Our Internet guru digs deep into the Open Internet decision and comes up with … questions.

I recently posted an item summarizing the broad strokes of the FCC’s new “Open Internet” (a/k/a net neutrality) rules and policies. Since the full text of those rules, and the accompanying Report and Order (“R&O”), had not been released when my summary was prepared, I had to work from the then-available public notices from the FCC. Now that the R&O is out, I’ve had a chance to slog through its 360+ pages of dense text, which has led me to one obvious conclusion: the R&O raises as many questions as it attempts to answer. Let’s look at two of particular aspects of the FCC’s decision that give rise to some of those questions.

Extending full net neutrality obligations to mobile broadband: What’s the number?

Historically, when it came to broadband Internet service, FCC efforts to craft Open Internet rules and policies drew a clear line between (a) fixed/wireline providers and (b) mobile providers. Mobile providers were regulated far more lightly than their fixed/wireline counterparts because of a number of distinctions between the two. In particular, mobile broadband networks at the time featured less speed and less capacity, meaning that more intrusive traffic management was acceptable on the mobile side because it was, as a practical matter, necessary. Further, consumers enjoyed some measure of protection simply because there was competition among mobile providers.

But over the years, things have changed. As the Commission views the situation now, the once nascent mobile broadband service market has matured and now boasts sophisticated speed and data transmission capacity (Can you spell 4G and LTE?). Many consumers (especially those in low income brackets) rely primarily on mobile devices for Internet access. So in the FCC’s view, the time has come to apply to mobile providers the same rules and policies that it applies to fixed providers. Of course, continuing technical differences between the two mean that some different standards may be appropriate with respect to traffic management techniques. Nevertheless, the FCC has decided to bring mobile broadband service providers into the Net Neutrality big leagues.

But wait. If mobile broadband access providers are now among the ranks of the fully-regulated, does that mean that the public switched network now includes public Internet Protocol (IP) addresses as well as regular old telephone numbers?

This question arises because, in crafting its latest version of Open Internet rules, the Commission has declared broadband Internet access service to be a “telecommunications service” subject to common carrier regulation under Title II of the Communications Act. In the view of some, the FCC had to take that step in light of two court decisions rejecting earlier stabs at neutrality rules. Whether or not that was in fact the case, broadband Internet access service – both fixed/wireline and mobile – is now a “telecommunications service”.

Under Section 332 of the Communications Act, however, a mobile service can’t be treated as a telecommunications service unless it meets the definition of commercial mobile radio service (CMRS). And that definition requires that a CMRS operator must provide a service that is interconnected with the “public switched network”. The term “public switched network” refers generally to the traditional telephone system, with wires (or fiber), poles, switching centers … and phone numbers. In fact, until the R&O the Commission defined the public switched network as

[a]ny common carrier switched network … that use[s] the North American Numbering Plan in connection with the provision of switched services.

The North American Numbering Plan involves telephone numbers, not IP addresses. Broadband Internet access providers don’t use telephone numbers; they use IP addresses. (IP addresses have historically consisted of four decimal numbers, ranging for 0 to 255, separated by dots – for example, 38.100.34.29. A new numbering protocol – IPv6 – with even more characters is being deployed, but let’s not get into that right now.) In order to insure that mobile broadband service is a CMRS and, thus, that it can satisfy the statutory requirements for a “telecommunications service”, the Commission had to expand its definition of “public switched network” to include interconnection with IP addresses. The definition now reads:

[a]ny common carrier switched network … that use[s] the North American Numbering Plan, or public IP addresses, in connection with the provision of switched services.

That might not be a major consideration but for the fact that IP addresses are currently regulated not by the FCC, but by the Internet Assigned Numbers Authority (IANA) of the International Corporation for Assigned Names and Numbers (ICANN), under a contract from the U.S. Department of Commerce. And as it happens, given the global nature of the Internet and IP addresses, the U.S. Government has been committed for nearly 20 years to transition key Internet domain name functions to the global multi-stakeholder Internet community, a process which is well underway. In other words, control of the IP addressing system has never been and is not likely ever to be within the FCC’s control.

In a welcome show of humility, the FCC acknowledges in the R&O that its expansion of the definition of “public switched network” to include public IP addresses “in no way asserts Commission jurisdiction over the assignment or management of IP addressing ….” That’s nice, but it underscores the fact that a critical definitional element of the FCC’s new net neutrality approach is dependent on a factor – the assignment of IP addresses – over which the FCC has no control. You can bet that this issue will be part of any appeal by wireless carriers attacking the FCC’s reclassification of mobile broadband Internet access service as a Title II CMRS.

Who will regulate privacy?

Common carrier regulation under Title II encompasses a wide range of regulatory requirements that could be imposed by the FCC. But the Act gives the Commission the opportunity not to subject Title II regulatees to all possible requirements. If it so chooses, the FCC may “forbear” from applying some of those requirements. In the R&O the Commission provides a detailed analysis of the Title II statutory provisions that it will apply to broadband Internet access providers and those from which it will forbear. One area over which the Commission clearly asserts jurisdiction – while forbearing at this time from imposing its existing rules – is consumer privacy. It states that it will apply the requirements of Section 222 of the Act to broadband providers, although it will forbear from doing so pending adoption of new rules in a separate rulemaking proceeding.

