Maine residents are one step closer to being protected from the unapproved use, sharing, and sale of their data by Internet service providers (ISPs). A new state bill, already approved by the state House of Representatives and Senate, awaits the governor’s signature.
If signed, the bill would provide some of the strongest data privacy protections in the United States, putting a latch on emails, online chats, browser history, IP addresses, and geolocation data collected and stored by ISPs like Verizon, Comcast, and Spectrum. The bill goes further: Unlike a data privacy proposal in the US and a new data privacy law in California, the Maine bill explicitly shuts down any pay-for-privacy schemes.
The Act to Protect the Privacy of Online Customer Information (or LD 946 for short) would go into effect on July 1, 2020. It is, with minor exception, widely supported, even among its intended targets.
“We sell Internet access, and we know that if people can’t trust the Internet, then the value of the Internet is significantly lessened, as it will be used less for sensitive applications,” wrote Fletcher Kittredge and Kerem Durdag, CEO and COO of Maine-based ISP GWI. “Even if government regulation blocks us from making money selling customer data (something we never ever do), we still benefit because a trusted Internet is more valuable to all our customers.”
Not everyone agrees, though.
The Maine State Chamber of Commerce opposes the bill and,
following the Senate’s unanimous approval last week (35–0), has vowed to “ensure
that this harmful bill does not become law.”
The Chamber’s arguments have puzzled the ACLU of Maine, a supporter of LD 946. According to the nonprofit, the Chamber has engaged in “gaslighting” and “disingenuous” advertising, serving as a mouthpiece for the region’s big ISPs.
The Chamber did not respond to requests for comment.
Further, the Chamber commissioned a public survey that handwaves away the actual matter at hand: Should ISPs be restricted from selling user data?
To the ACLU of Maine, that answer is clear: Yes.
“This bill protects Mainers from having their ISPs sell their data without their knowledge and consent,” said Oamshri Amarasingham, advocacy director of ACLU of Maine.
Sponsored by Maine state Democratic Senator Shenna Bellows, LD 946 would prohibit ISPs from using, disclosing, selling, or allowing access to customers’ “personal information.” That includes the content of online communications, web browsing history, app usage history, “precise geolocation information,” and health and financial information.
This bill does not exist in a vacuum. In February, Motherboard revealed that, for years, actual, honest-to-God bounty hunters could access the location data of AT&T, T-Mobile, and Sprint customers. It gets better (worse): The location data was initially intended for 911 operators, but was sold to data aggregators by the telecom companies themselves.
Away from bounty hunter headlines, The Verge also spotlighted AT&T’s future profiteering plans last month to monetize nearly every piece of its customers’ data.
Under LD 946, that activity would be regulated.
The bill allows for some exceptions. An ISP could sell user data so long as the user consents to that sale, and ISPs could also use and disclose user data when complying with court orders, rendering bills, protecting users from fraud and abuse, and providing their services, so long as the user data is necessary to those services. Further, ISPs could disclose geolocation data in the case of emergencies, like dispatching 911 services.
The bill also closes a few potential loopholes, prohibiting
ISPs from requiring that users consent to the sale of their data in order to
use their services. The bill also states that ISPs must provide “clear, conspicuous,
and nondeceptive notice” when users consent to sell their data.
Finally, the bill shuts down any “pay-for-privacy” schemes that have already proved popular. According to the bill, ISPs cannot “charge a customer a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent” to having their data sold, shared, or accessed by third parties.
As we previously wrote about Sen. Ron Wyden’s data privacy
proposal, which includes a pay-for-privacy stipulation:
“[Pay-for-privacy] casts privacy as a commodity that
individuals with the means can easily purchase. But a move in this direction
could further deepen the separation between socioeconomic classes. The ‘haves’
can operate online free from prying eyes. But the ‘have nots’ must forfeit that
The Maine state bill does its part to prevent that unequal
Maine Governor Janet Mills has until June 11 to sign the
bill and turn it into law. If she misses the deadline, the bill automatically
Amarasingham of ACLU of Maine expects a positive outcome.
“We are optimistic that [Governor Mills] will sign this
bill,” Amarasingham said. “I know ISPs and the Chamber of Commerce are exerting
a lot of pressure, but I’m proud to say Maine legislators didn’t cave to that.
I hope the governor’s office won’t either.”
The challenge to LD 946 includes claims of insufficiency, unproven rhetoric, misguiding statistics, and a question as to what legislation should accomplish.
