The single biggest data story this week has undoubtedly revolved around Congress allowing Internet Service Providers (ISPs) to collect, sell, and use people's data without needing their permission, or at least that’s how the bill has been described. It has caused uproar amongst the population, with a HuffPost/YouGov poll finding that just 6% of the population support the bill and 74% believe that Trump should have vetoed the bill.
What has been portrayed across various media outlets as a bill that gives ISPs permission to collect, sell, and use this data as they wish isn’t quite accurate though. In truth, the bill is actually one that prevents protections against this kind of activity which were enacted in the closing weeks of the Obama administration.
According to TechCrunch, the basic rules that this late Obama bill were:
- ISPs are required to be transparent about what data they collect, how they use it and with whom they intend to share it.
- ISPs must get advance permission from consumers (i.e. users must opt in) before using “customer proprietary information.” That’s a category defined by the FCC and encompasses what you would normally expect to be protected — medical data, social security number — and adds information that is not inherently personal but the large-scale tracking of which most people would disapprove of: web browsing history and application usage history. (This is the part that’s gotten the most coverage.)
- ISPs must take “reasonable measures” in security terms to protect that information, and in the event of a major breach (more than 5,000 accounts affected) must inform various parties, and the affected consumers, within a week.
- No providing price breaks for lower privacy measures — for instance, lowering monthly charges if a consumer agrees to be tracked.
- Notice was given (but no actual rule yet proposed) that the practice of forced arbitration, which limits the legal means consumers have for redress to companies’ internal processes, was soon to be reviewed as well.
So essentially, all this move should do is mean that somebody else just needs to pass the same bill again. However, this has become complicated. This is because the Congressional Review Act (CRA) which was used to make this change states that nobody can put forward a bill that takes ’substantially the same form’ as that which was cancelled through this procedure. This means that these rules cannot be re-enacted, which leaves real issues for both the government and the general population.
The reason this bill was passed in the first place was because oversight of ISPs used to fall under the Federal Trade Commission (FTC), but was previously moved away from the Federal Communications Commission (FCC). After the Consumer Privacy Bill of Rights was passed, it meant that neither had oversight of ISP data collection and the bill that was just killed was a simple regulatory fix whilst it was in transition. Instead, it means that both the FTC and FCC are now barred from making privacy rules for ISPs, so they can do more or less anything they like with the data.
This isn’t an ideal situation for data privacy advocates, but equally puts ISP and the very concept of big data in the dock again. The truth is that companies like Facebook, Google, Twitter, or any one of the thousands of sites people regularly use will collect swathes of data about people, but it can be chosen to be turned off by simply not using these services. If you just use the internet, your ISP can see what you’re doing, even if it’s being used in incognito modes.
Unfortunately, it has once again brought the media descending on an negative issue surrounding the collection of data. It is undoubtedly a poor decision from Congress, giving little thought to the potential consequences and how this decision is going to be viewed by the public. However, the decision isn’t a license for ISPs to act recklessly with people’s data, rather it gives them the opportunity to do so if they want. This doesn’t mean that bad things will happen or that ISPs won’t inform their customers and sell their data, but it has created a certain level of anxiety around the very concept of data collection.
Ultimately this bill seems to have been about the destruction of an Obama legacy, given that the CRA was enacted in 1996 and only successfully used once before 2017 (although it is worth noting that it went through Congress 5 times, but vetoed by the President each time) but has been used 11 times in the past 2 months. It suggests that the new administration is simply destroying everything they can from Obama with little regard for what the implications will be, which in this case could be incredibly destructive for individuals and the widely held view of big data.