Draft Of Privacy Bill Introduced… And Pretty Much Everyone Hates It

from the is-that-a-good-sign? dept

Rep. Rick Boucher released a draft internet privacy bill that’s getting plenty of attention. You can read the draft on Boucher’s site (pdf) or embedded below:

In Europe, internet privacy laws are pretty standard — but in the US we’ve stayed away from them. The initial reaction to the bill seems to be that everyone hates it. Well, everyone who has a strong position and/or financial interest in it. Privacy groups say the bill is way too weak. Companies say it’s way too restrictive. As per usual, the reality is probably somewhere in the middle. The key component of the bill is that is splits up information into two categories: “covered information” which sites will have to allow users to opt-out of collection, and “sensitive information” which sites will have to have users opt-in.

Covered information (information that sites can collect, but users will have the right to “opt-out” if they don’t like it) includes:

  1. The first name or initial and last name.
  2. A postal address.
  3. A telephone or fax number.
  4. An email address.
  5. Unique biometric data, including a fingerprint or retina scan.
  6. A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
  7. A Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
  8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
  9. A preference profile.
  10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in subparagraphs (A) through (I).

As for “sensitive information” (which sites will require people to opt-in to collect), you’ve got:

  1. medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  2. race or ethnicity;
  3. religious beliefs;
  4. sexual orientation;
  5. financial records and other financial information associated with a financial account, including balances and other financial information; or
  6. precise geolocation information.

There are also some “exemptions” for the collection of information that was for “operational purposes” or “transactional purposes.” Reading through the whole thing, I have to admit I’m a bit confused as to the purpose of the bill. It seems like the “opt-in” information is the type of information that you would have to opt-in for anyway, because no website is going to be able to get that information without it. As for the opt-out information, most of that can again be handled by the user, simply through various technology offerings out there.

Perhaps I’m missing something, but this seems like the kind of bill that’s designed to say “hey, look, privacy law!” but that doesn’t really do anything to protect people’s privacy. I could see it causing a lot of trouble for sites, though, for no good reason. For example, saying that IP address information can be “opt-out” could create a massive hassle for pretty much any site that keeps log files. Imagine the fun someone could cause by visiting sites and then demanding the site remove his or her IP address from their logs. I understand the general thinking behind this, but I just don’t see it doing anything good, while I could see all sorts of unintended consequences from it.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Draft Of Privacy Bill Introduced… And Pretty Much Everyone Hates It”

Subscribe: RSS Leave a comment
Steve R. (profile) says:

Privacy belogns to the Receiptient

The privacy debate, I find somewhat mischaracterized since it is privacy as a concept is unrealistic. We need to approach it from the perspective that companies do NOT have a right to contact you without your permission and they do not have a right to your personal information after your business transaction has been completed.

I like this gloom and doom quote from The Hill. The quote below points to what is wrong with how we view privacy and why legislation to supposedly protect your privacy will never work. Companies do NOT have a right to your information nor do they have a right to always be-in-your-face to sell you something.

“It would kill hundreds of thousands of jobs in America, and it would disproportionately put small publications out of business, because consumers won’t opt in,” said Zaneis, who later noted a series of positive aspects of the current legislation. His organization, the Interactive Advertising Bureau, represents 375 organizations and includes such members as Microsoft, Google and a host of publishing firms.

Falindraun (profile) says:

Re: Privacy belogns to the Receiptient

Colorado tried to pass a law like that afew years ago by popular vote, i was all for it, but the lobbyests got ahold of some advertizing money and the bill got defeated via lots misinformation.

One of the things i could do with this bill is clean up my credit by forcing them to remove information from my credit that i dont like or is damageing to my credit, and bam, now i would have excelent credit.

Killer_Tofu (profile) says:

Younger Generation's views?

This may just be because I am from a younger crowd than most, but I don’t really know that many people amongst my groups who care about race or ethnicity. We have friends from lot of different backgrounds and get along well with all of them.
I know that times used to be different in the US (and still are in many countries) but I can only hope that as time goes on we are more accepting of cultural differences. We find the idea that something as simple as skin color can be used to be mad at somebody as ridiculous. We would rather be mad at them for something they have done that demonstrated to us that they are not “nice” people (its a relative term).
The only things that make us mad in general are when certain groups start demanding special rights for their stuff. Practice whatever you want as long as it doesn’t negatively impact us.

