A group of legal and privacy analysts gave differing views on how the roles would affect consumers and businesses at a forum on capitol hill hosted by the congressional internet caucus committee. This is just over an hour. All right, folks. Welcome to another Congressional Internet Caucus Advisory Committee briefing. Thanks, everyone, for coming to this recess briefing. Were going to try to do this really quickly in like one hour and explain this issue from a pro and con perspective. The briefing that youve walked into, in case youre in the wrong place, is the new fcc privacy rules for broadband providers. What will they mean for privacy . And this is hosted by the Congressional Internet Caucus Advisory Committee in conjunction with the congressional internet caucus itself, which is chaired on the house side by congressman Bob Goodlatte and congress wam eshoo and on the senate side by senator john thune and senator patrick leahy. We are super supportive, appreciative of their support and the fact they allow us to host these briefings in conjunction with them in a fair and balanced way. And their ability to say we dont care where our particular perspectives are but we just want to actually have a good debate, pros and cons on these issues, and let, you know, Congressional Staff decide where they come out on the issue. So before i get going, just a few little bits of housekeeping. If you want to follow the conversation on twitter, the hashtag for today i is fccprivacy. Thats pound fccprivacy. And you can follow u us netcaucusaca. And that information is on your list here. We dont have any Upcoming Events but well probably notice one in a week or two. Probably the next one will be on the iena transition for the department of commerce and internet governance. Keep on the lookout for that. Let me introduce, we have pros and cons on this particular issue. And let me just introduce quickly my panel. Right from the left here is jim halpert. Hes with dla piper, which is a law firm here in town. And hes a partner there. Next to him is debbie matties. And shes debbie is Vice President of privacy at ctia, which is a collection of wireless and cellular phone companies. And next to her is katharina kopp, who is a director at the center for democracy and technology, which is a great privacy and Civil Liberties firm, nonprofit here in washington. Next to her is laura moy, who is the visiting professor of law at Georgetown University law school. All their twitter handles are on the page. So why are we here today . Yesterday the federal Communications Commission, and as the federal Communications Commission proposed a rule governing privacy issues related to Broadband Services and covering Broadband Service providers. Theyre basically updating a law from 1996 which incidentally is the same year that the congressional internet caucus was created. So 20 years ago the Telecommunications Act of 1996 was passed, which included a law governing the privacy of telephone service. And also the congressional internet caucus was created that year. Incidentally, the top one song on the billboard top 100 was the macarena. I dont remember what type of phone i had but it really wasnt portable. It was a very, very different day. And the congressional internet caucus was created that year to try to bring more attention to internet issues. This is really interesting collision of old and new. And what are we here for . So the fcc had a notice of proposal rule making. They wanted to do a rule to update these privacy rules for telephone providers. Now what theyre going to call Broadband Service providers. Our panels going to explain that and debate the pros and cons of that. Were going to go through a lot of material very quickly. The rules governing privacy for Broadband Service providers. They include folks that provide your cellular service. Not the phone itself but the service i get here, which is tmobile. Your over your laptop or your desktop, which in my case at home is verizon fios. But here its on the house public wifi. And so those are the types of services that were talking about. Broadband Service Providers. And these rules are covering them. So lets just go to my first question, and jim arrived just in time for the people out there who you know, the gnawing question is like that name sounds really familiar, jim halpert. Where do i know that from . And youre probably googling jim halpert and the first thing that comes up is that guy from the office. Jim, just so we get this out of the way, so youre not bugged all the way through the briefing. Jim is actually named hes the inspiration for jim halpert from the office. Thats right. Youll find that much less exciting than the actor. For what its worth, i had dinner last night with the real andy bernard, whos another childhood friend who was in town for a World Bank Economic conference. But lets talk about how this arose first. Yeah. Basically, the fcc has been trying to find a way to impose Net Neutrality requirements on Internet Access providers, and after a couple of attempts it decided to classify them as is common carriers. Just by virtue of providing Broadband Service. When the original cpni law was passed, the Internet Access providers were considered independent Internet Information Services and were not regulated at all by the fcc. This new classification through a quirk in the way that the federal trade Commission Law works are outside the authority of the federal trade commission. So before this Net Neutrality order Internet Access providers were regulated and subject to the same requirements as anyone else in the internet ecosystem or any other business. Its just this fcc rule changing the way that the service is classified for purposes of telecom that all of a sudden we have this change in authority over Internet Access service. So this is an offshoot of the open Internet Order or aka Net Neutrality . Right. So what is what is the commission proposing . It basically is proposing a privacy regime that includes notice, like telling people, consumers what their privacy rights are, choice, whether you can opt in or opt out or keep them from doing that collection. And then security. Which is like how you know, how are you going to keep my data secure when you collect it . What cause the rule specifically look like and what is the cpni thing people are hearing about . We dont yet know the exact text because it hasnt been released but based on discussions in public it sounds as though what the fcc would do is require an enormously long list of information to be provided to consumers by way of notice of what the data practices of the Internet Access service is and