Slashdot Mirror


More on Internet Privacy Legislation

Last week we noted that Senator Hollings had introduced a privacy bill and that there were likely to be more introduced. Now Salon has a piece critical of Hollings' bill. EPIC wrote about it as well, and they seem to think it's not too bad, all things considered. Read Hollings' bill yourself and decide who's right. Also of note is a bill introduced in the House that would require all Federal agencies to prepare privacy impact statements (the ACLU has a summary) akin to the environmental impact statements now required for actions adversely affecting the environment. Seems like a good idea to me.


  1. sensitive/non-sensitive by Transient0 · · Score: 5, Insightful

    ---direct quote from bill

    (c) NONSENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES ROBUST NOTICE AND OPT-OUT CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--

    (1) collect personally identifiable information not described in subsection (b) online, or
    (2) disclose or otherwise use such information collected online, from a user of that service or website.

    ---end quote

    Salon's article does seem a bit overly critical. This bill is a necessary piece of legislation. Sure some would like to see it even stricter (prohibiting any spyware style market research), but as it is it prohibits companies from collecting sensitive information and also from collecting information which is non-sensitive but could potentially be used to identify you.

    The Salon article implies that the bill will allow companies to collect all sorts of non-sensitive personal information and use it to build a complete profile of you, including the stuff that can't be directly collected due to its sensitivity. This just isn't true.

    1. Re:sensitive/non-sensitive by Ibag · · Score: 3, Interesting

      One reason I dislike the bill is because I am not sure what they really mean by robust notice. If the Salon article is right, the small bit they had in the Kazaa license about BDE could count as robust notice.

      Another reason I dislike the bill is because it requires opt-out. While this is better than nothing being required, it is easy to hide the option to opt out or to put the access to the option to opt out somewhere you can't access till you have already registered. I don't want anybody selling my personal information before they've even given me a chance to opt out.

      With those two things, the bill unsettles me. Why can't it require things to be opt in? If a website had something clear that said "If you give us consent to collect and sell your personal information, check this box" I would have no qualms. In that case, you know both that the user does consent and that if you do not consent, then you won't be shafted.

      While stuff like this should be regulated, it should not be under these terms.

    2. Re:sensitive/non-sensitive by mikosullivan · · Score: 4, Insightful
      "You have been added to our subscription list, please send an opt-out notice to our address to remove yourself, otherwise a charge of $21.99 will be billed to your credit card company as payment for services rendered".

      (IANAL) I agree with your feelings on the matter, but there is a distinction, at least insofar as will be perceived by our lawmakers.

      (Miko goes into lecture mode, pretending to be the guy in "Paper Chase") A contract requires a specific offer and a pro-active acceptance. A contract also requires consideration on all sides, i.e. everyone involved must get something theoretically of value. (That's why you hear about all those contracts in which someone gets one dollar. That one stinking dollar is the "consideration" received by one of the parties.) The scenario you describe wouldn't be a contract, because you did nothing to initiate the magazine subscription. However, an ISP can currently sell your name and other information and you aren't a party to that contract. You may feel like you're paying something out (your privacy) but that isn't currently recognized as something of consideration.

      Furthermore, you can already establish a contract in which the ISP cannot sell your name and number. The problem is that most people don't know/care to do that and the contracts never mention the issue. Even if you tried to do so, most ISPs would simply look at you funny and keep smacking their gum. Ergo, in most real-world situations, the ISP has the right to sell your name because nothing in the contract said they couldn't. However, contracts are not entirely governed by their content. No contract in the world covers every possibility (Clause 182,383,282: Alien Invasions). That's why we have something called the Uniform Commercial Code. The UCC, among other things, sets the defaults for how contracts are interpreted. For example, if you offer to sell someone your car at a specific price (you have to set a specific price) but you don't tell them how long the offer is good, then they have a "reasonable" amount of time to accept. If you're wondering what's "reasonable", so have a lot of judges. One day is definitely reasonable. One year isn't. Now, back to the Hollings bill. What the Hollings bill does (theoretically) is establish some of those clauses that aren't explicitly covered in your contract with the ISP. The bill says, in effect, that unless the contract says otherwise, the ISP can sell your information, but if you tell them not to, they can't. Also, the ISP has to make it clear to you if they intend to sell your info.

      Who says the law ain't fun? Why, this stuff is almost as good as OOP.

      --
      Miko O'Sullivan
  2. I think I see his nefarious plan... by phong3d · · Score: 5, Funny
    I think Hollings is actually a visionary! He realizes that the high-tech industry can bring a lot of jobs and money into a state, and South Carolina's not really one of the hot geek destinations right now.

