EFF has long been critical of the Federal Communications Commission’s efforts to regulate digital technologies and services. We’ve warned against FCC rules and strategies that threatened to (or actually did) give the agency too much power over innovation and user choice. And with good reason: the FCC has a sad history of being captured by the very industries it’s supposed to regulate. It also has a history of ignoring grassroots public opinion. In the early 2000s, for example, the commission essentially ignored the comments of hundreds of thousands of Americans who opposed media consolidation.
When it came to the open Internet, the FCC’s confused legal arguments regarding the scope and limit of their power made us fearful that the FCC would abuse its power. With respect to net neutrality, it started out by claiming a broad “ancillary” authority to regulate the Internet – a claim that, if accepted, could be a Trojan horse for ever-expanding regulatory overreach. If the agency couldn’t articulate a reasonable and clear legal authority for its actions, how could we trust it to recognize the limits of that authority?
Until recently, those concerns have led us to largely stay out of the FCC’s various efforts to define “open Internet” rules. We’ve put our energies elsewhere: uncovering Comcast’s meddling with BitTorrent traffic; drawing attention to companies like Paxfire, through which ISPs diverted web searches; and developing software tools to Test Your ISP.
More recently we’ve worked to develop and support Open Wireless to give people more options for Internet access wherever they are. We are expanding that work to include stronger support for community and municipal high-speed Internet options. We’ve also strongly supported the FCC’s role in requiring transparency from providers.
Exploring our options
We will continue that crucial work. But in the meantime, the ground has shifted. The companies who have quasi-monopoly power over Internet infrastructure have gotten bigger and have begun to abuse that power. In addition, the D.C. Circuit appeals court told the FCC last January that the legal basis (called Section 706) it’s currently claiming to support its proposed open Internet rules doesn’t allow the FCC to pass the kinds of rules that would target those abuses, such as rules against blocking, discrimination among applications, and special access fees.
Against this background of quasi-monopolistic industry power and a confused regulatory agency, the question of how to ensure a neutral Internet that serves rather than inhibits innovation and user choice gets even harder. Is a carefully circumscribed role for the FCC part of the solution? Let’s look at the leading alternatives first.
We started by thinking about antitrust law. Some, including several witnesses at a congressional hearing last week, would like the FCC to stand down altogether on net neutrality. They argue that we should rely on antitrust law, not telecommunications policymakers at the FCC. There is strong appeal to that argument; if your concern is competition, isn’t that what antitrust law is for? But current antitrust law is no magic bullet. It focuses mainly on preventing monopoly prices, not harms to innovation, and it doesn’t protect free speech. Also, many tools of antitrust law can only be brought to bear where you can show that one company dominates a market. It is too easy to manipulate the definition of the “market for Internet access” and hard to tie the concept down so that courts can identify antitrust violations. Finally, antitrust litigation is slow and expensive for all parties, putting it out of reach for many startups and nonprofits that could be hurt by an ISP’s non-neutral practices. In the meantime, innovators and users face a climate of uncertainty and risk. We hope antitrust will help, but it can't be the only solution.
Another option is to leave the problem to Congress. A major revision to the Telecommunications Act is underway, and it could include new neutrality rules. Or Congress could pass a narrower law right now, focusing on promoting a neutral Internet. There’s at least one bill on the table already. That’s a fine idea and should happen but let’s face it: given the power of the telecom lobby, and Congress’s partisan gridlock, legislation that puts firm limits on harmful discrimination by ISPs will not happen anytime soon. While Congress dithers, or worse yet becomes beholden to the same forces that seek to capture the FCC, access monopolies and unequal treatment of Internet users are likely to become further entrenched. Moreover, any such legislation is likely to assign the role of enforcement back to the FCC, as did a proposed bill in 2007.
Looking to the FCC
So that leads us back to the FCC. While Congress does its work, antitrust lawyers weigh options, and Internet users work to promote competition, empower community solutions, and ensure transparency, the FCC can be acting to enforce a few rules of the road that target the non-neutral behavior we’re already beginning to see from Internet service providers.
We want to be very, very clear: the FCC’s regulatory role should be narrow and firmly bounded. Network neutrality rules should be limited to specific prohibitions—such as blocking, discrimination among applications and prohibiting special access fees—potentially combined with a renewed “open access” requirement that would foster local competition, and no more.
Luckily, the FCC has a way to bind itself and thereby limit its own regulatory reach. It’s called “forbearance.” While forbearance doesn’t set the limits on the regulatory agency in stone as Congress could, it does require the FCC to make a public commitment that is difficult to reverse. If it ever wants to change course, it has to engage in a contentious and tedious public process of notice and comment. We’ll have more to say about these very basic regulations in our comments on the FCC’s proposed rules, which we will also unpack in upcoming posts.
