Lawmakers' decision to repeal the broadband privacy rules seems to be sparking an unanticipated backlash.
Not only did Illinois lawmakers advance two new privacy bills this week, but legislators in Minnesota approved a measure that would require Internet service providers to obtain subscribers' written consent before collecting their "personal information."
Democratic state Senator Ron Latz, who authored the Minnesota measure, suggested the bill is a direct reaction to Congress's vote to scrap privacy rules that would have prohibited carriers from drawing on users' Web-surfing data for ad targeting without their opt-in consent.
"Due to a joint resolution passed by Congress this week, that is likely to be signed by President Trump, Minnesotans will soon be vulnerable to have their browsing history, health data, financial information, online purchase data, app usage and geo-location recorded by internet providers and sold by them to the highest bidder," he stated. He added that his measure -- an amendment to a budget bill -- "is about standing up and saying that our online privacy rights are critically important."
It's still not clear whether these bills -- and other privacy measures making their way through various state legislatures -- will be enacted. It's also unclear whether state online privacy laws would survive legal challenges, especially if the measures will have nationwide consequences. But even if the bills ultimately fail, they're putting Internet service providers (and other Web companies) on the defensive for now.
State lawmakers aren't the only ones who see new threats to online privacy. The editorial board of the Washington Post this week called on Congress to pass new broadband privacy laws -- though ones that were less sweeping than the rules passed last year by the Federal Communications Commission. The Post's editorial board said that some of the criticism of the FCC's privacy rules was "fair," but went on to urge lawmakers to craft measures that would give users "a say in how their sensitive information is used."
Privacy expert Paul Ohm, a law professor at Georgetown, expressed concerns that the data broadband carriers will collect about people's Web-browsing habits could be obtained by the FBI. "Never has one industry been cut loose to generate one spine of information that could serve the needs of law enforcement so well -- until now," Ohm writes in a Washington Post op-ed. "Congress just approved the single greatest expansion of the Database of Ruin to date -- and Verizon, Comcast, AT&T, Time Warner, CenturyLink and the rest of our broadband providers are racing to build it."
The pushback has left some Internet service providers scrambling to defend themselves to the public.
"We do not sell our broadband customers’ individual web browsing history. We did not do it before the FCC’s rules were adopted, and we have no plans to do so," Comcast chief privacy officer Gerard Lewis said this morning in a blog post. He added that Comcast obtains opt-in consent before sharing data it considers sensitive, like banking and health information, and allows subscribers to opt out of receiving targeted ads based on data it doesn't consider sensitive.
AT&T's Bob Quinn authored a similar post. "Given the Beltway reaction to the commendable work by Congress to reverse the FCC’s off-course privacy rules, it’s worth taking a step back to see what’s really going on," Quinn wrote this morning.
"No one is saying there shouldn’t be any rules," Quinn continued, adding that AT&T wants the rules replaced "by a return to the long-standing Federal Trade Commission approach."
The FTC -- which lacks jurisdiction over common carriers -- broadly recommends that Web companies allow people to opt out of the collection and sharing of non-sensitive data. The FTC also suggests that companies should obtain opt-in consent before sharing a narrow category of "sensitive" data -- including health information and precise location data.
Quinn added that repealing the net neutrality rules will allow the FTC to police broadband privacy. But the 9th Circuit Court of Appeals disagrees. That court ruled last year that the FTC couldn't bring an enforcement action against AT&T for allegedly duping wireless customers about broadband data -- although the alleged deception occurred years before mobile broadband was classified as a common carrier service.