The Broadband Consumer Privacy Rules, a set of protections that would require internet service providers to get permission before collecting sensitive data from customers, could be targeted for elimination under the Congressional Review Act (CRA), according to open internet advocacy group Public Knowledge.
The consumer privacy protections passed by the Federal Communications Commission last October are likely to be reviewed by the Senate as early as next week.
Under the Broadband Consumer Privacy Rules, internet service providers were required to ask permission from customers before collecting sensitive information from them.
Sensitive information was defined as any data related to a user’s finances, health, information from children, precise geolocation data, web browsing history and app usage history. It also included any content from unencrypted messages accessible to internet service providers.
Information not classified as sensitive could be collected by default, but internet service providers would still have to offer customers the option to opt out.
The Broadband Consumer Privacy Rules also put in place more stringent requirements for ISPs reporting potential data breaches that may have harmed customers or put their data at risk. The protections mandated ISPs inform users of a data breach within 30 days of identifying it, and would have required the carriers to alert the FBI of the breach within seven days.
The provision requiring improved data security practices was the first part of the rules set to go into effect, but was stayed by the FCC earlier this month. The data collection protections weren’t set to go into action until December 2017.
The rules have been subject to scrutiny under the new administration. The FCC has promised to roll back the protections, and Republican members of Congress and Senate have proposed legislation to undo the rules, including a suggestion last month to subject the rules to the CRA from Arizona Senator Jeff Flake.
Dallas Harris, a policy fellow and broadband privacy expert at Public Knowledge, advised against using the CRA to eliminate the rule.
Using the CRA would require a majority vote to kill the rule, and would effectively end the protections for good by preventing the agency that issued the rule from issuing a similar order again.
"I'm not entirely sure why Congress thinks it's a great idea for their first telecom act of this new administration to be wiping away consumer protection," she said.
She advised instead to allow the FCC, under the leadership of Donald Trump appointed chairman Ajit Pai, to review petitions of reconsideration to revisit and revise the rule instead of taking the more drastic measure.
"Because the Congressional Review Act is so untested, the most likely interpretation is that Chairman Pai would then not be able to act on the petitions for reconsideration because the goal of the CRA is to get rid of the rule completely," she told IBT.
Harris noted petitions from internet service providers haven’t called for a complete removal of the rules, but have rather asked for “a few minor tweaks.” In particular, the carriers want web browsing history and app usage not to be considered sensitive information unless the user is browsing a sensitive website like a bank or health care provider.
Public Knowledge disagrees with that assessment. Harris compared browsing history with call history, which has long been considered sensitive information.
“The reason [it’s sensitive] is because of the types of things that you can infer about someone based on that information alone. Political affiliation, sexual orientation, income level, race, gender; You can identify those exact same things using web browsing history. It's just the call history of the digital age," she said.
However, the organization holds that some protection is better than none, and eliminating the Broadband Consumer Privacy Rules would leave consumers with no protection.
While chairman Pai has stated his belief that the Federal Trade Commission should have jurisdiction over broadband providers but current law does not allow the FTC to regulate internet service providers, as they are classified as common carriers under the Open Internet order enacted in 2015 to protect net neutrality.
"Internet service providers are either held to account by the FCC or they aren't held to account at all,” Harris said, noting that if the goal is to return regulatory powers to the FTC, using the CRA will not accomplish that.