The FCC approved a set of new ISP privacy rules that it hopes will give broadband customers more choice, transparency...
and security for their personal data.
Broadband internet service providers (ISPs) must now get customers to opt in for the sharing and use of sensitive information. Additionally, ISPs will be required "to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences," according to the new FCC privacy rules.
Rebecca Herold, CEO of Privacy Professor, said the ISP privacy rules from the Federal Communications Commission (FCC) are long overdue and a good start.
"However, as with any initial set of privacy rules, it hasn't yet met the mark in providing all the protections necessary in today's world, where the data created through internet use is an electronic extension and representation of every person's self," Herold told SearchSecurity.
According to the announcement issued by the FCC, "The rules specify categories of information that are considered sensitive, which include precise geolocation, financial information, health information, children's information, social security numbers, web-browsing history, app-usage history and the content of communications."
Herold said ISPs have long been protected from the same privacy criticism as Google or Facebook because users often don't know how much data ISPs gather.
"It is not apparent what their ISPs are doing when they are connecting to the internet; once they set internet connectivity up, it just happens whenever they want to get on," Herold said. "They do not see all the data being generated from their activities on and through the internet. Out of sight, out of mind ... without seeing the massive amount of ISP data they generate, they are oblivious."
The new ISP privacy rules allow the use of nonsensitive information, including email address and service-tier information, as long as ISPs offer their customers the option to opt out to block the ISP from using or sharing that data.
ISPs will also be required to comply with transparency requirements and data breach notification guidelines. According to the rules, broadband providers are required to have "reasonable data security practices and guidelines" for ISPs, including implementing "robust customer authentication tools" and "relevant industry best practices." The new rules apply only to broadband and other telecommunications service providers, so websites and other edge services will not be affected.
However, Herold noticed a few potential loopholes and issues with the new ISP privacy rules. According to Herold, the FCC didn't include many specifics that could become issues, including what constitutes "reasonable measures to protect customer data," what kind of precautions need to be taken to prevent reidentifying de-identified data, and what qualifies as an "unidentifiable format" for de-identified data.
"I know from my many years of working with businesses that when it comes to implementing security, a large portion of them will only do what is explicitly required by law," Herold said. "As a result, most ISPs will probably not significantly improve their security practices under these new rules. Without such specifics -- hello, loophole."
Learn more about the EFF calling for an ISP data retention law to be scrapped.
Find out why consumers don't trust big data or ISPs.
Get info on whether Privacy Shield will help build consumer-centric organizations.