Democratic Senators Propose 'Privacy Bill of Rights' To Prevent Websites From Sharing Or Selling Sensitive Info Without Opt-In Consent (arstechnica.com) 136
Democratic Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) today proposed a "privacy bill of rights" that would prevent Facebook and other websites from sharing or selling sensitive information without a customer's opt-in consent. The proposed law would protect customers' web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information. Ars Technica reports: Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here. "Edge providers" refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers' permission before using their browsing histories to serve personalized ads. The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.
The Markey/Blumenthal bill's stricter opt-in standard would require edge providers to "obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer." Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements. The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers "to develop reasonable data security practices" and to notify customers about data breaches that affect them.
Consent (Score:5, Insightful)
The consent shouldnâ(TM)t be for using or sharing your data, it should be for collecting it in the 1st place
Re: (Score:2)
Did you miss this part? Right in TFS?
Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service.
Re: (Score:1)
"shouldnâ(TM)t" Congratulation it's 2018 and we have lost the ability to write normal text. While James Burke's connections series is running on the 2nd. screen and is talking about the 500 years old printing press and typesetting.
Re: (Score:3)
Re: (Score:2)
Him and the guy that invented fire will be arraigned next week.
Re: (Score:2)
Do you mean like that sentence in the Terms and Conditions that you agree to without reading?
Re: (Score:2)
No, more like the laws governing psychotherapists, you know they cannot publish your details. So more in that regard, you start to gather too much data and that data constitutes a potential harm to the individual's psychology via manipulation, would be considered excessive and banned. Pretty much tie all data to what the individual, individually approves, no blanket approvals. Approvals sought and confirmed for all data types and specifically renewed once a year with details provided for what information is
Re: (Score:1)
Re: Consent (Score:2)
Re: (Score:2)
Honest question here: How do you propose being able to use Facebook for people who want to refuse to consent to them collecting their data? Isn't that a bit like telling someone to build a website for you but forbidding them from storing the text you want to display on the pages?
Re: (Score:1)
Yet, it'd be interesting to see how this all can be enforced.
Worthless (Score:1)
A good effort in principle but ultimately worthless, all websites/apps will do is add "you explicitly consent to allow X" in their TOS and carry on as usual. a firmer action would be to make any TOS that is over 1 A4 page long legally invalid.
Re:Worthless (Score:5, Informative)
A good effort in principle but ultimately worthless, all websites/apps will do is add "you explicitly consent to allow X" in their TOS and carry on as usual. a firmer action would be to make any TOS that is over 1 A4 page long legally invalid.
Precisely what I came into here to comment on. You nailed it. No teeth.
Re: (Score:2)
a firmer action would be to make any TOS that is over 1 A4 page long legally invalid.
Wouldn't they just use an insanely small font then and call it a win?
Re: (Score:2)
Indeed, GP shows they didn't even RTFS let alone RTFA.
However that clause is exactly the part of this proposed bill that I'd be surprised if it survived through to eventually being signed into law.
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Re:Worthless (Score:5, Informative)
pak9rabid snorted:
Because they don't care. This is just a song-and-dance to their constituents to look like they give a shit.
No. No, it's not.
First of all, Markey and Blumenthal's constituents neither know nor care about privacy considerations on the Web. Like most Americans (and Brits, and Aussies, and the bulk of Internet users everywhere), they haven't bothered to inform themselves about it, nor do they want to, because it's too confusing and "technical" for them to grasp. Secondly, there really hasn't been any groundswell of demand for such protections. Most of the outrage has been generated by journalists - some of whom actually do know a little bit about the implications of data breaches.
More to the point, both Markey and Blumenthal are among the most tech-savvy legislators in Congress. They've both been opponents of restrictions on encryption and the efforts of law enforcement to get Congress to mandate back doors for their convenience. They're both suspicious of stingray cell phone data collection. They genuinely give a damn about their constituents' rights online and off - not because that plays well with voters, but because it's a subject that goes to the heart of Constitutional protections against unjustified government intrusion on individual liberty.
Oh, and because corporate intrusions on individual privacy are, in the age of AI, potentially an even greater threat to civil liberties, as evidenced by Cambridge Analytica's conveyance of FB users' private information to the ethical black hole that now occupies the Oval Office.
