Interestingly there seems to be a loophole in that they can collect the data regardless of consent, but can't use or share it without consent. So chances are this sensitive data will be recorded and put in a database anyway, even if they're not lawfully allowed to look at it without anonymizing first - but a future law could also add an exception, keeping things for law enforcement for instance.
The FCC confirmed that yes, regardless of consent, the ISP can collect 'sensitive' information if it is anonymized/de-identified before use or sharing. The ISP does need to make it clear to the user what information is being collected, but there's no way at present to prevent them from collecting it at all. They're also barred from attempting to de-anonymize the data, though a third party probably could.
Most use OpenVPN and tunnel all traffic over SSLed TCP. So your traffic goes out to an endpoint server run by the proxy company, and gets dumped onto the public net at that point.
> How would LE defend money being spent on something that they cannot use? I mean any judge will see it, no?
The common-sense interpretation is not always (and, much as I hate to say it, probably sometimes should not be) the interpretation arrived at by a judge.
I appreciate healthy skepticism, but evidence has been thrown out on far flimsier premises by even the lowest of courts. It would be very surprising if evidence of this manner continually survived through the court system on appeal after appeal.
This isn't saying it can never happen, but it would be in contrast to the multitude of times that evidence was discarded for less.
I haven't had a chance to read the FCC's reasoning on why the ISPs are allowed to collect the data in the first place, and I do agree it seems like a ruling that just can't wait to show off all its loopholes; but I think this would be pretty difficult to bring as evidence in trial. Though I do agree and think it'll be used as a cudgel for other purposes outside of the courts, for threats or for discriminatory justice.
A contract violation by LE is not a constitutional violation that triggers the exclusionary rule, it's a matter between LE and the party they have a contract with. Even if enforcement of the contract happens at all, the result is likely a damage award for the breach.
Copied this from another comment of [his] on this post, but it answers part of your question. From the FCC fact sheet[0] on the decision:
> The Order prohibits “take-it-or-leave-it” offers, meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes.
So at least they can't cut you off entirely if you don't consent/opt-in.
As AT&T already did until right before the FCC started talking about this decision (and I'm sure they'll go right back to now that it's OK), charging $30 to opt out of their spying program, plus a bevy of one-time fees that are "waived" if you let them spy.
> Interestingly there seems to be a loophole in that they can collect the data regardless of consent, but can't use or share it without consent. So chances are this sensitive data will be recorded and put in a database anyway, even if they're not lawfully allowed to look at it without anonymizing first - but a future law could also add an exception, keeping things for law enforcement for instance.
I'm not all that worried about law enforcement. I think it is much more likely that the database will be hacked and the data will just get shared that way.
The only way to protect private data is to prevent the ISPs from collecting it in the first place. Otherwise, everyone knows the ISP has the data whether they share it or not, it's a big juicy target, and it's probably not that difficult to get to.
Or it will be sold without permission in secret, and when it comes to light, the ISP will get a slap on the wrist much smaller than what they gained from selling the data.
There is no need for any sort of future law, that data is open to law enforcement already. That is the fundamental problem in all of this: decade old court decisions that determined you have no "reasonable expectation of privacy" in data you shared with a company.
That may have been a useful policy in a time where you yourself could decide what data you shared, now that devices share data on your behalf that can be stored forever, aggregated, analyzed and what not it is clearly no longer acceptable. We desperately need a whitelist approach to companies storing and handling cleartext user- and metadata.
This is completely pointless. They'll just add some form you have to sign before giving you service and that's about it.
After all, do you read and act on the privacy notifications other providers give you?
Does this at least require them to provide service irregardless of your consent to share data? If not, this is a pointless law that just makes it look like they did something.
Copied this from another comment of mine on this post, but it answers part of your question. From the FCC fact sheet[0] on the decision:
> The Order prohibits “take-it-or-leave-it” offers, meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes.
So at least they can't cut you off entirely if you don't consent/opt-in. The fact sheet also touches on the "pay for privacy" issue:
> Recognizing that so-called “pay for privacy” offerings raise unique considerations, the rules require heightened disclosure for plans that provide discounts or other incentives in exchange for a customer’s express affirmative consent to the use and sharing of their personal information. The Commission will determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.
Not an outright ban on discounting service for opting in, but looks like they're leaning towards not allowing something like that.
I think you are describing general problems with disclosure and consent regulations and common-law.
