FCC: Your cybersecurity isn't our problem

Our privacy was on life support. The FCC is pulling the plug.

Illustration by D. Thomas Magee

The new FCC chairman hasn't wasted any time getting down to business. That is, the business of burning consumer privacy and security to the ground.

New Trump appointee FCC Chairman Ajit Pai has suspended the agency's consumer data privacy rules indefinitely. Before they even went into effect. He's basically holding the safeguards underwater while two Republican-backed congressional resolutions come in for the kill.

This neatly lays the groundwork for companies to spy, track and profit off our private viewing and browsing habits. You see, ad industry trade groups absolutely hated those privacy rules, which were established under former Chairman Tom Wheeler.

The rules would've required internet service providers to notify consumers about the collection and use of their data and required opt-in consent before using or sharing what the FCC considers sensitive information. That's stuff like Social Security numbers, data associated with kids, health and financial info, email content, location data, internet history and app-usage data.

It seems like it should be a basic right to know what's being collected about you, how it's shared, and to have a chance to opt out. But no, leading ad groups have said that Wheeler's protections would chill innovation.

So now if Verizon or Comcast want to share with their partners that you've visited websites about diabetes or pregnancy tests, the companies are freer than ever to do so. Former FCC enforcement chief Travis LeBlanc cautioned the press earlier this month that if Pai got rid of these protections, "then consumers will have nothing."

"Think about how much your ISP can know about you," he told Bloomberg Law last week. "Your phone is with you all the time, so your phone carrier knows where you are, they know who you're calling, they can see all the websites you're visiting."

He added, "You can imagine a world in which you go on television and see an ad about something you just searched for on the internet 20 seconds ago."

In addition to freezing the privacy protections, Pai gutted its provisions to make ISPs notify consumers when there's a breach. That would've been nice considering Comcast's track record. But, unfortunately for us, making breach notifications mandatory would be very expensive for companies whose priorities are their advertisers and not their customers.

Worryingly, this all is in lockstep with Pai's attitude about consumer cybersecurity in general. He and fellow Republican commissioner Michael O'Rielly have made it clear that they don't think the FCC should have any kind of active role in cybersecurity.

What happens without the rules in the event of a breach? Pai told Sen. John Thune last week that consumers would be back to relying on any federal or state breach notification requirements. In the absence of a federal breach notification law, we have to assume he means we're stuck with state breach laws, which are, incidentally, a sprawling mess.

Cybersecurity in communications is not the FCC's area, Pai and O'Rielly maintain when questioned, much to the delight of broadband and telecom providers, we're sure. In fact, O'Rielly stated that it's not really in any rules anywhere that the FCC should be doing anything about cybersecurity, so, like, they won't be. Pai and O'Rielly didn't high-five after he said that. But from the way their faces twitched to smiles, like when someone tells adults that safety in their frat house isn't technically their responsibility, they didn't need to.

The thinking by Pai and his cohorts seems to be that the Department of Homeland Security should be responsible for cybersecurity risk oversight in the communications sector. Yes, the DHS: an organization with no regulatory authority over the commercial communications sector. Which is, you know, exactly what the FCC was created for.

Pai didn't stop there. The former Verizon attorney is, after all, the man who called net neutrality a "mistake," so we know he's got some slashing and burning to do around Wheeler's old office.

The new FCC head has stopped an order that would've addressed flaws in the Emergency Alert System that allow hijackers to prevent 911 calls from getting through by performing the phone equivalent of a DDoS attack. He rescinded a notice for public input on cybersecurity risk reduction for next-generation wireless networks. Morning Consult reported that Pai also "removed from public view a study by FCC economists highlighting the growing gap between communications sector corporate cybersecurity investment and that needed to properly protect society."

Did Pai and friends not read the instructions that came with the job? Maybe someone should tell these bros and their ad-beholden buddies that the FCC is a government agency created to regulate communications for the purpose of national defense, without discrimination, "for the purpose of promoting safety of life and property through the use of wire and radio communications."

Making cybersecurity part of that mission isn't just a good idea -- even if it is a bunch of work for the FCC's new boys -- it should be a goddamn requirement. It's difficult to comprehend the logistical gymnastics behind the belief that cybersecurity and telecommunications are separate entities. They're so intertwined that to address communications regulation absent its security component would be reckless at best, catastrophic at worst. Our current situation adds a layer of creeping horror to Edward R. Murrow's prescient warning of, "Look now, pay later."

But now the FCC officially believes that cybersecurity is someone else's problem. And in the real world, when security is "someone else's problem" it quickly becomes your problem.

Images: Chip Somodevilla/Getty Images (Wheeler / Pai)