How your fact-free, unsupported opinion on this topic achieved plus ANYTHING "Informative" is beyond me ...
Re: (Score:1)
Because it is the kind of fact-free libertard ranting "Tuh Govemment is bad!1!!1!" that appeals to the basement dwelling nerds that resent living under their parents' authority but are too much of a failure to make it out on their own.
And lots of these losers read Slashdot and ipso facto have mod points.
Re: (Score:2)
I confessed:
Prompting mvdwege to explain:
Because it is the kind of fact-free libertard ranting "Tuh Govemment is bad!1!!1!" that appeals to the basement dwelling nerds that resent living under their parents' authority but are too much of a failure to make it out on their own.
And lots of these losers read Slashdot and ipso facto have mod points.
You are, of course, correct, sir.
(I'm certain you were aware that I knew that to begin with, but - taking your .sig into account - posted your explanation anyway, for the edification and amusement of the /. masses. And to bait the bears, obviously ... )
Re: (Score:1)
I confess I did feel like trolling a little.
Re: (Score:2)
First of all, Markey and Blumenthal's constituents neither know nor care about privacy considerations on the Web. Like most Americans (and Brits, and Aussies, and the bulk of Internet users everywhere), they haven't bothered to inform themselves about it, nor do they want to, because it's too confusing and "technical" for them to grasp.
I agree with most of your post, but I somewhat disagree with this part. Markey represents Massachusetts, and there is a pretty large number of intelligent, technically-knowledgeable people there.
Re: (Score:2)
I asserted:
First of all, Markey and Blumenthal's constituents neither know nor care about privacy considerations on the Web. Like most Americans (and Brits, and Aussies, and the bulk of Internet users everywhere), they haven't bothered to inform themselves about it, nor do they want to, because it's too confusing and "technical" for them to grasp.
Prompting Dragonslicer to observe:
I agree with most of your post, but I somewhat disagree with this part. Markey represents Massachusetts, and there is a pretty large number of intelligent, technically-knowledgeable people there.
Obviously including you. (I say "obviously" because you used the appropriate state-of-being verb construction to agree in number with the subject of your final clause. Most people would've used the incorrect "are.")
The thing is, Markey also represents all the Southies, and other high-school dropouts, near-dropouts, and people who barely managed to obtain their GEDs in Massachusetts. And, Harvard, Yale, and other such institutions notwithstandi
Re: (Score:2)
I stated:
corporate intrusions on individual privacy are, in the age of AI, potentially an even greater threat to civil liberties
Prompting an Anonymous Coward to contradict me, thusly:
Not possible. Only government can actually threaten you with anything. Corporations either provide a service...or don't. They cannot prosecute you, they cannot send cops to your home to no-knock raid you in the middle of the night, they cannot shoot you for "fearing for my(their) life". Only government can do all of those things.
Any corporation on the planet can collect literally every bit of information about me that they want, they still won't be a bigger threat to my liberty than the cops munching donuts in the police station down the street from my house.
I'll break my rule of not responding to ACs this one time, as a public service.
You fail to grasp the threat.
First, as we have seen again and again, corporate online databases are not secure. FB allowed Cambridge Analytica to collect tens of millions of its users' information, Equifax permitted black hats to siphon off essentially their entire credit database, including more than enough information on ALL of its users to easily allow anyone will
Re: (Score:3)
Reeeeeeeeeeeeeeetaaaaaaaaaaaaaaaaard
"Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service."
Re:Worthless (Score:5, Informative)
iamhassi blathered:
How can legislators not see that this is worthless? We will have a pop up on every website/app demanding CONSENT and if we click NO the website/app won't let us have access. Congratulations on passing a law to add another pop up to all websites and apps.
From TFS:
Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service.
If you're going to opine about something, you might want to try knowing what the fuck you're talking about ...
Re:Worthless (Score:5, Informative)
When you're the minority party in congress you can make a bunch of "good effort" bills that sound great to the voting masses but have no prayer of passing so as to not anger your donors.
Both sides do it. I'm honestly not sure why we even let minority parties propose bills when the answer is just going to be "haha, no." Even if it was a damn good bill that everyone agreed on, they'd still block it simply so they could propose it themselves. Passing a bill is a good metric on your record. Hell, remember how much they fought over RomneyCare? They'd even fight it on the principle that the other side proposed it.
