Maine inches closer to shutting down ISP pay-for-privacy schemes

Maine residents are one step closer to being protected from the unapproved use, sharing, and sale of their data by Internet service providers (ISPs). A new state bill, already approved by the state House of Representatives and Senate, awaits the governor’s signature.

If signed, the bill would provide some of the strongest data privacy protections in the United States, putting a latch on emails, online chats, browser history, IP addresses, and geolocation data collected and stored by ISPs like Verizon, Comcast, and Spectrum. The bill goes further: Unlike a data privacy proposal in the US and a new data privacy law in California, the Maine bill explicitly shuts down any pay-for-privacy schemes.

The Act to Protect the Privacy of Online Customer Information (or LD 946 for short) would go into effect on July 1, 2020. It is, with minor exception, widely supported, even among its intended targets.

“We sell Internet access, and we know that if people can’t trust the Internet, then the value of the Internet is significantly lessened, as it will be used less for sensitive applications,” wrote Fletcher Kittredge and Kerem Durdag, CEO and COO of Maine-based ISP GWI. “Even if government regulation blocks us from making money selling customer data (something we never ever do), we still benefit because a trusted Internet is more valuable to all our customers.”

Not everyone agrees, though.

The Maine State Chamber of Commerce opposes the bill and, following the Senate’s unanimous approval last week (35–0), has vowed to “ensure that this harmful bill does not become law.”

The Chamber’s arguments have puzzled the ACLU of Maine, a supporter of LD 946. According to the nonprofit, the Chamber has engaged in “gaslighting” and “disingenuous” advertising, serving as a mouthpiece for the region’s big ISPs.

The Chamber did not respond to requests for comment.

Further, the Chamber commissioned a public survey that handwaves away the actual matter at hand: Should ISPs be restricted from selling user data?

To the ACLU of Maine, that answer is clear: Yes.

“This bill protects Mainers from having their ISPs sell their data without their knowledge and consent,” said Oamshri Amarasingham, advocacy director of ACLU of Maine.

The bill

Sponsored by Maine state Democratic Senator Shenna Bellows, LD 946 would prohibit ISPs from using, disclosing, selling, or allowing access to customers’ “personal information.” That includes the content of online communications, web browsing history, app usage history, “precise geolocation information,” and health and financial information.

This bill does not exist in a vacuum. In February, Motherboard revealed that, for years, actual, honest-to-God bounty hunters could access the location data of AT&T, T-Mobile, and Sprint customers. It gets better (worse): The location data was initially intended for 911 operators, but was sold to data aggregators by the telecom companies themselves.

Away from bounty hunter headlines, The Verge also spotlighted AT&T’s future profiteering plans last month to monetize nearly every piece of its customers’ data.

Under LD 946, that activity would be regulated.

The bill allows for some exceptions. An ISP could sell user data so long as the user consents to that sale, and ISPs could also use and disclose user data when complying with court orders, rendering bills, protecting users from fraud and abuse, and providing their services, so long as the user data is necessary to those services. Further, ISPs could disclose geolocation data in the case of emergencies, like dispatching 911 services.

The bill also closes a few potential loopholes, prohibiting ISPs from requiring that users consent to the sale of their data in order to use their services. The bill also states that ISPs must provide “clear, conspicuous, and nondeceptive notice” when users consent to sell their data.

Finally, the bill shuts down any “pay-for-privacy” schemes that have already proved popular. According to the bill, ISPs cannot “charge a customer a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent” to having their data sold, shared, or accessed by third parties.

Good.

As we previously wrote about Sen. Ron Wyden’s data privacy proposal, which includes a pay-for-privacy stipulation:

“[Pay-for-privacy] casts privacy as a commodity that individuals with the means can easily purchase. But a move in this direction could further deepen the separation between socioeconomic classes. The ‘haves’ can operate online free from prying eyes. But the ‘have nots’ must forfeit that right.”

The Maine state bill does its part to prevent that unequal outcome.

Maine Governor Janet Mills has until June 11 to sign the bill and turn it into law. If she misses the deadline, the bill automatically becomes law.

Amarasingham of ACLU of Maine expects a positive outcome.

“We are optimistic that [Governor Mills] will sign this bill,” Amarasingham said. “I know ISPs and the Chamber of Commerce are exerting a lot of pressure, but I’m proud to say Maine legislators didn’t cave to that. I hope the governor’s office won’t either.”

