FCC Chairman Tom Wheeler has declined to say when the agency might formally launch a rulemaking process. But if the FCC ultimately approves its new privacy policies for Internet providers, it could powerfully affect the industry's business model — and even how consumers buy their Internet packages. AT&T, for instance, recently rolled out a broadband plan in Kansas City, Mo., and Austin, Tex., that gives customers a discount in exchange for allowing the company to track their Web history, the links that they see and click on and the amount of time they spend on a site. Mining this data would allow AT&T to serve better targeted ads.
Under a more stringent privacy rule, the FCC could move to limit practices like these. Whether it should is going to be the subject of the next big battle in Internet policy.
When the FCC made the big step to regulate Internet providers like phone companies in February, the so-called net neutrality rules gave the agency a whole new set of regulatory tools for policing broadband companies. Among those is a part of the law known as Section 222 of the Communications Act, which lays out what phone companies can and can't do with the information they take down on all of your phone calls.
This CPNI, or "customer proprietary network information," includes things like how long you spent on the phone, who you're calling and at what times. This is sensitive information that, in the wrong hands, could expose you to unwanted marketing, spam or even identity theft. And phone companies aren't allowed to share it with advertisers or other third-parties without getting your explicit permission first.
As you can guess, the rules governing CPNI don't just apply to phone companies anymore. With the FCC's net neutrality decision, Section 222 now applies to Internet providers like Comcast, too. There's just one problem: Comcast's broadband business isn't focused on phone calls — meaning all the legalese that was written for the legacy phone system doesn't quite fit.
So the FCC says it will reinterpret what CPNI — and Section 222 more broadly — should mean for Internet providers.
"This is an important issue," Wheeler told reporters this month. "This is an issue we need to make sure everybody has their voice heard on."
If CPNI used to mean all the details about your phone traffic, the Web parallel could mean all the details about your Internet traffic. The FCC isn't laying down any specifics yet, but it's possible to imagine CPNI someday referring to things like IP addresses, Web browsing history, app-usage statistics and other details that can be used to sum up your Internet lifestyle.
Anyone who's visited an indiscreet Web site knows how private that activity can be. Should access to that information be protected by federal law?
Some consumer advocates say it should, but opponents argue that it isn't within the FCC's power to do so.
"[Sec.] 222 is fairly narrowly written — it deals with telephone records" and not the Internet, said Republican FCC Commissioner Michael O'Rielly this week at a conference hosted by the Technology Policy Institute in Aspen, Colo. "I have extreme problems on that side, and we're heading on a collision course [with Democrats] later this fall."
It isn't just CPNI that could be adapted for Internet providers. Democrats at the commission want to expand what kind of information could be covered under such a policy to include sensitive data like Social Security numbers.
"They are going to go further than … CPNI," said David Redl, a Republican policy staffer for the House Energy and Commerce Committee. But in doing so, he said, the FCC would be overstepping its authority. "Personally identifiable information has not been in the FCC's bailiwick," he said.
Still, the agency appeared to set a precedent last year when it punished two telecom companies for improperly storing this information, including Social Security numbers, dates of birth, addresses and driver's license numbers, and allowing it to leak.
Thanks to poor data security practices, a group of reporters stumbled upon the personal data with nothing more than a simple Google search. News of the flaw resulted in the FCC's first-ever case against a telecom company for failing to prevent a data breach, leading to a $10 million fine for YourTel and TerraCom, which share the same owners.
"To me, it affirmed our duty to protect proprietary information," said Democratic FCC Commissioner Mignon Clyburn. "What's more proprietary than your social security number?"
With the FCC looking to fight data breaches more aggressively, agency critics are pointing out that this might tread on the turf of another agency, the Federal Trade Commission. The FTC has actively prosecuted dozens of data breach cases in the last few decades. The idea that two federal agencies could soon be policing privacy is worrying to conservatives concerned about government overreach.
So far, however, a strict wall has prevented the FTC from regulating telecom companies. By law, the agency leaves those decisions to the FCC. Other differences, such as the fact that the FCC has greater power to make new rules while the FTC mainly enforces anti-trust and consumer protection laws, mean their powers are more complementary than overlapping, the FTC's defenders say.