Hacker News new | past | comments | ask | show | jobs | submit login
Maine passes bill to prevent ISPs from selling browsing data without consent (techcrunch.com)
1077 points by pseudolus on May 31, 2019 | hide | past | favorite | 224 comments

I couldn't find links to the actual bill anywhere so I tracked it down:


The summary: "This bill prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The bill provides other exceptions under which a provider may use, disclose, sell or permit access to customer personal information. The bill prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access. The bill requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. The provisions of the bill apply to providers operating within the State when providing broadband Internet access service to customers that are billed for service received in the State and are physically located in the State."

Won’t the customer consent just become a line in the T&C’s and unless you accept it you can’t use their service? This would be a similar situation to the cookie disclaimers.

Isn't this covered by: > The bill prohibits a provider from refusing to serve a customer...if the customer...does not consent to the use, disclosure, sale or access [of their data]. ?

> The bill prohibits a provider

Nobody cares, what provider does. What matters is whether or not you sign a damn consent form.

Suppose, that there is a popular mobile App, written by Zhang Li Ltd. The App allows you to buy travel tickets, receive discounts in local stores and upload contents of your address book to it's servers. After a while you notice, that everyone uses it. Your local store no longer sells large amounts of grocery unless you make a reservation from The App. All train tickets must be booked by using The App. A bunch of local utilities stopped accepting payments unless you send them via The App. The thing is just so convenient!

One day you notice, that The App requires you to sign some "consent form" in order to use it's advanced features. A month later it threatens to delete your account if you don't "consent" (of course, it won't say so directly — "our ML algo detected, that you are Russian hacker! plz confirm your identity! account secuuuurity!" — that's how it will roll). The App is absolutely not connected to your ISP — it's authors just want to buy the data, that's all!

Reminds you of anything?

You're not forced to use an app.

You can go on a web browser even a phone browser and do almost all the activities you can do in an app, and not deal with the T&C of the app once declined. Of course, no one does because they can't be inconvenienced. Again, you might believe that you can't check your Facebook/tender/whatsapp/Snapchat/etc, but that's generally untrue for most of them..

In most places due to govt regulation, you only have one or two ISP's serving a geographic area. So the T&C in this case have an actual impact, not some mythical and perceived injustice by "big tech".

Those app providers have the right to suck every last detail from their meatspace, down to what color socks they like on Tuesday and sell it to Hanes.

The bill also requires providers allow consent to be withdrawn at any time.

What app do you have in mind? I don't live in the US so maybe I haven't heard about it. I searched for "Zhang Li app" but found only game apps

Without reading the bill, not necessarily.

It's entirely feasible to have two classes of customers, right? One that agreed to the provision, and one that didn't. One that gets a 500GB data cap, and one that gets 150GB, say.

Just because you serve a customer doesn't mean you must serve them equally. Afterall, technically, they are serving the customer, right?

wrong. it should take <1 minute to follow the link and read that section.

> (2) Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph A.

Providing extra bandwidth isn't necessarily a discount though, especially if you structure your offerings in a way that it's impossible to purchase the extra bandwidth.

It's against the spirit of the law of course, but maybe not the letter.

Extra bandwidth for the same amount of money is effectively a discount.

My joke about what an honest cookie prompt would read: “We use cookies to remember that one time you accidentally accepted our cookies.”

This law sound like it was written by data brokers. It does nothing at best and legitimizes corrupt practices at worst.

WTF is "consent" doing here? Why would ISP ever need to sell someone's data in order to operate? Do they also plan to explicitly prohibit ISPs from torturing customers and selling their organs? From selling illegal drugs to minors? Dear state of Maine, I too would like to waive all my legal liabilities by making my victims sign a bunch of paperwork!

Torturing is currently illegal. Selling customers' data is not currently illegal.

Won't the law only help then?

I wonder if they will make you sign a release when you sign up for a service. So you will need to consent to use the ISP.

And spying on people used to be illegal as well.

Now it is going to become legal in Maine — as long as you are an ISP.

Congress already made this legal in 2017. This is Maine fixing the issue.

Do we now need a Mann act for illegal transfer of protected data across state lines..


What kind of penalties could they face if they don't comply?

None are specified. Presumably tortuous relief.

Specifically (though there are proposed amendments) http://www.mainelegislature.org/legis/bills/getPDF.asp?paper...

I wonder what "use" means here. Is it now illegal for them to log your traffic at all? I think that would be the ideal way to phrase the law, you can't even write to a logfile/dbms much less do anything with that data unless the user opts in.

> The bill provides other exceptions under which a provider may use, disclose, sell or permit access to customer personal information.

There's probably a "as necessary to provide the service" exception more than large enough to encompass internal logging.

It is section 4

This is an accurate statement. The relevant exceptions are in section 4, and are quite broad.


Can anyone comment about m the language being strong enough to block incentives for selling user data through fast lanes?


Law is meant to be interpretive. Inflexible technical requirement that become law is what foments issues like South Korea's ActiveX requirements of 1996.

nice word of the day usage ;)

I look forward to the day when selling user's data requires the user's opt-in every single time a third party wants to access that data. No more "yes to all" or allowing blanket usage in TOS/EULAs.

People who use apps that sell their data should be bombarded with requests to use that data each and every single time, until they either decide the app isn't worth it or the app decides they should try a different business model.

And ad targeting should be included in that. Add a new notifications button to FB - companies that have requested advertising access to me. If I decline or don't answer, I never see their ads.

Each and every time? As a user who understands and consents to that request, that would be incredibly annoying.

Your consent should be considered an outlier and should not be used to hinder my lack thereof.

I don't think their consent is an outlier. Most users are somewhat ok with selling their data in exchange for free services. I mean I use Gmail, Google Search, Google Maps, etc. etc. knowing they hoover up my data because, in the end, I value the ability to have these services for free more than I care about Google's ability to collect useful statistics about me/its users.

> Most users are somewhat ok with selling their data in exchange for free services.

I think you're incorrect. I think most users recognize that they usually don't have a choice: they don't have money to provide for services that they need, so they are _forced_ to use services that are cheaper or free. And I think most users feel helpless to do anything about it because most politicians actively ignore them (because they're poor) or work against them (because not-poor businesses pay politicians), and also because most businesses providing free service do not provide any useful mechanism for human interaction. Ever have trouble with a free service? Your only recourse is to go on social media and complain and hope to catch enough public attention such that someone who works at the company will reply. And even then you're not guaranteed a resolution to your issue.

