Draft Of Privacy Bill Introduced... And Pretty Much Everyone Hates It

from the is-that-a-good-sign? dept

Rep. Rick Boucher released a draft internet privacy bill that's getting plenty of attention. You can read the draft on Boucher's site (pdf).

In Europe, internet privacy laws are pretty standard -- but in the US we've stayed away from them. The initial reaction to the bill seems to be that everyone hates it. Well, everyone who has a strong position and/or financial interest in it. Privacy groups say the bill is way too weak. Companies say it's way too restrictive. As per usual, the reality is probably somewhere in the middle. The key component of the bill is that it splits up information into two categories: "covered information," which sites will have to allow users to opt out of collection, and "sensitive information," which sites will have to have users opt in to.

Covered information (information that sites can collect, but users will have the right to "opt-out" if they don't like it) includes:
  1. The first name or initial and last name.
  2. A postal address.
  3. A telephone or fax number.
  4. An email address.
  5. Unique biometric data, including a fingerprint or retina scan.
  6. A Social Security number, tax identification number, passport number, driver's license number, or any other government-issued identification number.
  7. A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.
  8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
  9. A preference profile.
  10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in subparagraphs (A) through (I).
As for "sensitive information" (which sites will require people to opt-in to collect), you've got:
  1. medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  2. race or ethnicity;
  3. religious beliefs;
  4. sexual orientation;
  5. financial records and other financial information associated with a financial account, including balances and other financial information; or
  6. precise geolocation information.
There are also some "exemptions" for the collection of information that was for "operational purposes" or "transactional purposes." Reading through the whole thing, I have to admit I'm a bit confused as to the purpose of the bill. It seems like the "opt-in" information is the type of information that you would have to opt-in for anyway, because no website is going to be able to get that information without it. As for the opt-out information, most of that can again be handled by the user, simply through various technology offerings out there.

Perhaps I'm missing something, but this seems like the kind of bill that's designed to say "hey, look, privacy law!" but that doesn't really do anything to protect people's privacy. I could see it causing a lot of trouble for sites, though, for no good reason. For example, saying that IP address information can be "opt-out" could create a massive hassle for pretty much any site that keeps log files. Imagine the fun someone could cause by visiting sites and then demanding the site remove his or her IP address from their logs. I understand the general thinking behind this, but I just don't see it doing anything good, while I could see all sorts of unintended consequences from it.

Filed Under: laws, privacy, rick boucher


Reader Comments



  • Steve R., 5 May 2010 @ 6:26am

    Privacy belongs to the Recipient

    The privacy debate, I find somewhat mischaracterized since it is privacy as a concept is unrealistic. We need to approach it from the perspective that companies do NOT have a right to contact you without your permission and they do not have a right to your personal information after your business transaction has been completed.

    I like this gloom and doom quote from The Hill. The quote below points to what is wrong with how we view privacy and why legislation to supposedly protect your privacy will never work. Companies do NOT have a right to your information nor do they have a right to always be-in-your-face to sell you something.

    “It would kill hundreds of thousands of jobs in America, and it would disproportionately put small publications out of business, because consumers won’t opt in,” said Zaneis, who later noted a series of positive aspects of the current legislation. His organization, the Interactive Advertising Bureau, represents 375 organizations and includes such members as Microsoft, Google and a host of publishing firms.

    • Falindraun, 5 May 2010 @ 7:37am

      Re: Privacy belongs to the Recipient

      Colorado tried to pass a law like that a few years ago by popular vote, I was all for it, but the lobbyists got ahold of some advertising money and the bill got defeated via lots of misinformation.

      One of the things I could do with this bill is clean up my credit by forcing them to remove information from my credit that I don't like or is damaging to my credit, and bam, now I would have excellent credit.

  • Killer_Tofu, 5 May 2010 @ 6:27am

    Younger Generation's views?

