Perpetually Missing from Tech Policy: ISPs And The IoT
from the broader-view dept
U.S legislators have drawn a bizarre line in the sand when exploring the invasive nature of technology companies and personal rights to privacy.
In Washington, D.C. there are regular hearings about the potential harms that “big tech” companies can cause because they have so much access to so much information. Facebook, Google, Apple, and Amazon testified before Congressional Subcommittees about their business practices, their data sharing between their own businesses, and the way that information gets used in relation to competition. What’s interesting about that, though, is the fact no consumer can share their personal information directly with any of them.
In order to reach any of the Big Tech companies that are generating immense amounts of policy discussion these days, a person must first have access to an internet service provider (ISP). This could be your home wireline connection from companies like AT&T, Verizon, Comcast, Frontier, Charter/Spectrum or a litany of other providers. It could also be your mobile service provider if you use a smartphone to browse the internet.
Who Sees What Data?
The big tech companies have historically obtained the majority of the data they have because people elected to use the services. Amazon knows your buying habits because they track what you order. Google knows what ads to show because it tracked what searches you were making. The ISPs, though, have a unique position in that they facilitate the connection between you and those edge services. They not only know that you elected to go to Google to perform a search, they also know that from that Google search, you then clicked a link and navigated to another website. While Google’s reach can be pretty extensive with the ability to track behavior from a search or any click on an ad that they provide, an ISP doesn’t need that secondary interaction. They know where you go online because they facilitate the connection between you and that end point.
There are ways to protect yourself against ISPs monitoring how munch they can see. First, HTTPS encrypts a lot of the actual data being transferred. This means that unless the website is encrypting DNS itself, the only thing the ISP might know is what websites you’re choosing to visit. You can also use a virtual private network (VPN). If you choose to do that, then the ISP will see only that you are connecting from your location to the secondary location. This allows you to mask your location to websites because all of the bidirectional browser traffic is between the websites and the secondary location you’ve tunneled into where the VPN is located.
The Internet is More than Browser Traffic
The problem with many of the policy considerations regarding how to protect consumers when so much of their data is accessible is that it repeatedly falls short. Think about all the devices in your life that connect to the internet. These include your phone, tablet, and laptop along with all of the ancillary devices – lights, outlets, home assistants, robot vacuums, and even the infamous toaster - that make up the world of the Internet of Things (IoT). These IoT devices require similar connectivity as your computer or phone, but without many of the security and safety measures in place.
IoT functions relatively simply. There is a sensor that connects to the network in order to communicate its status to a processor. When the sensor’s status changes, it sends that single to a processor. From there, the processor determines what that sensor’s status change means and sends out a command over the network to an actuator that performs a task. Consider the following example: You pull into your driveway, your house recognizes that you’re there and it opens your garage door, adjusts the temperature, turns on lights, starts your favorite evening playlist. Maybe it even brews you a fresh cup of decaf so you can kick off your shoes and settle in for whatever comes next.
That’s one sensor using merely the presence of your device to trigger a communication with the processor. That processor then reaches out over the network and provides commands for services provided by potentially five different manufacturers – the garage door controller, the thermostat, the lights, your preferred streaming music service, and your coffee pot. How much information has an ISP just potentially learned about you with you typing a single character?
They know that someone arrived home at that specific time because the sensor communicated over the network to the control processor. They know that you have each of those devices in your home provided by each of those manufacturers. They know what streaming music service you prefer.
Some of that information might seem innocuous. Who cares if the ISP knows what coffee maker you have? Why does it matter if the ISP knows what time you got home? Everyone is going to have to get home at some point in time, aren’t they?
The value of an ISP being able to monitor that kind of information is not in the snapshot of one instance. Yes, they can use that information to help third-parties better target where they sell ads for your browsing behavior. The real value, though, is that these ISPs know what devices are connecting to your home, and that they can trace your habits and behavioral patterns from that information.
If you habitually arrive at home around that specific time each day, the ISP can track that information. If that data shows that every Thursday there’s no command, but there’s increased traffic from your home, the ISP can reasonably conclude that those are the days that you work from home. They might be able to glean that information from just the increased traffic, but the missing command when you arrive home gives them more verifiable data about your habits and practices.
Your next thought, after reconsidering the position that the data isn’t that important might be to conclude that you have some protections to under United States privacy laws from an ISP monitoring your behavior online. Except, you'd be wrong.
ISPs Broadening Their Reach
This may not concern you, personally, because you figure there isn’t enough data there to be harmful. However, not everyone is a sophisticated tech user. Some people, would rather have one company provide them all of their smart tech and have that company manage it. This is the landscape we’re starting to find ourselves in today.