There's plenty of similarly priced alternatives out there that aren't as abusive as the big ad companies.

The problem isn't just that poor people are money poor. It's that they're also time poor. They're too busy making ends meet to care about this stuff. That Google collects so much of their data would probably not even be on their list of things to care about.

I think you're underestimating the average non-tech oriented user that simply uses. A lot of those considerations might be true for users conscious about data collection, but I'd imagine that's a very small subset of users.

> I think you're underestimating the average non-tech oriented user that simply uses.

While I certainly think it's possible, it doesn't echo with my personal anecdotes of friends and family. They all fit in with "I don't want to be tracked but I'm helpless to stop it!" crowd. All of my family, most of my friends.

> As a user who understands and consents to that request

They can't really consent, because no-one truly understands what it is that they are agreeing to. It is simply not possible to have informed consent about the use, re-sale, re-combination, re-identification, long-term storage, profiling, credit/employment/health/housing impacts, etc. It's not possible to consent because you can't tell what you are giving away about other people who you aren't aware that you're impacting, and don't have their permission to do so. There just isn't any way for someone to say 'I understand and consent' and have it be meaningful.

I do agree that this is probably the bigger issue. A lack of understanding of what exactly you are agreeing to. If that is solved, however, then a continual request for consent would be a non-starter for any service use, making the whole point moot.

> They can't really consent, because no-one truly understands what it is that they are agreeing to.

That is a supposition of yours. I'm pretty confident that I understand what i'm agreeing to. And I agree to it.

Maybe you do, but the vast majority of people do not. In that respect you definitely are an outlier.

Most people don't understand the value that comes from user data, and the potentially damaging effects it might have on their life (Facebook can detect that you are homosexual through your Facebook usage, and if you live in a country where they kill homosexuals you are going to be in serious trouble). Almost no users understand the impact of the third-party doctrine.

There are all sorts of other issues. If you talk to someone suspected of being a terrorist, then you are labeled as a suspected terrorist. Since this bill is about browsing data, if you read articles If you read articles that are seen as being objectionable (imagine reading articles about communism during McCarthyism) then you might be labeled as such even if you were reading them for purposes other than indoctrination. There is a reason that a court order is required to get the borrowing records of a particular library user and libraries cannot sell that information.

> I'm pretty confident that I understand what i'm agreeing to.

Ok, let's explore that. Can you describe, completely, what it is that you are agreeing to? And just so we are speaking at the same level "I agree that you can do anything you want" isn't a meaningful consent.

I consent to my location data being tracked, to the extent that I don't turn it off. Sometimes I choose to, but usually I don't. I consent to Google scanning my email to serve me relevant ads and provide useful information to me about arriving packages and the like. I consent to them monitoring my search habits, to the extent that I choose not to use incognito mode, in order to populate my Google Now feed and again, better target ads to me. I could go on enumerating more things for more companies, but I think you get the point.

There was a time where people willingly consented to being sold as slaves. Did they truly understand? Or was the circumstances "forced" upon it due to having no other options?

If you had to consent for the use of an incredibly popular app, is it really understanding? Or is it capitulation disguised?

> There was a time where people willingly consented to being sold as slaves.

I'm not going to categorically say that that's false, but I find that somewhat hard to believe, except under very contrived circumstances that could hardly be called 'willing' (e.g. "we'll kill your family if you don't"). Do you have a citation for that?

> Most users are somewhat ok with selling their data in exchange for free services.

I'm far from convinced that this is true. Most users don't actually know the extent to which their data is being collected. I suspect that a large percentage of people, if they were informed (and believed it), would object mightily.

I think it's far more likely that people don't want to know. By now I think most people are aware that their privacy is being violated, but feel powerless to do anything and don't want to resist the temptations of using addictive social media etc. They pity themselves for it, and try to ignore that it's a problem.

I agree partly with you but I don't think most users know the extend of information collected from those services, if people saw their profiles as really used by google I believe almost all of them would freak out.

The tech industry spent the last 15 years coming up with fancy new ways to make users part with their data. There has to be a way to fix the damage.

For clarity, I do not share the opinion that I stated, only recognized that people do have it.

I'm not too sure how one user consenting to the data sharing guidelines should affect your experience. Elaborate?

Saying "I think everyone who disagrees with me is an outlier" is not a particularly helpful way to further a discussion.

Would you care to present evidence?

This is such a peak HN comment. Evidence of what, exactly?

The configuration should be yes/no and always-ask/never-ask with the default being no and always ask.

Causing incredible annoyance is obviously the idea. It would drive away users, making business models that relied on it less efficient. It's a great idea.

Has this worked out in practice, say with cookie warnings? Or do most of us click Accept and move on?

You get asked to accept a cookie once per site. The proposal above is way more annoying.

No, I get asked to accept a cookie on every page view because I don't allow cookies.


I really don't understand the extreme hostility to data collection and data markets. No one likes ads, but no one wants to have to pay a subscription fee to every single site on the internet. If I'm going to see ads, I'd rather them be something I might potentially find useful than something irrelevant. If I end up buying their product, the exchange is mutually beneficial and both parties walk away with value from the exchange.

What's really great is that it can really help small businesses and startups over large corporations. Brands like Coca Cola can afford to canvas the world with their logo, but a business with a handful of employees must use their marketing budget very carefully. User data and profiling makes it realistic to find those people naturally through their internet habits.

Even if this is being used by politicians, I don't see the harm. If you think people can't think for themselves in the face of political advertising campaigns, then I don't see why you'd also believe that those same people can be trusted with the responsibility of the vote.

I can understand the need for treating data carefully and making sure the data is sufficiently scrubbed for personal identification, but this issue is something different.

> no one wants to have to pay a subscription fee to every single site on the internet.

If we had a reasonable micropayments system so I could spend a few cents per article I read online from non-subscription sites, I'd be thrilled. I do not want to see ads, ever. I do not want companies collecting or selling my activity patterns. If I've signed up for something, I don't want my personal details sold to someone else in order to fund the service. I will gladly pay my proportion of what's necessary to keep the service running in order to avoid the "you're not the customer, you're the product" mentality.

I totally understand that probably most people don't think the way I do. They are happy to exchange their privacy for free stuff, and in some cases wouldn't be able to afford to pay if this wasn't an option. But it's just sad that's the case.