As Amarasingham said, one of the bill’s main opponents is the Maine State Chamber of Commerce. In recent months, the Chamber funded a 30-second video ad criticizing the bill, hired a research firm to conduct public surveys about data privacy, and launched a website that asked Maine residents to tell their representatives to vote against the bill.
That website labeled LD 946 as “harmful to Maine’s
consumers,” because, allegedly, the bill “will create greater consumer
confusion and undermine consumers’ confidence in their online activities—a risk
to the continued growth of the digital economy.”
That confusion argument showed up in a Central Maine opinion piece written by Mid-Maine Chamber of Commerce president and CEO Kimberly Lindlof. Lindlof wrote that a “patchwork” of state data privacy laws—with different standards across different state lines—could create a scenario where Maine residents “might have to opt in to a privacy setting in Maine but opt out of that setting if you go into another state for vacation.”
But the Mid-Maine Chamber of Commerce and the Maine
State Chamber of Commerce both oppose LD 946 for another reason: The bill does
not go far enough.
According to both agencies, LD 946 should apply not just to companies that provide Internet service, but also companies that operate their businesses online, such as Google and Facebook. The Chamber’s video ad, which it posted on Facebook, said that “it doesn’t make sense” to leave out these big Silicon Valley tech companies which have repeatedly failed to protect user data. (The video ad also claims that that LD 946 “exempts Facebook,” which is flatly untrue—it simply does not apply to Facebook. There are no written exemptions for the company.)
Boiled down, the Chamber wants a stronger bill.
However, this is an ideological argument about policy:
Should legislation immediately achieve broad goals, or should it take individual
steps towards those goals?
According to Amarasingham, the reality of policy-making is
“The nature of legislation and law reform is that it is
incremental,” she said. “There is no one bill on any issue that solves an
entire problem. This bill is an enormous first step and it is very important.”
Following the Senate’s approval of LD 946 last week, the
Chamber responded on its website:
“Today the State Senate failed to protect the online privacy
of all Maine consumers in passing LD 946, a fundamentally flawed bill that will
do little to make Mainers’ personal privacy more secure on the Internet.
Despite the fact that 87% [nearly 90%] of Mainers believe a state law should
apply to all companies on the Internet according to a recent survey, senators
chose to pass a bill that leaves consumers’ personal data unprotected when they
are using websites, search engines, and social media apps.”
Those statistics deserve scrutiny.
The statement cites a Chamber-funded survey by David Binder Research, in which the firm conducted 600 telephone interviews between May 9 and May 11. The statistic referenced by the Chamber pertains to this question:
“If the Maine state legislature were to pass a law today to protect your personal privacy, should this law apply to just a few companies on the Internet, with the idea of passing more law [sic] in the future to cover additional companies on the Internet, or should this law apply to all companies?”
According to the survey, 87 percent of respondents answered “All
But that question asks respondents to make a choice between
two entirely different things—one of them literally exists and the other does
LD 946, which applies to a “few companies,” is written. A bill
that applies to “all companies” is not. This is a choice between reality and possibility.
Further, the question’s language obfuscates a core difference between “companies on the Internet”—like Google and Facebook—and companies that provide the internet. These are not the same.
The Maine State Chamber of Commerce did not respond to
emailed questions about when it last created a website campaign against a bill,
or about why it believes the potential for broader privacy protections supersedes
the current bill’s incremental protections. The Chamber also did not reply to a
voicemail providing similar questions.
If at this point, you’re confused about how incremental protections
against sneaky ISP behavior could be seen as “harmful,” you’re not alone. Tracking
the Chamber’s privacy-protective messaging against its anti-ISP-protection
messaging can make anyone’s head spin.
“I can’t say that I fully understand why the Chamber is carrying
Spectrum and AT&T’s water on this,” Amarasingham said. “Their top line, outward-facing
message was Mainers deserve privacy protections, which is also our top line
Amarasingham continued: “This is real privacy protection.”
Data privacy shoulds and should-nots
Should rules be written to stop Facebook and Google and
dozens of Silicon Valley tech companies from profiting off your data? That
depends on several factors, like what those rules would look like, how they
would be implemented and enforced, and what exemptions would apply, not to
mention whether those rules would nullify current state rules that are being
pushed forward today.
But should ISPs be allowed to sell user data without consent when there is already a widely-supported plan in place to stop them? Absolutely not.
The post Maine inches closer to shutting down ISP pay-for-privacy schemes appeared first on Malwarebytes Labs.
Powered by WPeMatico