A First Look Inside the Net Neutrality Order

Our Internet guru digs deep into the Open Internet decision and comes up with … questions.

I recently posted an item summarizing the broad strokes of the FCC’s new “Open Internet” (a/k/a net neutrality) rules and policies. Since the full text of those rules, and the accompanying Report and Order (“R&O”), had not been released when my summary was prepared, I had to work from the then-available public notices from the FCC. Now that the R&O is out, I’ve had a chance to slog through its 360+ pages of dense text, which has led me to one obvious conclusion: the R&O raises as many questions as it attempts to answer. Let’s look at two particular aspects of the FCC’s decision that give rise to some of those questions.

Extending full net neutrality obligations to mobile broadband: What’s the number?

Historically, when it came to broadband Internet service, FCC efforts to craft Open Internet rules and policies drew a clear line between (a) fixed/wireline providers and (b) mobile providers. Mobile providers were regulated far more lightly than their fixed/wireline counterparts because of a number of distinctions between the two. In particular, mobile broadband networks at the time featured less speed and less capacity, meaning that more intrusive traffic management was acceptable on the mobile side because it was, as a practical matter, necessary. Further, consumers enjoyed some measure of protection simply because there was competition among mobile providers.

But over the years, things have changed. As the Commission views the situation now, the once nascent mobile broadband service market has matured and now boasts sophisticated speed and data transmission capacity (Can you spell 4G and LTE?). Many consumers (especially those in low income brackets) rely primarily on mobile devices for Internet access. So in the FCC’s view, the time has come to apply to mobile providers the same rules and policies that it applies to fixed providers. Of course, continuing technical differences between the two mean that some different standards may be appropriate with respect to traffic management techniques. Nevertheless, the FCC has decided to bring mobile broadband service providers into the Net Neutrality big leagues.

But wait. If mobile broadband access providers are now among the ranks of the fully-regulated, does that mean that the public switched network now includes public Internet Protocol (IP) addresses as well as regular old telephone numbers?

This question arises because, in crafting its latest version of Open Internet rules, the Commission has declared broadband Internet access service to be a “telecommunications service” subject to common carrier regulation under Title II of the Communications Act. In the view of some, the FCC had to take that step in light of two court decisions rejecting earlier stabs at neutrality rules. Whether or not that was in fact the case, broadband Internet access service – both fixed/wireline and mobile – is now a “telecommunications service”.

Under Section 332 of the Communications Act, however, a mobile service can’t be treated as a telecommunications service unless it meets the definition of commercial mobile radio service (CMRS). And that definition requires that a CMRS operator must provide a service that is interconnected with the “public switched network”. The term “public switched network” refers generally to the traditional telephone system, with wires (or fiber), poles, switching centers … and phone numbers. In fact, until the R&O the Commission defined the public switched network as

[a]ny common carrier switched network … that use[s] the North American Numbering Plan in connection with the provision of switched services.

The North American Numbering Plan involves telephone numbers, not IP addresses. Broadband Internet access providers don’t use telephone numbers; they use IP addresses. (IP addresses have historically consisted of four decimal numbers, ranging from 0 to 255, separated by dots – for example, 38.100.34.29. A new numbering protocol – IPv6 – with even more characters is being deployed, but let’s not get into that right now.) In order to ensure that mobile broadband service is a CMRS and, thus, that it can satisfy the statutory requirements for a “telecommunications service”, the Commission had to expand its definition of “public switched network” to include interconnection with IP addresses. The definition now reads:

[a]ny common carrier switched network … that use[s] the North American Numbering Plan, or public IP addresses, in connection with the provision of switched services.

That might not be a major consideration but for the fact that IP addresses are currently regulated not by the FCC, but by the Internet Assigned Numbers Authority (IANA) of the International Corporation for Assigned Names and Numbers (ICANN), under a contract from the U.S. Department of Commerce. And as it happens, given the global nature of the Internet and IP addresses, the U.S. Government has been committed for nearly 20 years to transition key Internet domain name functions to the global multi-stakeholder Internet community, a process which is well underway. In other words, control of the IP addressing system has never been and is not likely ever to be within the FCC’s control.

In a welcome show of humility, the FCC acknowledges in the R&O that its expansion of the definition of “public switched network” to include public IP addresses “in no way asserts Commission jurisdiction over the assignment or management of IP addressing ….” That’s nice, but it underscores the fact that a critical definitional element of the FCC’s new net neutrality approach is dependent on a factor – the assignment of IP addresses – over which the FCC has no control. You can bet that this issue will be part of any appeal by wireless carriers attacking the FCC’s reclassification of mobile broadband Internet access service as a Title II CMRS.  

Who will regulate privacy?

Common carrier regulation under Title II encompasses a wide range of regulatory requirements that could be imposed by the FCC. But the Act gives the Commission the opportunity not to subject Title II regulatees to all possible requirements. If it so chooses, the FCC may “forbear” from applying some of those requirements. In the R&O the Commission provides a detailed analysis of the Title II statutory provisions that it will apply to broadband Internet access providers and those from which it will forbear. One area over which the Commission clearly asserts jurisdiction – while forbearing at this time from imposing its existing rules – is consumer privacy. It states that it will apply the requirements of Section 222 of the Act to broadband providers, although it will forbear from doing so pending adoption of new rules in a separate rulemaking proceeding.

Need a quick refresher on Section 222? Its formal title is “Privacy of Customer Information”. Section 222(a) requires every telecommunications carrier generally to protect the confidentiality of “proprietary information” of its customers. The FCC interprets “proprietary information” to include “private information that customers have an interest in protecting from public exposure”. Section 222(c) imposes specific obligations relating to the separate category of “Customer proprietary network information” (CPNI). CPNI has a complex definition; to simplify, think of it generally as records relating to quantity, type, destination, location, amount of use and configuration of service. Section 222(c)(1) requires that, when a carrier gets hold of CPNI as a result of the carrier’s provision of telecommunications services, the carrier can only use, disclose, or permit access to, “individually identifiable” CPNI in its provision of the services from which the information is derived (or underlying services). The Commission has consistently been a stickler on the Section 222(c) CPNI front.

Just last October, however, the FCC expanded its interest in enforcing privacy interests more broadly than CPNI. For the first time, it took action under Section 222(a) (and section 201(b)) against two telecom companies for storing customers’ “proprietary information”, including social security numbers, on unprotected, unencrypted Internet servers publicly accessible through a basic Internet search. The Commission clearly intended to send a message here: the fine was $10,000,000.

In the Open Internet R&O, the FCC continues that trend by concluding that broadband Internet service providers are subject to the general privacy provisions of both Section 222(a) and (c). Having so concluded, however, the Commission recognizes that its current rules relative to CPNI protection are oriented to traditional telephone services, and not broadband access services. (The current rules, for example, require protection of “call detail information”, not a category of information normally associated with broadband access.) Furthermore, the current rules do not address many of the types of sensitive information to which a broadband service provider is likely to have access, such as a customer’s web browsing history. Accordingly, the FCC has decided to forbear from applying its existing rules to broadband access services.

Of course, most broadband access providers are probably already paying attention to the need to protect their customers’ sensitive personal information. But now they will have to start paying attention to the way that the FCC will regulate their use, storage and destruction of that information. Expect the Commission to hold one or more workshops on this in the next few months; it will likely also issue a Notice of Proposed Rulemaking in the same time frame, aimed at developing a set of CPNI rules appropriately tailored for broadband access providers. Once such rules are adopted, we can expect the FCC to enforce them aggressively. As the FCC said in the R&O, it takes Section 222’s privacy mandate “seriously.”

The FCC’s assumption of the role of enforcer of on-line privacy puts it somewhat at odds with the Federal Trade Commission. The FTC has for years been protecting consumers’ on-line privacy interests, primarily through its statutory authority to sue companies that engage in “unfair” or “deceptive” trade practices. The FTC has interpreted the notion of “unfair” or “deceptive” practices broadly to include negligent data storage practices, failure of companies to fulfill the terms of their on-line privacy policies, and allegedly deceptive offers of “unlimited” data plans.

But the statute that gives the FTC the authority to do this clearly limits that authority in an important respect: common carriers subject to the Communications Act are exempt from FTC enforcement efforts relative to unfair or deceptive practices. As noted above, the FCC has now determined that broadband Internet access service providers are, in effect, common carriers under the Communications Act. Does that mean that the FTC is now barred from regulating such providers? Good question. (Note that, even if the FTC is indeed barred on that front, it can certainly continue to regulate the privacy practices of Internet content providers.) 

Previously, the FTC has stated its view that the common carrier exception is a narrow, “activity-based” exception that excludes only regulation of services subject to the Communications Act’s common carrier regulatory provisions, rather than a “status-based” exemption that excludes regulation of companies typically regulated by the FCC. But that distinction would not help the FTC here: the FCC has, in its Open Internet R&O, determined that the broadband Internet access “service” is subject to telecommunications (i.e., common carrier) regulation by the FCC.  

Presumably recognizing that its ability to act against broadband service providers may now have gone away, the FTC has lately emphasized that the FTC has always worked well with the FCC on issues of overlapping interest. Additionally, the FTC has floated recommendations that Congress delete the common carrier exemption. Still, unless the courts overturn the FCC’s reclassification of broadband access service, or Congress deletes the common carrier exemption, the FTC may be out of the business of enforcing privacy against broadband Internet access providers.

So, a new level of complexity has been created regarding the federal regulation of on-line privacy issues. The FTC has been an aggressive regulator, with a couple of decades of experience in this arena, and it will still be able to regulate non-common carriers on-line. For its part, the FCC appears to be very eager to jump into the game, regardless of whether or not it must share jurisdiction with the FTC. Broadband Internet access providers would be wise to pay close attention to how the FCC interprets and applies its privacy mandates. The FCC’s approach may differ from the approach historically taken by the FTC – in which case, providers will have to make adjustments to their operations.

Keep your eyes on CommLawBlog for further analyses of the FCC’s Open Internet R&O.

White House Proposes Approach to Privacy Protection On-line

Statutory “Consumer Privacy Bill of Rights”, FTC-reviewed/FTC-approved private codes of conduct highlight Administration’s opening gambit

Hoping to shape the development of national – and possibly international – consensus on the privacy protections to which on-line consumers should be entitled, the Obama Administration has issued a report on “Consumer Data Privacy in a Networked World” in which it lays out a “blueprint for privacy in the information age.” A central component of the report is a proposed “Consumer Privacy Bill of Rights”. That “bill of rights” reflects a set of principles which are, at this point, merely aspirational, with no independent legal force. The White House is hoping to change that on at least two fronts.

First, it is calling on Congress to pass laws that would impose the “bill of rights” on commercial sectors not currently subject to federal data privacy laws. And second – presumably because it recognizes that Congressional action is far from a sure thing – the Administration is calling on a wide range of “stakeholders” to develop their own “codes of conduct” effectively implementing the “bill of rights”. The idea is that such codes, once publicly and affirmatively adopted by companies subject to Federal Trade Commission (FTC) regulation, could be legally enforced by the FTC. The stakeholders the White House is targeting include companies, privacy and consumer advocates, “international partners”, state attorneys general, criminal and civil law enforcement representatives and academics.

This approach appears to have the support of major on-line companies such as Google and Yahoo. Some consumer advocates remain wary about the process and concerned that rigorous enforceable protections may not be achieved.

At this point, it's impossible to reliably predict the chances that the “bill of rights” will ultimately be adopted – whether by Congress or by a significant number of the commercial “stakeholders” identified by the White House. Still, the process of developing broad privacy standards has now been started, and all companies that do business on the Internet should be aware not only of the proposed “rights” (and the burdens that they could impose), but also of the process by which any such “rights” are likely to be developed and implemented.

What Rights? – Just what “rights” are on the table?

The White House’s “bill of rights” is intended to provide a “baseline of clear protections for consumers and greater certainty for companies.” It is based on longstanding, globally recognized, Fair Information Practice Principles (FIPPs), and bears a striking similarity to the European Union’s influential Data Protection Directive. Under the Administration’s proposals, consumers would be entitled to the following, while affected companies would be expected to respond as indicated:

Individual Control – Consumers would get the right to exercise control over what personal data companies collect from them and how they use it. Companies would be expected to enable consumer choice over use of their personal data by providing easy-to-use mechanisms reflecting the “scale, scope and sensitivity” of the data being collected.

Transparency – Consumers: the right to easily understandable and accessible information about privacy and security practices. Companies: provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete or de-identify it, and whether and for what purposes they will share the data with third parties.

Respect for Context – Consumers: the right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies: “heightened measures of Transparency and Individual Choice” would be required if, after collecting data, a company were to decide to use the data for purposes inconsistent with the original context under which it was collected.

Security – Consumers: the right to secure and responsible handling of personal data. Companies: assess their data collection and protection practices, and maintain reasonable safeguards to control risks of loss, unauthorized access, and improper disclosure.

Access and Accuracy – Consumers: the right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies: use reasonable measures to ensure that they maintain accurate personal data.

Focused Collection – Consumers: the right to reasonable limits on the personal data that companies collect and retain. Companies: collect only as much personal data as they need, consistent with the Respect for Context right.

Accountability – Consumers: the right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies: accountability to enforcement authorities and consumers for adhering to these principles.

These concepts are obviously broad and vague. But that appears to be purposeful, since the “bill of rights” as envisioned by the White House is intended to serve merely as a basic framework for protections in the myriad commercial areas not already subject to more specific federal privacy regulation (e.g., healthcare, financial services, education, telecommunications.)

Implementation – As it stands now, the “bill of rights” is little more than a wish list, a set of desirable goals the Administration would like the commercial world to embrace. Turning the “rights” into enforceable codes of conduct will not be simple. The White House proposes to do that through an “open, transparent, multistakeholder” process. The stakeholders would include “international partners” in the process. The goal there is presumably to assure that any U.S. codes of conduct would qualify for international “safe harbor” standards, thus facilitating international trade for U.S. companies.

The job of soliciting input from all of the stakeholders has been given to the Department of Commerce’s National Telecommunications and Information Administration (NTIA). While Commerce has previously waded into privacy policy, the FTC has as well. The choice of NTIA as the locus of the process may be an effort to encourage on-line industry participants to participate. Also, since the White House appears to contemplate that the FTC would be the agency with primary enforcement authority relative to any codes of conduct that get developed, the Administration may feel it more appropriate to leave the development to a separate agency.

Several consumer groups have already expressed concerns, though, that one or more stakeholders may attempt to impose “unilateral solutions” on consumers. Those groups have proposed their own process principles.

Notwithstanding the involvement of NTIA, or the FTC, in the development phase of any codes of conduct, the Administration sees such codes as being primarily private initiatives that “can provide the flexibility, speed, and decentralization necessary to address Internet policy challenges.” As models, the White House is looking at such non-governmental organizations as the Internet Engineering Task Force, and the Internet Corporation for Assigned Names and Numbers (ICANN) which are responsible for important Internet-related technical standards.

Is This Enforceable? – Um, no. As matters now stand, the components of the Administration’s “bill of rights” are not enforceable. But there are at least two ways in which they might become enforceable, directly or otherwise.

First, as noted above, the White House hopes that the stakeholder discussions it is initiating will lead to the adoption of specific codes of conduct to which companies will publicly commit themselves. Such commitment to compliance could provide the FTC the hook necessary to enable it to bring enforcement actions against companies whose conduct falls short of their commitment to the code they have embraced. (This would be similar to the FTC’s current practice, under its authority to prevent deceptive trade practices, of bringing enforcement actions based on a company’s violation of its own website privacy statements.)  

Along the same lines, private codes of conduct might also serve as a measure of the reasonable standard of conduct applicable to parties engaged in on-line activities involving data collection. For instance, plaintiffs in defamation cases often seek to use the Code of Ethics of the Society of Professional Journalists to establish that a defendant acted negligently because he or she failed to strictly adhere to that Code.  The consumer privacy code of conduct envisioned by the White House could provide a similar yardstick for treatment of personal information collected on-line.

Second, the White House Report urges Congress to pass legislation adopting the proposed “Consumer Privacy Bill of Rights”, but with more specific terms that would be worked out between the White House and Congress during the drafting stage. 

As the White House sees it, that legislation would provide a number of enforcement mechanisms. First, the FTC would be given the authority to (a) review any private codes of conduct that companies might adopt and (b) effectively grant those companies forbearance from enforcement under the statutory provisions provided that the companies commit to adhere, and do in fact adhere, to their private codes.  Such FTC review would be subject to a number of limitations (e.g., require public comment, complete agency review within 180 days, etc.). Importantly, such private codes would have to reflect the “consensus of all participants in the multistakeholder process”.  

The “safe harbor” approach – i.e., forbearance from compliance with a statutory “bill of rights” – would theoretically encourage companies to devise their own codes of conduct, subject to the FTC review process. (While the White House Report does not address the possibility expressly, it appears at least possible that a company that adopts a code not reviewed and approved by the FTC might still also be subject to FTC enforcement for violating that code, under the FTC’s existing Title 5 authority to prevent deceptive trade practices.)

Second, the FTC would be given authority to directly enforce each element of the statutory “bill of rights”. 

So would state attorneys general (at least as long as they coordinate their enforcement actions with the FTC). But the ability of individual states to provide their own separate privacy protections would be limited. In the hope of establishing nationally uniform privacy rules, the White House recommends that state privacy laws be preempted to the extent that they are inconsistent with whatever “bill of rights” Congress may enact. And companies that adopt FTC-approved private codes of conduct would be exempt from enforcement activities based on state privacy laws. The Administration Report does suggest that states could enact their own privacy laws, but only so long as they “not disrupt the broader uniformity the Report seeks in consumer data privacy protections.” State officials are not likely to be happy with the proposed federal preemption of their existing privacy laws.

While it may be politically necessary for the Administration to suggest joint federal/state enforcement of federal privacy requirements, the result could become a confusing and dangerous quagmire for consumers, and negate the regulatory certainty that companies seek.

What’s Next? – The process the White House hopes will ultimately lead to enforceable private codes of conduct has started. The NTIA has called for comments on the “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of these codes.” (Comments are due by March 26, 2012.) The NTIA is seeking input on a wide range of threshold issues, including privacy issues associated with mobile apps, cloud computing services, and on-line services targeted to children. The NTIA also asks numerous questions regarding process, including how the term “consensus” should be defined.

With regard to the prospects for legislation, it’s probably best not to hold your breath. While some Senators and Representatives have publicly concurred that legislation to protect on-line consumers is a good idea, let’s not forget that a number of privacy bills have been sitting on the Hill for years already with no action. Given that, a betting man would not stake much on seeing such legislation any time soon.

Of course, it’s impossible to predict what impact, if any, the White House proposal will ultimately have. Time alone will tell.

What we do know is that the Obama Administration has clearly embraced the issue of on-line privacy and is seeking to position itself as a champion of the on-line consumer. In view of recent, highly public, privacy flaps involving a number of the major on-line players (e.g., Apple, Google), that may be a smart move, particularly with a presidential election fast approaching. But note also that the White House proposal constitutes yet another effort by the Administration to try to assert some measure of federal control over Internet-related conduct. Such efforts might ordinarily alienate many on-line companies – as have the FCC’s net neutrality initiatives. But the White House’s proposed approach to privacy protection does include the notion of “private” codes of conduct. That notion arguably gives companies some opportunity to take control of their own fates (if you don’t focus too closely on the “consensus” obligation the White House Report would impose), which might deflect some opposition.

In any case, the White House is trying to set the tone, and possibly establish some preliminary parameters, of the debate about on-line privacy protections. We won’t know whether that effort is going to be successful for some time. Check back here on CommLawBlog – we’ll keep you updated as developments warrant.

NBP And Privacy: Whose Job Is It Anyway?

NBP identifies on-line privacy as important – but questions abound as to what steps to take and who should take them

The FCC’s National Broadband Plan calls for the extension of broadband into virtually every facet of American life.  While ubiquitous connectivity has many benefits, it also raises questions about how to maintain the privacy of those who enter this brave new world.   The FCC astutely recognized that people’s concerns in this regard could be a significant barrier to adoption and utilization of on-line systems, and it has therefore offered some recommendations on how to create an on-line environment which will provide more consumer protections. But lest you think the FCC has suddenly gone soft and consumer-oriented, the National Broadband Plan (NBP) recommendations for on-line privacy place a hefty emphasis on the need to encourage commercial services which harness “digital identities” to provide customized services (and make a lot of money). These seemingly contradictory goals actually serve the same common purpose, according to the plan: firms with greater access to greater amounts of personal information can offer better targeted services, which in turn increase consumer use and utility.

So how do we reconcile these apparent cross-purposes to reach the FCC’s goal? Generally, the theme seems to hinge on two notions: (1) ensure competition and innovation in the data-collection and data-mining industry, and (2) ensure that individuals can manage their own “digital identities”.

Noting that the “existing regulatory frameworks provide only a partial solution to consumer concern and consist of a patchwork of potentially confusing regulations”, the NBP suggests, but does not outright recommend, that someone (Congress? It is unclear.) should sort out and clarify the roles of the FTC and FCC with respect to on-line privacy.  In a side-bar, the FCC tiptoes around asking Congress to help, but suggests that maybe the legislative branch ought to look into revision of the Privacy Act to, at the very least, grant consumers more control over their personal data.

Whichever branch of government or executive agency actually acts, the FCC makes recommendations in the following areas:

Federal Framework – First, the FCC calls for laws or regulations that more specifically address the obligations data-collection and data-mining firms have to consumers with respect to use, sharing, collection, and storage of personal data. 

Second, the FCC thinks Congress should help develop trusted “identity providers” to assist consumers in managing their data. Apparently the FCC believes that Congress is the best vehicle for adopting a regime in which safe harbor provisions, guidelines and audits could permit companies to become “trusted” safe-guarders of personal information. The FCC feels that Congress should also ensure that such companies can get insurance for their trouble.

Finally, the FCC recommends that it work with the FTC to develop principles to require consent before broadband service providers share certain personal data with third parties. Why this concept falls under the rubric of “principles” rather than “rules” is not explained, nor are potential enforceability issues.

Identity Theft and Fraud – Given that the FTC is mandated by Congress to act as the identity theft complaint clearinghouse and consumer guidance counselor, the FCC is all too happy to let the FTC continue to bear that burden.  The NBP does recommend some changes: first, the FTC should be given additional resources to battle identity theft and fraud.  These efforts should include amping-up OnGuard Online (an FTC-administered website that provides practical tips to consumers on internet privacy), maintenance of a database sorting out which agency is responsible for what when it comes to consumer protection on-line (back to that hot potato problem), and greater education and outreach.  Finally, the FCC recommends that the FTC coordinate more closely with the national security apparatus.

Child Protection – Citing the lesson that the best way to make swimming pools less dangerous for children is to teach children how to swim, the FCC recommends that the federal government (presumably the White House) create an interagency working group to coordinate child on-line safety and literacy efforts, and to spearhead a national education campaign.

[Blogmeister note: This is one in a series of posts describing the range of regulatory and societal areas in which the National Broadband Plan could, and likely will, affect us all.]

Congressional Update: Online Consumer Privacy Laws In The Works

[Blogmeister’s Note: CommLawBlog.com welcomes guest blogger Catherine McCullough, principal of Meadowbrook Strategic Government Relations, a D.C. lobbying firm. We are pleased that Catherine has agreed to share with our readers some insight into communications-related issues pending before Congress.]

Does your business gather data about your audience – especially online? If you are thinking of engaging in behavioral advertising – widely considered the future of the industry – you should know about two new pieces of legislation in Congress that would affect the way you gather, store, and utilize the consumer data that advertisers so desire. 

Yes, the long-anticipated online consumer privacy laws are coming.

Congress has repeatedly considered new consumer privacy bills for much of the last decade. But only since the 111th Congress began have all political elements necessary for passage existed at the same time: Democratic control of both houses of Congress; a supportive White House; and a new Chairman of the Senate Commerce Committee who is not afraid to make his voice heard on consumer protection. 

And thanks to a new technology on the scene, there is an additional element essential to all political dramas: a bad guy. Public, meet your new enemy: Deep Packet Inspection.

(At the risk of getting too technical: Deep Packet Inspection is the process by which Internet service providers can probe around in the contents of data packets passing through their systems.  When a file – whether it’s a web page, or an email, or a video, or whatever – is sent from Point A to Point B on the Internet, it first gets organized into “packets” which are then sent on their way to their common destination.  Those packets don’t necessarily all travel the same path through the myriad interlinked computer systems which comprise the Internet.  For purposes of getting them all to the same place, the intervening systems need to know only the intended destination and a few other factoids relating to routing.  The particular contents of the packets ordinarily do not come into play in the transmission.  Deep Packet Inspection, however, permits detailed analysis of those contents, thus affording inquiring minds access to information which would ordinarily be thought to be private.)
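As an added illustration of the distinction drawn above (not part of the original post), the Python sketch below builds a constructed IPv4/TCP packet and contrasts the header fields a forwarding hop needs with what inspecting the payload reveals. The addresses, hostname, URL and function names are made up for the example.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def routing_view(packet):
    """What a forwarding hop needs: a few fields from the IP header only."""
    return {"dst": socket.inet_ntoa(packet[16:20]),
            "ttl": packet[8], "protocol": packet[9]}

def deep_view(packet):
    """What payload inspection adds: the port and the application data itself."""
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_offset = (packet[ihl + 12] >> 4) * 4     # TCP header length in bytes
    payload = packet[ihl + data_offset:]
    view = {"dst_port": dport, "payload_len": len(payload)}
    if payload.startswith((b"GET ", b"POST ")):   # cleartext HTTP request
        lines = payload.split(b"\r\n")
        view["request"] = lines[0].decode("ascii", "replace")
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                view["host"] = line.split(b":", 1)[1].strip().decode()
    elif payload[:1] == b"\x17":                  # TLS application-data record
        view["note"] = "TLS application data (ciphertext)"
    return view

# Constructed sample packets (documentation address ranges, invented hostname).
SAMPLE_HTTP = build_packet("192.0.2.10", "198.51.100.7", 49152, 80,
    b"GET /clinic/appointments?condition=asthma HTTP/1.1\r\nHost: health.example\r\n\r\n")
SAMPLE_TLS = build_packet("192.0.2.10", "198.51.100.7", 49153, 443,
    b"\x17\x03\x03\x00\x08" + bytes(8))

if __name__ == "__main__":
    for name, pkt in (("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS)):
        print(name, routing_view(pkt), deep_view(pkt))
```

For the cleartext request the payload view exposes the site and the query string, while for the encrypted record it yields only a port and a length.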

There is concern that this technology is too much of a temptation for those who gather and utilize consumer data. But the bills being written don’t restrict themselves to dealing only with this “extreme” type of tracking. They apply to most companies that store and use data. Here is how the legislation breaks down:

Two online privacy bills are now in different stages of development in the House. The first is being written by Rep. Rick Boucher (D-VA-9th), Chairman of the Energy and Commerce Subcommittee on Communications, Technology and the Internet, one of two House subcommittees with jurisdiction over the issue.  Boucher reportedly is working with his Republican counterpart, Cliff Stearns (R-FL-6th), on language that would: (a) allow Internet sites routinely to collect benign information from consumers unless the consumers affirmatively “opt-out” of such collection; but (b) prohibit the collection of sensitive personal information unless the consumer expressly agreed to such collection by affirmatively “opting-in”. The objective of this approach seems to be to force people to jump through hoops before releasing tracking rights to their sensitive information, because it takes more effort to opt-in than out. In theory, people will therefore make informed choices about who collects the sensitive details of their lives and how they use that information. (But how do we define sensitive, you ask? We’ll have to wait until the bill is introduced to see.)

The second bill has been introduced by Rep. Bobby Rush (D-IL-1st), Chairman of Energy and Commerce’s Subcommittee on Commerce, Trade and Consumer Protection – the other House subcommittee of jurisdiction. Rush’s bill, H.R. 2221, would require the Federal Trade Commission (FTC) to promulgate regulations to secure computerized data containing personal information.   (See the subcommittee hearing on the bill here.) It would be no surprise if the two subcommittees’ bills were to be merged into one piece of legislation regulating online privacy.

If an online privacy bill passes the House, the torch will be passed to the Senate, where Senate Commerce Committee Chairman Rockefeller has made no secret of his consumer-oriented focus. On the one hand, Senator Rockefeller acknowledges the reliance of the news industry on new technology. On the other hand, his Committee position makes him responsible for drafting a law restricting how media profit from the same advertising that supports their news-gathering operations. It is unclear how Senator Rockefeller and others of like mind will resolve this tension. 

While the bills will determine the principles of privacy policy, Congress will likely rely on the executive branch to determine important details. The FCC is already shaping the online landscape as it writes its National Broadband Plan and takes its public stand on “network neutrality.” The Federal Trade Commission is deeply involved in behavioral advertising and is beginning to share its thoughts with the FCC as well. Whether involved in writing online privacy law or executing and enforcing online privacy regulations, all government entities involved are now deciding how they will allow much-needed innovative online-related business to flourish while keeping consumer trust.