{"id":15500,"date":"2019-06-05T08:10:09","date_gmt":"2019-06-05T16:10:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/06\/05\/news-9249\/"},"modified":"2019-06-05T08:10:09","modified_gmt":"2019-06-05T16:10:09","slug":"news-9249","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/05\/news-9249\/","title":{"rendered":"Maine inches closer to shutting down ISP pay-for-privacy schemes"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 05 Jun 2019 15:00:00 +0000<\/strong><\/p>\n

Maine residents are one step closer to being protected from the unapproved use, sharing, and sale of their data by Internet service providers (ISPs). A new state bill, already approved by the state House of Representatives and Senate, awaits the governor\u2019s signature. <\/p>\n

If signed, the bill would provide some of the strongest data privacy protections in the United States, putting a latch on emails, online chats, browser history, IP addresses, and geolocation data collected and stored by ISPs like Verizon, Comcast, and Spectrum. The bill goes further: Unlike a data privacy proposal in the US<\/a> and a new data privacy law in California, the Maine bill explicitly shuts down any pay-for-privacy schemes. <\/p>\n

The Act to Protect the Privacy of Online Customer Information<\/a> (or LD 946 for short) would go into effect on July 1, 2020. It is, with minor exception, widely supported, even among its intended targets. <\/p>\n

\u201cWe sell Internet access, and we know that if people can\u2019t trust the Internet, then the value of the Internet is significantly lessened, as it will be used less for sensitive applications,\u201d wrote Fletcher Kittredge and Kerem Durdag<\/a>, CEO and COO of Maine-based ISP GWI. \u201cEven if government regulation blocks us from making money selling customer data (something we never ever do), we still benefit because a trusted Internet is more valuable to all our customers.\u201d<\/p>\n

Not everyone agrees, though. <\/p>\n

The Maine State Chamber of Commerce opposes the bill and, following the Senate\u2019s unanimous approval last week (35\u20130), has vowed to \u201censure that this harmful bill does not become law.\u201d<\/p>\n

The Chamber\u2019s arguments have puzzled the ACLU of Maine, a supporter of LD 946. According to the nonprofit, the Chamber has engaged in \u201cgaslighting\u201d and \u201cdisingenuous\u201d advertising, serving as a mouthpiece for the region\u2019s big ISPs. <\/p>\n

The Chamber did not respond to requests for comment. <\/p>\n

Further, the Chamber commissioned a public survey that handwaves away the actual matter at hand: Should ISPs be restricted from selling user data? <\/p>\n

To the ACLU of Maine, that answer is clear: Yes. <\/p>\n

\u201cThis bill protects Mainers from having their ISPs sell their data without their knowledge and consent,\u201d said Oamshri Amarasingham, advocacy director of ACLU of Maine. <\/p>\n

The bill<\/strong><\/h3>\n

Sponsored by Maine state Democratic Senator Shenna Bellows, LD 946 would prohibit ISPs from using, disclosing, selling, or allowing access to customers\u2019 \u201cpersonal information<\/a>.\u201d That includes the content of online communications, web browsing history, app usage history, \u201cprecise geolocation information,\u201d and health and financial information.<\/p>\n

This bill does not exist in a vacuum. In February, Motherboard revealed that, for years, actual, honest-to-God <\/a>bounty hunters<\/a><\/em> could access the location data<\/a> of AT&T, T-Mobile, and Sprint customers. It gets better (worse): The location data was initially intended for 911 operators, but was sold to data aggregators by the telecom companies themselves. <\/p>\n

Away from bounty hunter headlines, The Verge also spotlighted AT&T\u2019s future profiteering plans<\/a> last month to monetize nearly every piece of its customers\u2019 data. <\/p>\n