Right? This is always the false dichotomy that gets put to us. "Either accept the ads or pay me 5 bucks a month"

5 bucks a month??!?! You were making 5 bucks a month off JUST ME WITH ADS?!!!!

But it's not that at all. It's simply that credit cards are so heinously inefficient and unreliable and costly to manage that they need to charge that amount of money to not lose money on average. Dealing with fraud and charge backs and the cut the banks take and the cost per transaction. It's just how terrible of a payment system credit cards really are.

If we were getting charged the actual price of the product, most people would happily pay! Load your browser up with 20 bucks and you'll have unobstructed internet for months.

I think this goal is pretty much what Brave is going for, they get a lot of criticism for their implementation here. Of course I'm not shocked, this is a hard problem, and the demand for the solution is irrationally low.

The individual user isn't worth 5 bucks in ads. But if you have millions, then they are worth that amount in aggregate, but only in aggregate. If they offered any price for subscribing ad free, the potential loss from the ad value of nonsubscribers could be well more than the gains in subscriber fees.

Therefore, to offset this, subscription fees needs to be much higher than the average ad revenue per user.

Legislating such a micropayments system would centralize the monetization of internet services in a way unprecedented since the advent of the internet. If you're worried a lack of Net Neutrality would suppress free speech, this would strangle it.

You'd create two internets: a bourgeoisie sphere of corporate sites with enough influence to be included in the micropayment system, and the unwashed masses, the sites deemed unworthy of monetization, forced to survive on crippled ad market. The handful of large corporate microtransaction payment processors would get to pick and choose who gets to be on the "good internet" without any oversight.

Who said anything about legislation? There's no need for legislation around this.

The problems so far with micropayments infra is that publications don't believe their readers will prefer payment over ads. Which is unfortunately largely true, so anyone starting a micropayments company will have a lot of trouble developing the network effects (both on payer and payee side) to be successful.

I don't know the solution to this, but I'd hope it's not legislation. Well -- a possible solution might be legislation that makes it economically infeasible to run sites on ad revenue and selling data. If we make it onerous or impossible to allow sites to collect and sell data, and make it harder for ad networks to target people, sites will have little choice but to implement subscription schemes, or, hopefully, adopt a micropayments-type structure.

But why can't you also legislate that micropayment processors cannot discriminate?

Which internet would this site be on?

"I will gladly pay my proportion of what's necessary to keep the service running in order to avoid the "you're not the customer, you're the product" mentality."

Since both are complementary and independent revenue streams, why do you assume that you paying cash for something does not mean you will be monetized in other ways as well?

That would be the deal. Either I "pay" via targeted ads, or I pay with cash. If you want to mix the two, then you've lost a potential customer (and I just continue to use my ad blocker).

Hopefully the other way would be made illegal.

Not micropayments. Macropayments.

Tiered to nominal standards of use.

Centrally collected over a large set of services.

With an open and public process of service determination and interest advocacy.

With a disinterested-party dispute resolution process.

Predicated on ability to pay.


All of the following is my opinion only.

> I really don't understand the extreme hostility to data collection and data markets.

I can easily explain my extreme hostility to this: that it happens without my consent and that companies put so much work into actively evading the defenses I put up against it.

> No one likes ads

This isn't about ads. This is about data collection. If ads existed without the spying, I wouldn't have an issue.

> What's really great is that it can really help small businesses and startups over large corporations.

No, that's not really great. I'm all for helping small businesses, but not by allowing them to abuse me.

> I can understand the need for treating data carefully and making sure the data is sufficiently scrubbed for personal identification

That's important too, but it doesn't address the issue of consent.

If data is being collected about me or my use of my machines without my informed consent, that's spying, period. I will treat anybody doing that as the attackers that they are.

Please correct me if I'm wrong, but you're saying your only issue here is consent? Surely you could just not use the sites and services that evade your consent then?

I'm sympathetic to the fact that "don't use services that track you" is easier said than done, but all the same, you do have that option.

"Surely you could just not use the sites and services that evade your consent then?"

No, really, you cannot.

FB maintains shadow profles, even for nonusers.

Google tracks virtually all Web traffic. And most email.

Amazon backs or provisions a tremendous amount on online sevices.

Comcast, TimeWarner, AT&T, and Verizon have absolute local, and effective national, monopolies on point-of-presence service across the US. Indigenous telco monopolies operate similarly elsewhere.

Cloudfront, Limelight, Akamai. and other CDN, DNS, and interconnectivity providers see requests and traffic aggregated across huge opulations.

Visa and Mastercard see a huge fraction of financial activity.

And this doesn't even start to touch the vast B2B data services markets in advertising, marketing, finance, credit, risk, tol collection, healthcare (denial) systems, licence plate scanner, retail backends, payments processing, debt collection, and more.

There really is no effective possibility of opting out. Even with denying yourself an effective role in modern society.

You haven't convinced me that the data they collect can harm you as an individual. How is your life actually negatively impacted? How is this a more rational concern than conspiracy theorists thinking the government is monitoring their private phone calls?

Convince me that removing all doors from toilets doesn't harm you when you use it?

data about you is private. The same as your business behind the bathroom door is private. Revealing it creates the "same" harm.

Dude, it's not a conspiracy. https://www.eff.org/nsa-spying

That's for targeting terrorists, not reading Joe Shmoe's email.

Because it's rife with bad actors due to a lack of regulation. And even the good actors are kind of forced to be bad actors in order to compete. Lacking better regulation it's just a horrible business model for consumers, with really no exceptions since anyone who plays nice will ultimately lose out to less scrupulous players.

> And even the good actors

This sounds like snark, but I don't intend it that way. I genuinely want to know.

Who are the good actors? I really can't see any.

I naively consider(ed?) Google a good actor. I still kind of buy that they want to be at least. I'm sure others think differently though and I'm definitely not going to defend them. (Android, Dragonfly)

Yeah, I think differently. I think Google is one of the major bad actors.

Could you provide some examples of the kinds of regulations that you believe are required?

Privacy mainly and ownership of data. Something along the lines of GDPR in spirit. I also think the details / fine print matter or loopholes will be found.

I think though that appropriate regulation is going to seriously hamper if not utterly destroy the business models of some really big players.

>but no one wants to have to pay a subscription fee to every single site on the internet

I want to pay for the ones I use! It is increasingly becoming clear that free stuff is horrible.

