 I just wanted to thank everybody for coming. We're really excited to have this excellent panel assembled today to talk about broadband privacy. This has obviously been an issue that my boss cares deeply about, and now that we're in this new post-Title II era, he thinks it's really important that we extend strong privacy rules to broadband. So really looking forward to hearing everything that the panel has to say this morning, and Chris, I'll hand it over to you. Alright, good morning. Thank you, Joey. Thank you, Senator Markey, for helping us get the room and leading on this issue for so many years. My name is Chris Lewis. I'm the Vice President for Government Affairs and Public Knowledge. And I'll be moderating for the next hour. We're excited to be here talking about broadband network privacy. Many of you, I'm sure, followed the reclassification of broadband as a Title II or Common Carrier Service at the FCC in 2015. And if you follow that, you probably know that the FCC for bore from the traditional CP&I Telecom privacy rules with the expectation, express expectation from the Chairman that he would be coming back. At some point in looking at making rules for privacy under Title II that actually fit and work for broadband and center-saddling companies with the old telephone rules. And so we're here to talk about that today and why that's important and what it might look like. We have a great panel. We have three public interest experts and advocates and one expert from the industry side. And I'll just go down and introduce them. They're just going to take a few minutes to talk about their own perspective. And then we do want folks to engage us in conversation. So please start to think of questions that you might have. And when we get to Q&A, just raise your hand and tell us who you are. And I'll call you and we'll keep the conversation going. But going down the line here, first we have from my organization, Public Knowledge, we have Harold Feld immediately to his right from the Open Technology Institute at New America, Sarah Morris. Then we have from the Center for Democracy and Technology, Eric Stahlman. And finally on the end we have from the Alarm Industry Communications Committee, Mary Cissek. And we're just going to go down the line here and let folks make some opening remarks. It's noteworthy and I hope folks saw outside that each of the public interest groups represented here have been writing on this topic over the last couple of months. And so hopefully you've had a chance to see the studies and white papers that they put out. I believe some of them were available. Harold's holding up his hot off the press yesterday. But if you haven't gotten a copy, please grab one on your way out or check them out online. They are available on the organization's websites. So with that I'm going to let Harold go first and then we'll just go down the line. So thank you. What I've tried to do here in this white paper and one of the reasons why it ends up being a lot longer than what most people would care to know about the FCC, the FTC and privacy is because it's really important to understand the framework in this. There is a tremendous amount of confusion, some of it deliberately sewn, about how the structure of the FTC's privacy jurisdiction works and how the structure of other specialized agencies particularly that of the FCC's works. And to briefly try to go over the main points are the FTC is not explicitly a privacy protector. It is the general consumer protection agency for the United States government. It is not the sole consumer protection agency. Rather the FTC sits at the center of a sort of hub and spoke where you have associated state consumer protection, but on the federal level you have a number of specialized agencies such as the Department of Transportation, the various financial regulators, HHS for health privacy laws under HIPAA, the Food and Drug Administration and among these is the FCC. I'm happy to explain if anybody wants to corner me why we do it this way, but just suffice it to say this has been the general scheme with regard to the FTC and the FCC this relation goes back over 80 years when the FTC was established in 1914 and the FCC was established to be the consumer protector for telephone services in 1934. So this is not something new and in fact with regard to explicit privacy jurisdiction the FCC and the FTC have shared responsibility for over 30 years going back to the 1984 Cable Act and the original CP&I rules, CP&I meaning customer proprietary network information which the FCC developed under general rulemaking authority in order to protect competition during and after the bell break up. So there is a long history here. Congress in the 1990s made some adjustments to both the FCC and the FTC. In the case of the FTC as part of a shift to a more market oriented approach they stuck in a provision called subsection N in the FCC's general consumer protection statute section 5 of the Federal Trade Commission Act which requires the FTC to actually prove a bunch of things since it works through enforcement not rulemaking before it can declare a practice unfair or unlawful. So that includes things like could the consumer reasonably avoid the injury or their offsetting benefits to competition but with regard to telecommunication services specifically the same Congress in 1996 made a different judgment. They said yeah we're actually moving into a world where we expect to see convergence we're moving into a world where we want to see competition between services telecommunications networks are very different from the standard marketplace both because of the information that the consumer must expose if the communications network is not private and secure from the provider then all other privacy protections are essentially meaningless and this has only become more true as we move these things online. And at the same time the recognition that competitors must expose information to the telecommunications providers in order to make the system actually work. So there is a specially designed statute section 222 which is designed to deal with networks including the what do you actually have to expose to make it possible for the system to function what do you have to give to law enforcement under what conditions it's all of the objections that people will have in the rulemaking are pretty much answered already in the statute. So we put all these things together and we look at additional factors that make this need particularly urgent online my colleagues over here will speak to that more directly but we come away with a number of generalized recommendations one is of course the FTC needs more explicit authority to deal with privacy issues that's not a primary recommendation in here but all