    This may just be because I am from a younger crowd than most, but I don't really know that many people amongst my groups who care about race or ethnicity. We have friends from lots of different backgrounds and get along well with all of them.
    I know that times used to be different in the US (and still are in many countries) but I can only hope that as time goes on we are more accepting of cultural differences. We find the idea that something as simple as skin color can be used to be mad at somebody as ridiculous. We would rather be mad at them for something they have done that demonstrated to us that they are not "nice" people (it's a relative term).
    The only things that make us mad in general are when certain groups start demanding special rights for their stuff. Practice whatever you want as long as it doesn't negatively impact us.

    Oh, and how is our Social Security Number not sensitive, but sexual orientation is?
    Lastly, to all of us gay marriages should be allowed too. We don't understand why they aren't completely legal yet everywhere. I know I am starting to veer off topic but these seem to be the prevalent views amongst my generation and a few things on that list seem odd being from the group that thinks this way.
    All of my friends either feel this way, or don't care. None of them that I hang out with are against the ideas I mentioned here. Is it just a younger generation's views with how times are changing, or is it just because of the area from which I hail?

    • keven sutton, 5 May 2010 @ 7:00am

      Re: Younger Generation's views?

      just a quick post, I agree that SS number should be sensitive. I'm not sure why it's not. I'm also worried about the biometric data. I REALLY have to OPT OUT?!?!

      • Killer_Tofu, 5 May 2010 @ 11:56am

        Re: Re: Younger Generation's views?

        Heh, I have nothing on my computer to input my biometric data so they are kind of SOL on that one. =)
        I would love to see how they determined what was super private and what was okay for corps to hold onto.

    • Verve, 5 May 2010 @ 9:06am

      Re: Younger Generation's views?

      From purely a marketing perspective, race/ethnicity can be useful because of exactly what you point out ... cultural differences! It's market segmentation; it's how you present your product to your target audience. But you have to know what your audience is to target your communications!
      Otherwise, I'm totally with you... ethnicity, race, cultures... those lines are becoming more blurred over time. But this is a very slow process...

  • Anonymous Coward, 5 May 2010 @ 6:35am

    the ip address one is funny. you guys all argue that an ip address is not unique, yet you think someone will visit a site and then demand his ip be removed from the logs? how does one prove that it is really them visiting? oh wait, you mean an ip address is at least a temporarily unique identifier? damn, another of the masnicks basic concepts out the window!

    • John Doe, 5 May 2010 @ 6:44am

      Re:

      Wrong. You can determine your IP address at the time you were surfing a website and then demand it be removed. So you know your IP address, but it doesn't mean anyone else does.

      Nice try though.

    • keven sutton, 5 May 2010 @ 6:54am

      IP Address

      I think IP Address was brought up not because it was a unique Identifier, but because if someone were to ask for it to be removed it would cause a great deal of unnecessary overhead.

      IP Addresses are very rarely unique, but there are privacy advocates that would opt out of as much as possible, including IP addresses. Your conclusion that "Masnick's Basic Concept" is "out the window" is incredibly uninformed. I don't really believe that you will read this though. Chances are you are just a troll looking for someone to bait.

      • Anonymous Coward, 5 May 2010 @ 6:59am

        Re: IP Address

        you have to think past your nose on this. if the ip address is unique, then the user can ask for it to be removed. but if it is not unique, how can he? passing a law like this would essentially make the ip address unique by definition. otherwise, how can a user claim to have an ip address removed from a log if the ip address isn't uniquely theirs to start with? contradiction time!

        • keven sutton, 5 May 2010 @ 7:06am

          Re: Re: IP Address

          ...And that's where the unnecessary overhead comes in. Because it's NOT a unique identifier there is no reliable way to conclude that any given user is the sole user of any given IP address.

          So I have thought past my nose to the reality of the way IP works, rather than concluding that if a bill states that I can remove IP addresses from my personal information on a site, then those people who are knowledgeable about IP are wrong about how it works.

