Slashdot Mirror


Democratic Senators Propose 'Privacy Bill of Rights' To Prevent Websites From Sharing Or Selling Sensitive Info Without Opt-In Consent (arstechnica.com)

Democratic Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) today proposed a "privacy bill of rights" that would prevent Facebook and other websites from sharing or selling sensitive information without a customer's opt-in consent. The proposed law would protect customers' web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information. Ars Technica reports: Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here. "Edge providers" refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers' permission before using their browsing histories to serve personalized ads. The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.

The Markey/Blumenthal bill's stricter opt-in standard would require edge providers to "obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer." Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements. The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers "to develop reasonable data security practices" and to notify customers about data breaches that affect them.

27 of 136 comments

  1. Consent by Anonymous Coward · · Score: 5, Insightful

    The consent shouldn't be for using or sharing your data, it should be for collecting it in the 1st place

    1. Re:Consent by scdeimos · · Score: 2

      I blame the guy that invented the plough 12,000 years ago.

  2. Facebook response: Oh wait, you're serious by rsilvergun · · Score: 2

    let me laugh even harder.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Facebook response: Oh wait, you're serious by AmiMoJo · · Score: 2

      Well they are going to have to obey the new European rules that are coming in, or get heavily fined and eventually shut down. So if the US simply adopted very similar rules, it would be as easy for Facebook to comply as adding the US to the list of places where it has to respect privacy.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Zuck is cockblocking others to get their share. by ezdiy · · Score: 4, Insightful

    Presumably the bill doesn't cover data already farmed without consent, only further farming from now on.

    It could be argued that FB has farmed as much data as possible already (since its popularity is more or less shrinking now). Zuck's move is "I got mine, now let's make sure nobody else gets hands on it".

    Reminder that this discussion isn't about privacy, but straight competition between data brokers. Massive, and accurate human behavior corpuses, of which FB is one of the largest repository will be monetized in machine learning models soon enough.

    I also wonder if google search will become pay service now, or what?

    1. Re:Zuck is cockblocking others to get their share. by AmiMoJo · · Score: 3

      The EU's GDPR rules cover old data too. These last few months I've been getting emails from companies asking for permission to keep my data on file. If I ignore them (don't give consent) they have to delete that data.

      In fact my own company is scrambling to get all the people on its spam^H^H^H^H marketing mailing lists to agree to continue receiving emails, otherwise their email addresses have to be scrubbed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. EU and Canada have stronger rights by WillAffleckUW · · Score: 2

    This is, at best, a half measure.

    --
    -- Tigger warning: This post may contain tiggers! --
  5. Re:Worthless by BradyB · · Score: 4, Informative

    A good effort in principle but ultimately worthless, all websites/apps will do is add "you explicitly consent to allow X" in their TOS and carry on as usual. A firmer action would be to make any TOS that is over 1 A4 page long legally invalid.

    Precisely what I came into here to comment on. You nailed it. No teeth.

    --
    Good is never enough, when you dream of being great!
  6. Make it compatible with the GDPR by markjhood2003 · · Score: 4, Insightful

    The proposed US legislation looks weak compared to the EU General Data Protection Regulation (GDPR). Why should people in the US have weaker protection? Facebook and other data collectors should be required to conform to a GDPR equivalent in the US and North America.

  7. But then they couldn't compete with ISPs! by pots · · Score: 3, Interesting

    The principal excuse trotted out for stripping away privacy protections from ISPs was that those protections didn't apply to websites or other tech firms. So protecting people's privacy wasn't fair or something... I didn't really follow that argument, but I don't think that was the point. They just needed some nonsense that they could repeat over and over again until some people started to believe it.

    Now we have a bill doing the opposite, I'm interested to see the argument they make in opposition to this one. Granted, since they're not overturning an existing rule they don't need to work as hard in justifying it, so they'll probably just trot out one of their old standbys. Something like: "Regulations bad! Thog smash responsible government!"