of the concerns that people raise about operating systems search engines, social media platforms and the general way in which spyware for lack of a better generic term is seeping into our daily lives we all agree that yes the FTC needs a real boost the most recent real-life example of this is a case called MD Labs where a company released the health information of 10 million individuals onto the internet and where there is evidence that this is leaking into the information sales market and the FTC administrative law judge said yeah but you haven't proved substantial injury you haven't proved all of the things you need to prove under this N so therefore no case that's wending its way but it is a rather graphic illustration as compared to when the FCC went after a couple of providers who exposed the information of a couple of hundred subscribers and was quite capable of enforcing its rules but more importantly with regard to the FCC is the FCC needs to do the job it was designed for this includes looking at how broadband providers are currently collecting information how the fact that broadband providers are also MVPDs or otherwise direct competitors to online providers is influencing the nature of their information collection as well as opening up new vistas and opportunities for them to combine information that's not otherwise available I never give Google my social security number I have to give my cable provider a social security number so they can do a credit check is just one example access to the local number portability database is another example so that I can see if I'm a cable company I can see what provider your cell phone is on so I know when you're streaming video to your cell phone rather than to your laptop I get all kinds of very interesting information and so what we think that the FCC cannot wait that efforts to disrupt the long-standing relationship between the FCC and the FCC are either are both misguided and in some cases clearly self-serving and in any event no one has shown why the FCC-FTC relationship is under attack whereas say the FTC HHS or the FTC Consumer Financial Protection Bureau relationship or the relationships with any of the other financial regulators the relationship with the Food and Drug Administration none of these is being subject to an attack on the overall relationship in the authority so if we want to change the way we do privacy and go the way that a number of European countries have and have one privacy enforcer fine but then it's one real privacy enforcer it's not the industry the cable and telephone industry lobbying Congress to get rid of what has been a very effective enforcer on the grounds that somehow it would be so much better and more efficient and normal if we altered what has been the standard practice and made this radical reshift to exclusive FTC authority without of course changing the nature of FTC authority or giving them adequate resources Thank you Harold, Sarah Morris Thanks Chris, good morning everyone and thank you to Public Knowledge for putting together such an important event and thank you guys all for joining us today My name is Sarah Morris, I'm Senior Counsel and Director of Open Internet Policy at the New America's Open Technology Institute just by way of a bit of background New America is a non-partisan think tank and civic enterprise dedicated to the renewal of American politics, prosperity and purpose in the digital age Our experts work on a wide range of issues from national security policy to work family balance and of course technology and telecommunications policy to that end the Open Technology Institute brings together policy experts technologists and practitioners to promote ubiquitous safe and affordable access to communications technologies and communities around the world and in the United States OTI is deeply committed to ensuring that all Americans have access internet access that is both open and secure The 2015 Open Internet Order had important privacy implications as the FCC took on the critical task of reclassifying the delivery of internet service under Title II of the Communications Act It both laid the legal framework for sound net neutrality rules and also recognized that broadband is a vital service that should be subject to the foundational principles that have guided communications policy for over a century Notably, the FCC exercised forbearance from many provisions under Title II It declined to use its power under Title II to regulate rates or impose tariffs or unbundling requirements on internet service providers However, it did recognize the need for authority to, for example, protect people with disabilities, bolster universal service support for broadband service and protect consumer privacy As a result, the Commission recognized that the privacy protections that Congress envisioned for common carriers are applicable to the latest generation of Title II providers The application of Title II provisions in this context is a reflection of the statute's technology neutral framework and the recognition that broadband access is an essential conduit for ubiquitous communications access and the platform for the open exchange of speech and ideas These protections are not only an appropriate extension of the FCC authority They are necessary in light of a carrier special relationship with its customers From its perch as the gateway to the internet, your internet service provider has a unique window into your online behavior By nature of this role, an ISP can build a comprehensive picture of users' online activities ranging across time and across different sites, services, and devices A clear privacy framework developed under the long-standing authority granted to the FCC under Section 222 of the Communications Act will benefit consumers ensuring that the power asymmetry between customers and their internet service providers is mitigated by consumer privacy protections In a policy paper released last month I'll pull a hairline Find it in my pile So the policy paper that we released last month copies of which are available on the table OTI explores the types of information that internet service providers can learn about their subscribers and details of the ways in which this information can be abused Carriers can ascertain the content of all unencrypted internet traffic and even where traffic is encrypted, carriers know the destination information of that traffic through the domain name system or DNS Under typical circumstances, an ISP can also see each site user visits and when and for how long revealing user habits and other behavior This data collection can lead to myriad harms allowing inferences about things like employment and health conditions and undermining the internet as an open engine of commerce