The regulators and legislators pursue and get credit for incremental actions, but there is no agent or body with accountability for overall impact. When regulators impose a new disclosure requirement, they often show that if a consumer reads the document, the individual will learn something; the problem is that when this document is page 53 of a 200 page disclosure, almost nobody reads it.
This issue was pointed out by Chief Justice Roberts when he said that he never read any of the prescription drug warnings that drug-producers have been required to provide (by courts and regulators).
You have to opt in and there can't be a penalty for opting out, the fact sheet says. That said, there may be a bonus for opting in — perks or whatnot. That will have to be settled separately, probably.
it's really hard for me to understand what the meaningful difference would be between penalty for opting out vs. bonus for opting in. don't those amount to the same thing, in practice?
heh pretty much yes, though I'm sure someone can think of times it would be different. and since penalties for opting out are not allowed, the ISPs will have to be very careful how they structure such bonuses - they would have to be perks totally separate from the service they provide is my guess.
Right, so it's not at all out of reach. You can configure your OS to use a VPN in under a minute, in my experience. Maybe five, if you were following directions.
It also takes a few minutes to change your smoke-detector batteries...
this is more or less the practice used at gas stations that offer different prices for cash and credit (framed as a "cash discount"); also, not dissimilar to the debate over employer/insurer "wellness plans", wherein the employee is forced to choose between surrendering private information or paying premiums that are often 2-4x+ more than what those who participate in the plan pay.
Yes, the difference is just playing with words. Rewarding those who opt-in is materially equivalent to penalising those who opt-out. I don't think the FCC would stand for such shenanigans.
Well, thanks to sites like HN and Reddit, as soon as they drop some dumb stuff in the contract, it will be brought to the surface and informed people will at least KNOW... that's a big thing
Not sure I'm as optimistic. Many long agreements include vague language that gives the author A LOT of leeway.
I'm more concerned about getting this fixed in healthcare. Recently had to get lawyers involved over a debt dispute for a bill that was never sent to insurance and that the hospital couldn't even verify because it came from a "partner" no one could contact. The chief argument against us: an agreement signed by my wife while in labor that placed all the responsibility for any bills, correct or not, on us with no recourse. I remember disputing it at the time but they insisted it was just a CYA form and they couldn't admit us without it.
> This is completely pointless. They'll just add some form you have to sign before giving you service and that's about it.
>
> After all, do you read and act on the privacy notifications other providers give you?
So that's an interesting thing that's come up in the European Union, where the "constitution"/"bill of rights"[1] mandates "consent" for processing of personal data, namely does one of those click-through I Agree things count as "informed consent".
Let's be honest, vast majority of people aren't actually consenting to things that are in the contract.
[1] For political reasons there is no "European Union Constitution". However there is the "Charter of Fundamental Rights of the European Union" which is sorta a "Bill of rights"
We are working on an Erasmus+ grant project with my company ProctorExam, and due to the nature of the project, we've also included a privacy lawyer and a representative from SURF (the Dutch institution that deals with all things education). From discussions that we had last week, an "I agree" button does NOT count as informed consent because they aren't actually presented with what they are consenting to.
IANAL but I think there is also something about a reasonable chance to understand it, i.e. a wall of text + an Agree (to get anyway) shouldn't fly either.
Maybe someone who knows can confirm or deny this.
Also: personally I think current EULAs are stupid and "Contents hot" on coffee cups only exist because Americans like to sue each other.
I somewhat naively think that contracts between consumers and companies should be brought down to Creative Commons level.
Yep, exactly. Comcast says "we can share your data", you agree because they're literally the only usable Internet offering in cities all across America.
Or worse, they will structure it like AT&T's project Hemisphere and find a way to provide the same insights without sharing the data specifically. And they will do it without any forms or notifications at all.
I'm sure this will lead to radical alterations on paragraph 117 of the typical EULA, where everyone will notice it immediately and have a serious think about the economic value of their personal identifiable information. I have not looked at the actual motion yet but I suspect that companies will only have to answer consumer inquiries in general terms rather than giving them detailed statement. Oh well I've given up trying to safeguard my privacy anyway.
If the data is collected at all, it can be collected incorrectly (e.g. stored in such a way that it is stolen eventually, “permissions” be damned). Still solving the wrong fundamental issue.
We desperately need to work on reducing the importance of data itself. We must assume by default that all information will be improperly handled pretty much anywhere (or, that the task of keeping it secure indefinitely is just too hard).
