Scott Cleland is mad at Google. This is not much of a surprise. Scott Cleland spends much of his time mad at Google and wishing terrible things would happen to them. This time, Cleland wants the FCC to investigate and punish Google for their collecting user data while sending their truck fleet to find open hot spots as part of their “street view” project. The FCC has confirmed it is investigating Google’s conduct. Cleland hopes the FCC will throw the book at Google.
I’m also hoping the FCC will act. But having pondered this for awhile, I’m not sure Cleland understands precisely what an FCC action against Google would mean for issues like network neutrality and regulation of wireless broadband access. Briefly, it would require the FCC to either assert authority over all unlicensed spectrum and passive reception under some combination of Section 301 (47 USC 301) and Section 302 (47 USC 302a) of the Act, or authority over wireless broadband pursuant to Section 705 (47 USC 605). While this does not trouble me, evil pro-regulatory big-government free-market hating Socialist that I am, I am rather surprised to see those (like Cleland) who usually want the FCC kept at arms length begging the FCC to charge into the fray and extend its authority over Google, especially when such an expansion of authority would extend to network neutrality regulation as well.
More below . . . .
I will defer to EPIC for the details. To give a brief summary, Google sent a bunch of trucks around in 2007 to take pictures for their “Google Streetview” project. Along the way, they also used receivers to capture and store information people transmitted on surrounding wifi systems. Once this information came to light in 2010, we had much hue and cry — and deservedly so. Many agencies outside the U.S. investigated, while in the U.S. the Federal Trade Commission (FTC) took the lead. At the end of October, the FTC announced it had concluded its investigation by telling it to be a good boy and put voluntary controls in place.
Needless to say, this is mildly disappointing. Even taking Google at its word that it did not actually use the information collected, something a bit more enforceable than “try to put procedures in place so this doesn’t happen again” seems called for. However, such is the pathetic state of U.S. privacy law that I cannot say the FTC’s behavior is in any way exceptional.
Enter now the Federal Communications Commission (FCC). Back when Google’s conduct came to light, EPIC’s Mark Rotenberg filed a letter with the FCC asking the FCC to investigate (and presumably punish) Google’s collection of WiFi information. After the FTC pronounced itself satisfied, the FCC announced that it would continue its own investigation. All well and good so far. But here comes the fun part: under what authority will the FCC investigate Google?
If broadband access were a Title II service, this would clearly be covered under a number of statutes that cover tapping telephone calls. But it’s not. It’s an information service. Making life more difficult for the FCC, all this took place over unlicensed frequencies, and Google’s bad behavior involved passively receiving and recording the information. Google did not break any encryption or otherwise do anything other than passively receive and record information not intended for it. The closest analogy would be if Google pointed a passive directional microphone at you and listened from a distance while you chatted quietly with a friend in a public park.
The EPIC Letter suggests that the FCC could enforce the Electronic Communication Privacy Act (ECPA) (18 USC 2510, et seq.). Leaving aside the various defenses Google has raised, it does not appear that the FCC has any particular enforcement power with regard to ECPA. The EPIC Letter also suggests Section 222 (47 USC 222), but since broadband access is not a telecommunications service this is simply not applicable. The letter also suggests Section 705 (47 USC 605) of the Act. As I shall discuss below, this has much greater promise — both to reach Google’s conduct and other conduct as well.
But before I get to that, let us consider a possibility not mentioned in the Epic Letter, the prohibition on using an unlicensed wireless device for eavesdropping, found at 47 C.F.R. 15.9.
The “No Eavesdropping” Rule And Its Implications:
Part 15.9 of the FCC’s rules states:
Except for the operations of law enforcement officers conducted under lawful authority, no person shall use, either directly or indirectly, a device operated pursuant to the provisions of this part for the purpose of overhearing or recording the private conversations of others unless such use is authorized by all of the parties engaging in the conversation.
Let us assume that Google used a device authorized under Part 15 of the Commission’s rules, and that the data gathered constitute a “conversation.” If we grant these two, then Google would certainly appear to have violated this rule. Problem solved, yes?
Not quite. The rule appears to derive from 47 USC 302a(d), which explicitly requires the FCC to ban devices capable of “receiving transmissions in the frequencies allocated to the domestic cellular radio telecommunications service.” Google did not monitor “cellular radio telecommunications service.” For Part 15.9 to apply to Google’s passive reception of data (and recording of same) would require acknowledging the FCC’s ability to regulate such conduct under its general authority pursuant to Sections 301 (47 U.S.C. 301) and 302 (47 USC 302a). Section 301 gives the FCC authority to regulate all transmissions of radio frequency energy to control interference. Section 302a allows the FCC to set rules for certification of devices that emit radio frequency (RF) energy (either intentionally or unintentionally), and to regulate the manufacture, transport and sale of such devices. But the FCC most emphatically does not control the behavior of such devices once they passively receive a communication. That was settled in the “broadcast flag case,” American Library Assoc. v. FCC, 406 F.3d 689 (D.C. Cir. 2005). Even if we distinguish Google’s activity from the “broadcast flag” in that broadcast flag sought to control what happened after the communication ended, whereas Google’s conduct occurred during the communication, we would still need to acknowledge that Sections 301 and 302 combined give the FCC ongoing authority to regulate the use of unlicensed spectrum — including the passive collection of information without any incidental transmission of RF.