To get to a place where it can actually enforce neutrality rules and do nothing further, however, the FCC first needs to do one important thing: reverse its 2002 decision to treat broadband as an “information service” rather than a “telecommunications service.” This is what’s known as Title II reclassification.
That 2002 decision, as interpreted by the D.C. Circuit last January, now actually prevents the FCC from truly promoting a neutral Internet. That is because the court said that rules that actually do what many of us want—such as forbidding discrimination against certain applications—require the FCC to treat access providers like “common carriers, ” treatment that can only be applied to telecommunications services. Having chosen to define broadband as an “information service,” the FCC can impose regulations that “promote competition” (good) but it cannot stop providers from giving their friends special access to Internet users (bad). The result: a set of proposed rules that implicitly endorses paid prioritization and special deals that may not be available to new businesses at any price.
Some have said that reclassification would give the FCC too much power to regulate the Internet. That very concern is why forbearance is so important. Nor is it the case that the FCC has very limited power now—the D.C. Circuit affirmed that the FCC has broad powers to “promote competition” which could be just as vulnerable to misuse by a future FCC as any regulatory authority granted via a “common carrier” reclassification. More important than the potential breadth of power, however, is the fact that the powers that the FCC has now don’t match the real goal: protecting the neutral Internet we expect and need to flourish. Reclassification, combined as it must be with a commitment to forbear from imposing aspects of Title II that were originally drafted for 20th century telephone services and that don't make sense for the Internet, can give the FCC the right tool for the job without giving it regulatory tools it doesn’t need and may dangerously misapply.
While we would have preferred for the market to right this problem itself, the consolidation of Internet access providers and the increasing willingness to use their position to extract rents from downstream applications means that we need to do more than just shine a light with transparency and support alternatives with community and municipal infrastructure. We need some minimal rules of the road and, for better or worse, the FCC is in the best position to get those rules in place sooner rather than later. EFF will be working hard to make sure the FCC does just that – and no more. You can help.Related Issues: Net Neutrality
Share this: || Join EFF
A Zombie Bill Comes Back to Life: A Look at The Senate's Cybersecurity Information Sharing Act of 2014
The Senate Intelligence Committee recently introduced the Cybersecurity Information Sharing Act of 2014. It’s the fourth time in four years that Congress has tried to pass "cybersecurity" legislation. Unfortunately, the newest Senate bill is one of the worst yet. Cybersecurity bills aim to facilitate information sharing between companies and the government, but they always seem to come with broad immunity clauses for companies, vague definitions, and aggressive spying powers. Given such calculated violence to users' privacy rights, it’s no surprise that these bills fail every year.
What is a surprise is that the bills keep coming back from the dead. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs that are far more privacy protective than anything seen in recent cybersecurity bills. Despite this, members of Congress like Rep. Mike Rogers and Senator Dianne Feinstein keep on introducing bills that would destroy these privacy protections and grant new spying powers to companies.
New Countermeasures and Monitoring Powers
Aside from its redundancy, the Senate's bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Combined, the two definitions could be read by companies to permit attacks on machines that unwittingly contribute to network congestion. The countermeasures clause will increasingly militarize the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.
Second, the bill adds a new authority for companies to monitor information systems to protect an entity's rights or property. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.
Sharing Information with NSA
Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies like the NSA—"in real-time and simultaneous[ly]." DHS is even barred from "delay[ing]" or "interfer[ing]" with the information, which ensures that DHS's current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing.
This leads to a question: What stops your sensitive personal information from being shared by companies to the government? Almost nothing. Companies must only remove personally identifiable information if the information is known to be US person information and not directly related to the threat. Such a willful blindness approach is inappropriate. Further, the bill does not even impose this weak minimization requirement on information shared by, and within, the government (including federal, state, local, and tribal governments) thereby allowing the government to share information containing personally identifiable information. The bill should require deletion of all information not directly related to a threat.
Overbroad Use of Information
Once the information is sent to a government agency, it can use the information for reasons other than for cybersecurity purposes. One clause even allows the information to be used to prosecute violations of the Espionage Act—a World War I era law that was meant to prosecute spies but has been used in recent years primarily to go after journalists’ sources. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes. The public won’t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act.
The bill also retains near-blanket immunity for companies to monitor information systems, to share information, and to use countermeasures. The high bar immunizes an incredible amount of activity, including negligent damage to property and may deprive private entities of legal recourse if a computer security contractor is at fault for destruction of property. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It's also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports and privately.
A Fatally Flawed Bill
This fatally flawed bill must be stopped. There's a hearing Thursday next week to discuss the bill and we encourage you to join us stopping this bill. Get in touch with your Senator, tell them to vote no on the bill, and to not cosponsor the Cybersecurity Information Sharing Act of 2014.Related Issues: PrivacyCyber Security Legislation
Share this: || Join EFF