    However, I would love it if they just flipped that shit around and went full doublethink on us.

  8. Exceptions are made for high quality acronyms by HeckRuler · · Score: 5, Interesting

    Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act

    Initially I balked at the introduction of a new bullshit term like "edge-provider", but that's a mighty fine acronym.

    And why do online services get specific punishment? Why not apply this to grocery stores? I don't want HyVee telling anyone I buy 10lbs vats of mayonnaise. (don't judge me).

    How about we extend "Browsing history" to the real world. I don't think we want companies tracking and who entered their store and what they looked at. The age of ubiquitous cameras, face-recognition, and customer databases is upon us. With a high enough resolution camera, they could even track where your eyeballs are pointed.

    Do you want a list of everyone who ever entered a gun store? Do you want to see who shops at the thrift-mart AND the ... gucci-emporium? Do you want your health insurance provider to know how often you stop at McDonalds?

    If you're going to squawk at Facebook abusing "customer" data, you might as well take a closer look at the potential abuse of everyone else's databases.

    1. Re:Exceptions are made for high quality acronyms by Ichijo · · Score: 2

      I don't think we want companies tracking and who entered their store and what they looked at.

      That's exactly what salesmen do whenever you walk into a store, only instead of storing the information magnetically, they store it in their own grey matter. But I like your way of thinking--let's ban salesmen!

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    2. Re:Exceptions are made for high quality acronyms by HeckRuler · · Score: 2

      If they develop mentats that can remember a timestamp of every customer that walks in through the door for decades, then YES, that should be addressed.

      But as for now, we should probably acknowledge that computers fundamentally change the nature of the game and keeping databases of everyone's movements turns what was a perfectly normal and more or less unabuseable tidbit of knowledge into the building block of a dystopian nightmare.

      AND, remember, this bill is NOT about what people remember or what databases companies have. It's about them SELLING that information. Otherwise Netflix couldn't suggest movies based on your browsing history, and Amazon could keep track of your purchase history. So you can shove your strawman right up your ass.

  9. Re:Worthless by pak9rabid · · Score: 2, Insightful

    Because they don't care. This is just a song-and-dance to their constituents to look like they give a shit.

  10. First Amendment? by mi · · Score: 4, Interesting

    This is, quite literally, an attempt by Congress to make a law limiting the Freedom of Speech: prohibiting them from telling others something they've learned... Learned without any prior promise not to tell others...

    If the Amendment protects the right of newspapers to publish state secrets, why wouldn't it also protect "social media" companies' right to publish our private little ones?

    --
    In Soviet Washington the swamp drains you.
    1. Re:First Amendment? by sexconker · · Score: 3, Insightful

      Try again. This is informing users and requiring them to give that data up willingly in the first place. Currently, Facebook et al rape it out of you surreptitiously.

    2. Re:First Amendment? by fibonacci8 · · Score: 3, Informative

      Signing a digital contract saying that a business may study my information but may not share additional copies with other people doesn't have anything to do with the first amendment issue at all. Nor does the bill outlining civil recourse for businesses failing to provide adequate security to uphold their side of such contract.
      What the bill actually seems to describe: Businesses that obtain information based on a digital contract have a responsibility to maintain adequate security to justify their claims of who they will and will not share that information to. Third parties obtaining information in bad faith are also the responsibility of the business. The Federal Trade Commission is defining some of the terms that apply to such digital contracts and making legal distinctions between some of them. There's more to it than that, but it's Democrat sponsored and it's unlikely to be passed. So I don't recommend anyone actually read it.

      --
      Inheritance is the sincerest form of nepotism.
    3. Re:First Amendment? by Anubis+IV · · Score: 2

      Great question, but this is actually quite similar to existing restrictions on free speech. For instance, according to federal wiretapping laws it’s already illegal in all states to record a private conversation without consent (the question of whose consent is necessary varies from state to state). In a sense, this law is proposing to extend that restriction to various forms of asynchronous communication, rather than just synchronous, real-time communication, ensuring that what you say in “private conversation” to a Facebook or Google stays between the two of you unless you consent for them to share it with others.