Need a quick refresher on Section 222? Its formal title is “Privacy of Customer Information”. Section 222(a) requires every telecommunications carrier generally to protect the confidentiality of “proprietary information” of its customers. The FCC interprets “proprietary information” to include “private information that customers have an interest in protecting from public exposure”. Section 222(c) imposes specific obligations relating to the separate category of “Customer proprietary network information” (CPNI). CPNI has a complex definition; to simplify, think of it generally as records relating to quantity, type, destination, location, amount of use and configuration of service. Section 222(c)(1) requires that, when a carrier gets hold of CPNI as a result of the carrier’s provision of telecommunications services, the carrier can only use, disclose, or permit access to, “individually identifiable” CPNI in its provision of the services from which the information is derived (or underlying services). The Commission has consistently been a stickler on the Section 222(c) CPNI front.

Just last October, however, the FCC expanded its interest in enforcing privacy interests more broadly than CPNI. For the first time, it took action under Section 222(a) (and section 201(b)) against two telecom companies for storing customers’ “proprietary information”, including social security numbers, on unprotected, unencrypted Internet servers publicly accessible through a basic Internet search. The Commission clearly intended to send a message here: the fine was $10,000,000.

In the Open Internet R&O, the FCC continues that trend by concluding that broadband Internet service providers are subject to the general privacy provisions of both Section 222(a) and (c). Having so concluded, however, the Commission recognizes that its current rules relative to CPNI protection are oriented to traditional telephone services, and not broadband access services. (The current rules, for example, require protection of “call detail information”, not a category of information normally associated with broadband access.) Furthermore, the current rules do not address many of the types of sensitive information to which a broadband service provider is likely to have access, such as a customer’s web browsing history. Accordingly, the FCC has decided to forbear from applying its existing rules to broadband access services.

Of course, most broadband access providers are probably already paying attention to the need to protect their customers’ sensitive personal information. But now they will have to start paying attention to the way that the FCC will regulate their use, storage and destruction of that information. Expect the Commission to hold one or more workshops on this in the next few months; it will likely also issue a Notice of Proposed Rulemaking in the same time frame, aimed at developing a set of CPNI rules appropriately tailored for broadband access providers. Once such rules are adopted, we can expect the FCC to enforce them aggressively. As the FCC said in the R&O, it takes Section 222’s privacy mandate “seriously.”

The FCC’s assumption of the role of enforcer of on-line privacy puts it somewhat at odds with the Federal Trade Commission. The FTC has for years been protecting consumers’ on-line privacy interests, primarily through its statutory authority to sue companies that engage in “unfair” or “deceptive” trade practices. The FTC has interpreted the notion of “unfair” or “deceptive” practices broadly to include negligent data storage practices, failure of companies to fulfill the terms of their on-line privacy policies, and allegedly deceptive offers of “unlimited” data plans.

But the statute that gives the FTC the authority to do this clearly limits that authority in an important respect: common carriers subject to the Communications Act are exempt from FTC enforcement efforts relative to unfair or deceptive practices. As noted above, the FCC has now determined that broadband Internet access service providers are, in effect, common carriers under the Communications Act. Does that mean that the FTC is now barred from regulating such providers? Good question. (Note that, even if the FTC is indeed barred on that front, it can certainly continue to regulate the privacy practices of Internet content providers.)

Previously, the FTC has stated its view that the common carrier exception is a narrow, “activity-based” exception that excludes only regulation of services subject to the Communications Act’s common carrier regulatory provisions, rather than a “status-based” exemption that excludes regulation of companies typically regulated by the FCC. But that distinction would not help the FTC here: the FCC has, in its Open Internet R&O, determined that the broadband Internet access “service” is subject to telecommunications (i.e., common carrier) regulation by the FCC.

Presumably recognizing that its ability to act against broadband service providers may now have gone away, the FTC has lately emphasized that the FTC has always worked well with the FCC on issues of overlapping interest. Additionally, the FTC has floated recommendations that Congress delete the common carrier exemption. Still, unless the courts overturn the FCC’s reclassification of broadband access service, or Congress deletes the common carrier exemption, the FTC may be out of the business of enforcing privacy against broadband Internet access providers.

So, a new level of complexity has been created regarding the federal regulation of on-line privacy issues. The FTC has been an aggressive regulator, with a couple of decades of experience in this arena, and it will still be able to regulate non-common carriers on-line. For its part, the FCC appears to be very eager to jump into the game, regardless of whether or not it must share jurisdiction with the FTC. Broadband Internet access providers would be wise to pay close attention to how the FCC interprets and applies its privacy mandates. The FCC’s approach may differ from the approach historically taken by the FTC – in which case, providers will have to make adjustments to their operations.

Keep your eyes on CommLawBlog for further analyses of the FCC’s Open Internet R&O.