Comcast not only offers cable and internet to homes, they also offer security systems including cameras, window and door sensors, and more. They even tout the capabilities of being compatible with numerous smart home devices like door locks, thermostats, and lighting. AT&T is no different, offering to sell streaming media players, smart outlets, security cameras, and both Google or Amazon devices as the control.
The ISPs do not care what devices you connect to your network. In theory, any device should work just as well as any other. Though, given the repeal of federal net neutrality regulations. The ISPs have positioned themselves in the perfect spot to pick preferred vendors. Essentially, while they won’t state it openly, if you buy the products that they sell, now they know exactly what’s in your home, and you have an extra bit of confidence that it will work reliably, without any blocking or throttling, because you bought it from the service provider. This creates an advantage for any company willing to open up your information to the ISP because there’s a self-serving benefit. Provide more data to the ISP-reseller about the user and how the device is used and you’ll be included in the preferred vendor list.
Ties to Title II
It seems almost everything that has to do with telecom these days has to do with the net neutrality and reclassification battle, and the ability of the Federal Communications Commission (FCC) to make privacy rules is no different. The ability of the FCC to promulgate privacy regulation turns on the same point in the 1996 Telecommunications Act as net neutrality.
If telecommunications are classified as a Title I service, then they are subject to 47 U.S.C. §160 which states,
"...the Commission shall forbear from applying any regulation…if the Commission determines that (1) enforcement of such regulation or provision is not necessary to ensure that the charges, practices, classifications, or regulation by, for, or in connection with that telecommunications carrier or…service are just and reasonable and are not unjustly or unreasonably discriminatory; (2) enforcement of such regulation or provision is not necessary for the protection of consumers; and (3) forbearance from applying such provision or regulation is consistent with the public interest."
All this to say that the FCC, while having authority to make rules that govern privacy regulations under the Telecommunications Act has to deem that it’s required to do so. If the services are classified as Title I, then they lack the authority to regulate.
Even if the FCC was to consider acting, the ISPs could file petitions seeking that the FCC forebear from taking action. Once that petition is filed, then the FCC has one year to respond, with the ability to extend by 90 days under certain circumstances.
Under a Title II classification, the FCC has broad authority to act and regulate.
“It shall be unlawful for any common carrier to make any unjust or unreasonable discrimination in charges, practices, classifications, regulations, facilities, or services for or in connection with like communication service, directly or indirectly, by any means or device or to make or give any undue or unreasonable preference or advantage to any particular person, class of persons, or locality, or to subject any particular person, class of persons, or locality to any undue or unreasonable prejudice or disadvantage.”
There is no forbearance consideration required to be made, though one can still be petitioned.
In 2015, when the FCC reclassified broadband as a Title II service, it set up circumstances for greater broadband rules. It even passed privacy rules for broadband interactive service providers. However, when the current FCC passed the Restoring Internet Freedom Order (RIFO), it undid the Title II classification, returning broadband services to a Title I classification. As such, broadband is again outside the regulatory authority of the FCC.
While the logical conclusion, then, might be to restore the 2015 Open Internet Order, that would be incorrect. The 2015 order carved out specific exceptions for non-BIAS (Broadband Internet Access Services) that included devices like heart monitors, e-readers, energy consumption sensors, or other limited-purpose devices such as automobile telematics and scholastic applications providing content in schools. This was not an exhaustive list and, based on the type of communication involved, most if not all IoT devices would likely fall into this same gap. This means that even with a Title II reclassification, IoT would remain outside the protections.
The California net neutrality law does a little better in potentially offering some protection in that it focuses its efforts on the behavior of the ISPs when it comes to blocking, throttling, or forcing paid prioritization for the devices on a network. However, the emphasis of the devices needing to be non-harmful may defeat any IoT protections because nowhere in the bill did it define what a non-harmful device was. Considering the lack of security measures and the common use of IoT in botnet or Distributed Denial of Service (DDoS) attacks, it may be difficult to confidently state that the devices are non-harmful.
Federal Privacy laws
In October 2016, the FCC passed new privacy rules that required the ISPs to get their customers to opt-in to before the data that the ISPs acquired was shared with third parties. The scope of information, as defined by the FCC was the, “statutory definition of customer proprietary network information (CPNI),” meaning, “individually identifiable CPNI, personally identifiable information (PII), and content of communications.”
Even examining those terms, it’s still difficult to see how IoT would have seen any coverage. Perhaps an argument could have been made for devices that were tracking personal health information, but it’s hard to say what identifiable information could be gained from an individual IoT device that raises and lowers a garage door. In aggregate it’s a different story, but that would have required the ISPs to be collating the data to sell in a package about a consumer household, which may have been deemed a violation of the rules, or to be doing it themselves.