Re: Worthless (Score:1)
Re: (Score:2)
Last I checked, the NSA did not run popular large-scale social media web sites...
Re: (Score:2)
Right, just "THE PHONE SYSTEM" [wikipedia.org]. I hear some people use it to, like, talk to people and stuff. Although I hear even with that massive farm out in Utah, they can still only store 3 days of traffic.
Re: (Score:2)
But... this bill doesn't target phone calls. It targets hosts of web sites. I'm not trying to say the NSA doesn't collect information - they obviously do. I'm saying they don't have any real reason to care about *this* bill, because it doesn't affect their affairs.
Re: (Score:2)
Right, which is why the NSA doesn't care and none of this matters to them. Do try and keep up.
Re: (Score:2)
I can print any TOS on one A4 page.
Provided I have a good enough printer with enough resolution, that is...
Re: (Score:2)
Thank goodness that shit is going to be illegal in the EU soon.
Re: (Score:2)
Re: (Score:2)
Except they state: "Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service."
Re: (Score:1)
Actually, I could see them offering an opt-out tier of service - limited function, limited bandwidth, and far, far more ads.
DOA (Score:2)
Re: (Score:1)
well, the R's will butcher it more than the D's will.
the R's sold us all out with the loss of net-neutrality (plus about a billion other things since the orange idiot has begun his plunder). they are clearly not for 'the people'. never really were, in recent memory.
the D's are bought and sold, too; but they aren't quite as blatant about selling our privacy. I don't hold much hope, but if any party is going to fix this, it's the D and not the R.
Facebook response: Oh wait, you're serious (Score:3)
Re: (Score:3)
Well they are going to have to obey the new European rules that are coming in, or get heavily fined and eventually shut down. So if the US simply adopted very similar rules, it would be as easy for Facebook to comply as adding the US to the list of places where it has to respect privacy.
Zuck is cockblocking others to get their share. (Score:5, Insightful)
It could be argued that FB has farmed as much data as possible already (since its popularity is more or less shrinking now). Zuck's move is "I got mine, now let's make sure nobody else gets hands on it".
Reminder that this discussion isn't about privacy, but straight competition between data brokers. Massive and accurate human behavior corpuses, of which FB is one of the largest repositories, will be monetized in machine learning models soon enough.
I also wonder if google search will become pay service now, or what?
Re:Zuck is cockblocking others to get their share. (Score:4)
The EU's GDPR rules cover old data too. These last few months I've been getting emails from companies asking for permission to keep my data on file. If I ignore them (don't give consent) they have to delete that data.
In fact my own company is scrambling to get all the people on its spam^H^H^H^H marketing mailing lists to agree to continue receiving emails, otherwise their email addresses have to be scrubbed.
Re: (Score:2)
This is about selling/sharing, not collecting. Collection of data will continue same as ever. You can certainly make an argument that it's in the interests of Facebook to stop sharing people's personal info and start protecting their data hoard. That's the approach Google has taken all along -- Google doesn't like to share your info, they like to make advertisers pay to benefit from proprietary Google data that won't be shared with them.
Re: (Score:2)
I didn't read the bill, only TFA summary, and the way I grok it is that sure, they can continue to capture data all they want, but it will no longer be useful for arbitrary purposes as it is now. Meaning if the bill passes, and somebody puts scraped data to some commercial use beyond the scope of the original service, they could be facing a class action lawsuit should this come to light.
Indeed this looks like 180 pivot into google direction, just more ev
Why just on-line providers (Score:1)
These rules should apply to all businesses (and people) who obtain private information for a particular purpose.
EU and Canada have stronger rights (Score:2)
This is, at best, a half measure.
Re: EU and Canada have stronger rights (Score:2)
Re: (Score:2)
Pug Nazis are not very amusing to people who remember real Nazis.
Make it compatible with the GDPR (Score:5, Insightful)
Re: (Score:1)
Why should people in the US have weaker protection?
Greed.
Facebook and other data collectors should be required to conform to a GDPR equivalent in the US and North America.
American: "no durn tootin' way some otha' country's gonna tell ME what to do. DON'T TREAD ON ME."
Re: (Score:2, Insightful)
Re: (Score:1)
now we have to give them more permission to steal our data
Why?