To address these harms, OTI urges the FCC to initiate a proceeding to adopt clear rules of the road for protecting consumer privacy online This proposed framework includes an inclusive definition of customer proprietary network information or CP&I, an often standard for non-service related uses of CP&I transparent access by customers to their CP&I baseline requirements for data security and breach notification and a clear process for consumer complaints As the FCC recognized when it reclassified broadband last year, broadband is no longer just a luxury It's an essential service, central to the way we communicate in the 21st century That means we can no longer think of user internet service provider interactions as something that consumers have any real choice about If we want to use the internet and we all do, we have no alternative but to share intimate details of our private lives with a broadband provider It's only reasonable then that we set strong baseline privacy rules to protect that information so that the internet can continue to flourish as a central forum for speech, commerce, and innovation in the modern era Hi, I'm Mayor Sloan from the Center for Democracy and Technology We're a non-profit, I think, tank and advocacy organization focusing on promoting democratic values and civil liberties on the internet and the individual world So our relatively modest submission for today's panel is a chart that I hope you have in front of you and if not, they're available on the back table and I have copies up here if you need it But essentially what we have tried to do and what we were thinking about pretty much as soon as the FCC adopted the open internet order is trying to figure out how the statutory definition of customer provider network information would apply to packet switch networks because it was not clear that that was the nature of network communication that the Congress had in mind when they inserted that provision into the Communications Act and to answer that question, what we basically did was break down the basic IP packet the way that all information is delivered over the internet into its constituent parts and see how those parts map onto the definition of customer provider network information which is defined as the information that relates to the quantity, technical configuration, type, destination, location and use of a telecommunications service subscriber subscribed to by any customer of a telecommunications carrier and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship and that final bit, this information is made available solely by virtue of the customer-carrier relationship is important because of course there are other ways to get access to this information but what I think Section 222 is uniquely preoccupied with is access to and use of information that a carrier gets by a bit or two of them being the network provider for that particular subscriber and what we found in what I submit now is that actually the definition in Section 222 maps on quite nicely to the IP packet and to the header information in IP packets that information definitely talks about where content is coming from the type of content that it is on its size on things like this that can really actually tell a customer or sorry a network operator or anyone else a lot of information about what a user is doing online without getting access to information in the application layer and that has two potential points of significance in the current debate one being that there is an argument right now that because traffic can be encrypted that CP and I privacy protections are unnecessary in CT's view this argument is unpersuasive for two reasons one being is that while encryption is becoming an increasingly common practice and one that we very much encourage becoming a more common practice it right now represents something about 40% of all traffic on the internet which means at present most traffic on the internet appears to be unencrypted so the argument that encryption is the south for all was first assumes a level of encryption that we don't think it reflects the current internet environment second even if all traffic is encrypted the information that is in the IP packet header that information about the destination source the type of traffic is not encrypted and for a good reason because if it were all encrypted the network operators would have no way to figure out where packets are coming to and going from and that's one important point about CP and I too is ISPs need access to this information because this is information they need in order to make their networks work and so there's nothing about CP and I being some special category of information that network operators shouldn't have access to what we're talking about here is simply what are reasonable uses and reasonable consumer expectations about uses of that information other than the provision of the network service so that information in the IP packet header even if encryption is used is still available to the network operator and we have seen instances of network operators making certain distinctions and differential treatment of traffic based on information in the IP packet header and I think probably the most current example of this is and again the details of this are not entirely clear but in the context of T-Mobile's been John which even though YouTube traffic was supposedly encrypted that they were still able to determine that this was video traffic and then subjected to limitations of 1.5 megabytes per second even though they didn't have access to everything in the application layer of that data so in closing I would just simply say that one, the CP9 definition in this statute does fit well to the broadband context and two, within that context encryption well something that we should all be encouraging is not the single answer to the problem of user privacy on the internet Thank you Eric and Mary Good morning Good morning, my name is Mary Sasak I'm a counsel for the Alarm Industry Communications Committee and just briefly, the Alarm Industry Communications Committee is made up of all of the major associations that represent businesses in the security industry and that includes the companies that come to your home and install an alarm system businesses, companies that install alarm systems for businesses the manufacturers of alarm systems such as Honeywell and all of the large and small companies that sell alarm services and systems and also the companies that monitor alarm communications This issue of customer information is extremely important to the alarm industry largely because alarm services and monitoring services all depend on the communications network and therefore the communications service providers including broadband