That's on the product advertiser. No one needs my data to figure out that if I'm browsing recipes.com I might be interested in $cookwareSale

My problem at least is the fog behind it all, let me make the choice of whether I let you sell my information or pay you directly, don't make me assume that everything free comes with strings attached.

> No one likes ads

It's not a problem with ads. It's a problem with tracking and data collection.

I do not want any company can follow my habits and have a list of my preferences, at least without my consent.

I like general ads (with moderation), not customized based on my past purchases, where I can find out something new and interesting. Like it is on magazines.

I'm not certain why this viewpoint, a completely valid one, was down-voted. This is simply the other side of the argument.

It has been one year since the EU's GDPR law went into effect. What they did and why they did it is described in the PDF linked below. Some of their rationale is spelled out in Section 1.1.1. Key principles in Section 3.


There are plenty of opportunities for abuse here in the US, and we're all reminded of them constantly. The proliferation of ad-blockers and anti-tracking software shows that 'extreme hostility' is widespread. I have yet to see any substantial animus in the EU over the reasonable measures they've taken. Hopefully action on a state-by-state basis in the US will encourage the industry to demand explicit legal restrictions.

I agree and this points to the problem of "high level, usable TOS/EULA". Today's EULA "culture" is so hopelessly broken. Whereas the software is interactive and intuitive, using readable labels and buttons, the EULA is a couple dozen pages of non-interactive legal fine print. Companies will continue to get away with evil until we come up with better requirements for this nonsense.

Like the cookie question where everyone clicks yes anyway?

I live there and I am proud our lawmakers took this seriously. It seems too common for lawmakers to not understand the ramifications of what was at stake.

There was a campaign by the Maine Chamber of Commerce running against it on the grounds that the privacy protections didn't go far enough. They only applied to ISPs (carriers) not to companies higher in the stack (Facebook, etc.). [1]

I couldn't quite work out of this campaign was done out of legitimate concern or was a cynical attempt to derail it? I mean, I agree with them that privacy legislation should apply broadly, but then I'm happy to at least start somewhere.

[1] https://privacy.mainechamber.org/

I feel like industry groups often use the "perfect as the enemy of the good" tactic to try and sabotage any starting point on progress.

Industry groups in favorable contexts would say this is fine, then for the "didn't go far enough" part they just lobby some changes in definitions next year, another change in scope the year after that, etc. Pretty soon it's exactly what they wanted and nobody's the wiser.

and of course they never propose any "perfect" solution that they'd actually support.

This isn't "progress", it's the silicon valley oligopoly on traffic data trying to maintain its position through legislation. If we're going to hold as a societal standard that it's okay for companies to sell traffic data, then more competition is better. The more centralized the control, the easier it is for the companies in power to exploit the general public.

> I couldn't quite work out of this campaign was done out of legitimate concern or was a cynical attempt to derail it?

I would bet on "cynical attempt to derail it", since it conflates two things that are not remotely comparable: providing internet service itself and providing a service that uses the internet.

Me too! Now we just need to get some ISP competition. Spectrum has a complete monopoly in my area. Their service is spotty at best, and they also accidentally blocked my account from paying digitally. Now I have to drive to their office with a couple hundred dollars cash once a quarter to prepay my bill...

For all practical purposes it won't make a difference. When you sign up for ISP service there will be a new small paragraph buried deep in the long 10000+ word contract text that says you consent to them selling your browsing data, which you have to sign to start the service, which nobody reads anyway.

The bill explicitly prevents that behavior.

  "The 'opt-in' nature...would set it apart from other
  state internet privacy laws...
  the proposed Maine law also would prohibit any [ISP] from
  making the sale of customer data part of its mandatory
  [TOS]. It also could not charge higher fees to customers
  who refuse to opt in"

They can't charge more for refusing to opt in, so nobody will opt in. The only alternative seems to be a hike in rates for everybody. Which isn't necessarily bad, it's arguably better that people actually know what cost they're paying. It's just naive to assume that this is ISPs getting some "extra money" on the side. This is factored into the revenue from the service. Now they'll have to adjust their models.

> The only alternative seems to be a hike in rates for everybody.

My naive understanding of the market is that the market doesn't work this way -- you charge what the market will bear. How much a product costs to make has nothing to do with how much you should charge for it; you charge what people will pay you.

So if the market is already buying a product at a given price point, and you find a way to save some money or make some extra money on the side, you shouldn't lower your prices in response unless a competitor forces you to -- and the ISP market has notoriously low competition. You happily take the extra margin and move on with your life.

In the same way, if a margin on a product goes down, but the market still refuses to pay more for it, you shouldn't necessarily expect prices to rise. Sometimes products just have different percentage margins.

In other words, if a company like Apple has good data that people are perfectly willing to buy iPhones at $1200, and they figure out a manufacturing trick that allows them to save $100 on each iPhone they build, they're not just going to drop the price to $1100. Similarly, if Apple has good data that people are only willing to buy iPhones at $1200 (and presumably they do, or else they would charge more), then a buyback or warranty program that loses them $100 per iPhone isn't necessarily going to mean a price increase.

Of course, economic majors are welcome to correct me if I'm oversimplifying this.

For an ISP in the US, at least, normal market forces are largely irrelevant, as most areas do not have competition.

In my area, there is a lot of competition among ISPs, but I have to talk to sales people on the phone in order to get the best price. The prices advertised online are much higher than what individual sales people are authorized to offer. It often feels weird to haggle, but that's a natural effect of a free market.

I thought about this as well. I guess I'd say you're basically right if this ISP is really a monopoly, and everybody has an Internet connection. But I don't know if that's quite right. "The market will bear" whatever price they're selling at now because the consumer would opt to not buy it at a higher price. I imagine the ISP's optimal situation is a price that leads to fewer than 100% of people paying for the connection, even as a monopoly. "People are willing to buy at X price" isn't really meaningful. The question is always how many people.

I certainly don't think they will pass all of the cost onto the customers; that's never how it works. But, since the costs per connection are still the same, and the revenue per connection is now lower, they probably won't be at their optimum anymore. They'll probably find a new optimum by raising their prices, making a bit more revenue per customer and losing some customers. Basic supply/demand curve stuff. Again, those curves are not quite the same in a monopoly market, but iirc it still applies to an extent. If the monopoly really had total control, they would take the customers for everything they have, and it's not quite that bad.

:shrug: maybe the actual effect will be marginal. I'm not an economist either.