then set up a multitiered set of permissions, degree of opt in or opt out that would be required for the Internet Access provider to use information that it obtained by virtue of providing this service to consumers. So there would be a very unusual optin consent requirement for any disclosure of information to a third party. Well talk about that, how it may be a little less unusual. But certainly for internal uses of information for purposes, for example, of advertising or marketing, that would be sharply restricted unless requiring an affirmative optin consent, unless the marketing was for something that was related to communications service, so an existing service that the consumer required. There would be an optout for that sort of marketing. So the default rule would be opt in with an optout rule in place for marketing, Communications Services or marketing those services through an affiliate. If i can just jump to laura. For the average consumer at home, what does this mean for them . What does it mean for their privacy . What companies are they interacting that theyll be covered by this rule and kind of what is so unique about Broadband Service providers that we need such a rule . Ill try to take those ill try to get to all of those. And just to do a little bit of background here, before we Start Talking about consumers and exactly what this means to them, i think its worth talking about what the objective is with respect to consumers of the law in the first place. I think this is something that we could probably discuss at length because im sure there would be differences among us panelists over what the primary goals of the statute are here. But basically, the section of the Communications Act that governs common carrier privacy, the privacy obligations of common carriers which in the past were private phone providers, now include broadband providers, essentially it kind of had two goals, right . And one was to protect the privacy of information that consumers have to provide to carriers to get service. So thats like when youre talking about common carriers youre talking about companies that where their primary function is to carry the Customers Communications from one end to the other. So in that context if youre making a phone call or browsing the internet or using any Online Service you have no choice but to provide certain information with the carrier about the traffic. So with a phone call you have to provide information about the phone number youre calling, the length of time youre talking on the phone, et cetera. And with internet photographic its kind of similar. You have to provide information about that enables a broadband provider to route the traffic from one place to another. The customer pays the carrier for service, and has to provide information about their communications in order to get that service, and one of the goals of the law is to protect that information. Basically to make sure the information isnt then being used for other purposes other than to direct the traffic or to direct the calls without the customers approval. And then the other objective is a competitionbased objective. So the fcc actually for decades prior to the 1996 telecom act had been regulating Customer Proprietary Network information. Youll be hearing us refer to this as cpmi. Had been regulating it on a competition basis because there was this idea that if you have carriers that are seeing lots of information about relationships that their customers have with other companies by virtue of the fact that their customers are calling other companies, then there might be competition problems presented if the carrier can then use that information to give itself a Competitive Edge to compete in other markets. A really good example of this is with an Alarm Service where if youre getting Home Security from one provider then your phone company if your phone company starts providing a Home Security system it knows who youre a customer of for Home Security. It might even know when youve had an incident based on your call logs. It might know how often youre contacting Customer Service with that other Home Security system, et cetera. And that could be information that it could use to gain an edge for itself. These are kind of the two goals. So for consumers now, now that broadband has been reclassified as a common carrier service, again, with the routing of communications from one place to another, this means that broadband consumers can expect to have a very similar privacy framework to what has been instituted with respect to phone to the information that they provide to their phone carriers. They can expect to have very similar protections in place with respect to the information they share with their internet providers. The websites that you visit, the services that youre using that youre in contact with, the destination of your traffic and the origin of it, the duration, the amount of traffic, that type of information as jim described will now be subject to the sort of multitiered consent structure. So that information would be protected and the isp would not be able to collect it. Does this rule apply to sites like google, like twitter, like snapchat or the apps on my motorola phone and the operating system . Thats a good question. And i think just to address one part of that, though, these rules are not about collection, theyre about use in general because theres an assumption to see what carriers have to collect the information, that customers have to provide to carriers and carriers have to collect it in order to provide the service in the first place. Yes, that aside, no, these rules dont apply. At least, you know, based on what we know about the proposal, again, as jim said, we havent seen the text of the actual proposal yet. But based on what we know about it, no, it wouldnt it would not extend to Edge Services. So there are companies that provide both Edge Services and internet carriage, and when they are in the business of providing the providing Broadband Access, then theyd be subject to the fccs rules that protect the information in that context. And when theyre in the business of offering an edge service. So the phone i have in my hand, it wouldnt apply to like im look at my apps. It wouldnt apply to my fitbit app. It wouldnt apply to my google mail, my pandora, or even the operating systemk and this happens to be an android operating system. The other major operating system, you might have heard of it. Its ios by apple. Its been in the news a little bit. Yeah. Thats correct. It would not apply to those others. This is just about broadband Internet AccessService Providers. So let