    So, he's decided that if he can sponsor enough loony internet-related bills, he'll rile up enough geeks to move to South Carolina for the sole purpose of voting him out of office. Once they're settled there, they'll figure they might as well get jobs and some entrepreneurial-minded individuals will start businesses that will eventually boost the economy of the state!

    I have to admit, it's a brilliant plan from a brilliant senator, whose love of his state far outweighs petty concerns like hundreds of thousands of dollars in lobbyist contributions.

    Bravo, Senator Hollings, bravo!

  3. TrustE -- Not! by floppy+ears · · Score: 3, Insightful

    From the Epic site: Hewlett Packard urged inclusion of a safe harbor provision in the Act to insulate companies from enforcement if they are members of a certified seal program such as BBBOnline or TrustE.

    Oh, yes, of course, if they are members of wonderful TrustE then they'll nevvver evvver violate our privacy. That's why TrustE busted Yahoo! for changing our marketing preferences, right?

    Seriously, has TrustE ever busted anybody -- at least any company that we've ever heard of?

    --

    "If I could live to be several hundred
    I could take a walk and really wander, really wonder."
  4. Personal data is easy to get off of gov't. servers by Artifice_Eternity · · Score: 3, Funny


    The resourceful team at the Subversive Intellectual Society managed to dig up a whole series of confidential letters sent to people like David Koresh, Ted Kaczynski, Elian Gonzalez, and others, by various government agencies.

    Maybe they'll dig up Senator "SSSCA" Hollings' tax returns next. Or his CD or video purchases...I'd love to see those...

    ;)

  5. Sigh ... by ProfMoriarty · · Score: 4, Informative
    The problem with OPPA (as it's currently called) is obvious (to those who read the article).

    Unfortunately, this legislation looks like it would pass, since it isn't as obvious to what's really going on ...

    The second is "nonsensitive" information, and among that will include your name, address, and records of anything you buy or surf on the Internet.

    Under the act, business can't collect or divulge the sensitive bits without your express consent, but anything classified as nonsensitive can be freely collected and sold at will.

    --
    Karma? Karma? I don't need no stinkin' karma.
  6. This disturbs me more each day by Eagle5596 · · Score: 4, Insightful
    What bothers me most is that I think he will pass his bill, given that he can market it under false pretenses to both sides. By far the most disturbing part of this proposed bill however, is what they deem "nonsensitive information", namely my name, address, and shopping/surfing habits.

    Don't be fooled, your name and address are two of the most sensitive pieces of information you possess! In the hands of malicious people, it can simply be taken down to the DMV to bring up your file, and the unfortunate state of things is that most people list their social security number as their driver's ID (I changed mine to an anonymous number after taking a class in privacy, when we learned about the growing number of cases of identity theft). The fact of the matter is, I don't want people to have access to this sort of thing unless I give them it expressly. I also don't want information on my shopping and surfing habits getting released as it leads to phone solicitations, as well as spam. What happened to the rights of the consumer? Why does Congress allow bribes to give corporations the upper hand?

    The world is changing rapidly, and our time is increasingly sucked away by meaningless ads. My parents can still remember a time not so long ago when junk mail was practically unheard of. Now we are saturated with it.

    I think we ought to push for a bill which affords us a form of personal protection akin to the laws against trespassing. In my opinion all cookies, spyware, etc that are installed on a computer without express permission from the user (EULAs are no good as no one reads them, and besides, we would be outraged if every day we were provided with a huge list of random comments, buried within which was a grant to trespass on our property if we exit our house), should subject their makers to a fine. As a computer professional, my machines are a place I spend a considerable amount of time, and I have a right to not have others intrude on my privacy.

    As a final point, I realize that you can disable cookies, and most spyware, but it is ridiculous to assume that this makes them all right. Many people do not know how to do so, and above all else, we should never have to arm our computers with defenses just to preserve our rights. That is analogous to requiring everyone to bring a bodyguard when they left the house, or it would be legal to mug them.

    *steps off of soapbox*, Sorry, my wife is an IP lawyer and deals with this stuff every day. We need more computing professionals in the government and law.

  7. "Fritz Hollings" is today's secret word! by Lendrick · · Score: 4, Funny

    From now on, when you type the words "Fritz Hollings", be sure to link him to goatse.cx! Instead of just typing his name, type:

    <a href='http://goatse.cx'>Fritz Hollings</a>

    No sense of humor? Go ahead and mod me down. I don't mind.

  8. These same people accusing us of by Vicegrip · · Score: 3, Insightful

    wanting free rides in our use of purchased media, complaining vigorously about the perceived lost dollars the legitimate exercise of personal use costs them... these people are now turning around and wanting a free-ride with my personal data?

    I think not. Let me take the time to personally assure any politicians who happen to read Slashdot that their support for this kind of initiative will guarantee them my lost support, regardless of party, in their next bid for re-election.

