Paul Ohm is a professor at Georgetown University Law Center and faculty director of the Georgetown Center on Privacy and Technology.
Many are outraged about congressional efforts to eviscerate Internet privacy regulations set by the Federal Communications Commission under President Barack Obama. But a frightening aspect to the bill remains underappreciated: If signed, it could result in the greatest legislative expansion of the FBI’s surveillance power since 2001’s Patriot Act.
Don’t believe anyone who suggests that the law merely returns us to the state of the world before the FCC finalized its landmark privacy rules in October. The obvious reason Internet service providers burned through time, money, political capital and customer goodwill to push for this law was to ask for a green light to engage in significantly more user surveillance than they had ever before had the audacity to try.
This must be the reason, because on paper, the law accomplishes little. President Trump’s handpicked choice to head the FCC, Ajit Pai, already began work to roll back these rules in a more orderly fashion. Make no mistake: ISPs aren’t just asking for relief from a supposedly onerous rule; they want Congress’s blessing. Once Trump signs the bill, diminishing the FCC’s power to police privacy online, ISPs will feel empowered — perhaps even encouraged — by Republicans (no Democrats voted for this measure) to spy on all of us as they never have before. And spy they will.
How, then, does this law — which would directly affect only private behavior — benefit the FBI? From 2001 to 2005, I worked for the Justice Department and spent a lot of my time advising law-enforcement agents and prosecutors who wanted to track Internet behavior. Many of our investigations led directly to a specific IP address — the identifier for a particular computer or device — which then prompted a request to an ISP for more information. Tens of thousands, if not hundreds of thousands, of these requests arrive at ISPs around the country every year.
Many — perhaps most — of these requests do not involve criminals; instead, they lead to victims of crimes, mere witnesses or otherwise innocent people. These requests have typically sought only information about the identity of the person associated with the IP address because the FBI understands that this is the only information ISPs tend to collect.
But because of the way ISPs are likely to react to this law, FBI agents and other law-enforcement officials will understand that ISPs will be able to reveal much more about every one of us. By adding a single short paragraph to an application for a court order through the Stored Communications Act (this wouldn’t even a require a search warrant), the FBI would be able to order your ISP to divulge every website you have contacted and every app you have used. In cases in which the FBI has obtained a search warrant, it could ask your ISP to reveal every single piece of content that it has a record of you having viewed — over the course of years. Our government-access laws do not require the FBI to tell you about these requests, and the FBI almost always forces a gag order on ISPs, ensuring that you will never find out.
To be clear, nothing in this new law would expressly give the FBI any new power. But old, outdated laws such as the Electronic Communications Privacy Act tend to expand FBI power whenever a private actor begins to track our behavior in new ways. What the new law would do is give ISPs the incentive and the congressional and presidential seal of approval to construct the richest database of Web surfing and app-usage behavior the world has ever seen. This will be a honeypot attracting the FBI and other law-enforcement agencies like flies.
A little less than a decade ago, I introduced the idea of the “Database of Ruin” — a digital dossier containing one fact about each of us that we wouldn’t want anyone else to know. Since I coined this phrase, I have watched with concern as this database has continued to grow and take shape. Companies such as Google, Facebook, Amazon, Uber and many others have each constructed their own pieces of it.
But never has one industry been cut loose to generate one spine of information that could serve the needs of law enforcement so well — until now. Congress just approved the single greatest expansion of the Database of Ruin to date — and Verizon, Comcast, AT&T, Time Warner, CenturyLink and the rest of our broadband providers are racing to build it.