I don’t mind finding the FCC has such authority. But I recognize doing so goes well beyond what the FCC has ever previously asserted. It would absolutely extend the FCC’s authority to cover receiver standards (a matter of some dispute for receivers that are not also transmitters — such as televisions), as well as provide the FCC with authority to regulate users of unlicensed spectrum (such as WISPs) in precisely the same manner as the FCC now regulates licensees. Furthermore, how do you engage in prioritization of wireless traffic or behavioral advertising without gather information on the nature of the traffic? If the FCC has authority to prohibit and punish the mere passive collection of information on unlicensed spectrum, one must concede its authority to prohibit such practices by wireless licensees.
Somehow, for all Cleland would like to see the FCC punish Google and enforce stronger privacy guarantees, I can’t see him (or those who pay his salary) wanting the FCC to expand its authority over passive reception of RF and over unlicensed spectrum use post-equipment certification in ways not directly linked to transmission/radiation of RF energy.
Section 705 and Its Implications:
We now return to the provision recommended by EPIC, Section 705 of the Communications Act as amended (47 USC 605) (not to be confused with Section 705 of the Telecommunications Act of 1996). This looks considerably more promising. Section 705 says, in pertinent part:
No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person. No person not being entitled thereto shall receive or assist in receiving any interstate or foreign communication by radio and use such communication (or any information therein contained) for his own benefit or for the benefit of another not entitled thereto.
Broadband information is clearly a “communication.” This is why it falls under Title I, as a “communication by wire or radio.” The term “intercept” would appear to cover what Google did, the passive collection of information not directed to it.
There are, however, rather interesting consequences to applying Section 705 to broadband traffic, especially when considering the prohibition on self-benefit as well as the prohibition on making the “contents, substance, purport, effect, or meaning” known to another. On its face, this would appear to ban deep-packet inspection or other forms of information scanning to which a subscriber does not explicitly consent. The statute, on its terms, applies to the carrier entrusted with the message as well as to any outside entity.
So does Section 705 prohibit targeted and behavioral advertising? Heck, does it prohibit paid prioritization of user traffic (when done without user consent). If we apply Section 705 to Google’s passive collection of data, never published and never used, then it should surely apply to any data actively collected via deep packet inspection or other means — especially when that information is then disclosed to others for purposes of paid prioritization or advertising.
If Cleland gets what he wants, the FCC coming down on Google like a ton of bricks, wouldn’t that require imposing stronger privacy rules on all carriers, wireless and wireline alike? Indeed, it would appear Section 705 would also create the basis of authority for the FCC’s proposed network neutrality “fifth principle” of non-discrimination. to discriminate on the basis of origin or destination or type of traffic requires that the carrier “intercept” the communication — in the sense of gathering information not readily available and not intended to be conveyed to the carrier by the subscriber, or not intended by the subscriber to be used by the carrier for this purpose. Arguably, the carrier could meet the existing requirements under Section 705 via disclosure to the subscriber as part of the terms of service. But under Section 4(i) of the Communications Act, the FCC has authority to enforce Section 705 and make “such rules as are necessary” to carry out “the purposes” of Communications Act — including Section 705. If Section 705 applies to the passive collection of information from a wireless transmission, then it would appear to give the FCC authority to impose (at least) network neutrality regulations (on wireless carriers, at least) directly rather than as a matter of ancillary authority.
I’ll confess I never thought of Section 705 in connection with network neutrality (or anything else for that matter) until this came up. To the extent folks think of Section 705 at all these days, they think of it as the prohibition on stealing encrypted satellite services. I’ll also note that the prohibition on wireline communications does not prohibit self-benefit, but does prohibit making the communication known to another. This may limit its effectiveness to impose certain types of network neutrality rules on wireline carriers. Still, if the FCC refuses to take the safer course and reclassify broadband access as a Title II service, it would appear that Section 705 provides a basis for exercise of direct authority over the “interception” of broadband communications.
Unless the FCC determined that mere passive collection of information did not constitute an “interception,” in which case Section 705 does not reach Google’s behavior. That would, of course, mean letting Google off the hook. What a choice for Scott Cleland — punish Google for its privacy violation while laying the foundation for FCC enforcement of wireless network neutrality and the prohibition on behavioral advertising, or let Google get off completely. For myself, I’m happy to throw the book at Google and impose more meaningful privacy and consumer protection regulation on the broadband industry. Others, however, may prefer to let Google off easy rather than establish such a broad precedent. Decisions, decisions . . . .
Stay tuned . . . .