me ask whether katharina wants to weigh in on this or anybody wants to weigh in on this. What is so special, like really what is so special about Broadband Service providers . And is this regime similar or different to other privacy regimes that we have in the United States . Now, we had a briefing down the hall last week on the euu. S. Privacy shield. We had a fellow from the european commission. Hes like the reason we have to do this kind of bandaid is because the u. S. Has an inadequate level of Privacy Protection in our opinion, meaning the european commissions opinion. So whats so special about this particular Broadband Service provider and what do they see thats so special . You want to jump in or so thank you for that question. I think you have to look at the whole context of this data. So its not so much that its particularly Sensitive Data but its the whole context. So a customer who you use at home or on the phone, theres a lot of amount of data that is being collected. It is sensitive and detailed information and theres really not that many options for a customer to sort of switch the provider or, you know, evade the situation. So its the amount of situation in detail and really the opportunity for the customer to not go anywhere else. And if you think about the whole the kind of profile that can be collected about a user, a lot of important inferences can be made about a user. So you can understand, for example, the usage patterns. You can draw conclusions about whether somebody, for example, is unemployed, because they suddenly start using their Home Internet service more frequently during the daytime the kind of devices that are being connected to the internet again in the home setting, for example, a pacemaker or your fitbit, theres a lot of information that can be gleaned from that. So its the entire context you have to look at. I know the ftc, for example, looks at the sensitivity of the data and, for example, says with regard to Health Information you should its particularly sensitive, therefore, theres an optin required. I think its important ton only look at the sensitivity of the data but then thats the next step, also the purpose of the data. I think thats where well get into it a little more, when we talk about the proposed rules. It looks at the entirety of the data but then what is it being used for. Id be happy to go into that a little more. Well come back to the two points about not being able to go to somewhere else. And then also the sensitivity of the data, the uniqueness of the data. You can come back to that. But lets go quickly to debbie. Can we focus more on the mobile ecosystem . Because thats who your members represent, is mobile and wireless. So the mobile ecosystem, as you know, as tim was just talking about, involves a lot of companies who are providing the service to you. The isps. One of those companies provides the activity. But it isnt always the same isp when youre using your phone. If you think about youre at home, you might connect to your home wifi and then when youre out taking transportation to work, youre on your network connection. Once you get to work you might connect with your work wifi. If you go to a coffee shop you might be on the coffee shop wifi and use it when youre at a park because you have no internet connection. Throughout the day youre certainly using more than one isp. You take a look back at the original purpose of the privacy law that were talking about here and the Communications Act, you look at the Voice Services market, which is you had really one phone company back in 1996. You made a phone call from your house. They delivered it to someone else. And that was the only company you had two companies and everyone that was within that phone Services Market was covered by the law. Here by applying that same law to internet Service Providers, youre only applying it to a tiny subset of the number of companies who are delivering Internet Service to you. So from the isps perspective it doesnt make a lot of sense. And really from a consumers perspective it doesnt make sense because theres a lot of confusion that will ensue if you have one set of rules that you have for isps and then other companies who are handling the exact same data, in some cases even more data because if you think about using your phone and youre bouncing around from one isp to another throughout the day, you might be logged in to some services throughout the day consistently no matter which isp youre using. So if you have an email provider or social network you may be logged in the entire time. So that social Network Provider or Search Engine would be able to see all your activity throughout the day whereas any given isp would only see a fraction of that. So we have a difference of between xen you and katherine. Katherine is saying the sensitivity of the data and its unique. Youre saying that while theres the data that the isp would collect isnt all that different from what other apps or operating systems would collect, why are we being treated differently. Is that the point of contention . I think so. I think the market has just changed so much. The smartphone has changed so much of the way we communicate. And while in the 90s when we first got the internet everyone had their home connection, you sat at your computer and worked on the computer for a couple of hours and then maybe turned your connection off because you had to dial in, right . And now we have an always on connection and youre seeing isps all over town its just a very different market. And there is a lot of competition, especially in the wireless market. Think about when youre watching the super bowl how many of those ads were for Wireless Companies trying to get you to switch from one wireless provider to another wireless provider. Its very unlike the market that was around back when this law was passed when there was a monopoly phone provider. I think one of the challenges here is that in an overall internet ecosystem where there is potentially tracking of users in a variety of different ways, probably the simplest thing for consumers to understand is that they can go one place and opt out. Exercise control. If you read the legislative history of the cpni law that Congress Passed that was part of the telecom act, the key concept was to give consumers control. Control can mean an opt out or it can mean an opt in. If youre in a market, theres a small percentage of markets in the United States where theres only one land line isp. If you have an opt out you can still object and exercise your choice, provided thats presented clearly. Similarly, with the rest of the ecosystem and the internet