A group of legal and privacy analysts gave differing views on how the roles would affect consumers and businesses at a forum on capitol hill hosted by the congressional internet caucus committee. This is just over an hour. All right, folks. Welcome to another Congressional Internet Caucus Advisory Committee briefing. Thanks, everyone, for coming to this recess briefing. Were going to try to do this really quickly in like one hour and explain this issue from a pro and con perspective. The briefing that youve walked into, in case youre in the wrong place, is the new fcc privacy rules for broadband providers. What will they mean for privacy . And this is hosted by the Congressional Internet Caucus Advisory Committee in conjunction with the congressional internet caucus itself, which is chaired on the house side by congressman Bob Goodlatte and congress wam eshoo and on the senate side by senator john thune and senator patrick leahy. We are super supportive, appreciative of their support and the fact they allow us to host these briefings in conjunction with them in a fair and balanced way. And their ability to say we dont care where our particular perspectives are but we just want to actually have a good debate, pros and cons on these issues, and let, you know, Congressional Staff decide where they come out on the issue. So before i get going, just a few little bits of housekeeping. If you want to follow the conversation on twitter, the hashtag for today i is fccprivacy. Thats pound fccprivacy. And you can follow u us netcaucusaca. And that information is on your list here. We dont have any Upcoming Events but well probably notice one in a week or two. Probably the next one will be on the iena transition for the department of commerce and internet governance. Keep on the lookout for that. Let me introduce, we have pros and cons on this particular issue. And let me just introduce quickly my panel. Right from the left here is jim halpert. Hes with dla piper, which is a law firm here in town. And hes a partner there. Next to him is debbie matties. And shes debbie is Vice President of privacy at ctia, which is a collection of wireless and cellular phone companies. And next to her is katharina kopp, who is a director at the center for democracy and technology, which is a great privacy and Civil Liberties firm, nonprofit here in washington. Next to her is laura moy, who is the visiting professor of law at Georgetown University law school. All their twitter handles are on the page. So why are we here today . Yesterday the federal Communications Commission, and as the federal Communications Commission proposed a rule governing privacy issues related to Broadband Services and covering Broadband Service providers. Theyre basically updating a law from 1996 which incidentally is the same year that the congressional internet caucus was created. So 20 years ago the Telecommunications Act of 1996 was passed, which included a law governing the privacy of telephone service. And also the congressional internet caucus was created that year. Incidentally, the top one song on the billboard top 100 was the macarena. I dont remember what type of phone i had but it really wasnt portable. It was a very, very different day. And the congressional internet caucus was created that year to try to bring more attention to internet issues. This is really interesting collision of old and new. And what are we here for . So the fcc had a notice of proposal rule making. They wanted to do a rule to update these privacy rules for telephone providers. Now what theyre going to call Broadband Service providers. Our panels going to explain that and debate the pros and cons of that. Were going to go through a lot of material very quickly. The rules governing privacy for Broadband Service providers. They include folks that provide your cellular service. Not the phone itself but the service i get here, which is tmobile. Your over your laptop or your desktop, which in my case at home is verizon fios. But here its on the house public wifi. And so those are the types of services that were talking about. Broadband Service Providers. And these rules are covering them. So lets just go to my first question, and jim arrived just in time for the people out there who you know, the gnawing question is like that name sounds really familiar, jim halpert. Where do i know that from . And youre probably googling jim halpert and the first thing that comes up is that guy from the office. Jim, just so we get this out of the way, so youre not bugged all the way through the briefing. Jim is actually named hes the inspiration for jim halpert from the office. Thats right. Youll find that much less exciting than the actor. For what its worth, i had dinner last night with the real andy bernard, whos another childhood friend who was in town for a World Bank Economic conference. But lets talk about how this arose first. Yeah. Basically, the fcc has been trying to find a way to impose Net Neutrality requirements on Internet Access providers, and after a couple of attempts it decided to classify them as is common carriers. Just by virtue of providing Broadband Service. When the original cpni law was passed, the Internet Access providers were considered independent Internet Information Services and were not regulated at all by the fcc. This new classification through a quirk in the way that the federal trade Commission Law works are outside the authority of the federal trade commission. So before this Net Neutrality order