Interestingly there seems to be a loophole in that they can collect the data regardless of consent, but can't use or share it without consent. So chances are this sensitive data will be recorded and put in a database anyway, even if they're not lawfully allowed to look at it without anonymizing first - but a future law could also add an exception, keeping things for law enforcement for instance.
The FCC confirmed that yes, regardless of consent, the ISP can collect 'sensitive' information if it is anonymized/de-identified before use or sharing. The ISP does need to make it clear to the user what information is being collected, but there's no way at present to prevent them from collecting it at all. They're also barred from attempting to de-anonymize the data, though a third party probably could.
> Interestingly there seems to be a loophole in that they can collect the data regardless of consent, but can't use or share it without consent. So chances are this sensitive data will be recorded and put in a database anyway, even if they're not lawfully allowed to look at it without anonymizing first - but a future law could also add an exception, keeping things for law enforcement for instance.
I'm not all that worried about law enforcement. I think it is much more likely that the database will be hacked and the data will just get shared that way.
The only way to protect private data is to prevent the ISPs from collecting it in the first place. Otherwise, everyone knows the ISP has the data whether they share it or not, it's a big juicy target, and it's probably not that difficult to get to.
There is no need for any sort of future law; that data is open to law enforcement already. That is the fundamental problem in all of this: decade-old court decisions that determined you have no "reasonable expectation of privacy" in data you shared with a company.
That may have been a useful policy in a time where you yourself could decide what data you shared; now that devices share data on your behalf that can be stored forever, aggregated, analyzed and whatnot, it is clearly no longer acceptable. We desperately need a whitelist approach to companies storing and handling cleartext user- and metadata.
This is completely pointless. They'll just add some form you have to sign before giving you service and that's about it.
After all, do you read and act on the privacy notifications other providers give you?
Does this at least require them to provide service irregardless of your consent to share data? If not, this is a pointless law that just makes it look like they did something.
Copied this from another comment of mine on this post, but it answers part of your question. From the FCC fact sheet[0] on the decision:
> The Order prohibits “take-it-or-leave-it” offers, meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes.
So at least they can't cut you off entirely if you don't consent/opt-in. The fact sheet also touches on the "pay for privacy" issue:
> Recognizing that so-called “pay for privacy” offerings raise unique considerations, the rules require heightened disclosure for plans that provide discounts or other incentives in exchange for a customer’s express affirmative consent to the use and sharing of their personal information. The Commission will determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.
Not an outright ban on discounting service for opting in, but looks like they're leaning towards not allowing something like that.
I think you are describing general problems with disclosure and consent regulations and common-law.
The regulators and legislators pursue and get credit for incremental actions, but there is no agent or body with accountability for overall impact. When regulators impose a new disclosure requirement, they often show that if a consumer reads the document, the individual will learn something; the problem is that when this document is page 53 of a 200 page disclosure, almost nobody reads it.
This issue was pointed out by Chief Justice Roberts when he said that he never read any of the prescription drug warnings that drug-producers have been required to provide (by courts and regulators).
You have to opt in and there can't be a penalty for opting out, the fact sheet says. That said, there may be a bonus for opting in — perks or whatnot. That will have to be settled separately, probably.
Well, thanks to sites like HN and Reddit, as soon as they drop some dumb stuff in the contract, it will be brought to the surface and informed people will at least KNOW... that's a big thing
> This is completely pointless. They'll just add some form you have to sign before giving you service and that's about it.
>
> After all, do you read and act on the privacy notifications other providers give you?
So that's an interesting thing that's come up in the European Union, where the "constitution"/"bill of rights"[1] mandates "consent" for processing of personal data, namely does one of those click through I Agree things count as "informed consent".
Let's be honest, the vast majority of people aren't actually consenting to things that are in the contract.
[1] For political reasons there is no "European Union Constitution". However there is the "Charter of Fundamental Rights of the European Union" which is sorta a "Bill of rights"
Yep, exactly. Comcast says "we can share your data", you agree because they're literally the only usable Internet offering in cities all across America.
Or worse, they will structure it like AT&T's project Hemisphere and find a way to provide the same insights without sharing the data specifically. And they will do it without any forms or notifications at all.
I'm sure this will lead to radical alterations on paragraph 117 of the typical EULA, where everyone will notice it immediately and have a serious think about the economic value of their personally identifiable information. I have not looked at the actual motion yet but I suspect that companies will only have to answer consumer inquiries in general terms rather than giving them a detailed statement. Oh well, I've given up trying to safeguard my privacy anyway.
If the data is collected at all, it can be collected incorrectly (e.g. stored in such a way that it is stolen eventually, “permissions” be damned). Still solving the wrong fundamental issue.
We desperately need to work on reducing the importance of data itself. We must assume by default that all information will be improperly handled pretty much anywhere (or, that the task of keeping it secure indefinitely is just too hard).