Under LD 946, that activity would be regulated. <\/p>\n

The bill allows for some exceptions. An ISP could sell user data so long as the user consents to that sale, and ISPs could also use and disclose user data when complying with court orders, rendering bills, protecting users from fraud and abuse, and providing their services, so long as the user data is necessary to those services. Further, ISPs could disclose geolocation data in the case of emergencies, like dispatching 911 services. <\/p>\n

The bill also closes a few potential loopholes, prohibiting ISPs from requiring that users consent to the sale of their data in order to use their services. The bill also states that ISPs must provide \u201cclear, conspicuous, and nondeceptive notice\u201d when users consent to sell their data. <\/p>\n

Finally, the bill shuts down any \u201cpay-for-privacy\u201d schemes that have already proved popular<\/a>. According to the bill, ISPs cannot \u201ccharge a customer a penalty or offer a customer a discount based on the customer\u2019s decision to provide or not provide consent\u201d to having their data sold, shared, or accessed by third parties. <\/p>\n

Good. <\/p>\n

As we previously wrote about Sen. Ron Wyden\u2019s data privacy proposal, which includes a pay-for-privacy stipulation:<\/p>\n

\u201c[Pay-for-privacy] casts privacy as a commodity that individuals with the means can easily purchase. But a move in this direction could further deepen the separation between socioeconomic classes. The \u2018haves\u2019 can operate online free from prying eyes. But the \u2018have nots\u2019 must forfeit that right.\u201d<\/p>\n

The Maine state bill does its part to prevent that unequal outcome. <\/p>\n

Maine Governor Janet Mills has until June 11 to sign the bill and turn it into law. If she misses the deadline, the bill automatically becomes law. <\/p>\n

Amarasingham of ACLU of Maine expects a positive outcome. <\/p>\n

\u201cWe are optimistic that [Governor Mills] will sign this bill,\u201d Amarasingham said. \u201cI know ISPs and the Chamber of Commerce are exerting a lot of pressure, but I\u2019m proud to say Maine legislators didn\u2019t cave to that. I hope the governor\u2019s office won\u2019t either.\u201d <\/p>\n

The opposition<\/strong><\/h3>\n

The challenge to LD 946 includes claims of insufficiency, unproven rhetoric, misguiding statistics, and a question as to what legislation should accomplish. <\/p>\n

As Amarasingham said, one of the bill\u2019s main opponents is the Maine State Chamber of Commerce. In recent months, the Chamber funded a 30-second video ad<\/a> criticizing the bill, hired a research firm to conduct public surveys about data privacy, and launched a website that asked Maine residents to tell their representatives to vote against the bill. <\/p>\n

That website labeled LD 946 as \u201charmful to Maine\u2019s consumers,\u201d because, allegedly, the bill \u201cwill create greater consumer confusion and undermine consumers\u2019 confidence in their online activities\u2014a risk to the continued growth of the digital economy.\u201d <\/p>\n

That confusion argument showed up in a Central Maine opinion piece<\/a> written by Mid-Maine Chamber of Commerce president and CEO Kimberly Lindlof. Lindlof wrote that a \u201cpatchwork\u201d of state data privacy laws\u2014with different standards across different state lines\u2014could create a scenario where Maine residents \u201cmight have to opt in to a privacy setting in Maine but opt out of that setting if you go into another state for vacation.\u201d<\/p>\n

But the Mid-Maine Chamber of Commerce and the Maine State Chamber of Commerce both oppose LD 946 for another reason: The bill does not go far enough. <\/p>\n

According to both agencies, LD 946 should apply not just to companies that provide Internet service, but also companies that operate their businesses online, such as Google and Facebook. The Chamber\u2019s video ad, which it posted on Facebook, said that \u201cit doesn\u2019t make sense\u201d to leave out these big Silicon Valley tech companies which have repeatedly failed to protect user data. (The video ad also claims that that LD 946 \u201cexempts Facebook,\u201d which is flatly untrue\u2014it simply does not apply to Facebook. There are no written exemptions for the company.) <\/p>\n