providers do have extremely important information about the customers of the alarm industry so when your alarm goes off at your home that communication is carried to your alarm monitoring center and from there the communication is carried to possibly a PSAP or a fire company or a fire station or police officers to respond to whatever your alarm situation might be and so from a business perspective although we recognize that broadband providers and telephone companies, wireless providers are all in the alarm business not all of them but most of them are in the alarm business they do have important information about who the customers are of alarm companies and they can use that information in an unfair competitive advantage so the interest of the Alarm Industry Communications Committee is really to make sure that there is a fair playing field that their members can continue to operate in a fair manner and that the communications providers who have information about alarm customers cannot unfairly use that information to then try to grab business in an unfair and a competitive way I would also just point out that Congress apparently felt it was an important issue as well in the 96 Act, Section 275 was put into the 96 Act which essentially gave some protections to the alarm industry in relation to local exchange carriers and one of those important protections had to do with the use of customer information or customer data but this particular section is really geared toward local exchange carriers and as we now have a lot of providers in the communications business and providing communications networks that are not classified as local exchange carriers this section does not necessarily translate to also apply to them so in that sense it's also a competitive issue among broadband providers where this is an example of a restriction that applies to some but not all and the hope of the Alarm Ministry Communications Committee is that this type of protection would extend to all communications providers including broadband providers Thank you Mary So I want folks to go ahead and volunteer and raise your hands if you have questions I did want, I know Harold you flipped some of the competitive concerns about this as well I know you wanted to make an extra comment Yes, I wanted to point out one of the things we trace in this paper is the fact that what we now call the CP&I provision started out as a pro-competitive measure and that as part of the evolution of what is now Section 222 the House particularly then Representative Markey was very instrumental in making sure that this was an extremely strong consumer protection statute The result was that a number of the pieces that had initially been included as part of the competition protection were transplanted into other sections and primarily dealt with the major telephone companies who at that time were the big providers but one of the most important provisions that was put in as a backup which is often overlooked is Section 222B which expressly says that if you're a telecommunications provider and somebody is interconnecting with you another telecommunications provider is interconnecting with you in order to provide service you're not allowed to use anything that is revealed by the competitor for your own marketing purposes or for your own information Let me give one example of where that's really important as we move into the broadband universe The T-Mobile has a thing called Benjon and Verizon and AT&T also have competing wireless services so they might be curious for example is Benjon really something that is attracting a lot of customers and how could we measure that not just yeah we're losing customers because T-Mobile has been growing for a while how can you tell if it's really Benjon or the fact that they now have better coverage Well T-Mobile buys interconnection from people like AT&T and Verizon through things called special access they contract for backhaul that's an interconnection point so these guys can look and see okay is there a spike in video traffic that is now flowing through the connection to T-Mobile I can get pretty granular because of all of this other information that has to be revealed about when, how, which customers it's associated with so already my competitor's product is now my market research which if you're the income it is totally awesome and if you're the competitor totally sucks but it gets better because let's pretend that I'm a Verizon Fios customer and I'm the T-Mobile subscriber I'm not either but let's pretend for a minute I was Verizon Fios will notice how much I'm transferring my viewing habit from my laptop or even my hand set going through the Wi-Fi connection and transferring that to viewing on my handset over the T-Mobile connection so it can also determine which of the, in both of these, through these connections can also determine which of the Binjhan services are the most vital to have in any kind of competing service so there is a whole host of information that right now would be directly prohibited under 222B that the Federal Trade Commission never touches because that's not the purpose of the Federal Trade Commission to promote this kind of competition but which I think we would all agree if we want a healthy competitive wireless market we need to protect in order to make sure that my innovative competitive offering does not become my competitor's market research I would ask the panel a question back to the concern for consumers Sarah made the point about how broadband has become an essential basic service and so given that the existing phone CDI rules allow for customers to opt out is it fair for a consumer, given that this is a basic essential service to give up their privacy voluntarily it's often an argument that you hear when it comes to internet privacy that people are more and more willing to give up their privacy in exchange for online services I think there's a couple of different ways I buried in that question I think is the question of paid for privacy arrangements and things like that and I think that baseline privacy protections shouldn't be a luxury and so the implementation of strong, clear privacy rules under the CP&I framework I think is really important that's not to say that consumers shouldn't have choice in how their data can be used but the baseline privacy protections for us are very important I'll just add to that to say that in CET's view this is a very difficult question because on some level giving consumers choice means giving them consumer choice in what they do with their personal information and I think in some arrangements where this has come up really the concern hasn't been over the mere fact of consumers being able to enter into this arrangement but the actual terms of that