That means: data whose usefulness expires extremely quickly (with corresponding protocols), and the complete retirement of stupid bits of information we now carry like social security numbers and credit card numbers that can instantly screw you in the wrong hands. In fact, we ought to have proxies for EVERYTHING; I don’t know why I even have to hand out my home address, for instance, when in theory I could give a company some temporary proxy address that routes to my house only as long as I ALLOW that forwarding; after that, it becomes meaningless and cannot be used for junk mail.
I wish the UK had this. Mobile phone/data providers send a header with HTTP requests to provide the site with your phone number which they can then use to charge you without permission.
Terrifying, horrifying, amazing... none of these words have any impact left after huffpo and buzzfeed have watered them down to meaninglessness. They get to join "evil" on the scrapheap of linguistic history.
For some reason that makes it way worse in my book. It isn't some scumbags running a sketchy website you were tricked into clicking on - it's the very people you've entrusted to give you service.
I am kind of surprised that this wasn't already regulated, considering that telephone privacy has been an issue for decades. Perhaps this is a case of an unwritten common-sense policy that is only being codified when ISPs start to break it (e.g. AT&T's now-canceled "Internet Preferences").
B2B and B2G are a whole different ball-game. In B2B scenario they are exposed to class-action lawsuit for bad-behavior or government fine. In B2G scenario really only thing individual citizen can do is take it to the supreme court.
I'm not sure yours and their definition of net neutrality overlaps much.
I personally don't think "not modifying user data" above IP is much of a net neutrality issue either; it should be a felony issue, as is tampering with mail.
"Commissioner Ajit Pai, who voted no, cautioned that the "cold reality" is that nothing in the new rules will stop those companies from "harvesting and monetizing your data," including the websites visited, YouTube videos watched or search terms entered on any device."
Any reasonable person reading that would infer that Pai thinks that these rules are not sufficient and is in favor of stricter rules. That turns out not to be the case at all.
I agree. I'm also glad they specified "opt-in" consent and not "opt-out." They can't start collecting your data without your prior knowledge and authorization. This is a good thing.
Next step would be to disallow hijacking and data insertion into your stream of data. It would be a step towards cementing ISPs role as a dumb carrier of data.
Does this also preclude ISPs from not allowing you access to higher tiers of service without consenting to data collection? That is that in addition to requiring an opt-in they can't incentivize it at all by giving users who don't opt-in a degraded experience.
I was able to find an answer to at least part of this question in the FCC fact sheet[0] on the decision.
> The Order prohibits “take-it-or-leave-it” offers, meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes.
So at least they can't cut you off entirely if you don't consent/opt-in.
Yeah, I wonder how this applies to something like the high speed connections on Uverse, where you're defaulted into data collection/traffic injection. Opt out requires paying more for the service.
Which is the absolute first thing they thought of.
ISPs are not allowed to refuse you service for opting out and they're also not allowed to make you "pay for privacy". We'll see how strictly this is applied but it implies that they're also not allowed to weasel out of it by giving a 'discount' to people who opt-in.
They are legally empowered by elected officials, just like the police, the courts, the entire Justice Department, military, State Department, NIH, NSF, IEEE (for some things), and many, many more.
What alternative is there? Our elected officials can't possibly have the time or the expertise to perform all those tasks themselves.
If Congress legally empowered an un-elected five person 'Super Congress' that wielded the power of Congress itself to make laws independently would you feel like your voice at the ballot box was being undermined?
I'm not saying the US regulatory agencies are at that point, but I would feel better about them if their power was more directly checked by the Executive branch.
Instead of "FCC voted today on new ISP regulations..." it would be "Today President Obama approves new FCC recommendation...".
> Instead of "FCC voted today on new ISP regulations..." it would be "Today President Obama approves new FCC recommendation...".
Again, how could that be done realistically? The President would do nothing else and still have no chance to keep up. They could print the statement the way you describe, but it would be deceitful.
Also, we want to depoliticize regulations; I'm not sure I want the President involved in every one.
There's a longstanding principle in U.S. Constitutional Law called the nondelegation doctrine[1]. Congress has broad authority to grant administrative and rulemaking authority to executive branch agencies, but it can't just give them blank-check power as a mini-legislature. Instead, it has to provide an "intelligible principle" to guide agency rulemaking.
> The executive can always modify or repeal the act that defines their constitution and authority.