Because you need to use Facebook? Because you deserve it? You have a right to use it?
Shit, the nutters are right, we have raised a fucking gibmedat entitlement generation.
Re: (Score:2)
But then they couldn't compete with ISPs! (Score:4, Interesting)
Now we have a bill doing the opposite, I'm interested to see the argument they make in opposition to this one. Granted, since they're not overturning an existing rule they don't need to work as hard in justifying it, so they'll probably just trot out one of their old standbys. Something like: "Regulations bad! Thog smash responsible government!"
However, I would love it if they just flipped that shit around and went full doublethink on us.
Exceptions are made for high quality acronyms (Score:5, Interesting)
Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act
Initially I balked at the introduction of a new bullshit term like "edge-provider", but that's a mighty fine acronym.
And why do online services get specific punishment? Why not apply this to grocery stores? I don't want HyVee telling anyone I buy 10lbs vats of mayonnaise. (don't judge me).
How about we extend "Browsing history" to the real world. I don't think we want companies tracking who entered their store and what they looked at. The age of ubiquitous cameras, face-recognition, and customer databases is upon us. With a high enough resolution camera, they could even track where your eyeballs are pointed.
Do you want a list of everyone who ever entered a gun store? Do you want to see who shops at the thrift-mart AND the ... gucci-emporium? Do you want your health insurance provider to know how often you stop at McDonalds?
If you're going to squawk at Facebook abusing "customer" data, you might as well take a closer look at the potential abuse of everyone else's databases.
Re: (Score:3)
That's exactly what salesmen do whenever you walk into a store, only instead of storing the information magnetically, they store it in their own grey matter. But I like your way of thinking--let's ban salesmen!
Re: (Score:3)
If they develop mentats that can remember a timestamp of every customer that walks in through the door for decades, then YES, that should be addressed.
But as for now, we should probably acknowledge that computers fundamentally change the nature of the game and keeping databases of everyone's movements turns what was a perfectly normal and more or less unabuseable tidbit of knowledge into the building block of a dystopian nightmare.
AND, remember, this bill is NOT about what people remember or what databases
Re: (Score:2)
I actually appreciate that kind of service, but such knowledge is limited to that employee who recognizes you by appearance and not by name.
Re: (Score:2)
And the Waffle House CEO didn't interrogate her every week for a list of all clients and ordering history so he could sell it.
Re: (Score:2)
... Do you want your health insurance provider to know how often you stop at McDonalds?
Hey, I stop at McDonald's almost every time I take a bike ride. That's usually 3-4 stops a week. I get all the iced tea I want for $1 and no fat or calories. (Well, maybe one or two from the lemon juice I squeeze into it.) With the temperature at 98F (36C) today, I drank quite a bit of tea for my $1 and my insurer would think it's great. Just don't eat anything there!
And, FWIW, the term "edge" has been standard networking
Re: (Score:1)
Initially I balked at the introduction of a new bullshit term like "edge-provider", but that's a mighty fine acronym.
INAA*.
I don't want HyVee telling anyone I buy 10lbs vats of mayonnaise. (don't judge me).
I suggest that, next time, you try reversing the order in which you present those two particular fragments.
*It's Not An Acronym.
Re: (Score:2)
CONSENT. The bill is an acronym. They needed an "E".
What isn't an edge service? (Score:2)
Re: (Score:2)
First Amendment? (Score:5, Interesting)
This is, quite literally, an attempt by Congress to make a law limiting the Freedom of Speech: prohibiting them from telling others something they've learned... Learned without any prior promise not to tell others...
If the Amendment protects the right of newspapers to publish state secrets [theatlantic.com], why wouldn't it also protect "social media" companies' right to publish our private little ones?
Re:First Amendment? (Score:4, Insightful)
Try again. This is informing users and requiring them to give that data up willingly in the first place. Currently, Facebook et al rape it out of you surreptitiously.
Re: (Score:2)
Why, thank you kindly for the encouragement...
What does "this" refer to in the quoted sentence? The proposed law? The bill is informing users — and requiring them to do something?
The "surreptitious rape" metaphor does not add any clarity to the already convoluted text. Try again, perhaps...
