November 14, 2020


Perpetually Missing from Tech Policy: ISPs And The IoT


U.S. legislators have drawn a bizarre line in the sand when exploring the invasive nature of technology companies and personal rights to privacy.

In Washington, D.C. there are regular hearings about the potential harms that big tech companies can cause because they have so much access to so much information. Facebook, Google, Apple, and Amazon testified before Congressional Subcommittees about their business practices, their data sharing between their own businesses, and the way that information gets used in relation to competition. What's interesting about that, though, is the fact that no consumer can share their personal information directly with any of them.

In order to reach any of the Big Tech companies that are generating immense amounts of policy discussion these days, a person must first have access to an internet service provider (ISP). This could be your home wireline connection from companies like AT&T, Verizon, Comcast, Frontier, Charter/Spectrum or a litany of other providers. It could also be your mobile service provider if you use a smartphone to browse the internet.

Who Sees What Data?

The big tech companies have historically obtained the majority of the data they have because people elected to use the services. Amazon knows your buying habits because they track what you order. Google knows what ads to show because it tracked what searches you were making. The ISPs, though, have a unique position in that they facilitate the connection between you and those edge services. They not only know that you elected to go to Google to perform a search, they also know that from that Google search, you then clicked a link and navigated to another website. While Google's reach can be pretty extensive with the ability to track behavior from a search or any click on an ad that they provide, an ISP doesn't need that secondary interaction. They know where you go online because they facilitate the connection between you and that end point.

There are ways to limit how much of this an ISP can see. First, HTTPS encrypts a lot of the actual data being transferred. This means that, unless DNS itself is encrypted as well, the only thing the ISP might know is what websites you're choosing to visit. You can also use a virtual private network (VPN). If you choose to do that, then the ISP will see only that you are connecting from your location to the secondary location. This also allows you to mask your location from websites, because all of the bidirectional browser traffic is between the websites and the secondary location you've tunneled into where the VPN is located.

The Internet is More than Browser Traffic

The problem with many of the policy considerations regarding how to protect consumers when so much of their data is accessible is that they repeatedly fall short. Think about all the devices in your life that connect to the internet. These include your phone, tablet, and laptop, along with all of the ancillary devices (lights, outlets, home assistants, robot vacuums, and even the infamous toaster) that make up the world of the Internet of Things (IoT). These IoT devices require the same kind of connectivity as your computer or phone, but without many of the security and safety measures in place.

IoT functions relatively simply. There is a sensor that connects to the network in order to communicate its status to a processor. When the sensor's status changes, it sends that signal to a processor. From there, the processor determines what that sensor's status change means and sends out a command over the network to an actuator that performs a task. Consider the following example: You pull into your driveway, your house recognizes that you're there, and it opens your garage door, adjusts the temperature, turns on the lights, and starts your favorite evening playlist. Maybe it even brews you a fresh cup of decaf so you can kick off your shoes and settle in for whatever comes next.

That's one sensor using merely the presence of your device to trigger a communication with the processor. That processor then reaches out over the network and provides commands for services provided by potentially five different manufacturers: the garage door controller, the thermostat, the lights, your preferred streaming music service, and your coffee pot. How much information has an ISP just potentially learned about you without you typing a single character?

They know that someone arrived home at that specific time because the sensor communicated over the network to the control processor. They know that you have each of those devices in your home provided by each of those manufacturers. They know what streaming music service you prefer.

Some of that information might seem innocuous. Who cares if the ISP knows what coffee maker you have? Why does it matter if the ISP knows what time you got home? Everyone is going to have to get home at some point in time, aren't they?

The value of an ISP being able to monitor that kind of information is not in the snapshot of one instance. Yes, they can use that information to help third-parties better target where they sell ads for your browsing behavior. The real value, though, is that these ISPs know what devices are connecting to your home, and that they can trace your habits and behavioral patterns from that information.

If you habitually arrive at home around that specific time each day, the ISP can track that information. If that data shows that every Thursday there's no command, but there's increased traffic from your home, the ISP can reasonably conclude that those are the days that you work from home. They might be able to glean that information from just the increased traffic, but the missing command when you arrive home gives them more verifiable data about your habits and practices.
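As an added example (my code, not from the article), here is the inference described above carried out over a constructed flow log that holds only timestamps and destination hostnames, which is roughly what an ISP is left with once HTTPS hides the payload. The vendor hostnames, the mapping from hostname to device class, and the VPN endpoint are all hypothetical; the last function shows the same log as it looks when the home is tunneled through the VPN mentioned earlier.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of what an ISP sees for one household: time and destination
# hostname (learned from DNS or TLS SNI). No payload and no per-device address,
# because the home router NATs everything behind one public IP.
SAMPLE_FLOWS = [
    # Monday 2020-11-02: arrival-home burst at 17:31
    ("2020-11-02T17:31:05", "presence.hub.example"),
    ("2020-11-02T17:31:07", "api.garage.example"),
    ("2020-11-02T17:31:08", "cloud.thermostat.example"),
    ("2020-11-02T17:31:09", "lights.vendor.example"),
    ("2020-11-02T17:31:12", "stream.music.example"),
    ("2020-11-02T17:31:15", "coffee.vendor.example"),
    # Tuesday: arrival burst at 17:44
    ("2020-11-03T17:44:02", "presence.hub.example"),
    ("2020-11-03T17:44:04", "api.garage.example"),
    ("2020-11-03T17:44:06", "stream.music.example"),
    # Thursday: no arrival trigger, but traffic spread across the working day
    ("2020-11-05T09:12:00", "lights.vendor.example"),
    ("2020-11-05T10:05:41", "stream.music.example"),
    ("2020-11-05T13:22:10", "coffee.vendor.example"),
    ("2020-11-05T15:47:33", "stream.music.example"),
]

# Hypothetical mapping from a vendor's cloud endpoint to the device class behind it.
VENDOR_HINTS = {
    "presence.hub.example": "presence hub",
    "api.garage.example": "garage door controller",
    "cloud.thermostat.example": "thermostat",
    "lights.vendor.example": "smart lighting",
    "stream.music.example": "streaming music service",
    "coffee.vendor.example": "coffee maker",
}
TRIGGER = "presence.hub.example"   # the sensor-to-processor flow that starts the arrival routine

def device_inventory(flows):
    """Device classes inferable from destination hostnames alone (sorted, deduplicated)."""
    return sorted({VENDOR_HINTS[host] for _, host in flows if host in VENDOR_HINTS})

def arrival_times(flows, trigger=TRIGGER):
    """Map each date to the clock time of the first trigger flow seen that day."""
    out = {}
    for ts, host in sorted(flows):
        if host == trigger:
            stamp = datetime.fromisoformat(ts)
            out.setdefault(stamp.date().isoformat(), stamp.strftime("%H:%M"))
    return out

def likely_home_all_day(flows, trigger=TRIGGER, min_flows=3):
    """Days with no arrival trigger but sustained traffic: plausibly someone was home all day."""
    per_day = Counter(ts[:10] for ts, _ in flows)
    triggered = set(arrival_times(flows, trigger))
    return sorted(day for day, n in per_day.items() if day not in triggered and n >= min_flows)

def through_vpn(flows, vpn_host="vpn.provider.example"):
    """The same flows as seen by the ISP when tunneled: every destination is the VPN endpoint."""
    return [(ts, vpn_host) for ts, _ in flows]

if __name__ == "__main__":
    print(device_inventory(SAMPLE_FLOWS))
    print(arrival_times(SAMPLE_FLOWS))
    print(likely_home_all_day(SAMPLE_FLOWS))
    print(device_inventory(through_vpn(SAMPLE_FLOWS)))   # [] : nothing to inventory
```

Note that the VPN removes the destination hostnames but not the timing, so a daily burst of flows at 17:31 is still visible; only its contents become indistinguishable.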

Your next thought, after reconsidering the position that the data isn't that important, might be to conclude that you have some protections under United States privacy laws against an ISP monitoring your behavior online. Except, you'd be wrong.

ISPs Broadening Their Reach

This may not concern you, personally, because you figure there isn't enough data there to be harmful. However, not everyone is a sophisticated tech user. Some people would rather have one company provide them all of their smart tech and have that company manage it. This is the landscape we're starting to find ourselves in today.

Comcast not only offers cable and internet to homes, they also offer security systems including cameras, window and door sensors, and more. They even tout compatibility with numerous smart home devices like door locks, thermostats, and lighting. AT&T is no different, offering to sell streaming media players, smart outlets, security cameras, and either Google or Amazon devices as the control.

The ISPs do not care what devices you connect to your network. In theory, any device should work just as well as any other. Though, given the repeal of federal net neutrality regulations, the ISPs have positioned themselves in the perfect spot to pick preferred vendors. Essentially, while they won't state it openly, if you buy the products that they sell, now they know exactly what's in your home, and you have an extra bit of confidence that it will work reliably, without any blocking or throttling, because you bought it from the service provider. This creates an advantage for any company willing to open up your information to the ISP because there's a self-serving benefit. Provide more data to the ISP-reseller about the user and how the device is used and you'll be included in the preferred vendor list.

Ties to Title II

It seems almost everything that has to do with telecom these days has to do with the net neutrality and reclassification battle, and the ability of the Federal Communications Commission (FCC) to make privacy rules is no different. The ability of the FCC to promulgate privacy regulation turns on the same point in the 1996 Telecommunications Act as net neutrality.

If telecommunications are classified as a Title I service, then they are subject to 47 U.S.C. 160 which states,

“…the Commission shall forbear from applying any regulation… if the Commission determines that (1) enforcement of such regulation or provision is not necessary to ensure that the charges, practices, classifications, or regulation by, for, or in connection with that telecommunications carrier or… service are just and reasonable and are not unjustly or unreasonably discriminatory; (2) enforcement of such regulation or provision is not necessary for the protection of consumers; and (3) forbearance from applying such provision or regulation is consistent with the public interest.”

All this to say that the FCC, while having authority to make rules governing privacy under the Telecommunications Act, has to deem that it's required to do so. If the services are classified as Title I, then they lack the authority to regulate.

Even if the FCC were to consider acting, the ISPs could file petitions seeking that the FCC forbear from taking action. Once that petition is filed, the FCC has one year to respond, with the ability to extend by 90 days under certain circumstances.

Under a Title II classification, the FCC has broad authority to act and regulate.

It shall be unlawful for any common carrier to make any unjust or unreasonable discrimination in charges, practices, classifications, regulations, facilities, or services for or in connection with like communication service, directly or indirectly, by any means or device or to make or give any undue or unreasonable preference or advantage to any particular person, class of persons, or locality, or to subject any particular person, class of persons, or locality to any undue or unreasonable prejudice or disadvantage.

No forbearance determination is required to be made, though one can still be petitioned for.

In 2015, when the FCC reclassified broadband as a Title II service, it set up circumstances for greater broadband rules. It even passed privacy rules for broadband internet access service providers. However, when the current FCC passed the Restoring Internet Freedom Order (RIFO), it undid the Title II classification, returning broadband services to a Title I classification. As such, broadband is again outside the regulatory authority of the FCC.

While the logical conclusion, then, might be to restore the 2015 Open Internet Order, that would be incorrect. The 2015 order carved out specific exceptions for non-BIAS (Broadband Internet Access Services) that included devices like heart monitors, e-readers, energy consumption sensors, or other limited-purpose devices such as automobile telematics and scholastic applications providing content in schools. This was not an exhaustive list and, based on the type of communication involved, most if not all IoT devices would likely fall into this same gap. This means that even with a Title II reclassification, IoT would remain outside the protections.

The California net neutrality law does a little better in potentially offering some protection in that it focuses its efforts on the behavior of the ISPs when it comes to blocking, throttling, or forcing paid prioritization for the devices on a network. However, the emphasis on devices needing to be non-harmful may defeat any IoT protections because nowhere does the bill define what a non-harmful device is. Considering the lack of security measures and the common use of IoT in botnet or Distributed Denial of Service (DDoS) attacks, it may be difficult to confidently state that the devices are non-harmful.

Federal Privacy laws

In October 2016, the FCC passed new privacy rules that required the ISPs to get their customers to opt in before the data that the ISPs acquired was shared with third parties. The scope of information, as defined by the FCC, was the statutory definition of customer proprietary network information (CPNI), meaning individually identifiable CPNI, personally identifiable information (PII), and content of communications.

Even examining those terms, it's still difficult to see how IoT would have seen any coverage. Perhaps an argument could have been made for devices that were tracking personal health information, but it's hard to say what identifiable information could be gained from an individual IoT device that raises and lowers a garage door. In aggregate it's a different story, but that would have required the ISPs either to be collating the data to sell in a package about a consumer household, which may have been deemed a violation of the rules, or to be doing the profiling themselves.

It's a moot point, though, because a few short months after the rules were passed, when Congress went into session at the beginning of 2017, they utilized the Congressional Review Act to repeal the rules. This had two effects. First, it treated the rules as though they had never taken effect. (See 5 U.S.C. 801(f).) The second, and arguably more important part, is that this disapproval resolution made it so that the FCC could not reissue privacy rules in substantially the same form, nor could they issue a new rule that is substantially the same… unless the reissued or new rule is specifically authorized by a law enacted after the date of the joint resolution disapproving the original rule. (See 5 U.S.C. 801(b)(2).)

What this means is that the federal agency tasked with overseeing communications by wire and the companies that operate in that space have now been specifically restricted from enacting any kind of rulemaking in regards to how those companies gather, store, and share data from their customers.

State Privacy Laws

To date, there are only three states that have passed consumer privacy laws: California, Maine, and Nevada. There are several other states that either have bills in process or have assembled task forces in lieu of a comprehensive privacy bill. Since there is only a small offering of laws, it's worth taking a look at the contents of each to see if they cover ISP activity.

California: The California Consumer Privacy Act (CCPA) applies to any business that has annual gross revenues in excess of $25 million, or that annually deals with personal information from 50,000 or more households in California, or that gets 50% or more of its annual revenues from selling consumers' personal information. The larger ISPs will certainly fall under the first category and would likely be subject to the second as well.

Where this hits the IoT space would be Section 1798.135(o)(1)(F), which covers "Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement." Alternatively, Section 1798.135(o)(1)(K) includes "Inferences drawn from any of the information in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."

Of course, there's a strange loophole. The CCPA does not protect consumer information that is deidentified or aggregate consumer information. (See Section 1798.135(o)(3).) This seems to mean that if the ISP is able to piece little bits of deidentified data together to offer a more comprehensive view, then it's not in violation of the CCPA.

Maine: The Maine legislature went a different direction with their privacy law when it passed the Broadband Internet Access Service Customer Privacy. Instead of focusing on the edge service providers collecting data, Maine's law specifically targets the ISPs. The key points in relation to IoT are 9301(1)(C)(g), protecting "The customer's device identifier, such as a media access control address, international mobile equipment identity or Internet protocol (IP) address"; and 9301(1)(C)(i), covering "The origin and destination Internet protocol addresses."

In order for the IoT devices to communicate with other devices on the network (or phone home and provide data to the manufacturer), they have to have an IP address. For the device to provide useful information to the ISP, the ISP would need to know where the device was communicating: the destination IP address. Both are protected under the law.

Much of the Maine law is what the FCC rules tried to implement before being subject to the disapproval resolution from Congress.

Nevada: The Nevada law has the most limited protections of the three enacted laws. It only protects personal information if it includes a first initial or name and the last name along with either a social security number; or driver's license or identification card number; or a bank or credit card number with the required security code or password to provide financial account access; or medical identification or health insurance identification number; or a user name, unique identifier, or email address in combination with a password, access code or security question and answer permitting access to an online account.

This law is useful from the perspective of keeping personal account information secured, but the sensor and actuator data that IoT is dealing with is well outside of the protections.

Conclusion

Other than the Maine privacy law and the CCPA, it seems as though there are no privacy laws in the United States that act to protect the information that an ISP can gather, sell, or share with third parties. Not only can ISPs capture your browser data, but the majority of the privacy laws that have been written examine only browsing behavior and ignore the device-to-device communication involved with IoT.

The lack of net neutrality regulations means that the ISPs can also treat all data types differently. This means that they can examine the source of the data transmissions and determine if they want to block, throttle or force the device maker or owner to pay more to transmit that data without interruption. It also means that the ISPs are in a position to pick preferential business partners in the IoT marketplace.

If the manufacturer is willing to share data with the ISP, then their transmissions will go uninterrupted. This can disadvantage any real competition between device manufacturers, all under the name of proper network management practices.

Finally, it means that even though you are not actively providing information to edge service providers by using the internet, your devices are still providing a lot of data about the ways in which you live. Anyone with access to that information can collate it, determine your common behavioral patterns (even if you are offline), discover your preferred service providers, and then package and share that information.

Considering the degree to which an ISP can monitor your behavior, it's pretty incredible that somehow the large ISPs have managed to avoid any public scrutiny while Google, Facebook, Apple, and Amazon are subject to complaints from Congress, and now pending antitrust litigation.

Josh Srago is a third-year law student at Santa Clara University. Prior to law school he spent over a decade designing communications and smart building solutions. His studies focus on the ethical development of technology, exploring how current regulations and policies affect smart home and smart city development.

Author: Josh Srago

Date: 2020-12-02

URL: https://www.techdirt.com/articles/20201019/06482945528/perpetually-missing-tech-policy-isps-iot.shtml