> Which isn't necessarily bad

One positive is that it changes the criteria of success in the market from "who can provide quality internet at a low price, and mine and sell the most data" to simply "who can provide quality internet at the lowest price".

When new companies enter the internet market (if such a thing still happens?) they will be asking "how can we provide good internet?" instead of "how can we mine more data from our users?"

> One positive is that it changes the criteria of success in the market from "who can provide quality internet at a low price,

Since only one ISP is available in my (and many other's) area, there is no pressure to provide quality internet at a low price at all.

This is not a competitive business. It’s just monopoly companies grabbing what they can. They don’t need to sell data, they just do because they can. Nobody weeps for the poor ISPs, ultimately perhaps the owner will get a slightly less tall stack of money each year.

I wish that would make much of a difference, but likely there will just be a small paragraph under the main TOS with a big checkbox next to it, that almost no one will read and almost everyone will check.

The bill prevents the company from denying or penalizing you for opting out of the data selling, and gives consumers the right to opt out at any time.

It should be opt-in but ... hey. It's something.

According to the bill text someone else linked (https://news.ycombinator.com/item?id=20062182) it’s out-in, requiring “express, affirmative consent” which should also rule out burying it in a footnote of the fine print.

May as well forbid it outright at that point.

(They should. Everybody deserves protection from this, even the people who don't understand the threat it poses. The uninformed, ignorant or naive all deserve protection, since preying on ignorance or naivety is generally considered abhorrent by anybody who's not totally morally defective.)

> May as well forbid it outright at that point.

I was wondering about that point myself. I am thinking that they may not have the authority to create such law, so they still allow ISPs the ability to track but make it as restrictive as possible.

I think it's just the equivalent of "you can't stab someone unless they give you express prior permission to do so". It may technically be less restrictive, but in practice noone is ever going to opt-in to that without coersion. Of course, in actual practice, we'll probably see a dozen different loopholes inside a year, but I'm willing to give them credit for at least pretending to fix this particular part of the problem; it's just matter of keeping up the pressure and momentum.

Could be. Where might such a restriction be coming from though? I don't think it would run afoul of interstate commerce stuff. Is there something in their state constitution that interferes with it?

Alternatively maybe they didn't have the votes necessary for a more potent law. Maybe some of the politicians were scared of doing anything too dramatic maybe?

You are opted-out of them sharing by default. It allows you to opt-in to share

From the article:

The bill prohibits a provider from refusing to serve a customer, ... if the customer does or does not consent to the use, disclosure, sale or access.

So if they do as you say, they will be in violation of the law.

I agree. I also see this as protecting the ISPs from any future litigation from consumers since now the consumer has no choice but to give consent.

> the consumer has no choice but to give consent.

The law makes that illegal as well

> the proposed Maine law also would prohibit any internet service provider from making the sale of customer data part of its mandatory terms of service. It also could not charge higher fees to customers who refuse to opt in, or penalize them in any way.


I can predict the "Dark Patterns" right now. Giant Accept button and 6pt font opt-out link.

There needs to be some law against dark patterns because nothing is enforceable anymore. I'm not sure what can be done but I know that the death of our society is due to people/companies that are using loop holes and all sorts of tricks to game the system and undermine basic trust. It used to be that these "tricks" were used only sparingly but as more and more bad actors engage in this type of behavior it only makes it more normalized, and even causing more people to resort to the same behavior in order to survive.

It's like bad drivers. If you have more and more people cutting cars exiting a freeway exit, people at the end will never make it off the freeway in a timely manner. Thus, people have to start being bad drivers themselves or else they will never get to their destination on time.

What you are describing is a form of race to the bottom, if all you competitors (in business or life generally) get ahead and away with behaving unscrupulously the only rational course is to behave unscrupulously.

What is particularly tragic is that all it takes to get this rolling is the perception that others are doing something and people will move to follow.

Campaign attack adds, lying about diesel emissions, doctoring footage, falsifying compliance to environmental regulations and on and on.

The perception is becoming that if you obey the rules you are a fool and that is horrifically dangerous position.

Society by and large runs on a trust (but verify) model, I trust that when I walk down the street a random person isn't going to murder me but when that trust is eroded things go bad fast.

Scares the crap out of me and I'm not sure what we could do at this point, more genuine openness from government/authorities, properly funded government watchdogs with independent oversight that kind of thing but they are expensive and easy for either side to rally against "big government"/"the man".

100% seconding your observation; I've been arguing something similar myself for a while too. That's why I'm totally serious when I say, ban the shit out of the advertising industry. Burn it to the ground, with legislative fire. Half of this crap comes from advertisers and ad-supported sites (the other probably mostly from airlines).

This won't solve everything, but would be a nice start. There will always be scoundrels, but the current market dynamics seems to be pretty good at making manipulative and dishonest behaviour successful. We need to work on corrections that would promote honest businesses instead.

As a secondary avenue, I wish we could somehow have a cultural shift. "Dark patterns" isn't a new phenomenon; its very name has been a commonly-known term for years now. And yet, instead of avoiding them, most successful companies seem to look at them as sources of inspiration. Hell, they're becoming a part of "UX standard practice" these days.

Turn on feature you really don’t want? <later> <yes>

Combined with asking you constantly if you say no and never asking again if you say yes.

I hate that shit and it creates a negative feeling for me towards whatever product is doing it, if I’m aware you are trying to trick me why would I trust you.

It must work (for some set of work) though or they wouldn’t do it.

> It must work (for some set of work) though or they wouldn’t do it.

Tired people, busy people, people who don't understand any of it. I too sometimes just click through consent forms without reading, 'cause ain't nobody has time for this crap, but I'm happy with the knowledge that GDPR makes this mostly safe (and in cases where it doesn't, at some point I'll start sending data access and removal requests just out of spite).

This is a really good point about GDPR making it mostly safe. Making consumer's feel secure in the knowledge that they can ignore massive legal documents on some random website is a win in my book.

Can they email you a "Change of Terms of Service" link (that nobody reads) that explains you auto accept if you continue using their service or some BS?

No, the law as written states "if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access." - ignoring an e-mail or any other 'auto accept' don't qualify as express, affirmative consent.

Legally dubious as you can't prove wether someone has read an email or not. Official correspondence has to occur through verifiable means (ex: having them login to a portal, certified mail) in order to handle the approval in order to stand up to a challenge in court.

I'm not a legal professional, and my advice shouldn't be taken as rule. Please consult an attorney.