      More broadly, while the First Amendment is incredibly important, it's also important to remember that it has never been universal. Whether it's shouting "Fire!" in a theater, slandering or libeling a political opponent, swatting an online foe, or falsely claiming that your quack medicine is proven to cure all ailments, we've had restrictions on the right to free speech from the very beginning. The fact that we allow state secrets to be published shows you just how important it is, but that doesn't mean it isn't without limitations, and that's a very good thing.

    4. Re:First Amendment? by Phydeaux314 · · Score: 2

      Counterpoint: HIPAA exists, and places limits on speech. California has an extension of it, called CMIA, that goes further. The first amendment is massive, and the supreme court has been very leery of any reductions in its power, but there are a few limits that the court is willing to accept.

      --
      Never underestimate the stupidity inherent in all human beings.
  11. File sharing by ebonum · · Score: 2

    Once something digital is out of your control it is gone. Everything from electronic medical records to the new AC/DC cd. Gone. Trying to regulate it into a box is futile. Collecting, copying, storing, sending costs almost nothing. No barrier. Everything will eventually be leaked or hacked.
    The answer is to keep the electronic records/data from being created in the first place (offline storage= very very good). That means someone like me will never use or touch Facebook and will block every IP address connected to Facebook. Even if that means I can't watch a few videos.

    1. Re:File sharing by burtosis · · Score: 2

      My favorite part today was the "we asked CA to delete data and they said they did at which point we considered the matter closed". As if the data couldn't be copied and sent around the world within the space of just his response. The very notion that you ever could get all copies of the data back is fanciful beyond belief.

  12. Re:Worthless by HeckRuler · · Score: 4, Informative

    When you're the minority party in congress you can make a bunch of "good effort" bills that sound great to the voting masses but have no prayer of passing so as to not anger your donors.

    Both sides do it. I'm honestly not sure why we even let minority parties propose bills when the answer is just going to be "haha, no." Even if it was a damn good bill that everyone agreed on, they'd still block it simply so they could propose it themselves. Passing a bill is a good metric on your record. Hell, remember how much they fought over RomneyCare? They'd even fight it on the principle that the other side proposed it.

  13. How it will go down... by burtosis · · Score: 4, Insightful

    Senator: Do you even understand how serious the data privacy breach is here? It's almost as if your entire business model is simply selling private data to anyone for any reason regardless of user settings. If Facebook doesn't get it together we will regulate each and every one of your competitors into bankruptcy! Are you even listening to us Mr. Zuckerberg?

  14. Re:Worthless by sexconker · · Score: 2

    Reeeeeeeeeeeeeeetaaaaaaaaaaaaaaaaard

    "Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service."

  15. Re:Worthless by thomst · · Score: 4, Informative

    iamhassi blathered:

    How can legislators not see that this is worthless? We will have a pop up on every website/app demanding CONSENT and if we click NO the website/app won't let us have access. Congratulations on passing a law to add another pop up to all websites and apps.

    From TFS:

    Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service.

    If you're going to opine about something, you might want to try knowing what the fuck you're talking about ...

    --
    Check out my novel.
  16. Re:Worthless by thomst · · Score: 5, Informative

    pak9rabid snorted:

    Because they don't care. This is just a song-and-dance to their constituents to look like they give a shit.

    No. No, it's not.

    First of all, Markey and Blumenthal's constituents neither know nor care about privacy considerations on the Web. Like most Americans (and Brits, and Aussies, and the bulk of Internet users everywhere), they haven't bothered to inform themselves about it, nor do they want to, because it's too confusing and "technical" for them to grasp. Secondly, there really hasn't been any groundswell of demand for such protections. Most of the outrage has been generated by journalists - some of whom actually do know a little bit about the implications of data breaches.