arrangement in cases where the cost of opting out of a personal information sharing arrangement is so prohibitively high that actually seems something more coercive rather than being something like participating in a competitive market for the sale of your information so this is definitely a question that we will have to grapple with and at some point the FCC may need to grapple with it but I think at the end of the day this is probably not a yes or no question let me add a couple of considerations that are very important here one is the competition aspect my general opt-in or worse opt-out should not be allowed to reveal the competing information from businesses like the alarm industry because there's a whole set of information that either consumers are probably not even aware of that is directly related to these competition questions so using the FCC's competition enhancement which is not just 222B but there are also statutes that apply to wireless and cable which are important here there are competitive concerns about this kind of waiver the other point which is exceedingly important here is in two-way communication we've never let you expose the content on a waiver I could always opt out of the telephone company using my CP and I to sell me services in the telephone universe I could never consent to the telephone company listening in on my conversations because that conversation is a two-way conversation as we move to the realm of the internet and the availability of certain practices the question is so can I opt into DPI for these purposes well, DPI being deep packet inspection it allows the cable operator or excuse me the broadband provider to actually look inside the content of what I'm sending rather than simply look at that header information that Eric was talking about earlier on the outside there are right now providers that ask if you'd like them to use DPI in order to provide you with better services and will combine this DPI information that is the actual content with all other information they collect for their advertising companies now that's with user consent the user is saying sure I love that I want you to not bore me with bad advertising I want you to advertise services that are relevant to me but they're also choosing to expose not just their information but my information when I Harold felt in communicating with somebody who was opted into this I don't know that you've opted into the police spy on me box and if I'm not happy with your receiving provider looking at the content of my email or other communication to you I have no way of knowing that you are permitting that so with regards to this is not an on off the nature of the information the type of information that consumers can opt in or opt out to revealing needs to be studied very carefully because in a interactive network like this you may be signing away the rights to stuff that you don't have a right to sign away and don't be shy please raise your hand otherwise I'll just keep asking questions so great hands right away let's start here and work earlier sure Angie Cromberg friend and compass I was wondering if maybe you could expound upon the current obligations that apply the FCC to some of these providers like Harold you talked about special access well special access has been a title to service has never been in doubt that it's a title to service so presumably 222 has applied all along to special access and is there any kind of correlation of those rules in the context of that service that should apply here and then it also would just be kind of nice to hear like what's different what is different that you're proposing now versus where Brevin Internet access service providers have been in the context of when it was defined as an information I won't take the special access question I'll kick that one right back to Harold but I think what's different about what's happening now as opposed to what happened in the context when Robin providers were on worse information services is simply this question of having rulemaking authority I mean the one sort of it seems slightly schizophrenic as to whether different participants in the internet ecosystem whether for rules or just sort of big sort of standards like under section 5 that are sort of unfortunately in a case by case basis if at all I think in the window case you saw a call for clear privacy rules whereas now that the FCC actually has this rulemaking authority you're seeing people who are the potential regulatory subjects of these rules I'm calling for something more just like principles and standards and so I think the one thing that the FCC is really good at that it was not able to do before now is to actually provide rules that provide clarity to all participants in the internet ecosystem over the legitimate privacy expectations of users of broadband networks and how those expectations were enforced Alright well specifically on the special access question we've got a very complicated situation one of the issues is that as we all know Ethernet loops which are increasingly the most important means by which carriers purchase these backhaul services and special access were the FCC forebore from everything but 201202 so they explicitly forebore with regard to the sale of Ethernet loops from section 222 that's a problem the other issue that you get is when you are doing these negotiations around terms and service around interconnection I anticipate that we will see going forward lots of legal arguments around the nature of the traffic, what's carried, what's not carried if there's a provision governing broadband even as a Title II service is somehow different and the standard CP&I regulations don't apply there then in the absence of clarification from the FCC with regard to 222B what happens? I understand that incumbents have very good lawyers and that many of them are prepared to make arguments about how we slice and dice and divvy up the traffic and reclassify it it additionally raises concerns with regard to not covered entities such as cable operators who are increasingly moving into the contractual the backhaul business now I'm all for that, the A competition but without baseline rules in place the question becomes for carriers, particularly smaller carriers or competitive carriers so if there's now not one I like monopoly possibility but two, count them two possible backhaul providers or maybe three possible backhaul providers how do I protect myself where I have very little negotiating power and the other parties have negotiating power and where if my choice is between a lower price than I might get from another provider but you get to look at all of my competing information including that of my customers do I know both as a customer and as a competitor that you