Re:First Amendment? (Score:4, Informative)
What the bill actually seems to describe: Businesses that obtain information based on a digital contract have a responsibility to maintain adequate security to justify their claims of who they will and will not share that information to. Third parties obtaining information in bad faith are also the responsibility of the business. The Federal Trade Commission is defining some of the terms that apply to such digital contracts and making legal distinctions between some of them. There's more to it than that, but it's Democrat sponsored and it's unlikely to be passed. So I don't recommend anyone actually read it.
Re: (Score:3)
Great question, but this is actually quite similar to existing restrictions on free speech. For instance, according to federal wiretapping laws it's already illegal in all states to record a private conversation without consent (the question of whose consent is necessary varies from state to state). In a sense, this law is proposing to extend that restriction to various forms of asynchronous communication, rather than just synchronous, real-time communication, ensuring that what you say in “priv
Re: (Score:2)
No, it is not.
First of all, so long as the stalker does not trespass on my property, he is entitled to watch — and record — anything he can see, hear, or otherwise perceive.
Second, unfortunately, you are 100% wrong. The proposed law, according to both TFA and the write-up, would ban just that — sharing, not collecting
Re: (Score:3)
Counterpoint: HIPAA exists, and places limits on speech. California has an extension of it, called CMIA, that goes further. The first amendment is massive, and the supreme court has been very leery of any reductions in its power, but there are a few limits that the court is willing to accept.
Re: (Score:2)
Subjects to HIPAA promise people to never reveal their secrets to anyone not allowed by the law. It is this promise that then bars them from disclosing your information... It does impose quite a limitation on these companies — and the cost of proving compliance is non-negligible — but, at least, it is justified by people being compelled to reveal their secrets in order to get medical care.
There is no such pressure to use "social media". People do that voluntarily.
Of course, maybe, the Supreme Co
Re: (Score:2)
It is a different matter, and it is protected by the First Amendment. As long as news media can publish anything they choose to, including people's tax-returns [thehill.com] and unproven crime-allegations [theguardian.com], so can anyone else, "social media" (however defined) included.
File sharing (Score:3)
Once something digital is out of your control it is gone. Everything from electronic medical records to the new AC/DC cd. Gone. Trying to regulate it into a box is futile. Collecting, copying, storing, sending costs almost nothing. No barrier. Everything will eventually be leaked or hacked.
The answer is to keep the electronic records/data from being created in the first place (offline storage= very very good). That means someone like me will never use or touch Facebook and will block every IP address connected to Facebook. Even if that means I can't watch a few videos.
Re: (Score:3)
How it will go down... (Score:5, Insightful)
And how would it be enforced? (Score:1)
like that's going to make a difference (Score:2)
This will end up being some variant of: "You want to see hot naked girls? We'll even share your stats with them, you gorgeous hunk! Just click OK!"
Will this apply to the Governments? (Score:2)
Like Email (Score:1)
Change the economy of data collection. (Score:5, Interesting)
Attempts to legislatively say: "Thou Shalt NOT" will probably be ineffective when the underlying economy strongly favors collecting, storing, and using private information.
The most effective legal protections against invasive data collection are to change the economy of personal information. This sounds harsh and invasive, but it may be the only workable protection from widespread privacy threats and manipulation.
For example, we can increase the expense of collecting, storing and exchanging personal data by:
Then we must work to harden our society against the manipulative effects of collected personal data. This is a continual challenge. Things we might consider include:
Ultimately, dealing with the problem of privacy abuse and invasive data collection will take much more than a legislative "Thou Shalt Not".
Too little and too late (Score:2)
Take it or leave it (Score:1)
Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service.
My first thought was "Here comes the TOS people have to sign to use the service. And this will be buried in the middle of millions of pages somehow."
As is typical (Score:2)
great idea...maybe (Score:1)
I have an essay on this topic now (Score:2)
http://yuhongbao.blogspot.ca/2... [blogspot.ca]
Sauce, goose, gander (Score:1)
How about having something similar for the information that the government gathers -- without the person's consent -- for one purpose that is used for another?
And don't say it never happens. Here's some reminders of one especially awful one. Census Bureau. Japanese. FDR. Internment camps.
And simple failure to safeguard information. Sensitive personal information about me is now in China, thanks to the federal government's failure. And of millions of others, of course.