trust is part of the answer – and I think we all believe it must be – then we have to start somewhere, and this session is a “next step” in this on-going process to implement ed tech smartly, responsibly, and thoughtfully to minimize risk and prevent harm so we can enjoy the tremendous benefits data and technology offer to our schools and our students.
Hope to see you there!
Chris Wolf at Data Privacy Day
At Thursday’s Data Privacy Day event in Washington, Passcode joined privacy and security experts to explore US consumers’ evolving attitudes about digital privacy.
“Consumers will not do business with companies that don’t respect their privacy, companies they don’t trust,” said Chris Wolf, cochair of the Future of Privacy Forum. Mr. Wolf spoke on a panel Thursday at the National Cyber Security Alliance’s “Data Privacy Day” event of which Passcode was a media partner.
FPF is proud to welcome its newest Senior Fellow, Ira Rubinstein. Ira will be working with FPF staff, fellows and members on a number of cross-Atlantic privacy issues and will be collaborating with EU academics and institutions on projects focused on de-identification, ethics, big data, and other issues.
Ira Rubinstein is a Senior Fellow at the Information Law Institute (ILI) of the New York University School of Law. His research interests include Internet privacy, electronic surveillance law, big data, and voters’ privacy. Rubinstein lectures and publishes widely on issues of privacy and security and has testified before Congress on these topics on several occasions. Recent papers include a study of Voter Privacy in the Age of Big Data; a research report on Systematic Government Access to Personal Data: A Comparative Analysis, prepared for the Center for Democracy and Technology and co-authored with Ron Lee and Greg Nojeim; Big Data: The End of Privacy or a New Beginning; published in International Data Privacy Law in 2013 and presented at the 2013 Computer Privacy and Data Protection conference in Brussels; and Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, co-authored with Nathan Good, which won the IAPP Privacy Law Scholars Award at the 5th Annual Privacy Law Scholars Conference in 2012.
Prior to joining the ILI, Rubinstein spent 17 years in Microsoft’s Legal and Corporate Affairs department, most recently as Associate General Counsel in charge of the Regulatory Affairs and Public Policy group. Before coming to Microsoft, he was in private practice in Seattle, specializing in immigration law. From 2010-2016, he joined the Board of Directors of the Center for Democracy and Technology. He also serves on the Board of Advisers of the American Law Institute for the Restatement Third, Information Privacy Principles; the Organizing Committee of the Privacy by Design Workshops sponsored by the Computing Research Association; and he served as Rapporteur for the EU-US Privacy Bridges Project, which was presented at the 2015 International Conference of Privacy and Data Protection Commissioners in Amsterdam. Rubinstein graduated from Yale Law School in 1985.
We are excited and proud to have Ira on the FPF team!
