Let's say one thing up front. When the U.S. House of Representatives passed HJR86 yesterday, sending it to President Trump's desk, nothing actually changed. The FCC rule -- the one that requires ISPs to get your consent before they sell your private information -- had not yet gone into effect. The rhetoric in the blogosphere leading up to the vote, however, made it sound like people believed their private data was already protected. It's a no-brainer that people to whom you entrust such intimately personal information as what you do online ought to get your permission before they sell it to third parties for their profit. During the debate on the House floor, one opponent of the bill to abolish the rule urged its supporters to leave Capitol Hill for five minutes and try to find three normal people who didn't want the opt-in consent requirement. Even worse, since Congress nixed the rule via the "nuclear option" of the Congressional Review Act, no similar rule can be made except by explicit act of Congress. A future FCC or FTC is now forbidden to regulate ISPs in the way Americans overwhelmingly want.
It gets worse.
To understand the real impact of this bill, we need to dissect the argument by which big corporate ISPs fought to have it passed. Social networks like Facebook and portals like Google are allowed to sell the information they obtain when you use their services. If you like a post on Facebook, Facebook is allowed to record that you did that and use it for its own marketing purposes, or to sell it to partners for whatever they want to use it for. It's part of the terms of service. If you don't like it, don't use Facebook. (I don't like it, so I don't use Facebook.)
Big ISPs like Comcast argued they should be able to do the same thing. They persuaded the more business-friendly factions of Congress and the FCC that they were being treated unfairly and demanded a level playing field in order to compete for marketing-data dollars with other major players. Facebook is able to build up profiles of its users based on their activity. Turns out those profiles are worth quite a bit of money in the marketplace of attention. People looking to promote goods and services want to efficiently target their ad dollars. They'd rather pay Facebook for a list of web sites you visit than to shotgun their promotions to everyone hoping to interest even just a tiny fraction.
That's a great lesson in market forces until you realize that Comcast isn't at all like Facebook for this particular regulatory purpose.
I control the information I put out on social media. The social media provider may indeed sell that, but he can only sell what I voluntarily provide. Facebook doesn't know that you also lurk anonymously on Brony forums unless you explicitly tell them so. The same is generally true for any service endpoint. What they can know about you is generally limited to what you have to share with them within the confines of their service they provide to you. The profile my travel booking site has on me is limited to the travel habits they can infer from my use of their service. My pizza-ordering habits are known to the local pizzeria and not generally to anyone else. They can sell my pizza profile to the highest bidder, but there's a limit to how much such a thing is worth.
My ISP sees everything. That puts them in a unique position to build up a much more comprehensive profile than any one service endpoint could achieve. That's immediately alarming because it enables metadata analysis.
The practice of analyzing metadata rocketed to public attention when Edward Snowden revealed that American intelligence services were routinely collecting the metadata from the communications of millions of unsuspecting Americans. Phone call metadata includes the number dialed and how long the call lasted, but not the content of the conversation. Thanks to the limits of aging regulations, that information isn't covered by the Fourth Amendment, just like what's written on the outside of an envelope. You have a right to privacy in what was said, but you don't have a right to privacy in the fact that the conversation took place via a voluntarily-contracted third-party service.
Metadata analysis attempts to infer useful information from those facts, without having to delve into content. And we do it because it works. Not only does it work, it works very well. Everyone knows about the intelligence-gathering applications. But they don't necessarily know that even ordinary, commercially-available cybersecurity solutions use it. ISPs and enterprise businesses rely heavily on metadata analysis systems to protect their networks from intrusions and exploits. They know how valuable metadata is.
And it works better the more comprehensive the metadata. All someone could learn from my pizza-ordering habits is that I don't like anchovies or chewy crust. That profile has limited value because it comes from only one sector of my daily activity. What if the metadata profile were able to aggregate information from several unconnected sectors? ISPs know how much more valuable their particular metadata is.
And worst of all, what if an ISP could do this regardless of any privacy agreements I have with the endpoint providers?
The analogy that's going around the net today is to the phone company. Let's say the county health department calls me up to give me the results of an anonymous test. Let's say it's bad news. So I call up my doctor and discuss the diagnosis and treatment. Then I call my mom to tell her what's up. Individually, each of those phone calls is protected by prior agreements of client privilege and privacy. My doctor isn't selling my medical records in order to make a buck on the side. But the phone company is in unique position to know that I had phone calls, in rapid succession with, (1) a health monitoring facility, (2) a doctor, and (3) a close relative. That information alone might be very interesting to my insurance company or employer because of what can be easily inferred from it. And this is a fairly on-the-nose example. In real life, metadata analysis is able to infer an astonishing amount of correct information from even more nebulous connections.
As a matter of policy, the phone company doesn't sell that sort of information. But that's exactly what ISPs can do. They can sell to anyone for any reason a comprehensive profile of you that has been acquired using their comparatively godlike powers of observation over all facets your life. That comprehensive perspective is why they aren't like social media or other limited forums to which they insist they should be compared. The voluntary and limited use from which Facebook has to infer its profile of you justifies why it's allowed to do it.
Internet service isn't an optional novelty these days. You don't have the luxury of just not using the Internet. Even for the most disadvantaged Americans, access to services such as low-cost healthcare and public assistance requires access to the Internet to manage the case. While we're not yet to the point of the Internet being a mandatory service, we're close. Close enough to regulate ISPs as a service that people cannot easily choose not to have. And in most markets there isn't meaningful competition for broadband access. That's why one of the rules that HJR86 eliminated would have prevented broadband ISPs operating practically as monopolies in a market from insisting that you opt into their data-sharing program as a condition of service.
Comcast and others insist they just want a level playing field. But it's not level; it's significantly downhill for them compared to the companies they designate as competitors. They insist they should be allowed to merely innovate like all the others. But their ability to see everything you do gives them the power to create a profile none of their competitors can hope to match. Now you see why they're antsy to enter the market for your private data. It would certainly be "innovative" for my doctor to sell all his patient data to pharmaceutical firms. They'd be better able to target their ads and he'd be able to recognize a new revenue stream. But we instantly recognize that would be immoral. And the new FCC, Comcast, and Congress don't want to talk about whether or not their policy toward ISPs is moral. Businesses make money, therefore it must be good.