Oh, and how is our Social Security Number not sensitive, but sexual orientation is?
Lastly, to all of us gay marriages should be allowed too. We don’t understand why they aren’t completely legal yet everywhere. I know I am starting to veer off topic but these seem to be the prevalent views amongst my generation and a few things on that list seem odd being from the group that thinks this way.
All of my friends either feel this way, or don’t care. None of them that I hang out with are against the ideas I mentioned here. Is it just a younger generation’s views with how times are changing, or is it just because of the area from which I hail?

Verve (profile) says:

Re: Younger Generation's views?

From purely a marketing perspective, race/ethnicity can be useful because of exactly what you point out … cultural differences! It’s market segmentation; it’s how you present your product to your target audience. But you have to know what your audience is to target your communications!

Otherwise, I’m totally with you… ethinicity, race, cultures… those lines are becoming more blurred over time. But this is a very slow process…

Anonymous Coward says:

the ip address one is funny. you guys all argue that an ip address is not unique, yet you think someone will visit a site and then demand his ip be removed from the logs? how does one prove that it is really them visiting? oh wait, you mean an ip address is at least a temporarily unique identifier? damn, another of the masnicks basic concepts out the window!

keven sutton says:

Re: IP Adress

I think IP Address was brought up not because it was a unique Identifier, but because if someone were to ask for it to be removed it would cause a great deal of unnecessary overhead.

IP Addresses are very rarely unique, but there are privacy advocates that would opt out of as much as possible, including IP addresses. Your conclusion that “Masnick’s Basic Concept” is “out the window” is incredibly uninformed. I don’t really believe that you will read this though. Chances are you are just a troll looking for someone to bait.

Anonymous Coward says:

Re: Re: IP Adress

you have to think past your nose on this. if the ip address is unique, then the user can ask for it to be removed. but if it is not unique, how can he? passing a law like this would essentially make the ip address unique by definition. otherwise, how can a user claim to have an ip address removed from a log if the ip address isnt uniquely theirs to start with? contradiction time!

keven sutton says:

Re: Re: Re: IP Adress

…And that’s where the unnecessary overhead comes in. Because it’s NOT a unique identifier there is no reliable way to conclude that any given user is the sole user of any given IP address.

So I have thought passed my nose to the reality of the way IP works, Rather than concluding that if a bill states that I can remove IP addresses from my personal information on a site, then those people who are knowledgeable about IP are wrong about how it works.

John Doe says:

Re: Re: Re: IP Adress

Nice try again, ignoring my previous post AC. You can determine your IP address at the time you are surfing and then demand it be removed. So yes, IP addresses are unique. The problem is when outside parties try to nail down the IP address you were using. They can’t say for sure it was you. But you can because you can check it on your machine. So please, quit twisting the facts and admit you are wrong. There is no contradiction here.

Anonymous Coward says:

Re: Re: Re:2 IP Adress

you see, that is the problem. the masnick claims ip addresses are never unique. there is no way to connect a user and an ip addresses. heck, it could be a printer. yet, there you are contradicting the masnick and stating that an address can be unique for a time. wow. maybe you can explain that contradiction to keven up there. he seems to have missed it.

Mike Masnick (profile) says:

Re: Re: Re:3 IP Adress

you see, that is the problem. the masnick claims ip addresses are never unique.

Most people already know this, but just for the few that might not, the above statement is not even close to true. I have never said anything along the lines that an IP address is not “unique.” I have merely said — correctly — that an IP address does not identify who the user is.

PaulT (profile) says:

Re: Re:

I have to wonder who you’re talking about when you say “you guys”. Especially when the people who (correctly) point out that an IP address is neither a unique or reliable identifier are usually talking about how lawmakers misunderstand technology. You know, the same lawmakers who drafted this bill.

There is also a question as to whether the phrase “unique persistent identifier” would apply to dynamic IP addresses or just static IPs since dynamic IPs are not persistent. The language used in this document is, at best, questionable to anybody with technical knowledge.

“an ip address is at least a temporarily unique identifier?”

If by unique, you mean that only one computer can have said address at any one time? No, it’s not. That’s how they’re intended, but not how they actually work – an important distinction.

“damn, another of the masnicks basic concepts out the window!”