won't take that bargain additionally you have the problem as I mentioned earlier of you get to combine all of these sorts of information very different ways and things that you don't discover for example through the direct interconnection process you can use information that's at the basis of the interconnection process that you know to cross-correlate and check with other things use it with information you already have from the broadband subscription or from the cable subscription one of the biggest things that we recommend is that the FCC has to take a look at this comprehensively it has to invoke not just its 222 authority not just its 201B authority which is part of the title 2 but it also needs to invoke its section 628 authority which is the cable competition statute so that we can protect OTT video competition many of which are not OTTs so we also think they need to invoke section 637 which is general cable privacy statute they need to invoke your title 3 authority with regard to wireless services which may not be explicitly covered for the express purpose of protecting consumers and competitors alike from two things one the shell game where oh no I didn't collect that through 222B I collected that over my cable system and then cross-correlated with aggregate information that I'm allowed to pull under 222B so now even though I have exactly the same granular picture my shell game between the services lets me evade specific rules targeted over one type of service but also in recognition of the fact that this is now enormously powerful the amount of information that your residential broadband provider particularly if it is also your MVPD provider if you rent the set top box from them if you get your Wi-Fi access from them all of that information can be combined in ways that were not previously possible that require the FCC to use all of the tools at its disposal to protect privacy let's go right next to you Hi, Lynn Stanton from TR Daily I'm interested in this concept of consumers not having the right to give away information that you're saying belongs to somebody else it seems it's a lot like saying that if I want to go get a different service from the service I have now I can't tell them what I'm paying for my current service I can't tell them exactly what I get from my provider with my current service and not at all, that's my point this is multi-layered one of the key elements of both section 222 and section 637, the Cable Privacy is to put the customer in charge the customer is king there's specific provisions of these statutes that allow a customer to direct the carrier or the cable operator to provide me with this information so the idea is that I, the customer and the boss the question is a particular category of information that has nothing to do with what I'm paying that has nothing to do with what services I'm receiving that has nothing to do with any of the things that are clearly mine that belong to somebody else that they are implicated in interested parties and that requires a certain amount of balancing that balancing is built into section 222 through 222B and needs to be evaluated here in this broader context I can't, either, I have to hang some kind of sign outside my door that says, hey Sarah, I know you're a privacy freak so the fact that I'm letting RCN, my actual broadband provider monitor everything that comes over my wire you might not want to talk to me now or we say I can't give RCN permission to monitor Sarah's conversation the fact that it's a conversation with me doesn't change the fact that it's still also a conversation with Sarah and that's an issue the sort of more interesting gray area is, you know, the question of the alarm company and there I think there are very legitimate questions that we ought to ask which is, yeah, maybe I as the customer can tell Comcast or RCN or anybody what services I'm getting but so they know I've got a competing alarm company so that they can, you know, tell me about the wonderfulness of their alarm system but there are, A, it has to be really clear that's what you're doing it can't just be, we might take some of your information and might use it in some interesting ways which is what you have now on these disclosures it really ought to be if it's somebody else's proprietary information okay, you understand you're letting us look directly at the competitor it ought to be something the competitor should insulate from saying you the customer cannot decide to give away this information to your broadband provider we should at least consider because otherwise I don't want to service you because you're providing my direct competitor market information these are all things that we need to look at and figure out where the proper balance is but I'm very comfortable based on, you know, our long history of not letting telephone companies listen into the actual conversations of people on the telephone that we really should not allow broadband providers to do the equivalent of through deep packet inspection to look at the actual content of two-way communications we're going to go here in the front row and then we'll come to the back thank you, Paul Mary from CQ Roll Call I guess I have sort of a real basic question is if the goal is greater protection of data privacy for the FCC, how do they actually do that given how the internet works? I mean, you're talking about a hardware black box solution or just not letting them use that information that they inevitably are going to see how does the FCC actually achieve this goal? I think it's not a technological question I mean, again, as I said earlier, like CP&I is information that the network provider needs access to without it they can't make sure the packets get to and from where they're supposed to be going the question is around use and the way that the FCC would go about making sure that the uses of CP&I are consistent with any promulgated rules is through the process that it uses to make sure all of its rules are adhered to which is a series of formal and informal complaints enforcement guidance is an occasional addition for rulemaking where those rules can be clarified so I don't think that any of us are up here asking for a technological mandate or a technological solution to this problem and I think that that wouldn't really benefit the overall and continue evolution of the internet ecosystem The FCC's 20-year-old traditional CP&I rules have been enormously successful they raise similar problems I will offer as proof of the fact that they are enormously successful that when Pew Research surveyed consumers and asked them what means of electronic communication do you consider the most secure the overwhelming winner was traditional landline telephone which are where the traditional CP&I rules