
Maine passes bill to prevent ISPs from selling browsing data without consent - pseudolus
https://techcrunch.com/2019/05/30/maine-internet-history-data/
======
mrguyorama
I couldn't find links to the actual bill anywhere so I tracked it down:

[http://legislature.maine.gov/LawMakerWeb/summary.asp?ID=2800...](http://legislature.maine.gov/LawMakerWeb/summary.asp?ID=280072014)

The summary: "This bill prohibits a provider of broadband Internet access
service from using, disclosing, selling or permitting access to customer
personal information unless the customer expressly consents to that use,
disclosure, sale or access. The bill provides other exceptions under which a
provider may use, disclose, sell or permit access to customer personal
information. The bill prohibits a provider from refusing to serve a customer,
charging a customer a penalty or offering a customer a discount if the
customer does or does not consent to the use, disclosure, sale or access. The
bill requires providers to take reasonable measures to protect customer
personal information from unauthorized use, disclosure, sale or access. The
provisions of the bill apply to providers operating within the State when
providing broadband Internet access service to customers that are billed for
service received in the State and are physically located in the State."

~~~
ssss11
Won’t the customer consent just become a line in the T&C’s and unless you
accept it you can’t use their service? This would be a similar situation to
the cookie disclaimers.

~~~
ssalka
Isn't this covered by:

> The bill prohibits a provider from refusing to serve a customer...if the
> customer...does not consent to the use, disclosure, sale or access [of their
> data].

?

~~~
altfredd
> The bill prohibits a provider

Nobody cares what the provider does. What matters is whether or not you sign a
damn consent form.

Suppose that there is a popular mobile App, written by Zhang Li Ltd. The App
allows you to buy travel tickets, receive discounts in local stores and upload
the contents of your address book to its servers. After a while you notice that
everyone uses it. Your local store no longer sells large amounts of groceries
unless you make a reservation from The App. All train tickets must be booked
by using The App. A bunch of local utilities stopped accepting payments unless
you send them via The App. The thing is just so convenient!

One day you notice that The App requires you to sign some "consent form" in
order to use its advanced features. A month later it threatens to delete your
account if you don't "consent" (of course, it won't say so directly — "our ML
algo detected, that you are Russian hacker! plz confirm your identity! account
secuuuurity!" — that's how it will roll). The App is absolutely not connected
to your ISP — its authors just want to buy the data, that's all!

Reminds you of anything?

~~~
duckMuppet
You're not forced to use an app.

You can go on a web browser even a phone browser and do almost all the
activities you can do in an app, and not deal with the T&C of the app once
declined. Of course, no one does because they can't be inconvenienced. Again,
you might believe that you can't check your
Facebook/Tinder/WhatsApp/Snapchat/etc., but that's generally untrue for most of
them.

In most places, due to govt regulation, you only have one or two ISPs serving
a geographic area. So the T&C in this case have an actual impact, not some
mythical and perceived injustice by "big tech".

Those app providers have the right to suck every last detail from their
meatspace, down to what color socks they like on Tuesday and sell it to Hanes.

------
malloreon
I look forward to the day when selling users' data requires the user's opt-in
every single time a third party wants to access that data. No more "yes to
all" or allowing blanket usage in TOS/EULAs.

People who use apps that sell their data should be bombarded with requests to
use that data each and every single time, until they either decide the app
isn't worth it or the app decides they should try a different business model.

And ad targeting should be included in that. Add a new notifications button to
FB - companies that have requested advertising access to me. If I decline or
don't answer, I never see their ads.

~~~
khawkins
I really don't understand the extreme hostility to data collection and data
markets. No one likes ads, but no one wants to have to pay a subscription fee
to every single site on the internet. If I'm going to see ads, I'd rather them
be something I might potentially find useful than something irrelevant. If I
end up buying their product, the exchange is mutually beneficial and both
parties walk away with value from the exchange.

What's really great is that it can really help small businesses and startups
over large corporations. Brands like Coca Cola can afford to canvas the world
with their logo, but a business with a handful of employees must use their
marketing budget very carefully. User data and profiling makes it realistic to
find those people naturally through their internet habits.

Even if this is being used by politicians, I don't see the harm. If you think
people can't think for themselves in the face of political advertising
campaigns, then I don't see why you'd also believe that those same people can
be trusted with the responsibility of the vote.

I can understand the need for treating data carefully and making sure the data
is sufficiently scrubbed for personal identification, but this issue is
something different.

~~~
kelnos
> no one wants to have to pay a subscription fee to every single site on the
> internet.

If we had a reasonable micropayments system so I could spend a few cents per
article I read online from non-subscription sites, I'd be thrilled. I do not
want to see ads, ever. I do not want companies collecting or selling my
activity patterns. If I've signed up for something, I don't want my personal
details sold to someone else in order to fund the service. I will gladly pay
my proportion of what's necessary to keep the service running in order to
avoid the "you're not the customer, you're the product" mentality.

I totally understand that probably most people don't think the way I do. They
are happy to exchange their privacy for free stuff, and in some cases wouldn't
be able to afford to pay if this wasn't an option. But it's just _sad_ that's
the case.

~~~
khawkins
Legislating such a micropayments system would centralize the monetization of
internet services in a way unprecedented since the advent of the internet. If
you're worried a lack of Net Neutrality would suppress free speech, this would
strangle it.

You'd create two internets: a bourgeoisie sphere of corporate sites with
enough influence to be included in the micropayment system, and the unwashed
masses, the sites deemed unworthy of monetization, forced to survive on a
crippled ad market. The handful of large corporate microtransaction payment
processors would get to pick and choose who gets to be on the "good internet"
without any oversight.

~~~
kelnos
Who said anything about legislation? There's no need for legislation around
this.

The problem so far with micropayments infra is that publications don't
believe their readers will prefer payment over ads. Which is unfortunately
largely true, so anyone starting a micropayments company will have a lot of
trouble developing the network effects (both on payer and payee side) to be
successful.

I don't know the solution to this, but I'd hope it's not legislation. Well --
a possible solution might be legislation that makes it economically infeasible
to run sites on ad revenue and selling data. If we make it onerous or
impossible to allow sites to collect and sell data, and make it harder for ad
networks to target people, sites will have little choice but to implement
subscription schemes, or, hopefully, adopt a micropayments-type structure.

------
samayylmao
I live there and I am proud our lawmakers took this seriously. It seems too
common for lawmakers to not understand the ramifications of what was at stake.

~~~
erentz
There was a campaign by the Maine Chamber of Commerce running against it on
the grounds that the privacy protections didn't go far enough. They only
applied to ISPs (carriers) not to companies higher in the stack (Facebook,
etc.). [1]

I couldn't quite work out if this campaign was done out of legitimate concern
or was a cynical attempt to derail it? I mean, I agree with them that privacy
legislation should apply broadly, but then I'm happy to at least start
somewhere.

[1] [https://privacy.mainechamber.org/](https://privacy.mainechamber.org/)

~~~
ncallaway
I feel like industry groups often use the "perfect as the enemy of the good"
tactic to try and sabotage any starting point on progress.

~~~
rhizome
Industry groups in favorable contexts would say this is fine, then for the
"didn't go far enough" part they just lobby some changes in definitions next
year, another change in scope the year after that, etc. Pretty soon it's
exactly what they wanted and nobody's the wiser.

------
ethanpil
For all practical purposes it won't make a difference. When you sign up for
ISP service there will be a new small paragraph buried deep in the long 10000+
word contract text that says you consent to them selling your browsing data,
which you have to sign to start the service, which nobody reads anyway.

~~~
math_and_stuff
The bill explicitly prevents that behavior.

    
    
      "The 'opt-in' nature...would set it apart from other
      state internet privacy laws...
      
      the proposed Maine law also would prohibit any [ISP] from
      making the sale of customer data part of its mandatory
      [TOS]. It also could not charge higher fees to customers
      who refuse to opt in"
    

[https://www.pressherald.com/2019/05/29/maine-on-track-to-pas...](https://www.pressherald.com/2019/05/29/maine-on-track-to-pass-nations-strictest-internet-privacy-law/)

~~~
orblivion
They can't charge more for refusing to opt in, so nobody will opt in. The only
alternative seems to be a hike in rates for everybody. Which isn't necessarily
bad, it's arguably better that people actually know what cost they're paying.
It's just naive to assume that this is ISPs getting some "extra money" on the
side. This is factored into the revenue from the service. Now they'll have to
adjust their models.

~~~
danShumway
> The only alternative seems to be a hike in rates for everybody.

My naive understanding of the market is that the market doesn't work this way
-- you charge what the market will bear. How much a product costs to make has
nothing to do with how much you should charge for it; you charge what people
will pay you.

So if the market is already buying a product at a given price point, and you
find a way to save some money or make some extra money on the side, you
shouldn't lower your prices in response unless a competitor forces you to --
and the ISP market has notoriously low competition. You happily take the extra
margin and move on with your life.

In the same way, if a margin on a product goes down, but the market still
refuses to pay more for it, you shouldn't necessarily expect prices to rise.
Sometimes products just have different percentage margins.

In other words, if a company like Apple has good data that people are
perfectly willing to buy iPhones at $1200, and they figure out a manufacturing
trick that allows them to save $100 on each iPhone they build, they're not
just going to drop the price to $1100. Similarly, if Apple has good data that
people are _only_ willing to buy iPhones at $1200 (and presumably they do, or
else they would charge more), then a buyback or warranty program that loses
them $100 per iPhone isn't necessarily going to mean a price increase.

Of course, economics majors are welcome to correct me if I'm oversimplifying
this.

~~~
kelnos
For an ISP in the US, at least, normal market forces are largely irrelevant,
as most areas do not have competition.

~~~
hathawsh
In my area, there is a lot of competition among ISPs, but I have to talk to
sales people on the phone in order to get the best price. The prices
advertised online are much higher than what individual sales people are
authorized to offer. It often feels weird to haggle, but that's a natural
effect of a free market.

------
rapind
I can predict the "Dark Patterns" right now. Giant Accept button and 6pt font
opt-out link.

~~~
ourmandave
Can they email you a "Change of Terms of Service" link (that nobody reads)
that explains you auto accept if you continue using their service or some BS?

~~~
qmarchi
Legally dubious as you can't prove whether someone has read an email or not.
Official correspondence has to occur through verifiable means (ex: having them
login to a portal, certified mail) in order to handle the approval in order to
stand up to a challenge in court.

I'm not a legal professional, and my advice shouldn't be taken as rule. Please
consult an attorney.

~~~
anticensor
They consider that you have read emails after a set period of time, regardless
of whether you (do/did/have) actually read them. It works like that in Europe
not the least.

------
RandomGuyDTB
> The bill will go into effect if Gov. Mills signs it

She'll sign it. Mainer here who's been following what's been going on (she's
our first female governor), she's been very committed to making sure our state
is modernized. She quoted Kurt Vonnegut in her inaugural speech.

------
UweSchmidt
Still can't wrap my head around the idea that they even have my browsing data.
Just connect me to the Internet and mind your own business.

~~~
shanty
Boy have I got a surprise for you. I was an engineer at a web analytics firm a
decade ago and yes, ISPs have your web browsing data and are selling it left
and right. Also apps, Cell phone companies, etc. Our company bought all that
data, and when that wasn't enough, we created apps that collected even more.
Every click and ajax request, etc.... timestamped.

Yes, there are analysts sifting through your browsing data (if you're lucky,
vaguely anonymized). Yes, I heard countless stories of this data being abused
and misused. I simply can't imagine it has gotten much better by now.

~~~
JoshTriplett
> ISPs have your web browsing data

Since you worked in this area: What specific things do they track, and by what
technical mechanism? DNS requests? (Do they capture those that don't go to
their servers?) IP addresses? HTTP snooping? Full HTTP (non-TLS) MITM?

~~~
shanty
I wasn't responsible for the data intake, but I know that the data was
extensive, and always included time on page, full URL, other request
information (often post stuff).

I know that HTTPS provided a technical hurdle that our company and data
providers worked around after about 6 months.

My guess is some MITM-type collection? Some data providers gave us IPs
and some just gave us some Tokenized ID. I don't know if ISPs provided IPs,
but probably not.

Note that we did lots of data linking. Let's say an ISP provided us your age,
URL, and Timestamp. We would link that into another data provider that
provided past purchases, URL, and Timestamp (shopping toolbar/plugins do this)
to get a bigger picture of who you are.

~~~
wildrhythms
> get a bigger picture of who you are.

Sorry if I'm reading too much into this, but are you saying this data being
collected and sold contains PII?

~~~
shanty
Well, PII is a bit of a nebulous term. Some websites still transfer some
signup/user info in url parameters or unencrypted responses. We would even see
SSNs pop up now and then.

Most data being sold has some good faith effort to remove PII, but that's
never 100% complete, and by utilizing multiple data sources, an industrious
person or team could de-anonymize your data. We were mostly doing this type of
work for segmentation and persona analysis. Targeting an individual was never
a goal, but would not have been terribly difficult.

I'll give you an example. We might receive all URLs a person visited. Many
contain personal information that would not be caught in the usual PII
filtering process:
[https://mail.google.com/mail/u/1/#search/my+viagra+prescript...](https://mail.google.com/mail/u/1/#search/my+viagra+prescription)
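
An added example, not part of the thread or any commenter's code: one way a logging or analytics pipeline can minimize URLs before they are stored or shared, given the point above that user details travel in URL parameters and paths and slip past ordinary PII filtering. The function names, the allow-list and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, unquote

# Shapes of values that tend to identify a person when they show up in a URL.
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
# Long opaque strings containing a digit: session tokens, reset links, account ids.
LONG_ID_RE = re.compile(r"^(?=[A-Za-z0-9_-]*\d)[A-Za-z0-9_-]{16,}$")

# Hypothetical allow-list: parameters whose values are needed for aggregate
# statistics. Every other parameter keeps its name but loses its value.
KEEP_VALUES = {"lang", "page"}

MASK = "REDACTED"


def looks_personal(text):
    """True if a decoded path segment or parameter value matches a PII shape."""
    return bool(EMAIL_RE.search(text) or SSN_RE.search(text) or LONG_ID_RE.match(text))


def minimize_url(url):
    """Return a copy of url that is safe to keep in logs or aggregate reports.

    - credentials in the authority part are dropped
    - the fragment is dropped (client-side collectors such as toolbars see it,
      and search terms are often stored there)
    - query values are masked unless allow-listed and not PII-shaped
    - path segments that look like e-mail addresses, SSNs or tokens are masked
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"

    path = "/".join(
        MASK if looks_personal(unquote(seg)) else seg
        for seg in parts.path.split("/")
    )

    query = urlencode([
        (k, v if k in KEEP_VALUES and not looks_personal(v) else MASK)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ])
    return urlunsplit((parts.scheme, host, path, query, ""))


# Constructed sample URLs (no real accounts or identifiers).
SAMPLES = [
    "https://mail.example.com/mail/u/1/#search/my+private+query",
    "http://shop.example.com/signup?email=jane.doe%40example.com&ssn=000-12-3456&lang=en",
    "https://user:pw@portal.example.com:8443/account/jane.doe@example.com/orders/000-12-3456",
    "https://id.example.com/reset/3f9a1c7e5b2d4a6f8c0e1b3d5a7c9e0f?page=2",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(minimize_url(raw))
```

Pattern matching like this only lowers the exposure; free-text values with no recognizable shape still pass through the path, which is why the query side masks by default and keeps values only by allow-list.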

------
munk-a
My hope is that a high tracking rejection rate will cause these companies
running data vacuums on the side to reconsider the RoI of investing in data
vacuums - it could result in a sort of herd immunity to advertising, if 95% of
people opt-out the other 5% may be effectively opted out since advertising to
just 5% of consumers becomes unprofitable.

------
beecat
Section 4-B says it's acceptable to use a customer's personal data:

"To advertise or market the provider's communications-related services to the
customer;"

With ISPs that own networks, e.g. Comcast -> NBC, would a service like NBC
Sports be considered a communication-related service of Comcast's? If yes,
then could they feed that customer data into NBC's advertising infrastructure?
If so, could NBC then sell that data?

Do Maine judges tend to honor the spirit or the letter of the law more often?

------
tyfon
Kind of ironic, when I click it I am presented with a huge Oath overlay saying
how much they care about my privacy without a "Reject all" button anywhere in
sight.

~~~
lotu
Really we need to stop relying on third parties to use our data "correctly";
no-one has the time and expertise to carefully read and understand what these
third parties say they intend to do with the data and then actually verify
that they did what they said.

It is much easier to just assume these third parties will do whatever they
want and either not share the data or accept that it will be used in ways you
can't control.

~~~
asdkhadsj
I agree, but I can't imagine a world where the internet works any different
than currently in your scenario.

Eg, right now _(or at least a few years ago)_ companies could basically do
anything with your data. And they did. It's getting worse too, with advanced
techniques on identifying individuals across website bounds, etc.

That is what is spawning these sorts of debates, laws, etc. So my question to
you is while I agree that we have to assume malice _(for ease of discussion)_
, we can't actively allow or encourage malice right? So if we do nothing, do
we just accept that they do who knows what with our data?

Ie, I think we mostly agree that what is going on right _(with our data)_ now
is bad. So don't we have to do _something_? What do you see as the right
solution?

------
awalton
Probably not strict enough. ISPs are just going to shrinkwrap their contracts
with an extra clause saying they're selling your data unless you write them a
letter to some address which they will check at a ridiculously low frequency
or have to call through a call center and deal with every salesman and their
brother and sister flabbergasted at such a request while passing it on to
their "superior" for an hour at a time while you sit on hold waiting... and in
the meantime will sell your data. The law really should have made it
completely opt-in only (which nobody would reasonably do) or just bar it
completely.

They already know all the tricks to stop people getting out of their
contracts, they're just going to start applying that to this kind of opt-out
situation too.

------
OkGoDoIt
Define consent. Because I’m pretty sure the only outcome of this will be some
new language tucked away in the fine print of every customer’s monthly bill
giving consent unless they cancel service or something like that.

------
umvi
Is this personally identifiable? I don't see any issue with collecting and
selling anonymized observations.

It would be like police setting up cameras and using them to train a machine
learning model on drunk driver detection. It's not collecting who is driving,
just observing how normal cars subtly drift in and out of a lane and brake vs.
intoxicated drifting/braking and using that to train a DUI detection model.

~~~
JohnFen
> I don't see any issue with collecting and selling anonymized observations.

In this day and age when correlating and analyzing data from a wide variety of
sources is commonplace, the only effectively "anonymized" data is data that
has been discarded.

~~~
umvi
Right so you are basically saying companies/governments should not be able to
make generic observations about anything involving people in any way without
their consent because it is impossible to have truly anonymous data.

I don't know if I agree with that.

~~~
JohnFen
No, I'm not saying that.

It is possible, for instance, to collect individual data, tally up certain
characteristics in the aggregate, then discard the individual data points and
only keep the aggregate statistics.

With certain narrow exceptions, though, no data about me personally should be
collected without my explicit permission regardless.

~~~
umvi
> With certain narrow exceptions, though, no data about me personally should
> be collected without my explicit permission regardless.

Well, I don't agree with that. I don't see any reason people should have a
right to "own" information observed about them.

I make observations all the time about other people. You can't force me to
forget what I've observed. Computers make it easier to "remember" and process
observations, true, but at the root there is no difference between me
observing stuff and writing it down and a computer observing stuff and writing
it down.

~~~
JohnFen
I suspect your objection may mostly fall into what I consider exceptions, such
as things done in public spaces (although I don't think it's sustainable to
assert that you give up _all_ privacy rights in public spaces).

> at the root there is no difference between me observing stuff and writing it
> down and a computer observing stuff and writing it down.

If that computer isn't talking with other computers, I agree. I actually don't
have much of a problem with individuals making individual observations of
public behavior and writing them down or storing them in a computer.

My concern is more about the parameters around sharing that data (mostly
because of the existence of databases and data mining). Further, I'm far more
concerned about data collected about me on the internet than in the physical
public square.

That said, I do and will continue to go out of my way to avoid as much
surveillance as possible even in physical public spaces. For instance, any
store using those surveillance devices intended to analyze my shopping
behavior, moods, etc., in order to target ads at me is a store I won't be
stepping into.

------
JohnFen
Hmmm...

This might make it worth having me park a server in the state and get my
internet feed through a VPN to that server.

~~~
idlewords
There's a lot of reliability problems with Maine internet because lobsters
keep snipping the cable.

~~~
Dig1t
I don't know what this site has against jokes, but you can have my upvote.

~~~
mediocrejoker
The site guidelines are here
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

Jokes aren't explicitly against the guidelines either, but I think the site
likes to emphasize high quality content that will not alienate people who
don't understand obscure references.

~~~
idlewords
Username checks out.

------
TomMckenny
So given that this law and others like it are necessary, does this imply that
court verdicts and silence have neutered the right to privacy?

Actually I wonder, have there been any major decisions since Roe v Wade that
have affirmed a right to privacy?

~~~
sjy
[https://en.wikipedia.org/wiki/Lawrence_v._Texas](https://en.wikipedia.org/wiki/Lawrence_v._Texas)
is an example. But these constitutional decisions are about the validity of
particular State laws; they don't create free-standing rights that can be
enforced against companies that violate your privacy.

------
shmerl
Good, now we just need to overcome corrupt crooks in Congress and also pass
strong Net Neutrality bill, or at least prevent the fake one from passing to
avoid cementing perpetual loopholes.

------
jonahhorowitz
Why not just prevent them from collecting it in the first place?

~~~
mrguyorama
A significant amount of the data is stuff that will normally be logged for
diagnostics, billing, complying with legal requests etc, ie normal ISP
business.

~~~
PeterStuer
I don't think the commercial department gets access to the data collected
under lawful intercept regulation.

------
HNLurker2
M'lord pseudolus another great article that we opened can fest on. Another
1000+ points article

------
sambull
It's needed, I can tell you anecdotally someone is feeding these habits
to the advertising surveillance bots

------
qwerty456127
They should not be allowed to even collect data about particular user
browsing.

------
PeterStuer
At this point, given the relentless barrage of evidence of 'dark patterns' and
worse in 'consent' luring, the practice should just be outlawed full stop.

------
cityzen
Let's see what kind of slap on the hand fines these ISPs will pay to continue
profiting off user data.

------
daodedickinson
Just ban it period. Stop the madness.

------
guelo
Note that this is only necessary because the 2018 Republican Congress voted to
allow ISPs to sell user data.

[https://www.consumerreports.org/consumerist/house-votes-to-a...](https://www.consumerreports.org/consumerist/house-votes-to-allow-internet-service-providers-to-sell-share-your-personal-information/)

~~~
reaperducer
You seem to be under the impression that this didn't happen before 2018.

This has been going on for a very very long time.

~~~
guelo
The FCC passed a regulation to stop the practice and Congress voted to
overturn that regulation.

~~~
dmix
...so it was happening before 2018. And therefore has nothing to do with that
bill because it was never law?

~~~
guelo
...so if Congress had not taken that 2018 vote this Maine legislation would
not be necessary. Just like I said.

~~~
dmix
That’s what you should have said then, instead of they changed something which
resulted in this.

------
josefresco
This never would have been possible with Paul LePage aka Trump-lite in office.

------
mlindner
ISPs don't (can't) have your browsing data anyway... Not sure what the point
of this law is.

~~~
username90
They got the ip, time stamp and data amount of every request you make. So
unless you use a proxy with https they know quite a lot of valuable things
about you.

------
rhino369
Why not ban browser companies, operating system companies, computer/phone
companies, email providers, etc. too?

~~~
asark
We _should_ ban collecting tons of info about people, for all companies,
period. We won't, because banks and CC companies are very into doing that and
the politicians love them, but we should.

~~~
yeukhon
No. Because many businesses rely on data available. FAANG would be out of
business then.

~~~
rndgermandude
AAN actually sell stuff other than hyper-targeted ads. F and G (and AAN) still
can sell ads, just less targeted ones. They would suffer a bit (or a bit
more), but not outright be forced out of business. And same goes for most if
not all other FAANG-tier companies not explicitly included in that acronym.

As for the "improving service" angle, e.g. Netflix could ask if it's OK to
collect history to improve/personalize recommendations.

And a lot of "improvements" and metrics do not really need detailed data
collection per person anyway. Collecting anonymous data in broader groupings
is often quite fine. E.g. "Stranger Things is really popular our total-views
counter says ergo order a new season". There is no need for Netflix to know
exactly who specifically watched the show to make such a decision.

~~~
asark
Is this a generational thing, or an industry-you're-in blindness thing? Or
both? We had an economy, and even advertising (so, so much of it) before
spyvertising was such a huge thing. It was fine. The sky did not fall. For
some reason there's a set of people who seem to think it'll be the end of the
world if we stop letting companies operate private dragnet spy operations.

~~~
beecat
I didn't see this before I posted my reply. I'm so glad I'm not the only one
who is seeing this. I would go so far as instead of saying:

> It was fine.

To say that "it was better", because there was more competition.

That's a keen insight, that it might be a "generational thing". I remember
things, in general, working better before the Sherman Antitrust Act stopped
applying to technology companies.

------
Frost1x
It's all political marketing to make consumers continue to feel good about
being screwed over more and more by corporate policy following demands of the
very wealthy.

~~~
WillPostForFood
What’s the point of this level of cynical response when a good bill passes?
Let’s give some props and do more good things, not sulk.

~~~
dredmorbius
This is passed legislation (and it's not yet clear to me if it's passed one or
both houses).

It has yet to be signed into law, enforced, or litigated.

Given past track records on such matters, there's ample room for pessimism.