Boiled down, the Chamber wants a stronger bill. <\/p>\n

However, this is an ideological argument about policy: Should legislation immediately achieve broad goals, or should it take individual steps towards those goals?<\/p>\n

According to Amarasingham, the reality of policy-making is the latter. <\/p>\n

\u201cThe nature of legislation and law reform is that it is incremental,\u201d she said. \u201cThere is no one bill on any issue that solves an entire problem. This bill is an enormous first step and it is very important.\u201d <\/p>\n

Following the Senate\u2019s approval of LD 946 last week, the Chamber responded on its website:<\/p>\n

\u201cToday the State Senate failed to protect the online privacy of all Maine consumers in passing LD 946, a fundamentally flawed bill that will do little to make Mainers\u2019 personal privacy more secure on the Internet. Despite the fact that 87% [nearly 90%] of Mainers believe a state law should apply to all companies on the Internet according to a recent survey, senators chose to pass a bill that leaves consumers\u2019 personal data unprotected when they are using websites, search engines, and social media apps.\u201d<\/p>\n

Those statistics deserve scrutiny. <\/p>\n

The statement cites a Chamber-funded survey by David Binder Research<\/a>, in which the firm conducted 600 telephone interviews between May 9 and May 11. The statistic referenced by the Chamber pertains to this question: <\/p>\n

\u201cIf the Maine state legislature were to pass a law today to protect your personal privacy, should this law apply to just a few companies on the Internet, with the idea of passing more law [sic] in the future to cover additional companies on the Internet, or should this law apply to all companies?\u201d<\/p>\n

According to the survey, 87 percent of respondents answered \u201cAll companies.\u201d <\/p>\n

But that question asks respondents to make a choice between two entirely different things\u2014one of them literally exists and the other does not. <\/p>\n

LD 946, which applies to a \u201cfew companies,\u201d is written. A bill that applies to \u201call companies\u201d is not. This is a choice between reality and possibility. <\/p>\n

Further, the question\u2019s language obfuscates a core difference between \u201ccompanies on the Internet\u201d\u2014like Google and Facebook\u2014and companies that provide<\/em> the internet. These are not the same. <\/p>\n

The Maine State Chamber of Commerce did not respond to emailed questions about when it last created a website campaign against a bill, or about why it believes the potential for broader privacy protections supersedes the current bill\u2019s incremental protections. The Chamber also did not reply to a voicemail providing similar questions. <\/p>\n

If at this point, you\u2019re confused about how incremental protections against sneaky ISP behavior could be seen as \u201charmful,\u201d you\u2019re not alone. Tracking the Chamber\u2019s privacy-protective messaging against its anti-ISP-protection messaging can make anyone\u2019s head spin. <\/p>\n

\u201cI can\u2019t say that I fully understand why the Chamber is carrying Spectrum and AT&T\u2019s water on this,\u201d Amarasingham said. \u201cTheir top line, outward-facing message was Mainers deserve privacy protections, which is also our top line message.\u201d <\/p>\n

Amarasingham continued: \u201cThis is real privacy protection.\u201d<\/p>\n

Data privacy shoulds and should-nots <\/strong><\/h3>\n

Should rules be written to stop Facebook and Google and dozens of Silicon Valley tech companies from profiting off your data? That depends on several factors, like what those rules would look like, how they would be implemented and enforced, and what exemptions would apply, not to mention whether those rules would nullify current state rules that are being pushed forward today. <\/p>\n

But should ISPs be allowed to sell user data without consent when there is already a widely-supported plan in place to stop them? Absolutely not. <\/p>\n

The post Maine inches closer to shutting down ISP pay-for-privacy schemes<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 05 Jun 2019 15:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Unlike a data privacy proposal in the US and a new data privacy law in California, the Maine data privacy bill aimed at Internet Service Providers (ISPs) explicitly shuts down any pay-for-privacy schemes. <\/p>\n

Categories: <\/p>\n