Pushback on the rollback of Internet privacy rules

Congress has just declared open season on your privacy, and the president is about to rubber-stamp it.

We are now waiting on Trump to sign recently passed House and Senate legislation eliminating the Federal Communications Commission’s (FCC) Internet privacy protections. In addition to existing rules, new FCC regulations announced in October of 2016 would have prevented Internet Service Providers (ISPs) from sharing or selling your information without your permission -- or that of your children if they use your internet at home -- without your permission as of the end of 2017.

In particular, the new FCC rule would have required you to opt in to having sensitive information shared by your ISP including “geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications.” You also would have been able to opt out of having your email address shared.

Instead, we are apparently going from a (yet to be implemented) semi-private system with the ability to opt-in, to a no-privacy system with the inability to opt out.

With the expected stroke of Trump’s pen, what will we have we lost...?

ISPs, websites, and apps will be able to share or sell all the information you provide without your permission. What’s worse, the rollback forbids the FCC from setting privacy protection rules in the future because Congress has decided it is better that the Federal Trade Commission (FTC) govern these rules – but this new bill does not require that the FTC create them.

Ajit Pai, the new chairman of the FCC, says he believes “the best way to achieve [consumers’ online privacy] would be to return jurisdiction over broadband providers’ privacy practices to the Federal Trade Commission (FTC), with its decades of experience and expertise in this area.”

President Obama’s Commission on Enhancing National Cybersecurity also believed that the FTC should take the lead on consumer issues and the Internet. But the FTC cannot enforce Internet guidelines without Congress passing legislation enabling it to do so. And there are no signs of movement in that direction, which is very troubling.

Was this significant change an accident? No. Is this an all-too-common tale of corporate lobbyists winning out over the interests of individual Americans? Yes.The elected officials who voted for this have given the lobbyists and communications companies a giant present wrapped in a big red bow.

We should all be outraged.

Our federal government is essentially sacrificing our personal privacy on the altar of “less regulation,” which is supposed to ultimately help business and the economy. But in this case I am having trouble connecting these particular dots, and so should we all.

Corporations that will benefit from acquiring our personal information without our permission are hoping the subject is too complicated for us little people to understand. Or that we are too distracted with other things to care.

One of the sure signs that we should all be paying attention -- because it’s such a rare occurrence -- is that both liberal Democrats and right-wing libertarians are on common ground. Both groups believe that an individual’s privacy is sacrosanct. Both are appalled at the current state of affairs.

I believe no one -- public or private -- should have the ability to know the subjects that occupy our minds, the landscape of our interpersonal relationships, or our buying habits. These are profoundly intimate topics and not intended for the public domain. Putting them into the hands of a major corporation, and the legions of strangers that make up their employee base, is inviting abuse.

And that's before they sell it to other companies.

The counter-argument that information is de-identified and aggregated so as to prevent it from being traced back to individuals has been repeatedly debunked by computer scientists, who have been able to comb through and re-attach data to identify the individuals by their addresses, web habits, and communications. This is really scary stuff, even without the added layer of government surveillance.

It has been proven that NSA employees in the past have used their specialized skills and access to track their “LOVEINT” (geek shorthand for love interest, derived humorously from the intelligence agency shorthand for human intelligence “HUMINT” and signals intelligence “SIGINT”) even though NSA employees are heavily monitored. Corporate employees will likely never be subject to that degree of scrutiny.

Vote count

How did Congressional representatives vote on taking the FCC out of the privacy regulation loop while not authorizing the FTC to step in and begin monitoring? It was a party line vote, with the exception of Rep. Justin Amash, a Michigan Republican who has repeatedly sided with advocates of privacy rights.

Our own congressmen and congresswomen voted as follows:

  • Dina Titus (CD-1, Democrat) voted no;
  • Mark Amodei (CD-2, Republican) voted yes;
  • Jacky Rosen (CD-3, Democrat) voted no;
  • Ruben Kihuen (CD-4, Democrat) voted no.

Our two senators likewise voted on party lines: Dean Heller (Republican) voted yes, and Catherine Cortez Masto (Democrat) voted no.

In short, Nevada Republicans voted to kill the privacy rules, while the Democrats voted to keep them. The Republicans have not explained their votes, and this economics and finance expert truly doesn't understand how it's good for business. And I would venture that they don't, either.