Nope, it’s upheld, perfectly.

Anonymous Coward says:

Re: Re: Re:

legally, you are the same people, you are a single internet service with one responsible party (whoevers name is on the bill). my point is that the ip address is at least temporarily unique to a single internet access, which blows up all of the masnicks claims that ips are not unique. he likes to pull things both ways, and sometimes gets caught doing it!

PaulT (profile) says:

Re: Re: Re: Re:

“legally, you are the same people, you are a single internet service with one responsible party”

So, how does a company identify the user making the opt-out request? What if one member of the household wishes to opt out of privacy and the others want to opt in? How would a 3rd party even know there are other users on the line?

Hell, what if the address in connection is PATed address utilised by a single employee of a 200 seat office? How exactly can someone identify a user for privacy purposes? What if a modem was rebooted mid-connection and a different dynamic IP was assigned? What a nightmare to work out whether you’re complying with this rag!

“all of the masnicks claims that ips are not unique”

Except that’s never what’s being claimed. An IP address is only unique enough to confirm the sending and receipt of a piece of data (and only then assuming that the IP is not being spoofed or intercepted). They’re unique enough to identify a device *temporarily* and not enough identify a person. Even geographical IP location is error prone (people all over the world use VPNs to connect to Hulu from outside the US, for example).

This is not good enough for a person’s internet connection to be terminated by a biased 3rd party – the thing that’s usually being refuted here. It’s also not good enough for a company which had neither the resources nor the data to uniquely identify a user to ensure they’re complying with the law. therefore, the law should not be passed in its current form, just as passing 3 strikes laws is a mistake with a much higher burden of evidence.

Since the law demands a “unique persistent identifier” and an IP address does not meet that criteria then it should be deemed invalid.

“he likes to pull things both ways, and sometimes gets caught doing it!”

Assuming you’re the same moron who always refers to “the Masnicks”, I don’t think I’ve ever seen you post an internally coherent argument, let alone one that “catches” anybody else doing anything.

Mark says:

From my reading elsewhere, I think this bill is more for websites that collect the information and then pass it on to 3rd parties (Marketers, advertising, telemarkerts, partners) rather than for the website itself directly.

the website is able to collect this information and store it. for covered information, you then have the ability to opt of them selling your information to a 3rd party. For sensitive information, you have to explicitly tell a website (opt-in) that you approve of them passing on the data to 3rd parties.

Now, why are SSN, biometric data, and financial account data only classified as covered information. I would consider that information sensitive, but that’s just me.

Pixelation says:

“While I may not support everything in the current draft bill, it is important to get the input of stakeholders,”

Um, too bad this likely doesn’t mean the stakeholders that count, you and me.

Will there be protection for people who opt-out or refuse to opt-in? Or will companies then deny service?

Nothing is better than government making more work for itself.

Crosbie Fitch (profile) says:

Misunderstanding Privacy

Privacy is the individual’s natural right to protect the physical boundaries of their private domain (the spaces they enclose and occupy, and their contents), to exclude others.

Privacy is not the privilege of constraining the disclosure or circulation of ‘sensitive’ information by those it has been confided to.

No doubt many would like such a privilege over their fellows, to prosecute them if they betray their confidence, but it has no natural basis.

Corporations (being immortal psychopaths) may well need to be tightly regulated, but that’s not the same as the folly of granting unnatural powers to mortals.

So, create regulations applying to corporations by all means, but don’t corrupt the meaning of privacy in the process.

Jesse says:

We have a similar law in BC, and basically the end effect is that businesses can’t require you to hand over information during a transaction (unless the transaction requires that information, i.e. credit card information). So they can’t say, “Hey, tell us your religion or we can’t do this transaction.”

Of course, there is a huge problem with enforcement. There are a large number of bars in downtown Vancouver which require you to scan and log your drivers license on their database when you come in (you don’t need to log my driver’s license to check my age). They’ve been doing it for years and nobody is doing anything about it, despite complaints to the privacy commissioner.

Katherine Warman Kern (profile) says:

Boucher proposed bill

Since all the corporations are lobbying the bill to defend what they are doing and we are advising clients who are interested in improving upon “what is” – we are fielding a survey to ask people how they think their information should or shouldn’t be shared.


We will share the results with Rep. Boucher.

Katherine Warman Kern

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...