That means: data whose usefulness expires extremely quickly (with corresponding protocols), and the complete retirement of stupid bits of information we now carry like social security numbers and credit card numbers that can instantly screw you in the wrong hands. In fact, we ought to have proxies for EVERYTHING; I don’t know why I even have to hand out my home address, for instance, when in theory I could give a company some temporary proxy address that routes to my house only as long as I ALLOW that forwarding; after that, it becomes meaningless and cannot be used for junk mail.
I wish the UK had this. Mobile phone/data providers send a header with HTTP requests to provide the site with your phone number which they can then use to charge you without permission.
I am kind of surprised that this wasn't already regulated, considering that telephone privacy has been an issue for decades. Perhaps this is a case of an unwritten common-sense policy that is only being codified when ISPs start to break it (e.g. AT&T's now-canceled "Internet Preferences").
B2B and B2G are a whole different ball game. In a B2B scenario they are exposed to a class-action lawsuit for bad behavior or a government fine. In a B2G scenario, really the only thing an individual citizen can do is take it to the Supreme Court.
"Commissioner Ajit Pai, who voted no, cautioned that the "cold reality" is that nothing in the new rules will stop those companies from "harvesting and monetizing your data," including the websites visited, YouTube videos watched or search terms entered on any device."
Any reasonable person reading that would infer that Pai thinks that these rules are not sufficient and is in favor of stricter rules. That turns out not to be the case at all.
I agree. I'm also glad they specified "opt-in" consent and not "opt-out." They can't start collecting your data without your prior knowledge and authorization. This is a good thing.
Next step would be to disallow hijacking and data insertion into your stream of data. It would be a step towards cementing ISPs' role as a dumb carrier of data.
[+] [-] devindotcom|9 years ago|reply
I'm triple checking with the FCC on this though.
[+] [-] devindotcom|9 years ago|reply
More info here:
http://transition.fcc.gov/Daily_Releases/Daily_Business/2016...
[+] [-] wmf|9 years ago|reply
If the FCC allows ISPs to collect data as long as they swear it will never be used, the ISPs can then sell it to law enforcement with a contract that says they will also "never use it". https://www.theguardian.com/business/2016/oct/25/att-secretl...
[+] [-] ez_psychedelic|9 years ago|reply
[+] [-] twblalock|9 years ago|reply
[+] [-] revelation|9 years ago|reply
AT&T turned this into a product:
http://www.zerohedge.com/news/2016-10-27/us-taxpayers-pay-at...
[+] [-] Something1234|9 years ago|reply
[+] [-] JumpCrisscross|9 years ago|reply
[+] [-] ars|9 years ago|reply
[+] [-] christianmunoz|9 years ago|reply
[0] http://transition.fcc.gov/Daily_Releases/Daily_Business/2016...
[+] [-] nickff|9 years ago|reply
[+] [-] devindotcom|9 years ago|reply
[+] [-] jmcdiesel|9 years ago|reply
[+] [-] rmc|9 years ago|reply
[+] [-] mperham|9 years ago|reply
[+] [-] wheelerwj|9 years ago|reply
[+] [-] driverdan|9 years ago|reply
Yes. Never sign a contract without reading it.
[+] [-] alexbanks|9 years ago|reply
[+] [-] anigbrowl|9 years ago|reply
[+] [-] cordite|9 years ago|reply
[+] [-] makecheck|9 years ago|reply
[+] [-] afarrell|9 years ago|reply
[+] [-] guelo|9 years ago|reply
[+] [-] SEJeff|9 years ago|reply
[+] [-] hackuser|9 years ago|reply
[+] [-] cunotaco|9 years ago|reply
[+] [-] wmf|9 years ago|reply
[+] [-] Spooky23|9 years ago|reply
[+] [-] supergeek133|9 years ago|reply
Think of it like when you authorize Facebook or someone else to share data via OAuth, how many people read that list?
[+] [-] whatupmd|9 years ago|reply
[+] [-] revelation|9 years ago|reply
What world are we living in where the post service is allowed to rip open mail and deface it?
[+] [-] wmf|9 years ago|reply
[+] [-] MayMuncher|9 years ago|reply
[+] [-] chipperyman573|9 years ago|reply
[+] [-] dsr_|9 years ago|reply
[+] [-] Frogolocalypse|9 years ago|reply
[+] [-] jgord|9 years ago|reply
[+] [-] mankash666|9 years ago|reply
[+] [-] Spartan-S63|9 years ago|reply
[+] [-] mirimir|9 years ago|reply
[+] [-] 1812Overture|9 years ago|reply
[+] [-] elhenrico|9 years ago|reply
[+] [-] 6DM|9 years ago|reply
[+] [-] blurbleblurble|9 years ago|reply
for real?
[+] [-] cloudjacker|9 years ago|reply