The opposition

The challenge to LD 946 includes claims of insufficiency, unproven rhetoric, misleading statistics, and a question as to what legislation should accomplish.

As Amarasingham said, one of the bill’s main opponents is the Maine State Chamber of Commerce. In recent months, the Chamber funded a 30-second video ad criticizing the bill, hired a research firm to conduct public surveys about data privacy, and launched a website that asked Maine residents to tell their representatives to vote against the bill.

That website labeled LD 946 as “harmful to Maine’s consumers,” because, allegedly, the bill “will create greater consumer confusion and undermine consumers’ confidence in their online activities—a risk to the continued growth of the digital economy.”

That confusion argument showed up in a Central Maine opinion piece written by Mid-Maine Chamber of Commerce president and CEO Kimberly Lindlof. Lindlof wrote that a “patchwork” of state data privacy laws—with different standards across different state lines—could create a scenario where Maine residents “might have to opt in to a privacy setting in Maine but opt out of that setting if you go into another state for vacation.”

But the Mid-Maine Chamber of Commerce and the Maine State Chamber of Commerce both oppose LD 946 for another reason: The bill does not go far enough.

According to both agencies, LD 946 should apply not just to companies that provide Internet service, but also companies that operate their businesses online, such as Google and Facebook. The Chamber’s video ad, which it posted on Facebook, said that “it doesn’t make sense” to leave out these big Silicon Valley tech companies which have repeatedly failed to protect user data. (The video ad also claims that LD 946 “exempts Facebook,” which is flatly untrue—it simply does not apply to Facebook. There are no written exemptions for the company.)

Boiled down, the Chamber wants a stronger bill.

However, this is an ideological argument about policy: Should legislation immediately achieve broad goals, or should it take individual steps towards those goals?

According to Amarasingham, the reality of policy-making is the latter.

“The nature of legislation and law reform is that it is incremental,” she said. “There is no one bill on any issue that solves an entire problem. This bill is an enormous first step and it is very important.”

Following the Senate’s approval of LD 946 last week, the Chamber responded on its website:

“Today the State Senate failed to protect the online privacy of all Maine consumers in passing LD 946, a fundamentally flawed bill that will do little to make Mainers’ personal privacy more secure on the Internet. Despite the fact that 87% [nearly 90%] of Mainers believe a state law should apply to all companies on the Internet according to a recent survey, senators chose to pass a bill that leaves consumers’ personal data unprotected when they are using websites, search engines, and social media apps.”

Those statistics deserve scrutiny.

The statement cites a Chamber-funded survey by David Binder Research, in which the firm conducted 600 telephone interviews between May 9 and May 11. The statistic referenced by the Chamber pertains to this question:

“If the Maine state legislature were to pass a law today to protect your personal privacy, should this law apply to just a few companies on the Internet, with the idea of passing more law [sic] in the future to cover additional companies on the Internet, or should this law apply to all companies?”

According to the survey, 87 percent of respondents answered “All companies.”

But that question asks respondents to make a choice between two entirely different things—one of them literally exists and the other does not.

LD 946, which applies to a “few companies,” is written. A bill that applies to “all companies” is not. This is a choice between reality and possibility.

Further, the question’s language obfuscates a core difference between “companies on the Internet”—like Google and Facebook—and companies that provide the internet. These are not the same.

The Maine State Chamber of Commerce did not respond to emailed questions about when it last created a website campaign against a bill, or about why it believes the potential for broader privacy protections supersedes the current bill’s incremental protections. The Chamber also did not reply to a voicemail providing similar questions.

If, at this point, you’re confused about how incremental protections against sneaky ISP behavior could be seen as “harmful,” you’re not alone. Tracking the Chamber’s privacy-protective messaging against its anti-ISP-protection messaging can make anyone’s head spin.

“I can’t say that I fully understand why the Chamber is carrying Spectrum and AT&T’s water on this,” Amarasingham said. “Their top line, outward-facing message was Mainers deserve privacy protections, which is also our top line message.”

Amarasingham continued: “This is real privacy protection.”

Data privacy shoulds and should-nots

Should rules be written to stop Facebook and Google and dozens of Silicon Valley tech companies from profiting off your data? That depends on several factors, like what those rules would look like, how they would be implemented and enforced, and what exemptions would apply, not to mention whether those rules would nullify current state rules that are being pushed forward today.

But should ISPs be allowed to sell user data without consent when there is already a widely-supported plan in place to stop them? Absolutely not.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.