They consider you read emails after a set period of time, regardless of you (do/did/have) actually read. It works like that in Europe not the least.

You assume they put an opt-out link on the button and not have it buried in either the Terms of Service, a customer request or an entirely separate EULA.

Just mail a letter to this PO box and we'll have your information removed in 8-12 weeks with no way to verify we did it!

> “But the TOS and EULA were on display…”

> “On display? I eventually had to go down to the cellar to find them.”

> “That’s the display department.”

> “With a flashlight.”

> “Ah, well, the lights had probably gone.”

> “So had the stairs.”

> “But look, you found the TOS and EULA, didn’t you?”

> “Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”

Yeah that's my understanding too. What I mean is the opt-in will be a Giant "Accept" button with a minuscule "No thanks" link somewhere on the bottom right.

They'll just make it a mandatory part of the ToS.

> The bill will go into effect if Gov. Mills signs it

She'll sign it. Mainer here who's been following what's been going on (she's our first female governor), she's been very committed to making sure our state is modernized. She quoted Kurt Vonnegut in her inaugural speech.

Still can't wrap my head around the idea that they even have my browsing data. Just connect me to the Internet and mind your own business.

Boy have I got a surprise for you. I was an engineer at a web analytics firm a decade ago and yes, ISPs have your web browsing data and are selling it left and right. Also apps, Cell phone companies, etc. Our company bought all that data. and when that wasn't enough, we created apps that collected even more. Every click and ajax request, etc.... timestamped.

Yes, there are analysts sifting through your browsing data (if you're lucky, vaguely anonymized). Yes, I heard countless stories of this data being abused and misused. I simply can't imagine it has gotten much better by now.

> ISPs have your web browsing data

Since you worked in this area: What specific things do they track, and by what technical mechanism? DNS requests? (Do they capture those that don't go to their servers?) IP addresses? HTTP snooping? Full HTTP (non-TLS) MITM?

I wasn't responsible for the data intake, but I know that the data was extensive, and always included time on page, full URL, other request information (often post stuff).

I know that HTTPS provided a technical hurdle that our company and data providers worked around after about 6 months.

My guess is that some MITM-type collection? Some data providers gave us IPs and some just gave us some Tokenized ID. I don't know if ISPs provided IPs, but probably not.

Note that we did lots of data linking. Let's say an ISP provided us your age, URL, and Timestamp. We would link that into another data provider that provided past purchases, URL, and Timestamp (shopping toolbar/plugins do this) to get a bigger picture of who you are.

>get a bigger picture of who you are.

Sorry if I'm reading too much into this, but are you saying this data being collected and sold contains PII?

Well, PII is a bit of a nebulous term. Some websites still transfer some signup/user info in url parameters or unencrypted responses. We would even see SSNs pop up now and then.

Most data being sold has some good faith effort to remove PII, but that's never 100% complete, and by utilizing multiple data sources, an industrious person or team could de-anonymize your data. We were mostly doing this type of work for segmentation and persona analysis. Targeting an individual was never a goal, but would not have been terribly difficult.

I'll give you an example. We might receive all urls a person visited. Many contain person information that would not be caught in usual PII filtering process: https://mail.google.com/mail/u/1/#search/my+viagra+prescript...

ISPs use a variety of techniques, such as deep packet inspection.

Many ISP support centers use commercial software [1] to display a detailed analysis of website usage whenever a customer calls in for support.

This includes the top websites visited, how much data was transferred for each site (yes, including those of a more salacious nature), the number and type of devices inside a home, nearby Wi-Fi networks, etc. [1]

This information can then be queried and used used for marketing purposes at the subscriber level (or to individuals within a dwelling).

[1] https://www.calix.com/content/calix/en/site-prod/library-htm...

[2] https://www.calix.com/compass/access-analyze.html

[3] https://www.calix.com/compass/consumer-connect-plus.html

They're tracking the TLS ones too. DNS & Server Name Indication reveals which site you're going to. DPI means they're watching the content of the HTTP pages you go to as well.

My hope is that a high tracking rejection rate will cause these companies running data vacuums on the side to reconsider the RoI of investing in data vacuums - it could result in a sort of herd immunity to advertising, if 95% of people opt-out the other 5% may be effectively opted out since advertising to just 5% of consumers becomes unprofitable.

Section 4-B says it's acceptable to use a customer's personal data:

"To advertise or market the provider's communications-related services to the customer;"

With ISPs that own networks, e.g. Comcast -> NBC, would a service like NBC Sports be considered a communication-related service of Comcast's? If yes, then could they feed that customer data into NBC's advertising infrastructure? If so, could NBC then sell that data?

Do Maine judges tend to honor the spirit or the letter of the law more often?

Kind of ironic, when I click it I am presented with a huge oath overlay saying how much they care about my privacy without a "Reject all" button anywhere in sight.

Really we need to stop relying on third parties to use our data "correctly" no-one has the time and expertise to carfully read and understand what these third parties say they intend to do with the data and then actually verify that they did what they said.

It is much easier to just assume these third parties will do whatever they want and either not share the data or accept that it will be used in ways you can't control.

I agree, but I can't imagine a world where the internet works any different than currently in your scenario.

Eg, right now (or at least a few years ago) companies could basically do anything with your data. And they did. It's getting worse too, with advanced techniques on identifying individuals across website bounds, etc.

That is what is spawning these sorts of debates, laws, etc. So my question to you is while I agree that we have to assume malice (for ease of discussion), we can't actively allow or encourage malice right? So if we do nothing, do we just accept that they do who knows what with our data?

Ie, I think we mostly agree that what is going on right (with our data) now is bad. So don't we have to do something? What do you see as the right solution?

Probably not strict enough. ISPs are just going to shrinkwrap their contracts with an extra clause saying they're selling your data unless you write them a letter to some address which they will check at a ridiculously low frequency or have to call through a call center and deal with every salesman and their brother and sister flabberghasted at such a request while passing it on to their "superior" for an hour at a time while you sit on hold waiting... and in the meantime will sell your data. The law really should have made it completely opt-in only (which nobody would reasonably do) or just bar it completely.

They already know all the tricks to stop people getting out of their contracts, they're just going to start applying that to this kind of opt-out situation too.

Define consent. Because I’m pretty sure the only outcome of this will be some new language tucked away in the fine print of every customer’s monthly bill giving consent unless they cancel service or something like that.

Is this personally identifiable? I don't see any issue with collecting and selling anonymized observations.