        • John Doe, 5 May 2010 @ 7:35am

          Re: Re: IP Address

          Nice try again, ignoring my previous post AC. You can determine your IP address at the time you are surfing and then demand it be removed. So yes, IP addresses are unique. The problem is when outside parties try to nail down the IP address you were using. They can't say for sure it was you. But you can because you can check it on your machine. So please, quit twisting the facts and admit you are wrong. There is no contradiction here.

          • Anonymous Coward, 5 May 2010 @ 9:25am

            Re: Re: Re: IP Address

            you see, that is the problem. the masnick claims ip addresses are never unique. there is no way to connect a user and an ip address. heck, it could be a printer. yet, there you are contradicting the masnick and stating that an address can be unique for a time. wow. maybe you can explain that contradiction to keven up there. he seems to have missed it.

            • Mike Masnick, 5 May 2010 @ 10:30am

              Re: Re: Re: Re: IP Address

              "you see, that is the problem. the masnick claims ip addresses are never unique."

              Most people already know this, but just for the few that might not, the above statement is not even close to true. I have never said anything along the lines that an IP address is not "unique." I have merely said -- correctly -- that an IP address does not identify who the user is.

              • Anonymous Coward, 5 May 2010 @ 12:25pm

                Re: Re: Re: Re: Re: IP Address

                then how could a user ask to have stuff removed from a log if you have no way to know if it is them to start with? Do you think that Google and your ad partners collect IP addresses and match them up with other information just for the fun of it?

    • PaulT, 5 May 2010 @ 7:02am

      Re:

      I have to wonder who you're talking about when you say "you guys". Especially when the people who (correctly) point out that an IP address is neither a unique nor reliable identifier are usually talking about how lawmakers misunderstand technology. You know, the same lawmakers who drafted this bill.

      There is also a question as to whether the phrase "unique persistent identifier" would apply to dynamic IP addresses or just static IPs since dynamic IPs are not persistent. The language used in this document is, at best, questionable to anybody with technical knowledge.

      "an ip address is at least a temporarily unique identifier?"

      If by unique, you mean that only one computer can have said address at any one time? No, it's not. That's how they're intended, but not how they actually work - an important distinction.

      "damn, another of the masnicks basic concepts out the window!"

      Nope, it's upheld, perfectly.

    • Rose M. Welch, 5 May 2010 @ 9:21am

      Re:

      If an IP address is a unique identifier, then my family of five and the neighbors are all the same person.

      Since none of us are disassociative, I think not.

      • Anonymous Coward, 5 May 2010 @ 9:27am

        Re: Re:

        legally, you are the same people, you are a single internet service with one responsible party (whoever's name is on the bill). my point is that the ip address is at least temporarily unique to a single internet access, which blows up all of the masnicks claims that ips are not unique. he likes to pull things both ways, and sometimes gets caught doing it!

        • Modplan, 5 May 2010 @ 10:28am

          Re: Re: Re:

          A single internet access, seriously?

          That's your idea of "The Masnicks" concept out the window? Why am I surprised...

          • Killer_Tofu, 5 May 2010 @ 12:01pm

            Re: Re: Re: Re:

            That's a good question. After a lot of the things the AC has said, why are you surprised?

        • Rose M. Welch, 5 May 2010 @ 12:45pm

          Re: Re: Re:

          So McDonald's would be responsible if child porn were found on my neighbor's computer?

          Awesome.

        • PaulT, 5 May 2010 @ 1:18pm

          Re: Re: Re:

          "legally, you are the same people, you are a single internet service with one responsible party"

          So, how does a company identify the user making the opt-out request? What if one member of the household wishes to opt out of privacy and the others want to opt in? How would a 3rd party even know there are other users on the line?

          Hell, what if the address in connection is a PATed address utilised by a single employee of a 200 seat office? How exactly can someone identify a user for privacy purposes? What if a modem was rebooted mid-connection and a different dynamic IP was assigned? What a nightmare to work out whether you're complying with this rag!

