Influential privacy scholar Paul Ohm is urging the Federal Communications Commission to move forward with rules that would require broadband providers to obtain people's opt-in consent before using data about their Web activity for ad purposes.
Ohm, who previously testified to Congress in support of the rules, this week filed FCC comments that aim to debunk some of the arguments that cable companies are making against the rules. Ohm specifically takes issue with the notion that the growing use of encryption makes new rules unnecessary -- an argument set out in a February report by privacy expert and former White House official Peter Swire.
In a report partially funded by the industry group Broadband for America, Swire argued that broadband providers no longer have a comprehensive view of subscribers' online activity, thanks to the growing use of encryption. When users visit encrypted sites, broadband providers generally can see the domain name -- like google.com -- but not the detailed URL.
Cable companies and other critics of the proposed rules have frequently drawn on that report in marshaling their arguments.
But Swire's paper, according to Ohm, is "a bit of a non sequitur."
That's because providers "retain a significant ability to invade individual privacy, even acknowledging the market and technological changes," Ohm writes in his most recent comments, which were published this week. The same day that Ohm's comments were posted, President Barack Obama announced his intention to appoint Ohm to a commission on evidence-based policy making.
Ohm points out in his comments that broadband providers can "possess a significant power to track user behavior, particularly by observing the domain names of websites visited by users," even when sites are encrypted.
Ohm also notes a flaw in the cable companies' arguments against the proposed rules: If broadband providers really don't know what subscribers do online, the privacy rules will have very little impact because the providers won't be able to target people anyway.
"If commenters correctly predict that ... providers are losing the ability to invade privacy due to encryption (a premise I seriously doubt), they are also conceding that the regulatory burden of the proposed rule will be minimal, because there will be so little benefit to lose," he writes.
Some critics of the proposal, including Federal Trade Commissioner Maureen Ohlhausen, have suggested the FCC should develop different standards based on the sensitivity of the data.
But Ohm notes that one problem with that approach is that no one can agree on the definition of "sensitive."
Consider that industry groups like the Network Advertising Initiative and Digital Advertising Alliance define "sensitive" health information differently. The DAA considers "pharmaceutical prescriptions or medical records related to a specific individual" sensitive health data. But the NAI takes a broader view of the concept of sensitive health information, which it defines as "precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history."
Facebook and Google also have their own definitions of sensitive information for online ad purposes, Ohm says.
"Advertisers can definitely target ads to people suffering from a particular disability on DAA platforms, definitely not on Facebook, and probably not on Google or NAI," Ohm writes. "Genomic information is only expressly prohibited within the NAI definition, arguably within Google’s, and likely not Facebook’s or DAA’s."
What's more, Ohm writes, companies can't figure out whether data is sensitive without violating people's privacy. "A rule that varies based on sensitivity will be a much more complex, unpredictable, and less privacy protective one," he says. "Determining whether information is sensitive requires far more invasion of privacy as well as far more surveillance."
The FCC is accepting comments on the privacy proposal through July 6.