It would be like police setting up cameras and using them to train a machine learning model on drunk driver detection. It's not collecting who is driving, just observing how normal cars subtly drift in and out of a lane and brake vs. intoxicated drifting/braking and using that to train a DUI detection model.

> I don't see any issue with collecting and selling anonymized observations.

In this day and age when correlating and analyzing data from a wide variety of sources is commonplace, the only effectively "anonymized" data is data that has been discarded.

Right so you are basically saying companies/governments should not be able to make generic observations about anything involving people in any way without their consent because it is impossible to have truly anonymous data.

I don't know if I agree with that.

No, I'm not saying that.

It is possible, for instance, to collect individual data, tally up certain characteristics in the aggregate, then discard the individual data points and only keep the aggregate statistics.

With certain narrow exceptions, though, no data about me personally should be collected without my explicit permission regardless.

> With certain narrow exceptions, though, no data about me personally should be collected without my explicit permission regardless.

Well, I don't agree with that. I don't see any reason people should have a right to "own" information observed about them.

I make observations all the time about other people. You can't force me to forget what I've observed. Computers make it easier to "remember" and process observations, true, but at the root there is no difference between me observing stuff and writing it down and a computer observing stuff and writing it down.

I suspect your objection may mostly fall into what I consider exceptions, such as things done in public spaces (although I don't think it's sustainable to assert that you give up all privacy rights in public spaces).

> at the root there is no difference between me observing stuff and writing it down and a computer observing stuff and writing it down.

If that computer isn't talking with other computers, I agree. I actually don't have much of a problem with individuals making individual observations of public behavior and writing them down or storing them in a computer.

My concern is more about the parameters around sharing that data (mostly because of the existence of databases and data mining). Further, I'm far more concerned about data collected about me on the internet than in the physical public square.

That said, I do and will continue to go out of my way to avoid as much surveillance as possible even in physical public spaces. For instance, any store using those surveillance devices intended to analyze my shopping behavior, moods, etc., in order to target ads at me is a store I won't be stepping into.

The true test is if the anonymized data can be filtered and cross-referenced in a way to still link back to people[0].


You can always de-anonymize data given enough resources so that argument seems bogus.

Anonymous data: Red car observed on Dawn Road at 23:34 on May 31 2019. DUI predictor - likely sober. Speed - 53 mph.

Can this information be de-anonymized? Sure can!

Police: "The suspect fled 7-11 Around 23:30 and either went on Dawn Road or Lost Haven Road. Let's filter all red car observation events that happened that night between 23:30 and 23:40 on Dawn and Lost Haven. Yup, found him"

So you are saying we have to scrub it further? You end up removing all information until there is nothing left.

"car observed on May 31"

It would depend on what is included in the data and what other data is available for reference. You can have medical data that tracks all of the symptoms reported by a patient without prompt ("What brings you in?"), symptoms reported by a patient with prompt ("Can you describe the pain? Where is it located?"), and the diagnosis by the doctor. It tells you nothing about the patient nor the doctor, but it still provides useful information.

The example, run anonymously, can be no more than unsupervised clustering. In order to train "a DUI detection model" there must be actual DUIs and BACs recorded, which isn't anonymous.


This might make it worth having me park a server in the state and get my internet feed through a VPN to that server.

There's a lot of reliability problems with Maine internet because lobsters keep snipping the cable.

I don't know what this site has against jokes, but you can have my upvote.

The site guidelines are here https://news.ycombinator.com/newsguidelines.html

Jokes aren't explicitly against the guidelines either, but I think the site likes to emphasize high quality content that will not alienate people who don't understand obscure references.

Username checks out.

So given that this law and others like it are necessary, does this imply that court verdicts and silence have neutered the right to privacy?

Actually I wonder, have there been any major decisions since Roe v Wade that have affirmed a right to privacy?

https://en.wikipedia.org/wiki/Lawrence_v._Texas is an example. But these constitutional decisions are about the validity of particular State laws; they don't create free-standing rights that can be enforced against companies that violate your privacy.

Good, now we just need to overcome corrupt crooks in Congress and also pass strong Net Neutrality bill, or at least prevent the fake one from passing to avoid cementing perpetual loopholes.

Why not just prevent them from collecting it in the first place?

A significant amount of the data is stuff that will normally be logged for diagnostics, billing, complying with legal requests etc, ie normal ISP business.

I don't think the commercial department gets access to the data collected under lawful intercept regulation.

M'lord pseudolus another great article that we opened can fest on. Another 1000+ points article

It's needed, I can tell you from anecdotally someone is feeding these habits to the advertising surveillance bots

They should not be allowed to even collect data about particular user browsing.

At this point, given the relentless barrage of evidence of 'dark pasterns' and worse in 'consent' luring, the practice should just be outlawed full stop.

lets see what kind of slap on the hand fines these ISPs will pay to continue profiting off user data.

Just ban it period. Stop the madness.

Note that this is only necessary because the 2018 Republican Congress voted to allow ISPs to sell user data.


You seem to be under the impression that this didn't happen before 2018.

This has been going on for a very very long time.

The FCC passed a regulation to stop the practice and Congress voted to overturn that regulation.

...so it was happening before 2018. And therefore has nothing to do with that bill because it was never law?

...so if Congress had not taken that 2018 vote this Maine legislation would not be necessary. Just like I said.

That’s what you should have said then, instead of they changed something which resulted in this.

Which isn't even technically possible in the first place. So voting to allow it doesn't do anything

Gotta make it easier for the Russians to target you.

"Eschew flamebait. Don't introduce flamewar topics unless you have something genuinely new to say. Avoid unrelated controversies and generic tangents."


This never would have been possible with Paul LePage aka Trump-lite in office.

ISPs don't (can't) have your browsing data anyway... Not sure what the point of this law is.

They got the ip, time stamp and data amount of every request you make. So unless you use a proxy with https they know quite a lot of valuable things about you.

Why not ban browser companies, operating system companies, computer/phone companies, email providers, etc. too?

We should ban collecting tons if info about people, for all companies, period. We won't, because banks and CC companies are very into doing that and the politicians love them, but we should.

No. Because many businesses rely on data available. FAANG would be out of business then.

AAN actually sell stuff other than hyper-targeted ads. F and G (and AAN) still can sell ads, just less targeted ones. They would suffer a bit (or a bit more), but not outright be forced out of business. And same goes for most if not all other FAANG-tier companies not explicitly included in that acronym.