there are selfregulatory mechanisms like the Digital Advertising alliance opt out. One could work on that further and spread its adoption even more broadly. And isps could be part of doing that. But by if this order goes through, isps are going to be subject to a unique, far more restrictive set of privacy rules than apply to virtually any other sector in the United States. And theyll be separated out from and not be part of a unified system where consumers would have control. And consumers may not understand it, probably wont understand the optin request that they get from the isp doesnt apply to anyone else in the internet universe. Let me go to katharina and laura. If we need to clarify what opt in or opt out is. Opt in is the isp has to say to the customer were going to use this information in the following ways, here it is, do you want this . And you have to do something. But basically its like yes. Thats opt in. Opt out is they do it, they provide you notice generally, and then if you say i dont really want to do, that you can click on something that says exempt me from it. And it manifests in a number of ways. But thats basically it. This is an optin regime. Why should this be an optin regime . Can you defend that . I think these are really important distinctions. Optin requires an affirmative action. Opt out assumes you dont have an objection. Okay. Here i think what the fcc right now is proposing, we know this from the fact sheet. We do some idea of what they have in mind. These three buckets with regard to the use of the data. The first bucket is this implied consent. You dont really need to ask the customer to do anything because you might need the data to use for maintenance or sort of security purposes. And then also for a service that is for marketing, using the data for marketing for the same type of service that the customer already has. Again, no action is needed. So id say you have a certain data plan and you need an upgrade for that. So no further action is needed. When you then look to the optout regime that theyre proposing, again you have to look at the use of the data. So its for marketing of communicationsrelated services. These are the use of the data that you signed up for a particular purpose now. The isp wants to market your related services. It seems to make sense that you can expect that the customer would be interested. Its related. There are certain expectations that make sense to say we assume youre okay with this until you tell us otherwise. The third bucket really is for any other purposes, to use this data for any other purposes. I think its fair to say that you cannot assume that the customer is okay with that. Unless they tell you affirmatively yes, i would like for you to tell me what other things you can offer me and then i agree to that kind of practice. I think you have to look at the purpose for the use, and thats really critical. And so i think thats sort of a fair point. That kind of scheme is found i dont think thats ever found anywhere in the rest of the marketing roles that apply to companies in the United States. Its on. Now its on. Go ahead. So if you think about a company that is offering you clothing and they decide to go into the shoe business or they go into a completely different business, theyre selling hardware or something, they are fully able to say hey, we saw you bought some clothing and wed like to sell you something completely different. And theyre not restricted from doing that. So im not understanding the sensitivity of marketing different kinds of products and services, especially when customers probably want to get discounts on different products and services that a Company Might offer. An example of that was just yesterday or the day before sprint came out with a new offer that you can get amazon prime by the month as opposed to amazon prime for the year. And this would be a benefit if you only want to have amazon for, say, the Christmas Season, you want to have Free Shipping, for example, during the Christmas Season and you dont want to pay for it for the whole year. Amazon through sprint would be potentially i dont know. These rulz are a little unclear. We havent seen them yet. But they wouldnt be able to market to their customers unless the customers know about this new offer, unless the customer had affirmatively said i want to get marketing offers from you. As opposed to saying heres a marketing offer for amazon, you can get it on a monthly basis, its october, youre going to get ready to do Christmas Shopping and the customer can say oh, gosh, i dont really want that, maybe ill tell them not to send it to me anymore. But a lot of customers are going to say thats a great deal. But it doesnt give them a choice if they have to affirmatively say back in february when they sign up for service that they want marketing emails or not. Because how are they going to know that the amazon offers going to be so great for them . So i think yeah. I would challenge actually this argument that we dont have anything like this anywhere else in the u. S. Privacy regime because of course the most obvious place where we have a very similar framework is with respect to phone information, with respect to information that customers share with their phone carriers where theres a very similar theres a very similar privacy Regulatory Framework that applies to that information. The information that a customer shares with their phone provider or that the phone provider has access to solely by virtue of this carriercustomer relationship, the phone carrier can only use on an optout basis for marketing of related services and its on anent out basis for marketing of related services. One is if youre talking about what the privacy justification for that type of regime is, again, its important to remember that privacy is contextspecific. Consumers feel their privacy has been violated when they think that information has been used out of context. In violation of the norms that they apply to the way they thought information would be shared and the context in which they first shared it with the provider. And we do see in the phone context or in the internet context, where a consumer is sharing information with their carrier for purposes of routing traffic or for purposes of routing phone calls, they expect that the information will be used in that way and not that it will be used for marketing purposes. We see is this in other types of information, other contexts where consumers have no choice but to go through a particular provider for a service that we think is generally essential like health. Lets unpack that a little bit. In the United States we