5 things you should know about the FCC’s proposed privacy rules
It stops Verizon’s zombie cookie in its tracks, but allows AT&T to keep charging customers extra if they want privacy.
By Julia Angwin
Last week, the Federal Communications Commission proposed new privacy rules for Internet providers. The proposal was immediately praised by privacy advocates as “a major step forward” and lambasted by AT&T as an effort to place a “thumb on the scale in favor of Internet companies.”
FCC Chairman Tom Wheeler stopped by our offices to explain the proposal, which will be voted on by the commission later this year after a period of public comment. Here is what you need to know about the proposed rules.
1. The new rules would prohibit Internet providers from sharing information with third parties about a customer’s name, address, location and Internet activity, unless they have opted in to having their data shared.
It is meant to provide the same level of privacy protection to Internet customers’ data that companies must, by law, apply to telephone customers’ data.
2. The rules also broaden the types of data that are protected, Wheeler said. The old rules for telephone operators covered “Customer Proprietary Network Information” – such as the duration and frequency of calls placed by customers and where they were placed from.
Wheeler said the proposal includes Internet activities tied to a unique identifying number rather than a person’s actual name or phone number. Under the proposed rules, Internet providers could not, without consent, track customers using a unique number tied to a customer’s Internet activity or phone location.
3. The new rules would prevent Verizon from continuing to use its “zombie cookie” on behalf of its subsidiary AOL. Last week, Verizon agreed to pay $1.35 million to settle FCC charges that it violated customers’ privacy when it used a hidden unkillable (therefore “zombie”) number to track cellphone users.
As part of the settlement, Verizon agreed to allow customers to opt in to any future uses of the tracking technique. But the settlement did not apply to Verizon subsidiary AOL’s use of the tracking number.
Wheeler said that the proposed privacy rules “would overrule the consent decree.” The proposal only allows subsidiaries to use an Internet provider’s customer data to market “communications related services,” and so AOL’s use of the tracking number for advertising purposes would need to be opt in.
4. The new rules, however, would allow AT&T to keep marketing its privacy-invading Gigapower high-speed Internet service in dozens of cities. Gigapower costs $70 a month for customers who agree to let AT&T view the Web pages they visit and the queries they type into search engines. Those who want to protect their privacy must pay $100 a month for the Gigapower service.
Wheeler said he was concerned about privacy becoming a luxury service. But he said, “At this point in the debate, we have to deal with what we can deal with today.”
5. The proposal doesn’t cover content, only metadata. That means if a customer visits an unencrypted website, the Internet provider could still view and share the contents of that website without consent.
As encryption becomes more common, that loophole will get smaller. But regardless of whether Internet traffic is encrypted, Wheeler said that it is important to protect information about what websites a person visits.
“I might be getting encrypted data,” he said, “but if I visit a cancer center, just the fact that I’m going to the cancer center is of interest to an insurance company.”
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.