Data security is an issue that we take seriously here at the National Consumers League. As consumers, we are inundated with news of our children’s toys being hacked, restaurants and hotels compromising our credit card information, and email and networking sites like Yahoo!, Linkedin and Myspace getting breached. Ignoring this ongoing avalanche of data breaches, President Trump approved a Congressional resolution repealing the FCC’s Broadband Privacy Rule. This, despite bipartisan support for the protections in Congress and the general public.
There is simply no good reason to repeal these important protections.
To begin with, the Federal Communication Commission’s rules were modest in scope and sensible in aim. For example, the rules merely required Internet service providers to obtain their customers’ permission before collecting and selling sensitive personal information. Absent these rules, ISPs will be free to collect and sell their paying customers’ precise geolocation as well as their financial, health, and browsing histories, just to name a few of the types of sensitive information consumers send over ISP networks. Notice and consent has been a core tenet of modern privacy law. Without it, ISPs will have incentives to sell their users’ sensitive information to the highest bidder with little oversight by our nation’s consumer protection agencies.
Opponents of the rules argued that the regulations needed to be repealed because websites like Google and Facebook already collect and sell your information. Preventing ISPs from doing the same, they say, would be unfair. This is a false dichotomy. It is far easier for consumers to simply not use services like Facebook or Google than it is for them to avoid using an ISP. Conversely, the vast majority of consumers have only one or two choices when it comes to broadband ISPs. This puts ISPs in a unique position in the Internet ecosystem where it’s practically impossible for their users to avoid being tracked. Consumers also pay for Internet access. They therefore reasonably expect and deserve a bigger say over how ISPs use and protect their data.
As if the privacy concerns raised by the Broadband Privacy Rule’s repeal weren’t enough, this action also threatens to put consumers’ data at greater risk of breaches. Consider the recent data breaches at Yahoo! that affected as many as 1.5 billion accounts, compromising users’ names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords.
As bad as those breaches were, they only affected the users of one online service. Now imagine what the fallout would be if a similar hack occurred at a major ISP, which now has the ability to collect practically any data sent over its networks. Such a breach could put at risk not just usernames and passwords, but potentially the content of emails, browsing histories, and location data.
The FCC’s Broadband Privacy Rule would have required ISPs to take reasonable precautions to secure that sensitive data and alert their users if a breach occurred. Without those common-sense regulations, ISPs will have fewer incentives to invest in the kind of robust security that the sensitivity of consumers’ data demands.
As privacy advocates, we will continue to press for a comprehensive privacy and data security standard at the state and federal level—and to undo the damage Congress and President Trump have inflicted on consumers.