Revelations this week that Verizon Wireless secretly used “supercookies” to track customers’ browsing habits underlines a less-talked about benefit of the FCC’s potential reclassification of broadband as a Title II public utility — consumer privacy protection.
With broadband defined as a Title I “information service” as it is today, the FCC lacks the legal language and authority to punish carriers for things like “supercookies.”
So far the idea of reclassifying broadband as under Title II — a section of the Communications Act of 1934 that provides rules for “common carriers” — has been mainly associated with the net neutrality debate. Title II contains non-discrimination rules that allow the FCC to make sure big ISPs don’t give some data streams precedent over others.
But Title II also provides detailed rules for protecting consumer privacy, and would give the FCC the power to enforce those rules with mobile data service providers like Verizon.
As a service to advertisers over the past couple of years, Verizon has been quietly modifying its users’ web traffic running on its network to inject a cookie-like tracker known as X-UIDH (Unique Identifier Heading). This tracker is sent to every website Verizon customers visit using their mobile device.
This enables third-party advertisers and websites to assemble a deep, permanent profile of visitors’ web browsing habits, and Verizon neither told customers it was doing this nor provided a way for them to opt out, according to the Electronic Freedom Foundation.
A New York Times story earlier this week reported that an ad tech company called Turn had figured out a way to use Verizon’s unique customer codes to regenerate its own tracking tags after consumers had chosen to delete what is called a cookie. In effect, the story says, Turn could continue tracking user browsing habits even after the that person had deleted cookies that had been dropped in their browser.
Verizon now says it’s working on giving customers a way to truly opt out.
“We have begun working to expand the opt-out to include the identifier referred to as the UIDH, and expect that to be available soon. As a reminder, Verizon never shares customer information with third parties as part of our advertising programs,” says spokeswoman Deborah Lewis in a prepared statement. (Lewis didn’t return requests for comment for this story.)
After big carriers are caught with their hands in the cookie jar, they always suggest “self-regulation” as the solution.
But some believe that consumers shouldn’t need to rely on advocacy groups to sniff out and correct the privacy violations of companies like Verizon. Groups like Consumer Watchdog and Public Knowledge want the FCC to possess the authority to make binding rules prohibiting privacy-violating practices like Verizon’s and Turn’s — and to be able to fine bad actors.
A Title II classification for broadband might be the answer. “If you hate supercookies, you love Title II,” Public Knowledge’s Harold Feld told VentureBeat.
“The reason for that is there are statutory provisions in Title II that protect user privacy,” Feld said. Section 222 of the Title II section of the Telecommunications Act of 1996 contain provisions that protect what’s called “consumer proprietary network information” or CPNI. “CPNI means all the information you have to expose to the telecommunications provider in order to make the service work.”
Title II has so far been used mainly to regulate voice service, in which case CPNI can include information about the device you’re using, your telephone number and the number of the person you’re calling, the length of a call, your calling history, your name, your address, and so forth, Feld said. Section 222 contains the customer safeguards to prevent the operator from using that information without the express consent of the subscriber.
But the Title II language in Section 222 is broad enough to apply to data services, Feld says. In fact, Title II has regulated data services in the past, albeit older ones like Telex and fax services.
Title II also sets forth a system of sanctions for companies that violate customer privacy, including a schedule of fines. The FCC has fined companies substantial amounts for misusing CPNI. On one occasion in the early 2000s, it fined Verizon $9 million for failing to allow customers to opt out of sharing personal informal information regarding voice service. The violation was the result of an error on Verizon’s part, and the giant telecom self-reported the error to the FCC — but only six months after it had fixed the problem. The FCC levied the fine not only for the privacy violation itself but for failing to report the problem when it was discovered.
Feld said that for violations related to data service — like the use of supercookies — there is simply no way for the FCC to punish Verizon. “We have no way to do anything when Verizon sticks a bright neon sign on your back in cyberspace that says ‘follow me,'” Feld said.
Not only is there no legal description of the violation and no schedule of penalties, there is also a question of whether or not the agency has the authority to act.
“If broadband were a Title II service, Verizon would be violating Section 222 CPNI statutes as well as Section 201 rules against unjust and unreasonable practices,” Feld says.
Revelations about Verizon’s supercookie practice could not have surfaced at a better time. As the FCC and Congress move closer to making new rules protect and enforce network neutrality, the need for solid privacy protection for mobile data users might strengthen the case for a Title II classification of the Internet.