have this kind of patchwork. Im not saying that in a negative way. But we have different types of regimes for different types of privacy. So for instance, in cover passed the cpni law back in 1986 which is being updated now. We have in the past graham h. Bliely that covers financial information. We have hipaa, which is the Health Information privacy act. We have and those related to just generally noninternet types of data. Really the only major legislation we have related to internet privacy is copa, which is the childrens online Privacy Protection act. And as an overlay jim mentioned this earlier and correct me if im wrong because im not the expert here, you guys are. We have the federal trade Commission Section 5 act. So the federal trade commission can say if somebody says were going to protect your privacy, were going to do did this way and were not going to give your information here but were going to use it for this, if they make that promise and they fail to follow up with it whether its online or offline, the federal trade commission which is the other cop on the beat here, can come in and say you didnt do what you told the customer youd do with regard to their privacy and were going to slap a 20 million fine on you or something. Furthermore, both the democraticcontrolled white house and the majority democraticcontrolled ftc issued reports on privacy the way they thought privacy should work in the United States, to establish a bunch of best practices that are widely followed in the business community. And both of those thought there should be no choice whatsoever offered with regard to first party advertising. Not opt in, not opt out. The eu Data Protection regulation, which youve heard the privacy discussion last week, europeans think is way tougher than u. S. Privacy law, does not require optin consent for firstparty advertising. So this part, this firstparty advertising aspect of the cpni rule would be the toughest or most extreme, however i you want to characterize it, restriction on use of data that you as a consumer have a relationship with in u. S. Law if it were to go through without qualification. In the Health Context there are limits. And in some aspects firstparty advertising is prohibited. Your doctor cant come to you and say hey, you should use this drug instead of that drug. They can put up signs, but they cant use your information to go propose that to you. But if you go to a hospital, and some of you may have had to do that for good reasons or bad reasons, and you check into the hospital, you get Marketing Communications from that hospital because they know youve been to the hospital and they start offering you other sorts of services and other sorts of things through their hospital. This would be a limit only on offering essentially existing types of services that the broadband isp currently offers to a consumer with some small types of upgrades. To give you an idea of how thats different or how that made sense in the context of the Telephone Network which laura was talking about before, as of 1996 when the telecom act passed from the way the internet is today, you need to think about what the competitive purpose of the cpni law which laura described second. But if you read the cpni law, there are actually requirements on the incumbent carrier, incumbent phone company, to disclose to competitors subscriber lists so competitors can go market to them and try to get service or shift service over to if they choose to sign up with a competitor. There are restrictions against trying to win back customers if a customer decides to switch to a competitor. And the competitive concern, if you look at the original cpi rules, is that the incumbent, which has all these local Telephone Companies which had all these customers would use that information to try to keep large control of the market. In the context of the Telephone Network, which was as debbie explained a closed network, there was no question about advertising. There was no advertising over the phone network. Were now in a very, very different world of the internet where there is a lot of advertising and this would effectively be saying only for this category of people can indeed opt into it. So youre saying two things. One, coming off my comment about different types of privacy regimes for different types of data, youre saying no fair, that isps are held to this higher standard compared to the other privacy regimes. More importantly, confusing. And number two and customers cant get the offers theyre getting from other companies. Number two, the competitive environment under which the original cpni rules were passed youre saying im not saying this but youre saying that they seem not to make sense. Id just ask kath reina and laura to respond to that. Yeah, sure. So with regard to the consistency argument, that we need consistency and clarity, cdt and the host of Public Interest organization active in the space, we have all advocated for a long time for the need for baseline privacy legislation for the entire ecosystem, for all the players in this space. But absent such legislation, which is unlikely to come anytime soon, and with the fcc having that authority, in effect the responsibility to protect the privacy of broadband customers, we feel they have to take that step and thats an important step, and well see what has to happen afterwards. But you know, thats the sort of context we operate in. And we feel that consistency is an important goal but it is not sort of for the sake of consistency, we want to have the right protections, the right standards that we customers feel that they have control over their data. And just to pick up on this control piece, i think we have to look a little bit at the evolution of the space, and we have you know, yesterday the commissioners, many of them cited the pew study thats come out earlier in the year, and theres another stud grit Annenberg School at the university of. Pen that really talks about how customers, Internet Users have lost a sense of control over their data. They are resigned. They feel they dont trust the institutions in this space. So i think for the purpose of the robustness of the Economic Development and people really wanting to engage with the technology its really important to give customers and u. S. Citizens the sense of control over their data back. The problem is if you give control to customers over a tiny segment of Certain Companies that hold the data when the data is flowing freely throughout the rest of the ecosystem, theyre going to get a false sense of security perhaps that ive opted out or ive opted in to certain things and thats going to apply