By Jael Makagon
Today, and for the foreseeable future, Internet Service Providers (ISPs) in California – the Comcasts, AT&Ts, and Verizons of the world – can use, share and sell the details of their customers’ browsing habits without first obtaining consent to do so. That is because the California legislature failed on September 16, 2017, to vote on Assembly Bill 375, which would have required customer permission before sharing or selling this information. The failure of the bill, which was endorsed by the LA Times, and the Sacramento Bee, among other newspapers, raises important questions about the control ISP customers want to exercise over this information. It is important for Californians to consider these questions because AB 375 can still be heard next year.
ISPs are the corporations we pay to obtain access to the internet. Whether through cable, DSL, dial-up, or some other method, ISPs connect our computers to other computers and servers so that we can use the internet to book flights, do research, and access news. ISPs are in a unique position. The average customer must use an ISP to access the internet, and as a result ISPs can see every web address and – depending on the level of security offered by the website – even the page content of every website that their customers visit. There are ways to prevent this, for example by using the Tor Browser or a virtual private network (VPN), but these tools are not a panacea and they make browsing the web more complicated.
It’s important to underscore the omniscience of ISPs in this context. ISPs also serve as cellular phone providers, which means they have access to browsing activity people conduct on their mobile phones. For those who use the same ISP for home broadband and cell service, the ISP will be able to track essentially all online activity.
Recognizing the unique position ISPs occupy, the Federal Communications Commission (FCC) issued a formal rule on December 2, 2016, to, among other things, 1) obtain customer approval to use and share information, and 2) take reasonable measures to secure customer information (this latter requirement seems particularly salient in light of the recent Equifax hack). However, before the rule could enter into effect, Republican lawmakers used their authority under the Congressional Review Act to pass a resolution in March 2017 nullifying the rule. Not only that, the March resolution also prevented the FCC from issuing similar rules in the future.
It was this action in Congress that led to the development of AB 375. Like the FCC’s rule, AB 375 would require customer approval before ISPs could use, share, or sell customer information. Additionally, it would prohibit ISPs from charging a higher fee to customers who refused to grant that permission.
Why Does it Matter?
Our browsing history can reveal a lot about who we are. It can reveal our health issues, our fears, the things we find interesting, what we like to read, and where we like to travel (it can also provide distorted information if we conduct searches on behalf of other people or conduct research on a specific topic for a class we’re taking). This is not necessarily information that we want to hide from others, but it may be information that we want to share selectively, such as with our partners, family, friends, or colleagues. In other words, it may be information over which we want to exercise the maximum amount of control. And it may be information that we would prefer ISPs not use to turn a profit or for another purpose.
According to the FCC, maintaining privacy in our online browsing history helps to keep us free from identity theft, financial loss, and other economic harms. It can also reduce the potential for intimate, personal details becoming “grist for the mills of public embarrassment or harassment or the basis for opaque, but harmful judgments, including discrimination.” Again, this is not necessarily information that we would consider to be “secret.” But consumers may want the option of giving or withholding permission from ISPs to share or sell this information.
The ISPs’ Argument
Given these important reasons for giving customers the maximum amount of control over their browsing history, how were the ISPs able to stall the progress of AB 375? Aggressive lobbying according to the Electronic Frontier Foundation (EFF), a nonprofit civil liberties organization focused on digital technologies.
ISPs have used a variety of arguments against the FCC’s rule and AB 375, but their main argument is that it is not fair to require them to seek customer permission to sell information when those same requirements do not apply to the Googles and Facebooks of the world. But there are two critical differences between ISPs and other large technology companies. First, we cannot avoid ISPs; we have to use them in order to access the internet. Although the average user will encounter Google or Facebook at some point, these and similar companies do not automatically have insight into online activity that doesn’t involve them, such as researching medical issues, reading political blogs, or accessing government services, including food stamps or the courts. As gatekeepers of the internet, ISPs are automatically in this position.
Second, we pay ISPs every month to use their services. Google and Facebook, on the other hand, offer their services for “free” in the sense that we generally do not give them a monthly payment to access their services. Of course, we pay those companies using a different currency: our data. In that sense, their services are decidedly not free. But ISPs want to both charge us a monthly fee and sell our data to marketers and other companies without first asking for permission.
In the U.S., our current privacy regime is based to a large extent on the concept of notice and consent: give customers the information they need to make an informed decision. AB 375 is consistent with this concept. It does not prevent ISPs from using and selling the information they collect from their customers, but it does require customers’ permission in order to do so. When that information is our online browsing history, the ability to choose is extremely important.
At the same time, the notice and consent regime only goes so far. As UC Berkeley Professor Chris Hoofnagle writes in his book, Federal Trade Commission Privacy Law and Policy, research has shown that mandated disclosure, including privacy notices, often does not work for several reasons: the notices may be difficult to understand, rational to ignore, and more helpful to the affluent than to the poor. Additionally, they have a take-it-or-leave-it aspect: even if you do understand the notice, there is not much choice. Your only option is to not use the service altogether, which, in today’s world, is often not an option at all.
For now, however, AB 375 is an important vehicle that customers can use to maintain a privacy interest in their online browsing information. California is not alone in considering this approach; several other states, including Alaska, New York, and Washington, have also considered similar bills. As in so many other policy areas, in 2018 California could again be a leader on an issue that has repercussions on a nationwide level.
Jael Makagon is a Master of Public Policy candidate at the Goldman School of Public Policy.