Nick Heiner

@nickheiner

The WSJ’s “Phony” Internet Privacy Op-Ed

A response to WSJ’s “The Phony Internet Privacy Panic

FCC HQ in Washington, DC by Ser Amantio di Nicolao

On March 31st, the Wall Street Journal published an op-ed claiming to “add a few facts” to the discussion over S.J. Res. 34, which undoes Obama-era FCC protections for consumer internet privacy. Unfortunately, the Wall Street Journal’s fact-finding mission is fundamentally marred by inaccuracies of its own.

What the WSJ Got Wrong, Objectively

Comcast and Google are not the same

The FCC ditched this approach and promulgated a rule [for internet-service providers] that, curiously, did not apply to companies like Google or Amazon…
The crew pushing the rule say cable companies deserve scrutiny because it is easy to change websites but hard to change internet-service providers. The reality is the reverse: The average internet user connects through six devices, according to a paper last year from Georgia Tech, and moves across locations and networks. But which search engine do you use, whether on your home laptop or iPhone at work? Probably Google.

This is flagrantly inaccurate. The “crew pushing the rule” is correct. Let’s look at the steps required to exercise consumer choice on a search engine versus an internet service provider (ISP):

Switch to searching with Bing on your iPhone

  1. Launch the Settings app
  2. Type “search engine” in the search bar
  3. Tap “Safari Search Engine”
  4. Tap “Bing”

That was pretty easy. As a consumer, I can easily exercise my choice if I’m not satisfied with Google’s service. iOS will even let me switch to DuckDuckGo, a privacy-oriented search engine, if that’s a concern to me.

Now let’s say that I’m concerned with Verizon’s data collection practices, and I’d like to exercise my consumer choice and switch to a competitor like Comcast.

  1. See if my home is served by multiple ISPs. If not, move to a new home.
  2. Try to cancel my service on Verizon’s website, and sign up on Comcast’s website. Pay any additional fees for early termination of Verizon and setup for Comcast. (Thanks to Eduardo F. Ortiz for reminding me about the fees.)
  3. If the website doesn’t work (which is anecdotally common), call customer service on the phone and slog through a call tree and long wait times. When you’re on the phone, fight your way past customer service reps who are incentivized to try to talk you out of switching.
  4. Go through some combination of driving to a store to pick up or drop off ISP cable equipment and setting it up yourself (if you know how), or make an installation appointment. (Anecdotally, the installation appointments rarely occur on time.)
  5. If the router does not give you the option of choosing your WiFi network name and ID, reset the WiFi connection of every device in your house.

These two procedures are not even close to being the same.

It is true that an average user may interact with many different ISPs at home, work, and while travelling. But who has ever exercised consumer choice by choosing their job based on what ISP the company uses? What was the last time you chose one coffee shop over another to use an ISP whose privacy policy you were more comfortable with? It’s completely erroneous to suggest that using multiple devices provides meaningful consumer choice.

The Wall Street Journal also notes that the “average internet user connects through six devices”. This does not provide a degree of privacy. ISPs can sell data to third-party aggregators, who provide value to advertisers by joining data streams together to create one picture of users across many devices. It is not hard for them to do this.

So, no, it is not “curious” that this rule applies to ISPs, which are often regional monopolies with a high cost of consumer switching, and not to internet companies like Google or Amazon, which are not monopolies, and have substantially lower costs of consumer switching. In general, the Wall Street Journal editorial board rightly praises the power of the free market and competition to spur innovation and protect consumer interests. If they are confused and don’t realize that ISPs often look much more like utility companies than internet companies, it’s understandable how they could make this mistake. But only a company that’s largely immune from consumer choice can see its net income rise by 150% and stock price rise by 50% even as its consumer satisfaction rating drops by 3% and remains one of the lowest in the country.

When you understand that internet companies are subject much more strongly to free market forces than ISPs, it’s no surprise to see that Google and Bing offer highly-polished experiences to consumers, whereas Verizon and Comcast offer broken websites and seemingly interminable call center wait times.

Encryption is not a panacea

Encryption and other technology will soon shield some 70% of the internet from service providers.

This is misleading. (And what source did the 70% number come from? And what does “of the internet” mean? 70% of all web sites? 70% of all traffic by volume? 70% of minutes spent online are using encryption?)