Internet Access providers were regulated and subject to the same requirements as anyone else in the internet ecosystem or any other business. Its just this fcc rule changing the way that the service is classified for purposes of telecom that all of a sudden we have this change in authority over Internet Access service. So this is an offshoot of the open Internet Order or aka Net Neutrality . Right. So what is what is the commission proposing . It basically is proposing a privacy regime that includes notice, like telling people, consumers what their privacy rights are, choice, whether you can opt in or opt out or keep them from doing that collection. And then security. Which is like how you know, how are you going to keep my data secure when you collect it . What cause the rule specifically look like and what is the cpni thing people are hearing about . We dont yet know the exact text because it hasnt been released but based on discussions in public it sounds as though what the fcc would do is require an enormously long list of information to be provided to consumers by way of notice of what the data practices of the Internet Access service is and then set up a multitiered set of permissions, degree of opt in or opt out that would be required for the Internet Access provider to use information that it obtained by virtue of providing this service to consumers. So there would be a very unusual optin consent requirement for any disclosure of information to a third party. Well talk about that, how it may be a little less unusual. But certainly for internal uses of information for purposes, for example, of advertising or marketing, that would be sharply restricted unless requiring an affirmative optin consent, unless the marketing was for something that was related to communications service, so an existing service that the consumer required. There would be an optout for that sort of marketing. So the default rule would be opt in with an optout rule in place for marketing, Communications Services or marketing those services through an affiliate. If i can just jump to laura. For the average consumer at home, what does this mean for them . What does it mean for their privacy . What companies are they interacting that theyll be covered by this rule and kind of what is so unique about Broadband Service providers that we need such a rule . Ill try to take those ill try to get to all of those. And just to do a little bit of background here, before we Start Talking about consumers and exactly what this means to them, i think its worth talking about what the objective is with respect to consumers of the law in the first place. I think this is something that we could probably discuss at length because im sure there would be differences among us panelists over what the primary goals of the statute are here. But basically, the section of the Communications Act that governs common carrier privacy, the privacy obligations of common carriers which in the past were private phone providers, now include broadband providers, essentially it kind of had two goals, right . And one was to protect the privacy of information that consumers have to provide to carriers to get service. So thats like when youre talking about common carriers youre talking about companies that where their primary function is to carry the Customers Communications from one end to the other. So in that context if youre making a phone call or browsing the internet or using any Online Service you have no choice but to provide certain information with the carrier about the traffic. So with a phone call you have to provide information about the phone number youre calling, the length of time youre talking on the phone, et cetera. And with internet photographic its kind of similar. You have to provide information about that enables a broadband provider to route the traffic from one place to another. The customer pays the carrier for service, and has to provide information about their communications in order to get that service, and one of the goals of the law is to protect that information. Basically to make sure the information isnt then being used for other purposes other than to direct the traffic or to direct the calls without the customers approval. And then the other objective is a competitionbased objective. So the fcc actually for decades prior to the 1996 telecom act had been regulating Customer Proprietary Network information. Youll be hearing us refer to this as cpmi. Had been regulating it on a competition basis because there was this idea that if you have carriers that are seeing lots of information about relationships that their customers have with other companies by virtue of the fact that their customers are calling other companies, then there might be competition problems presented if the carrier can then use that information to give itself a Competitive Edge to compete in other markets. A really good example of this is with an Alarm Service where if youre getting Home Security from one provider then your phone company if your phone company starts providing a Home Security system it knows who youre a customer of for Home Security. It might even know when youve had an incident based on your call logs. It might know how often youre contacting Customer Service with that other Home Security system, et cetera. And that could be information that it could use to gain an edge for itself. These are kind of the two goals. So for consumers now, now that broadband has been reclassified as a common carrier