across the board when its not because all those other companies, and not even just the companies that they directly interact with like the social networks and the Search Engines, with the Companies Offering behind the scenes the Advertising Networks that theyve never even heard of, the data brokers, their operating system, they may not appreciate that the operating system thats on their phone is seeing all the data, and theyre seeing it in an unencrypted way. Isps as we talked bay little bit i think already about encryption, a lot of the internet is becoming encrypted. And so the isps are unable to see any of the data thats encrypted. And at the same time the other companies on the internet can see that data. So theres a real disparity into its sort of like taking a howitzer and shooting it at a mosquito. I mean, its like a tiny little segment of the ecosystem. And all that datas going to go everywhere. A few things. One is i think there is theres definitely a desire by the companies, an understandable one, to try to make it sound like isps and other companies that are operating on the internet that are collecting information and marketing with it are the same type of entity and that consumers have the same type of relationship with them, but they dont. Consumers pay their isps to provide them with service. They pay their isps to get them connected to the internet. And then once theyre on the internet they make choices about what services theyre going to use online or on the internet or however theyre using the network. And thats but as an initial matter they have no choice but to go through an isp in order to get onto the network in the first place. And that is different. Theres a different Value Exchange where theyre exchanging money in a subscription generally in a subscription context for access to the network and thats what theyre paying for. Thats what they expect theyre getting. There is this difference with respect to the fact they have to go through an Internet Access provider to get on there. I can choose whether or not to use a free email service where i understand that im sharing information about my communications with the email provider, im sharing that information in exchange for getting email for free. But i cant choose whether or not to build a relationship with an isp and share lots of super Sensitive Information about my communications with them to get thats really interesting. So what youre suggesting is at least in part, and this is only the first part of what you were suggesting, is consumers and customers and people using the internet have come to this convention of their expectation privacy that if they pay for a service they want to just get that service, but for the Free Services on the internet like twitter or facebook or snapchat theres a builtin assumption that theyre bargaining for a free service, theyre bargaining something, maybe its perhaps advertising. Im not necessarily saying that is always the case. I think there are probably situations where people i think it is questionable in some situations whether people understand that the information theyre providing will just be used in whatever they clearly dont read privacy policies. They dont necessarily understand how the information will be used had in exchange for a free service. But i do think the relationship theyre building with their Broadband InternetService Provider is one where they believe the relationship is one where they have subscribed to a service specifically to go online and thats the service that they think theyre getting. You have an Advertising Service sorry. Go ahead. Chairman wheeler said in his statement that most of us understand that the social media we join and the websites we visit collect our personal information and use it for advertising purposes. Hes suggesting what you were suggesting but youre not suggesting it as strongly as he suggested it. In some ways it is an empirical question. But yes, i think in general people probably understand more about how their information will be used. Or at least consider it in the context of considering an Optional Service and considering to engage in an Optional Service than when theyre engaging in a service that is essential. And i also think just on the point of firstparty uses of data, again, like these are theyre different types of service. You can expand if youre a company that provides Internet Service and you want to expand into tuesdaying, thats fine, but you dont have a right necessarily to use information that youve collected in the context of routing traffic in the Broadband Access service, provision of Broadband Access service. You dont have a right to use that information to build this other business. And i think if you saw a Health InsuranceCompany Expand its business into advertising, you know, start moving whatever. Start up an advertising arm because its a giant and has a lot of money and wants to move into advertising, you wouldnt say, okay, yeah, go ahead and use this is first party use of information, go ahead and use all the information that you know about insurance. But wait. So were talking about opt in versus opt out. Were not saying they have a right to do it without any choice. Were just saying why should consumers have to choose specifically to get better deals on products they might want to get . Why cant they just get the offer and if they decide they dont like those kinds of offers anymore they can opt out. Theres nothing unique about an isp offering the deal then. So uber has cars and they drive you around and all of a sudden they start offering uber eats. Should they have been prohibited from telling you about uber eats unless you specifically said oh, i want to learn about food offered from uber . Doesnt make any sense to me. Just in terms of framing the debate that you sort of opt in to get better offers or additional offers, i think what a lot of the folks in the privacy community and civil Rights Groups have pointed out, that this data can also be used to sort of disadvantage you. So its not always about you getting great new offers but that there might be information gleaned from you that might be used to your disadvantage. Thats where i think it makes a lot of sense that people want to have control. First of all, the naacp president has written saying it did not make sense to focus on this particular area. Secondly, essentially a lot of the advocacy for this proposal and even the logic of what the fcc has said is while there might be particular uses of information that are unfair to consumers, discriminatory, intrusive, the way that the F Federal Trade Commission approaches this is to say there