Nevada is generally pretty strong on personal liberties and privacy, so I am somewhat surprised at the vote cut down partisan lines. Especially in light of the fact that Nevadans -- in a rather obscure but concrete way back in 1999 as part of modifying the crimes against property statute -- have already said that they want no part of letting ISPs, in particular, share their personal information.

States to the rescue?

What about Nevada? Can the state do anything to mitigate the new federal state of affairs?

In effect, we already have a legislative foundation in place upon which to build -- if we have the political will to use it. No cases have yet been brought against the ISPs or vendors who provide and then share email addresses though they are covered in our statute, but it certainly appears at first glance that these entities may have broken Nevada law in these intervening years.

Specifically, any sharing of information is addressed by NRS 205.498, which states that all data concerning a subscriber of Internet service must be kept confidential unless the person opts out. Email addresses are excluded, but you can opt in to keep that confidential, too. On its face, this law makes it appear that companies such as Google that provide emails and then sell information may have broken Nevada law.

Moreover, NRS 205.511 states that regardless of whether somebody has been acquitted or convicted of this crime -- a misdemeanor -- or even if they were not prosecuted at all, a civil suit can still be filed against them for damages, punitive damages, and attorney's fees.

We could certainly take the law further, if we wished, as other states are doing. Internet Service Providers are only one of the many entities that are privy to our personal information. Others include: Google, Amazon, Facebook, and thousands of phone apps. All of them should be precluded from sharing our personal information without express permission. While our legislative session is short, there is still time. And is not the privacy of our citizens paramount?

Our body of law also includes NRS 603A.210, which states that data collectors are to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.” This is a good starting point for breach laws, but it doesn't cover damages to consumers and only requires notification. In this case, our laws have fewer teeth than the legislation other states are actively pursuing.

Some states are seeking to push their own privacy rules further and include all websites. Proposed legislation in a few large states (Illinois, California, Texas, and others) could feasibly force Internet companies to comply with their laws everywhere. Why? ISPs and websites/apps having millions of users residing in dozens of states. It could be prohibitively burdensome to create a patchwork of rules. If even two high population states pass strong privacy rules, it will likely be easier for Facebook to adopt those rules across all U.S. users rather than determining which of their users are residents of the rule-setting states and then selectively applying those rules.

For example, Illinois state Sen. Michael E. Hastings has proposed a law that would allow customers to know what information a commercial website or online service has collected and who received their collected information. The proposed law states that companies should inform their customers of “all categories of personal information that were disclosed; and the names of all third parties that received the customer's personal information.”

If the measure passes, the state’s more than 12 million residents could play a part in establishing state-driven privacy rules that would benefit all of us.

ISPs versus websites and apps

There is presently a notable disparity in the rules of operation between Internet Service Providers and websites or apps. Cox, Verizon, and Comcast collect some personal data in order to provide your Internet service. ISPs can also see every website you visit and how much time you spend there, which in some ways is more information than an individual website or app will ever know about you.

Websites and apps gather massive amounts of data, however. Google and Amazon take your payment information -- and also know exactly what it is you search for, and what you purchase.

Twitter, Facebook, and Google all see and track your clicks. Google likewise sees every Like, every Internet search conducted on their site, every restaurant you tag yourself in, every set of directions you look up, and every product you are sold. Your Facebook page Likes, geographic information, check ins, click-throughs, messages, emails, payment information, and photos are all within Facebook’s reach.

All of this data is used to target you - to sell you things.

And it’s not just that. Do the elected officials who voted to open us all to invasive corporate spying realize they just gave their Internet Service Providers the right to sell their own children’s Internet history to anyone willing to pay for it? And that this is in conflict with their own constituents’ desires for the safety of their families?

Whether ignorance or carelessness or a nod to big business interests were the motivation for all the votes, this recent change puts us all at tremendous risk.

UPDATED: This story has been updated to correct Rep. Jacky Rosen's vote.
Heather Murren is a special correspondent who works pro bono for The Nevada Independent. She is married to MGM Resorts International CEO Jim Murren. MGM is a major ($250,000 ) donor to The Nevada Independent.

Heather served as a commissioner on the White House Commission for Enhancing National Cybersecurity, a 12-member commission charged with identifying steps our nation should take to ensure our cybersecurity in an increasingly digital world. The commission report was submitted December 2nd, 2016 and made recommendations relating to consumer rights and responsibilities in the digital age, the internet of things, building cyber workforce capabilities, better equipping the government to function securely and effectively in the digital age, among others.

Feature photo: “Privacy” by Owen Moore is licensed under CC BY 2.0