service, again, with the routing of communications from one place to another, this means that broadband consumers can expect to have a very similar privacy framework to what has been instituted with respect to phone to the information that they provide to their phone carriers. They can expect to have very similar protections in place with respect to the information they share with their internet providers. The websites that you visit, the services that youre using that youre in contact with, the destination of your traffic and the origin of it, the duration, the amount of traffic, that type of information as jim described will now be subject to the sort of multitiered consent structure. So that information would be protected and the isp would not be able to collect it. Does this rule apply to sites like google, like twitter, like snapchat or the apps on my motorola phone and the operating system . Thats a good question. And i think just to address one part of that, though, these rules are not about collection, theyre about use in general because theres an assumption to see what carriers have to collect the information, that customers have to provide to carriers and carriers have to collect it in order to provide the service in the first place. Yes, that aside, no, these rules dont apply. At least, you know, based on what we know about the proposal, again, as jim said, we havent seen the text of the actual proposal yet. But based on what we know about it, no, it wouldnt it would not extend to Edge Services. So there are companies that provide both Edge Services and internet carriage, and when they are in the business of providing the providing Broadband Access, then theyd be subject to the fccs rules that protect the information in that context. And when theyre in the business of offering an edge service. So the phone i have in my hand, it wouldnt apply to like im look at my apps. It wouldnt apply to my fitbit app. It wouldnt apply to my google mail, my pandora, or even the operating systemk and this happens to be an android operating system. The other major operating system, you might have heard of it. Its ios by apple. Its been in the news a little bit. Yeah. Thats correct. It would not apply to those others. This is just about broadband Internet AccessService Providers. So let me ask whether katharina wants to weigh in on this or anybody wants to weigh in on this. What is so special, like really what is so special about Broadband Service providers . And is this regime similar or different to other privacy regimes that we have in the United States . Now, we had a briefing down the hall last week on the euu. S. Privacy shield. We had a fellow from the european commission. Hes like the reason we have to do this kind of bandaid is because the u. S. Has an inadequate level of Privacy Protection in our opinion, meaning the european commissions opinion. So whats so special about this particular Broadband Service provider and what do they see thats so special . You want to jump in or so thank you for that question. I think you have to look at the whole context of this data. So its not so much that its particularly Sensitive Data but its the whole context. So a customer who you use at home or on the phone, theres a lot of amount of data that is being collected. It is sensitive and detailed information and theres really not that many options for a customer to sort of switch the provider or, you know, evade the situation. So its the amount of situation in detail and really the opportunity for the customer to not go anywhere else. And if you think about the whole the kind of profile that can be collected about a user, a lot of important inferences can be made about a user. So you can understand, for example, the usage patterns. You can draw conclusions about whether somebody, for example, is unemployed, because they suddenly start using their Home Internet service more frequently during the daytime the kind of devices that are being connected to the internet again in the home setting, for example, a pacemaker or your fitbit, theres a lot of information that can be gleaned from that. So its the entire context you have to look at. I know the ftc, for example, looks at the sensitivity of the data and, for example, says with regard to Health Information you should its particularly sensitive, therefore, theres an optin required. I think its important ton only look at the sensitivity of the data but then thats the next step, also the purpose of the data. I think thats where well get into it a little more, when we talk about the proposed rules. It looks at the entirety of the data but then what is it being used for. Id be happy to go into that a little more. Well come back to the two points about not being able to go to somewhere else. And then also the sensitivity of the data, the uniqueness of the data. You can come back to that. But lets go quickly to debbie. Can we focus more on the mobile ecosystem . Because thats who your members represent, is mobile and wireless. So the mobile ecosystem, as you know, as tim was just talking about, involves a lot of companies who are providing the service to you. The isps. One of those companies provides the activity. But it isnt always the same isp when youre using your phone. If you think about youre at home, you might connect to your home wifi and then when youre out taking transportation to work, youre on your network connection. Once you get to work you might connect with your work wifi. If you go to a coffee shop you mi