Posted by: Lauren Stewart
April 20, 2015
Regardless of whether the FCC’s Open Internet Order is effective in regulating net neutrality, the reality is that the Internet is a free market, not free. It’s easy to agree with net neutrality: to want network operators to treat all content the same and not prioritize and broker in online traffic, but so long as the entities that run the Internet are not public utilities, they need to turn profits to keep the cables and servers connected. If competitively monetizing traffic is not an option, what is?
Selling online data is much like the still commercially available bulk mailing lists that fill our mailboxes with junk circulars and catalogs. Use of this information has many benefits: it’s efficient, passive, and customizable. But unlike your mailbox, the information obtained from online data can be very detailed and reveal much more than your basic demographics and geo-location.
We know that companies collect and sell our data to third parties. We hopefully understand by now that this is the basis of the bargain in using online services, particularly with the ones that are free. We expect and trust that our personal information is reasonably protected and hope and assume that the law and the government will protect us when service providers overstep our boundaries. These boundaries, however, are shifting in the age of big data.
Internet privacy generally involves the control and authorized use of Personally Identifiable Information (PII). This is “information that can be used to distinguish or trace an individual’s identity, either alone or when combined . . .”—the definition admits that there is no clear line where information starts being personal because combination with other information can turn otherwise benign information into a puzzle piece that identifes a specific person.
Unfortunately we can’t use the Internet without disclosing at least some information. At a minimum, to have data delivered to our computers and devices, we have to tell it where we are. This is done on our computers using the Internet Protocol (IP) address and on our phones using unique device IDs. In isolation, IP addresses or a device ID is not personal data, and having this information without more doesn’t reveal who we are. Our ISP’s and telcos, however, know who we are and this direct relationship with us means that, combined, their data is likely “the most accurate and complete.”
When we talk about who collects our data, we primarily think about the media portals, websites we shop from, and online services we use. Theses are the places online where we have user profiles, make purchases with our credit cards, and click around enough to realize that cookies and trackers have taken an interest in what we do online. We seem mostly comfortable with data transactions on these sites and at least generally know that there are privacy policies and terms of service addressing what data is being collected and that when we click on that “accept” button, we agree to be watched and recorded. These polices and terms “both protect customers and convince them it is in their best interest to share their data.” Similarly, we imagine that in setting up Internet access and purchasing new phones, we permit our ISPs and telcos to do the same.
Fortunately, by contracting and paying for these services, market forces generally maintain our data disclosure desires. Or at least, we are comfortable with our service providers collecting, storing, and selling to third parties, information that is anonymized or not-clearly PII. But there are more service providers in the network chain and they’re not clearly restricted from disclosing PII.
Downstream Data Monetization
The NSA surveillance scandal revealed that information could be collected from wiretaps off of the backbone fiber optic cables operated by telcos and upstream network operators. In other words, data collected was from your Gmail account, but the NSA got it from a company that Google uses to carry information across the Internet. These are companies you may not have heard of, and did not sign a contract with. Their terms of service and privacy policies read loosely like the ones you might find on Google or Facebook, but there’s a gap. The “customer” or “you” in these terms is the downstream entity, not the end user. Thus, you are not in privity with them and as they carry your data, they can log it, and sell it, without your permission. Further, these entities aren’t regulated and aren’t included in the FCC reclassification to be regulated (see para. 26).
This is speculative, but if there’s an interest in monetizing data like there may have been an interest in monetizing traffic, the network operators could get into the big data business and be insulated from both the end user-facing privacy discussion and government regulation.
In contracting with network operators, service providers likely swop non-disclosure terms and that should prevent each party from data uses unrelated to delivering the service. The network operator is liable for contract breach if the service provider were to enforce them, but unless a significant scandal occurs, they likely won’t enforce them. The end user might bring a violation of privacy claim against the network operator. Although the information was obtained from a third party, the user could ague that the contract breach results in the content being unlawfully obtained by the network operator.
Fortunately, so long as companies are collecting disclosed data, software tools will keep being developed to combat it. For example, dynamic IP addresses provide security by assigning a new IP address each time an end user logs into the network. Dynamic IP addresses, though, are less reliable and inefficient than their static counterparts—suggesting that to protect our data, we might have to sacrifice speed. Another option is for service providers to separate content onto different domains and send our data through multiple network operators. This possibly limits a particular network operator’s ability to identify an end user with the information disclosed. Perhaps too, net neutrality itself could level the playing field for network operators and new players will be able to enter the field. New players might decentralize your data by carrying it through more network operators.
The FCCs net neutrality decision denies the reality that ISPs and OSPs need to make money to keep information flowing. If net neutrality is squared away, traffic itself is no longer a commodity, but the content underlying traffic, your data, could become increasingly valuable and you probably have a decreased say in who gets you data than you do now. It hasn’t yet, but if the problem escalates, data monetization could have chilling effects on online conduct and Internet innovation by overstepping tenuous privacy boundaries.