by Deborah Caldwell-Stone and Michael Robinson
(crossposted from Choose Privacy Week)

This week Congress, voting along party lines, passed a resolution that repealed the groundbreaking privacy rules adopted by the Federal Communications Commission last October under the Obama administration.  The new rules would have required ISPs to adopt fair information privacy practices in regards to their customers’ data, including a requirement that the ISP obtain affirmative “opt-in” consent from their customers before using, sharing or selling sensitive information, including geo-location information, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.  In addition, the rules would have imposed data breach notification requirements and required ISPs to adopt reasonable data security measures.

If the privacy rules had been left alone,they would have gone into effect at the end of this year. But because of the way the new resolution was written, the FCC will likely be barred from writing any similar rules in the future.  And the Federal Trade Commission, which otherwise has broad authority to regulate unfair and deceptive business practices like inadequate privacy protections or deceptive privacy policies, is likely barred from regulating ISPs, which are classified as telecommunication common carriers only subject to FCC regulation.  Thus, those Congressional representatives voting to roll back the FCC privacy rules have likely skewed the privacy playing field in favor of the ISPs for a long time to come.

This means internet service providers are free to collect information like a user’s IP address, mobile number, device identifier, device type and operating system, location information, installed apps, and contacts and share that information with advertisers without the customer’s consent.

How can libraries respond to the rollback of the FCC privacy rules?   Start with the Library Privacy Guidelines and the accompanying Library Privacy Checklists, which outline the steps libraries should take to protect users’ data and provide a secure online experience in the library.

More specific steps libraries can take to protect themselves and help users protect themselves from data collection by ISPs include:

• Participating in the movement to encrypt all web traffic by moving library websites and services to HTTPS, a protocol which prevents intermediaries like ISPs from eavesdropping.  ALA is a sponsor of the Let’s Encrypt initiative which provides free and easy to install certificates for HTTPS websites.
• Negotiating contracts with ISPs that forbid the collection of browser history and other activity data of Internet users in the library.
• Providing anonymous Internet access in library using the Tor browser or similar technologies.
• Teaching users to protect themselves from online surveillance by using technologies such as public proxies, Virtual Private Networks (VPNs) services, and anonymity networks such as Tor, as well as educating and encouraging patrons to exercise their ability to opt-out of behavioral tracking, adopt do-not-track tools, and employ encryption technologies.  San Jose Public Library’s Virtual Privacy Lab provides one model for providing patrons with the information they need to protect their privacy.

For those who are interested in learning more about these tools and tactics, the Office for Intellectual Freedom and the IFC Privacy Subcommittee are sponsoring a webinar on Practical Privacy Practices for Choose Privacy Week on Thursday, April 13 at 2:00 PM Eastern/1:00 PM Central/12 Noon Mountain/11:00 AM Pacific.  The webinar will provide information on how to configure and manage your integrated library system to preserve patron privacy, how to install free HTTPS certificates on your websites using the Let’s Encrypt services, and how to provide anonymous web browsing using TOR and other tools.

Finally, advocacy on behalf of data privacy, transparency, and customer choice is always an option.  Minnesota and Illinois have already introduced legislation that would require ISPs providing services in those states to abide by a set of rules comparable to the FCC privacy rules repealed by Congress.   While the FCC may be barred from adopting new privacy rules, Congress itself can propose and adopt a privacy regime that will protect individuals’ data.  Librarians and patrons alike can let their elected officials know that they support laws that protect individuals’ online privacy.