    --
    Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  9. The further corporatization of the web by anthony_dipierro · · Score: 3, Interesting

    My biggest problem with the bill is that it will further enhance the corporatization of the web. Imagine if slashdot had to comply with these rules when it first started out. The access rules alone would be a nightmare (imagine sorting through gigs and gigs of server logs to find all the instances of one person's IP address, printing them out, and mailing them, all for $3). Add the cost of defending litigation, and hiring lawyers just to ensure compliance, and quite simply, slashdot would not have existed.

    It would be kind of neat to be able to request from companies all the information they have about me, but this is something that should be optional, not mandatory. The government should set up a certification program, similar to truste, and offer it to those who have the resources to comply. Then the user can decide for him/herself whether they want to go to a certified site or not.

  10. biting the hand that feeds one by tps12 · · Score: 3, Interesting
    I just don't get it. I may be asking to get modded down for saying this on slashdot, but it's worth a shot.

    I mean, we geeks are virtually (heck, actually!) the only people in the world who appreciate privacy. Obviously, the smarter, more connected, more civilized one is, etc., the more use one gets out of privacy.

    Now I understand that the senator in question does not have what we would call a good "track record" with respect to the individual Rights that make this country good (let's face it, he's a stinker). But when it comes right down to it, I'm inclined to call a spade a spade, and not look a gift horse in the mouth.

    IANAL but, IIRC, support of this bill or legislation or what have you does not lock us in to future or past legislation, though they may all be by the same guy! Yes, in the past I would have been in favor of opposing him and not reelecting him, but the fact is, if it walks like a duck...

    I say, support Privacy, support this Bill and the Constitution. To the Death, as our forefathers would have.

    We will send him, and all others like him, a powerful message: shape up or ship out. But the key is, we are giving him the option to make good on his pledge to the People. And second chances, my friends, is what America is all about.

    --

    Karma: Good (despite my invention of the Karma: sig)
  11. What about "Sensitive" data? by BranMan · · Score: 4, Insightful

    Most of the focus on discussion I have seen so far has been addressing the "non-sensitive" information, and how this bill will open the flood gates to allow companies to collect and share it on a massive scale.

    I think this is a huge problem, BUT - doesn't anyone else see the problem with how "sensitive" data is defined in this bill?

    Sensitive data can only be collected or shared on an opt-in basis. Sounds good, but isn't medical information (one of the "sensitive" items) protected more highly by the HIPAA acts? Won't this act undo everything HIPAA did to help protect medical records? All it takes is one hidden or weasel-worded opt-in box to release all your medical information. Or financial information. Once out there, it can be sold. Then it's gone for good - opting out at that point won't do any good.

    We need to raise a huge stink about how trivially this bill handles critical private information - medical, financial and other records.

  12. Lessig on privacy and fair use by jonathanjo · · Score: 3, Informative
    Lawrence Lessig, in his book "Code", points out that the trend in the commodification of the web is for our personal information to be traded and sold by companies without our consent, and meanwhile for corporate "intellectual property" to be protected from unauthorized use with the full force of code and law.

    Lessig argues that these situations should be exactly reversed. Personal info should be treated as property owned by us; anyone who takes it without our consent should be subject to lawsuit or criminal charges, and if we choose to allow it to get bought & sold, we should get a cut of the proceeds. It's our data, after all. But for other types of data that doesn't identify any individual, including copyrighted works, there should be mechanisms that allow us fair use to use them and share them as we will, without actually overstepping our rights under copyright law. As it is, as we all know, our rights under copyright are being eroded by encryption and the DMCA. We should have that kind of infrastructure (*and* law) protecting our personal data that the RIAA wants to have protecting their work.

    J

  13. Re:Intellectual property? by jonathanjo · · Score: 3, Interesting

    Huh? You argue against the DMCA, but it is arguments like the one above that are used to support the DMCA and similar efforts at censorship. There have to be better ways to protect privacy than "intellectual property" arguments.

    You misunderstand, good Coward. I think it may be possible and indeed possibly even desirable to define all personal identifying information about a person as properly belonging under that person's control, in a similar fashion that we consider a person's property to be under their control. Hollywood wants us to see creative works as "intellectual property", and they are wrong. But perhaps a property metaphor may prove useful as we attempt to navigate a way of allowing individuals control over who knows what about them.

    J

  14. Federal Preemption by MountainLogic · · Score: 3, Interesting

    I wonder if this bill will preempt the state's rights to pass stronger bills. If so this could, in the long run, result in less privacy. Right now many of your local legislators are writing very strong privacy protection bills, but a federal bill will at the least put the brakes on state efforts and at the worst override state laws with weaker federal protection. This bill may be better than we have now, but any holes in it could give away your privacy for a very long time. I wonder how the marketoids feel about this bill?