next after that was cellular and I don't know for sure but I would guess part of the reason why cellular was below was because of the nature of radio communication allows people to intercept the signal because CP&I rules apply to both of those everything else was a huge drop down in terms of how secure people felt their information was email, direct chat clients all of these things were they were basically at sort of Christy level of general support and approval on privacy so it is clear that even without knowing specifically about the CP&I rules that consumers have a very high degree of confidence in privacy to those services for which these rules are applied the problems that you are asking about how do I actually know how do I make sure that the company doesn't do it anyway the FCC has developed mechanisms for this including they have to report on their CP&I collection and use under a certification to the FCC annually they have a high standard to which they are held accountable the FCC imposes a reporting obligation in the event of data breach or in the event of a violation as soon as the company becomes aware of it there was an enforcement case I think it is now two years ago where Verizon got fined because they waited until after they solved the data breach problem to report it not because they didn't actually ultimately report it but because they didn't comply with the rules that required reporting in a timely manner because the FCC is really vigorous about this so I think that you are right it certainly presents challenges but the advantage of having the FCC do it is they are not new challenges we are just talking about solving it is a more complex environment to be sure but we have had basic solutions that have been time tested and worked and there is no reason why the FCC can't build off those for the next generation of privacy protections on the aisle in the back Thanks, Jules Polanetski at the future of Privacy Forum I have been working on EdTech issues almost as long as Harold has been working on FCC issues and so the section of the report that talks about the data that is available externally, certainly ISPs and so forth have access to a wide range of data but I hesitate to minimize the vast amount of data that is automatically distributed to hundreds of parties as soon as I get all mine and I think the choices this is a real challenge for those of us who want to see real choices sort of in EdTech clearing cookies is sort of malpractice nowadays we tell people their cookies there is a browser fingerprinting across device tracking there is just such a broad range of areas where the options and choices are broken Senator Markey is pushing for do not track because we don't have a way to don't track so I guess I just would ask whether you guys would be interested in sort of going deeper into you know, the kind of data that is available somehow I'm on Oracle's mailing list and so I keep getting offers to license their data as a service I don't buy it anymore with a credit card I can license it so just wonder whether you all be open to sort of and it's only one of the arguments I get that but sort of looking at the holistic picture of how do we solve the big problem in one swoop this is just FCC but this is framing up a really important issue do people have the choice when they turn on their computer or fire up their cell phone is there some way to leverage these things to solve the big problem you know, I think, not in the negative but I mean some of the criticism that folks have heard around the FCC looking forward also is that the FCC is picking winners and losers and somehow they should be going after broader privacy or you know, so Eric can sound like you want to address this or I'll go first and then let Harold follow up but I think this is a sorry where's Eric follow up this is definitely a valid concern and you see when it has been a voice frustration in this proceeding that that somehow people will be left with the impression that addressing privacy practices for broadband internet access service providers will in itself be a comprehensive answer to privacy protection on the internet I don't think that there's anyone on this panel who actually believes that I think there's an acknowledgement that the comprehensive solution is needed in CDT has long called for comprehensive privacy legislation I think what's interesting in this context and what's important to remember is that the Federal Communications Commission is an agency with very defined jurisdiction or a very discreet set of actors within that ecosystem in that case that is broadband internet access service providers and I think we definitely hope that we move towards sort of symmetrical or more symmetrical with privacy protections that still acknowledges that the roles that the edge providers have and the role that internet access providers have are distinct but ultimately the consumer is using both of them when they use the internet can I jump in? I would just say too that the statute was framed in recognition that gatekeepers can exist and recognizing the specific relationship between internet service providers and their customers and so as Eric mentioned this is a specific intended targeted statute to address a certain the use of information in certain contexts and so I agree with Eric that using the FCC's use of that section in the broadband context shouldn't foreclose asking the big broader questions about privacy in general Mary, I mean as a service online you guys I'm assuming don't expect to be under FCC privacy rules but you do have some sort of privacy guidelines or rules can you explain how it works as a non broadband provider? Yes Yeah, we're members of the alarm industry are not communications providers and are not subject to the FCC's jurisdiction as such however as businesses they are interested in making sure their customers' data is protected obviously since part of their business is security it's extremely important that they protect their customers' data and information that's part of their business and so not only is it necessary as part of their business but it's necessary just as good business practice so they are all trying to keep abreast of all the latest and greatest ways of making sure they have processes in place anything they can do from a technology standpoint to make sure that customer information can be protected they're trying to keep abreast of all those things and implement them as appropriate and so yeah that's a very important part of it just the one comment that I would make though and this does touch on the alarm industry a little bit customer privacy is only as good as what the customer understands and I think a lot of what has been touched on here is I think most people don't really