needs to be optin for specific types of uses. Laura also equated an isp a few minutes ago with a hospital or a Health Care Institution that opens a Health Care Advertising network. I would say compared, not equated. But sure. You drew an analogy. Absolutely. Yes. And the point here is if there is Sensitive Data that is being obtained through provision of Internet Service under the old federal trade Commission Framework or the framework that applies fought rest of the internet ecosystem it makes sense for the fcc now that it has done something regulatory which means it rules this roost. It should apply the same set of standards which would be opt in for uses of health data, a prohibition against use of information in a way that would discriminate against consumers. Probably if there was analysis of absolutely all the data that traveled through a system, that might also be worthy of optin consent. But instead what were seeing in this proposal is optin consent, is the requirement for all of these buckets of uses regardless of whether theres any health data, any discrimination, anything else. So i think we need to take that off the table for the purpose of this because it would be much more narrowly tailored and precise to focus on things that actually might cause some consumer harm. From what we know about this proposal, it also applies to not information that contains your name but information that could be used to identify you. Its very broad. All the data an Internet Access provider might have that might be linked to your account even though if its not in fact linked. Thats a huge amount of information that could be subject to a lot of regulations. Were scratching the surface and im sorry i dont have i do want to drill down on two points. But before we want to go to questions from the audience, but before we leave i just would ask you guys to try to explain what happens from here . Before we leave. And what is the role of congress in this entire rulemaking process . Since they originally wrote the law. Any questions from the audience . John. Hes going to bring the microphone over to you. And it wont go through the speakers but it will go through the network. So just talk away. John p. Hawk, Carnegie Mellon university. Two of you have emphasized the fact that there are different rules for different players. But the fcc if what you want is the same rules everywhere, the fcc cant give you that. They have title 1 authority over commercial broadband Internet Access providers. They dont have authority over starbucks when they provide me Internet Access. The only way to get that is legislation. So are you calling, the Congressional Staff in this room, are you calling for broadbased privacy regulation across awful these legislation across all these providers . So do you want to opt in for privacy legislation from congress or do you want to just be opted out of this fcc rule . I think to be clear the previous fcc requirements with opt which can be placed into regulation under the fccs own framework, there was a proposal that was submitted to do that. There is nothing to stop the fcc if its going to, as its proposing in its talk about regulating all information, not just cpni thats received by an Internet Access provider. If it has the authority to do that, it certainly has the authority to go beyond the structure of cpni and to replicate essentially the fcc framework ftc. The ftc framework, excuse me, for optins with the use of Sensitive Data. Optins for prohibitions against disclosing any information that might be used for profiling or in ways that might discriminate against data. All that is within the fccs authority if, as it says it can, its going to regulate all customer information received. There are two ways to do this, just to answer your question. You could pass legislation, and there has been support among many in industry to have one overriding privacy law to simplify everything in the United States. And thats certainly not all the industrys unified behind that but there are some. But i do think what jim was saying, so harmonize it with the ftcs framework is a good way to go because the ftcs framework has resulted in very strong Enforcement Actions against Huge Companies. Im not going to name it here. But Huge Companies youve heard of that last for 20 years and provide really strong protection. But at the sam time theres enough flexibility in the ftc framework unlike what the fcc is proposing, enough flexibility to allow for all this kind of innovation weve seen in the last 20 years in the internet. Thats the model thats been applied so far. And to try to pull into a very restrictive scheme where theres lots of specific notices and very arcane choices is not going to promote any kind of its going to make it really hard to make innovation around isps. So i think its a serious question to ask as to how we want to move, what direction we want to go. Do we want to go more prescriptive for everybody or have a flexible system that has served this country very well . Especially as compared to other countries that maybe havent had as much innovation, they havent had silicon valleys. Its a question thats going on in my view for at least 18 years certainly. Very, very strongly. Let me relieve johns question. Let me go to katharina. And john suggested that why dont you just go up to the hill and ask for, you know, privacy regulation across the board and for it to be optin. The world when you opt in. Up on the hill, and would it be opt in or opt out. We have been, of course we support, based on privacy legislation, and i think we would have to look again at the data whether or not that is opted out. And if i can just add, it is worth noting these are not mutually exclusive options, i would argue that it is the appropriate to have high standards for internet Service Providers because of the special relationship they have with consumers, and it is a relationship you want to encourage them to build the relationship, to get on the network, and will willing to connect and consider the services they use online. But not be afraid to get online because of the possible practices isps might be engaging in. The default is going online, doing nothing, and there will be strong protections for your information that you have to o provide. And that is not mutually exclusive with needs baseline privacy legislation to use information that is sensitive, and that maybe the fcc framework is not quequally addressing that may have made sense when there was less isps, but now let them compete for this kind of business. Its just so different now than it was in 1996. I appreciate your point but the market has changed so