          "all of the masnicks claims that ips are not unique"

          Except that's never what's being claimed. An IP address is only unique enough to confirm the sending and receipt of a piece of data (and only then assuming that the IP is not being spoofed or intercepted). They're unique enough to identify a device *temporarily* and not enough to identify a person. Even geographical IP location is error prone (people all over the world use VPNs to connect to Hulu from outside the US, for example).

          This is not good enough for a person's internet connection to be terminated by a biased 3rd party - the thing that's usually being refuted here. It's also not good enough for a company which had neither the resources nor the data to uniquely identify a user to ensure they're complying with the law. Therefore, the law should not be passed in its current form, just as passing 3 strikes laws is a mistake with a much higher burden of evidence.

          Since the law demands a "unique persistent identifier" and an IP address does not meet that criteria then it should be deemed invalid.

          "he likes to pull things both ways, and sometimes gets caught doing it!"

          Assuming you're the same moron who always refers to "the Masnicks", I don't think I've ever seen you post an internally coherent argument, let alone one that "catches" anybody else doing anything.

  • Mark, 5 May 2010 @ 7:02am

    From my reading elsewhere, I think this bill is more for websites that collect the information and then pass it on to 3rd parties (Marketers, advertising, telemarketers, partners) rather than for the website itself directly.

    The website is able to collect this information and store it. For covered information, you then have the ability to opt out of them selling your information to a 3rd party. For sensitive information, you have to explicitly tell a website (opt-in) that you approve of them passing on the data to 3rd parties.

    Now, why are SSN, biometric data, and financial account data only classified as covered information? I would consider that information sensitive, but that's just me.

  • Pixelation, 5 May 2010 @ 7:31am

    "While I may not support everything in the current draft bill, it is important to get the input of stakeholders,"

    Um, too bad this likely doesn't mean the stakeholders that count, you and me.

    Will there be protection for people who opt-out or refuse to opt-in? Or will companies then deny service?

    Nothing is better than government making more work for itself.

  • Crosbie Fitch, 5 May 2010 @ 7:49am

    Misunderstanding Privacy

    Privacy is the individual's natural right to protect the physical boundaries of their private domain (the spaces they enclose and occupy, and their contents), to exclude others.

    Privacy is not the privilege of constraining the disclosure or circulation of 'sensitive' information by those it has been confided to.

    No doubt many would like such a privilege over their fellows, to prosecute them if they betray their confidence, but it has no natural basis.

    Corporations (being immortal psychopaths) may well need to be tightly regulated, but that's not the same as the folly of granting unnatural powers to mortals.

    So, create regulations applying to corporations by all means, but don't corrupt the meaning of privacy in the process.

  • Jesse, 5 May 2010 @ 8:16am

    We have a similar law in BC, and basically the end effect is that businesses can't require you to hand over information during a transaction (unless the transaction requires that information, i.e. credit card information). So they can't say, "Hey, tell us your religion or we can't do this transaction."

    Of course, there is a huge problem with enforcement. There are a large number of bars in downtown Vancouver which require you to scan and log your driver's license on their database when you come in (you don't need to log my driver's license to check my age). They've been doing it for years and nobody is doing anything about it, despite complaints to the privacy commissioner.

  • Bengie, 5 May 2010 @ 9:45am

    Can't store an IP?

    Sorry, you opted out of storing/using your IP. We can no longer communicate with you over the internet.

  • Katherine Warman Kern, 10 May 2010 @ 11:12am

    Boucher proposed bill

    Since all the corporations are lobbying the bill to defend what they are doing and we are advising clients who are interested in improving upon "what is" - we are fielding a survey to ask people how they think their information should or shouldn't be shared. http://www.comradity.com/comradity/how-do-you-feel-about-sharing-your-information.html We will share the results with Rep. Boucher. Katherine Warman Kern @comradity