understand how their data and information is being used and even when some company tells you check this box to allow me to do XYZ who really understands that there's no real explanation that they actually have a right to say no in fact most of these disclosures are usually written in the form of if you check the box you should understand that you may not get any service at all for many so it's more like a threat to check the box and get whatever privacy or whatever information you may have so and the way that touches on the alarm industry is there's always the concern as a competitor so you want to make sure and this you want to make sure that your competitors are not falsely providing information to your customers about what they must do or must not do and that ties in with the whole issue that the alarm industry has and the CP&I aspect of it is not the actual communication but it is the information like routing information and things like that that are necessary for the communication to go through so it is something uniquely given to communications providers and from that information they can determine all sorts of information all sorts of things about your customers and there should be some some protections for competitors otherwise you lose a competitive market the key word drills is really in that last sentence that you had leverage there is absolutely it is the system design that we talk about in this white paper that permits us to leverage what the FCC is doing here to further beef up privacy protections in other areas everything that the FCC does here it's public record it's room making everything that it is doing will provide further information to the federal trade commission to the members of congress with regard to this other side of the equation how do we beef up and expand the overall problem of protecting consumer privacy in this age where your lamp can be collecting personal information about you and beaming it back to some unknown mother chip the one thing I also just want to stress is the other exciting word from our political campaigns these days pragmatic approach which is the way you solve a problem this big and this complex is to break it down into the solvable pieces and keep solving them rather than standing back and trying to figure out how am I going to create one large general solution that's going to encompass all kinds of different technologies and special cases you're never going to solve it that way the only way you're going to solve it is if you say I got this piece I'm going to do what I can on this piece how I solve the problem here informs how I'm going to solve the problem over here and we keep moving until we actually get to a place where we're no longer as consumers sitting with you know the equivalent of naked in a glass house with regard to our personal information Chris, good night so we are over our time how about we do one more question and then we'll cut it off there since yeah alright if you don't mind I think Mary hit on something if the end result is that the privacy policies that you have to check off before you download the software get on twitter just become more complex what good is it going to do I mean don't you have to change that equation make it a real choice and can the FCC do that which probably is the first question can the FCC do that or does it think your paper demonstrates that they can I would say that yes they can and that yes they should I mean one thing about the current rules require is that notice be given to the consumer these are the rules that apply to the PSTM rather than to heavy networks but that notice be given to consumers and the FCC has the authority to make sure that notice is effective and part of doing so make sure that notice is given in terms that users can understand I mean while there is arcane terminology associated with IP networks one thing that I hope that we did in our short papers sort of exploring these is break it down into the very practical implications of the information that's collected and I think this is something that the FCC is uniquely positioned to work with consumer groups and with ISPs to make sure that the information about what CP9 is collected and what is done with it is communicated into in terms that users can understand such that when they give their sense to use of that information that that consent is effective and with regard to your twitter question again it goes to this setting aside the fact that my broadband provider sees a hell of a lot more information than twitter so it's not like oh it's useless unless I get everybody because twitter is not talking to my damn smart stove whereas my nest is not tweeting but it is communicating over broadband and my broadband provider is getting all kinds of information and that informational environment is getting more rich such as do I have a nest the other important factor is you start with the broadband providers where you have a specialized agency that has the power to do rulemaking that has the power to explore these proceedings these practices and proceedings in public and you set a standard for the kind of disclosures that we're talking about for the kind of opt-in rather than opt-out protections doing all of these judgments issuing rules that say this, this and this and here's why that makes it a hell of a lot easier for the FTC to say yeah you know what looking to how we do things through enforcement against companies like twitter facebook, google whatever the FCC has now done a lot of work on this and they've shown the kind of harm that happens when you have access to this information we can now meet the standard that we have to meet under section 5 sub n in order to show it is substantial injury in order to show that you can't really avoid, the consumer can't really avoid it without opt-out rather than opt-in to show that there are not prevailing benefits to competition if you allow this kind of collection of information so what the FCC does today helps the FTC to do its job tomorrow and it helps congress should it decide that it wants to address this issue and come up with more comprehensive solutions to have a basis for which it can determine where are the real issues what is the nature of the harm and what do we have to do in order to balance these things in order to protect privacy while still giving consumers choice we're going to have to stop it there we are well past 11 o'clock but I want to thank everyone for coming out this is an important topic that we hope people will continue to talk about talk with our organizations up here about and I want you to thank me help me in thanking our panelists for talking for the last hour thank you and again the studies should be available outside on the table in the back thanks everybody