    More to the point, both Markey and Blumenthal are among the most tech-savvy legislators in Congress. They've both been opponents of restrictions on encryption and the efforts of law enforcement to get Congress to mandate back doors for their convenience. They're both suspicious of stingray cell phone data collection. They genuinely give a damn about their constituents' rights online and off - not because that plays well with voters, but because it's a subject that goes to the heart of Constitutional protections against unjustified government intrusion on individual liberty.

    Oh, and because corporate intrusions on individual privacy are, in the age of AI, potentially an even greater threat to civil liberties, as evidenced by Cambridge Analytica's conveyance of FB users' private information to the ethical black hole that now occupies the Oval Office.

    How your fact-free, unsupported opinion on this topic achieved plus ANYTHING "Informative" is beyond me ...

    --
    Check out my novel.
  17. Change the economy of data collection. by dweller_below · · Score: 4, Interesting

    Attempts to legislatively say: "Thou Shalt NOT" will probably be ineffective when the underlying economy strongly favors collecting, storing, and using private information.

    The most effective legal protections against invasive data collection are to change the economy of personal information. This sounds harsh and invasive, but it may be the only workable protection from widespread privacy threats and manipulation.

    • 1st, we need to increase the expense of collecting and storing personal data.
    • 2nd, we need to decrease the value of using personal data.

    For example, we can increase the expense of collecting, storing and exchanging personal data by:

    • Require accurate tracking information on the collection, storage and exchange of personal data. This should include identifying information for every entity that handled the data. This should be coupled with large mandatory fines for any data that is missing past transaction history. Currently, data brokers have low overhead and bear no responsibility for their behavior. They are selling goods worth billions. Their activity should be tracked as completely as credit card transactions. Requiring accurate documentation of the personal data marketplace will increase the expense of reselling personal data.
    • Impose aggressive taxes on collected, stored and exchanged personal information. It obviously has value. It is a major asset of Google and Facebook. It should be taxed like real estate or an economic transaction. The higher the taxes, the less incentive to collect, store and exchange personal information.
    • Forbid exporting personal information from the country of origin. If an entity wishes to collect, store, or exchange personal information, they must do it in the country of origin.
    • Add more teeth to "data breach" legislation. Remove any "due diligence" protection. Impose mandatory fines for data breach. Fines should be based on the number and severity of personal "facts". The higher the fines, the less incentive to collect and store personal information.
    • Impose full breach liability on every upstream entity in the data collection stream. Currently, data collectors and brokers get rich by selling to a wide market and experiencing no liability. Imposing liability for the behavior of down-stream purchasers of personal data will greatly increase the expense of collecting, storing and exchanging personal data.

    Then we must work to harden our society against the manipulative effects of collected personal data. This is a continual challenge. Things we might consider include:

    • Require search engines and social media to unmistakably indicate if we are viewing "Relevant, tailored for us illusion" or "Consensus Reality".
    • Consistently penalize search engines and social media when they inaccurately represent "Consensus Reality".
    • Require search engines and social media to provide a simple, always on-screen method to easily switch between "Relevant, tailored for us illusion" and "Consensus Reality".
    • Impose meaningful, effective restrictions on our government's ability to attempt to manipulate "Consensus Reality".
    • Require our government to protect its citizens from other governments' or corporations' attempts to manipulate "Consensus Reality".
    • Impose mandatory penalties on the enabling parties for every occurrence of identity theft. This means penalize the banks, the credit reporting agencies, and even the IRS. If identity theft occurred, then their process must have immediate, corrective feedback.
    • Require multi-factor authentication when authenticating to critical resources.
    • Educate our society that biometrics might be identifiers, but should never be an authenticator.

    Ultimately, dealing with the problem of privacy abuse and invasive data collection will take much more than a legislative "Thou Shalt Not".