Encryption, by which the Wall Street Journal presumably means HTTPS, does protect the contents of traffic from ISPs. But it does not protect the destination of the traffic. Imagine a hypothetical Comcast customer named Sam who has AIDS and researches it on ihaveaids.com. Comcast would know Sam visited that site, but wouldn’t know what they were doing there. Comcast can then sell Sam’s browsing history to an ads company, which infers from their presence on that site that they may be interested in ads for Ziagen. When they next pull up CNN at work, and the ad network serves them an ad for HIV medication, they could be outed in front of their colleagues who are glancing over their shoulder. If that scenario sounds bad to you, then the Wall Street Journal’s “encryption” is not a replacement for regulation protecting consumers.

And HTTPS doesn’t even grant total protection for the content of internet traffic. It’s possible for a site to use HTTPS with ancient encryption algorithms that have long since been rendered useless, providing encryption in name only. Or a site could use a mix of encrypted and non-encrypted content, which can compromise the entire site because the non-encrypted content can snoop on the encrypted content. Are these broken cases included in the uncited “70%” number?

If a consumer wants to protect the contents and the destination of their traffic from their ISP, they can use a VPN. This costs extra money, and is far beyond the technical reach of most users. And, although it protects from the ISP, it requires placing trust in a new set of groups, which may not be any more trustworthy.

What the WSJ Got Wrong, Subjectively

There’s a reason people don’t trust Comcast

This belies the idea that Comcast and other invented villains

“Invented villains” is a subjective term, but to add a little additional context: Comcast has over a decade of issues stemming from treating consumers poorly. Problems range from a 2004 finding that Comcast had the lowest American Customer Satisfaction Index (ASCI) score of any organization or government agency, to a 2007 incident of accidentally broadcasting porn instead of the Disney Channel, to a 2015 instance of changing a customer’s name to “Asshole Brown” when they tried to cancel their service. And lest you think that the 2004 American Customer Satisfaction Index finding was an outlier: the poor scores for Comcast and the rest of the ISP industry have been consistently at the bottom of the barrel ever since.

Shockingly, the ASCI found in 2004 that “almost half of all cable customers have registered complaints about one thing or another”.

Consumer trust in Comcast and other ISPs is very low, which is why people are uncomfortable giving them more freedom to use their data. It’s misleading for the Wall Street Journal to fail to acknowledge Comcast’s history here. The Wall Street Journal takes a shot at the IRS for allegedly targeting conservative political groups every chance it gets. In 2004, Comcast scored worse on the ASCI than the IRS, and the rest of the ISP industry is only marginally better. The Wall Street Journal should have at least some sympathy for those who are wary of ISPs.

Internet privacy is about more than pandas

… companies like Google or Amazon, whose business model includes monetizing massive data collection — what panda videos you watch or which gardening tools you buy.

Although this description is convenient for someone arguing against privacy-protecting regulation, it’s an obfuscating way to characterize privacy issues online. Yes, some portion of internet activity is frivolous, with limited risk of causing bad outcomes for consumers without privacy. But people also use the internet for activities that are much more sensitive than “panda videos”, like banking, researching medical issues, and finding dates. Target tries to determine if you’re pregnant, and Facebook helpfully detects closeted gay men and offers them advice on coming out. These privacy concerns disproportionately effect marginalized people in society, but even those with “nothing to hide” are right to be concerned. As Cory Doctorow writes, “ I know what you do in the toilet, but that doesn’t mean you don’t want to close the door when you go in the stall.”

What the WSJ Got Right

Although the main thrust of the WSJ’s fact-adding mission is objectively wrong, I should acknowledge one thing that they’re right about:

The result [of S.J. Res. 34] will be . . . the status quo.

The regulations that this bill undoes were never in effect, because they occurred late in the Obama administration. And the delta in consumer privacy caused by undoing these regulations is marginal; there have always been very few consumer privacy protections for ISPs. And more broadly, the entire digital world is just an awful place if you have serious concerns about privacy. Most people are constantly interacting with digital systems, and their behavior is recorded, analyzed, and monetized in ways they often don’t understand.

So no, this isn’t a “the sky is falling” moment, although it is good that it’s raising awareness of internet privacy issues.

Conclusion

If you are uncomfortable with your ISP selling your browsing history and behavior, you should contact your elected representatives and let them know how you feel about S.J. Res. 34. The now-dead FCC rules were solving a real problem, but repealing those rules is not creating a new problem but instead removing a solution to an old one.

I enjoying reading the Wall Street Journal’s editorial page almost every day for their perspective of rational conservatism. “The Phony Internet Privacy Panic” is an abberance from the level of quality I’d expect, so I wonder if the editorial board just received bad information from whoever they consult on technical topics. If anyone from the Wall Street Journal is reading this: I’m happy to provide accurate technical information if you’d like to be informed about an issue with a technical dimension. DM me at @nickheiner if you’re interested.

More by Nick Heiner

Topics of interest

More Related Stories