It’s a moot point, though, because a few short months after the rules were passed, when Congress went into session at the beginning of 2017, they utilized the Congressional Review Act to repeal the rules. This had two effects. First, it treated the rules as though they had never taken effect. (See 5 U.S.C. §801(f)). The second, and arguably more important part, this disapproval resolution made it so that the FCC could not reissue privacy rules in “substantially the same form” nor could they issue a “new rule that is substantially the same…unless the reissued or new rule is specifically authorized by a law enacted after the date of the joint resolution disapproving the original rule.” (See 5 U.S.C. §801(b)(2).
What this means is that the federal agency tasked with overseeing communications by wire and the companies that operate in that space have now been specifically restricted from enacting any kind of rulemaking in regards to how those companies gather, store, and share data from their customers.
State Privacy Laws
To date, there are only three states that have passed consumer privacy laws – California, Maine, and Nevada. There are several other states that either have bills in process or have assembled task forces in lieu of a comprehensive privacy bill. Since there is only a small offering of laws, it’s worth taking a look at the contents to each bill to see if they cover ISP activity.
California: The California Consumer Privacy Act (CCPA) applies to any business that has annual gross revenues in excess of $25 million, or that annually deals with personal information from 50,000 or more households in California, or that gets 50% or more of its annual revenues from selling consumers’ personal information. The larger ISPs will certainly fall under the first category and would likely be subject to the second as well.
Where this hits the IoT space would be Section 1798.135(o)(1)(F) which covers “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.” Alternatively, Section 1798.135(o)(1)(K) includes “Interferences drawn from any of the information in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Of course, there’s a strange loophole. The CCPA does not protect “consumer information that is deidentified or aggregate consumer information.” (See Section 1798.135(o)(3)). This seems to means that if the ISP is able to piece little bits of deidentified data together to offer a more comprehensive view, then it’s not in violation of the CCPA.
Maine: The Maine legislature went a different direction with their privacy law when it passed the Broadband Internet Access Service Customer Privacy. Instead of focusing on the edge service providers collecting data, Maine’s law specifically targets the ISPs. The key points in relation to IoT are §9301(1)(C)(g), protecting “The customer’s device identifier, such as a media access control address, international mobile equipment identity or Internet protocol (IP) address;” and §9301(1)(C)(i) covering “The origin and destination Internet protocol addresses.”
In order for the IoT devices to communicate with other devices on the network or “phone home” and provide data to the manufacturer they have to have an IP address. For the device to provide useful information to the ISP, it would need to know the destination where the device was communication – the destination IP address. Both are protected under the law.
Much of the Maine law is what the FCC rules tried to implement before being subject to the disapproval resolution from Congress.
Nevada: The Nevada law has the most limited protections of the three enacted laws. It only protects personal information if it includes first initial or name and the last name along with either a social security number; or driver’s license or identification card number; or a bank or credit card number with the required security code or password to provide financial account access; or medial identification or health insurance identification number; or “a user name, unique identifier, or email address in combination with a password, access code or security question and answer permitting access to an online account.”
This law is useful from the perspective of keeping personal account information secured, but the sensor and actuator data that IoT is dealing with is well outside of the protections.
Conclusion
Other than the Maine privacy law and the CCPA, it seems as though there are no privacy laws in the United States that act to protect the information that an ISP can gather, sell, or share with third parties. They can capture your browser data, but in addition to that, the majority of the privacy laws that have been written only examine browsing behavior and ignore the device-to-device communication involved with IoT.
The lack of net neutrality regulations means that the ISPs can also treat all data types differently. This means that they can examine the source of the data transmissions and determine if they want to block, throttle or force the device maker or owner to pay more to transmit that data without interruption. It also means that that the ISPs are in a position to pick preferential business partners in the IoT marketplace.
If the manufacturer is willing to share data with the ISP, then their transmissions will go uninterrupted. This can disadvantage any real competition between device manufacturers, all under the name of “proper network management practices.”
Finally, it means that even though you are not actively providing information to edge service providers by using the internet, your devices are still providing a lot of data about the ways in which you live. Anyone with access to that information can collate it, determine your common behavioral patterns (even if you are offline), discover your preferred service providers, and then package and share that information.
Considering the degree to which an ISP can monitor your behavior, it’s pretty incredible that somehow the large ISPs have managed to avoid any public scrutiny while Google, Facebook, Apple, and Amazon are subject to complaints from Congress, and now pending antitrust litigation.
Josh Srago is a third-year law student at Santa Clara University. Prior to law school he spent over a decade designing communications and smart building solutions. His studies focus on the ethical development of technology, exploring how current regulations and policies affect smart home and smart city development.