much. It is different but no matter where you are, youre going first through an isp and then online. If it is a free wifi hot spot, its not regulated by the fcc, they can use your data then. If you look at what consumers do, they access the internet at work, home, on their smart device, they may go through a bub bunch of locations. I dont think that is true. One Internet Access provider with a special relationship. Can i connect through the house wifi, im entrusting the data that flows through unless i nut a vpn. Star skrn bucks is the same thing. I think youre special relationship here is, without the data to support it is questionable, but if you have a customer who is ready was that to your satisfaction . Any other questions . I find a lot of inconsistency in your offers. They are so terrible they would not be able to get these wonderful offers through sprint or whatever. If it is so wonderful, why are you saying they may not be jumping in. Say you sign up for service in january with a new isp and they say would you like to opt in for marketing offers. They say theyre great but they dont know what they are yet. In october there is Free Shipping on amazon or something, and they cant make the offer because they have not opted in. How will the consumers know what offers are before the offers are out there. I dont mean to hijack your question. What is the practical effect of opt in versus opt out. And how does it hurt to get an offer. Just getting an offer and you end up not taking it, you get offers all of the time. I assume that if amazon will offer this to somebody, theyre doing it on the basis of some kind of data, say you buy a high end data package you never use. Maybe you will buy a high end delivery and video package but a consumer that could use a wonderful per month thing for december or whatever, theyre not going to see it. They are redlined. Why do you assume that . What is the interest in not trying to get as much of the market as you can. You want the part of the market that gives you a profit. But youre all generating profit. Youre supposing there is no interest in serving middle and low income consumers. If you look at the money, for example comcast is putting hundreds of millions of dollars to wire low Income Neighborhood sos they get broadband, but it could be something else. Im not saying its a wonderful opportunity for consumer, thats not my point, but to think it will always be nefarious conduct in advertising would not be economically rational. And it would apply to higher averages. Most of the Online Advertising is by 10 companies and none of them are isps. I just want to jump in on the i am pretty confident that companies can come up with creative ways to explain the value proposition. If it is an opt in they need that extra step. And the assumption is that until the customer objects you cant opt in. If i can just add i think it is also worth noticing. We are getting, we have not even see the text yet. But this is activities based regulation, not entity based regulation. That means if a company is both an internet Service Provider, it can continue to operate under the ftc general opt out framework in this area where it is engaging in advertising. It just cannot use the information it is collecting from the broadband customers, that theyre giving it to route that traffic. It cant use that if anyone has a burning question, i want to finish with the last question. I didnt get to, there will be a lot of questions about how much can the unique perch that they have, you will hear a lot of data about how much can they see. People are accessing wifi at mcdonalds or the house public wifi or that the data is encrypted. Im sorry we dont have the notice or proposal, but i understand there is like 500 texts. What is the process from here. What is congresss rule. Were going to get the text of the rule shortly i think. Maybe today, maybe next week early, and there will be two comment periods. And there will be an opportunity for companies, consumer advocates, and members of the companies. I think that congress has a strong role to play here to smooth this out and make sure the data is protected and not just what is held by Certain Companies. So we will be hearing throughout the summer on this and more discussion on the hill about these rules, is that fair to say . Yeah. Ill let you have one last parting comment quickly. Whether youre satisfied with the speed and availability of broad band in their congressional districts, and in connection with a unique burdensome regulatory instruction. There is almost no capital investment. And we didnt really get to encryption. And this is a debate much broader than this. And the less the isps will be and the trends are clear, so think about that for the larger encryption debates, and to you know, it is a question that needs to be considered. Ill skip over the encryption comment, but it is really exciting about this debate because we think it is a very important debate for our society at large. And i ask that you broaden this. And i think it just really touches on some fundamental issues into thank you for hosting this. And okay, as my final parting thought, i would give that i think it is important for us to think about the justifications for some the privacy laws, and that is why we have Strong Health privacy laws. People will feel comfort tobl go to their talked and talk about their health status. It is why we have lawyerclient confidentiality. Clients can feel free speaking with their lawyers. So they can take that stop of going online and knowing their traffic will be routed and not be concerned about how it will be used. Thank you to the panelists and thank you to everybody for coming. Thank you so much. On newsmakers this week our guest is raul grijalva. He will talk about the president ial campaign of Bernie Sanders and more. Watch the interview sunday at 10 00 a. M. And 6 00 p. M. Eastern on cspan. You know, were not there to serve some kind of corporate agenda. Sunday night on q and a, amy goodman, host and executive producer of democracy now talks about the book she go authored changing america. The idea of democracy now is that it really has not changed. I think they are representing the majority of people. They are concerned deeply about war and peace. The growing inequality in this country. About climate change, the fate of the planet, and are not a fringe minority. Not even a silent majority. Silenced by the corporate media. Recently our bus travelled to wyoming. Sam smith was recognized by classmates, family, and the investment of the future. Then our bus travelled. And then we went to minnesota where third Prize Winners were