Um, what? Once it's signed into law (which the acts that empower agencies like the FCC are), the executive branch can't modify the law at all. Only Congress can. The only thing the executive can do is veto a bill when it comes, to prevent it from becoming law in the first place.
Sorry, I should have said 'government'. There are three branches of the US government : the legislature, the judiciary, and the executive. You have a say in all of them though. Don't you vote in your congress-people and senators?
So...
They can. The government can always modify or repeal the act that defines their constitution and authority. They're your representative. If you don't like an act, get them to change it.
Ah, ok. Yes, the government--specifically the legislative branch--can always modify or repeal a law.
> The government can always modify or repeal the act that defines their constitution and authority.
If by "their" you mean "the FCC's" (or some other agency), then yes. But if by "their" you mean "the government's" in general, it's not so easy. A Constitutional amendment has a much higher threshold of passage than a simple law. It takes a 2/3 majority of both houses of Congress to propose an amendment, and then it takes 3/4 of the states ratifying it before it actually can take effect.
> If you don't like an act, get them to change it.
Sure, as long as enough other voters agree with you to get their attention. Which practically never happens.
> A Constitutional amendment has a much higher threshold of passage than a simple law.
You are misunderstanding the word 'constitution'. Every company and regulatory body has one. It defines who does what, and the 'what you can do, and more importantly, what you should do' of a regulatory body is defined within the act. It is not the 'american constitution'. It is created and modified during the regular practice of government with the creation and modification of an act. Every democratic government, and indeed, even non-democratic ones, does it roughly the same way. If it didn't happen this way, cars would still be driving with lead petrol.
> Sure, as long as enough other voters agree with you to get their attention.
It happens all of the time.
You know dude, I'm not really sure you know how the government functions. This is what they do, and there are so many levels of it. It's true that large multi-state regulatory bodies have larger impacts, and therefore require more support, in order to be enacted. But they get created in the first place for a reason, and end up getting modified for a reason. Your representatives create and modify acts that allocate funds to fund regulatory bodies to enforce laws. That's democracy. That's how it works.
> You are misunderstanding the word 'constitution'.
If you want to use that word in an unusual way, that's fine; but I didn't understand that that's how you were using it in reference to regulatory bodies created by US statutes. ("Statute", btw, is the usual way of referring to laws that tell what regulatory bodies can and should do.)
> You know dude, I'm not really sure you know how the government functions.
You know, I'm not really sure you know how to describe how the government functions using proper terminology. If you had said "statute" in the first place, which, as above, is the correct term for what you are referring to, I would have understood what you said right away. But you didn't.
> Your representatives create and modify acts that allocate funds to fund regulatory bodies to enforce laws.
Yes, and these are called "statutes", not a "constitution".
the difference is the communication act of 1934 essentially lets the FCC create laws whereby the police etc don't have that power. the power to create laws should be held by elected officials imo.
the 5 leaders of the FCC get to unilaterally make regulations (laws) that affect every single citizen in america. everything from tv broadcasts to net neutrality
No, it allows them to create regulations within the framework of the act of their constitution. They can't create laws that stop someone fishing for tuna, now can they? This is the same as road/highway authorities being able to set traffic speed zones, food authorities for setting health quality regulations, health bodies regulating medicines, or any other regulatory body.
You don't like it? Get your politician to change/repeal the act. That's how democracy works.
except speed limits are enforced by police. huge administrative authorities have executive, law making, and judicial power.
The [Federal Trade] Commission promulgates substantive rules of conduct. The Commission then considers whether to authorize investigations into whether the Commission’s rules have been violated. If the Commission authorizes an investigation, the investigation is conducted by the Commission, which reports its findings to the Commission. If the Commission thinks that the Commission’s findings warrant an enforcement action, the Commission issues a complaint. The Commission’s complaint that a Commission rule has been violated is then prosecuted by the Commission and adjudicated by the Commission. This Commission adjudication can either take place before the full Commission or before a semi-autonomous Commission administrative law judge. If the Commission chooses to adjudicate before an administrative law judge rather than before the Commission and the decision is adverse to the Commission, the Commission can appeal to the Commission. If the Commission ultimately finds a violation, then, and only then, the affected private party can appeal to an Article III court. But the agency decision, even before the bona fide Article III tribunal, possesses a very strong presumption of correctness on matters both of fact and of law.
I'm triple checking with the FCC on this though.