As for the "improving service" angle, e.g. Netflix could ask if it's OK to collect history to improve/personalize recommendations.

And a lot of "improvements" and metrics do not really need detailed data collection per person anyway. Collecting anonymous data in broader groupings is often quite fine. E.g. "Strange Things is really popular our total-views counter says ergo order a new season". There is no need for Netflix to know exactly who specifically watched the show to make such a decision.

Is this a generational thing, or an industry-you're-in blindness thing? Or both? We had an economy, and even advertising (so, so much of it) before spyvertising was such a huge thing. It was fine. The sky did not fall. For some reason there's a set of people who seem to think it'll be the end of the world if we stop letting companies operate private dragnet spy operations.

I didn't see this before I posted my reply. I'm so glad I'm not the only one who is seeing this. I would go so far as instead of saying:

> It was fine.

To say that "it was better", because there was more competition.

That's a keen insight, that it might be a "generational thing". I remember things, in general, working better before the Shermann Antitrust Act stopped applying to technology companies.

> Netflix could ask if it's OK to collect history to improve/personalize recommendations.

If they ask for the data for that purpose, then they should only be allowed to use the data for that purpose.

"Businesses rely on being shitty so we can't outlaw being shitty or they might have to find a way to operate without being shitty, or else stop operating" isn't really convincing me.

I don't understand comments like this. I see this sentiment adopted, and echoed by so many really smart people who should know better. They talk about FAANG like they're essential services, like the food supply, or water. Almost as if it's not a real option for ANY business to fail or be overtaken by a competitor. Regardless of their current size and scope, if they all disappeared over the course of a month, do you honestly think nothing would rise up to take their places almost immediately? I mean, I would definitely move a product or two to market and attempt fill some of the demand left in their wake. Wouldn't you?

This is absolutely false.

This isn't true of Facebook. This isn't true of Apple. This isn't true of Amazon. This isn't true of Netflix. Google... likely they would be wounded, but it definitely wouldn't make them go out of businesses.

I worked at Amazon, which has a ton of data about your shopping habits that allow them to make targeted decisions on a customer's behalf. You know what? The vast majority of that data (at the time) came from observing customer behavior on properties owned by Amazon.

In my mind, that's perfectly reasonable - what I do within the boundaries of their business is our shared interaction and we both have the opportunity to make decisions based on those interactions. The major exception for Amazon is affiliate links, which, for the business i was in, weren't used as data sources.

Apple is not significantly different. Between Apple and me, who else knows our business and what does Apple know about me outside of my interactions with them (maybe more now with Apple Pay).

For the most part, Netflix is the same. Sure they know what I watch, but why does that matter if they're only using it to improve their own business and make programming choices?

Google and Facebook, on the other hand, blanket the internet with tracking beacons, read my email, keep shadow profiles (I don't have a facebook account, never have had one, but I'm sure they know more about me than I'd like), eavesdrop on conversations (I suppose Amazon is in that business now, too), track locations, steal contact data, trick people training their ML algos, etc. As is said, "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.", FB and Google have far more than that and a single bad actor with access to that data could make life extremely difficult for just about anyone in the world.

If FAANG business depends on data which should be private then FAANG should be out of business.

Businesses relying on collecting data without explicit permission should go out of business.

Only if they fail to adapt. And if they can't adapt, then good riddance. The history books are littered with examples of huge corporations that failed to adapt then died. FAANG isn't special.

Yeah, good. I value my privacy far more than somebody's profit.

The solution to all of this buying and selling of information is simpler than we all think. We will be creating a credit reporting type agency but for data privacy. This will tell us who pulled your information as a credit reporting agency does when you sign up for a Credit Card. Now to what extent does it disclose what what captured we as citizens will have to stand up and fight for that.

Not only that, but credit card companies, banks, tv providers, insurance agencies, charities, service providers, political organizations, _every business I interact with_. Unless I explicitly provide permission, why should any business I interact with be able to sell information about that transaction to another business that is unrelated to the transaction?

This is one _huge_ advantage to cash in the current market, but that doesn't apply to the dozens of other ways companies are tracking people.

Every journey begins with a single step.

Why not just nip it in the bud and unplug the physical infrastructure of the WWW?

This is exactly it. The reason tech companies are so big on supporting regulations against ISPs is because those rules are narrowly carved out to not apply to them, eliminating a large chunk of their competition.

Imagine if this law also applied to Google and Facebook, and they couldn't charge more when you opt out of their data collection?

To use a physical analogy, ISPs are like roads. Google and Facebook are like places you can drive to on the roads.

You argument is essentially that it is not right to ban persuasive surveillance on the roads if it is possible for people to use those roads to reach destinations where surveillance is allowed.

That analogy is completely arbitrary though, and only drawn to serve tech companies' interests. Because Facebook and Google are platforms, not end destinations in themselves.

In your analogy, perhaps the ISPs are the highways, and tech companies are the neighborhood streets, but they're both roads. Because you're not trying to get to Facebook, you're trying to get to your grandma's photo album, that unfortunately you can only get to through Facebook.

You can only get to grandma's photo album because she put it on Facebook. She could have put it on Flickr, or iCloud, or numerous other places.

No matter which she chooses, though, to get to it a large number of people only have one choice for high speed internet access to go through.

ISPs are low level infrastructure tied to specific geographical locations. If you don't like the infrastructure where you live then generally you only way to pick something better is to move to another region.

If you don't like your photo hosting site, or you blog hosting site, or you online backup site, or your stock tracking site, etc., an alternative is a URL change away.

That's why different regulatory handling of ISPs and the places you reach through those ISPs makes sense.

Facebook is more like a bar or club or church in the physical world analogy than it is like a street. You go there to interact with other people who go there, but it is a destination, competing with other destinations that those people could meet at instead.

That said, Facebook does offer communication services, and so some regulation of communication services that makes sense would make sense to apply to both them and ISPs.

"an alternative is a URL change away" isn't really a true statement. You can move off of Facebook, but you can't move your friends and family off of Facebook. You can use a YouTube alternative to watch videos, but all the videos you want to watch are not going to be there.

Pretending platforms are a wholly different thing than infrastructure, and easily switchable seems willfully ignorant of the real world. Moving platforms is almost as difficult as moving real world locations. And popular opinion aside, most people have two or more ISP options. (I have three wired residential ISPs here, two offering gigabit connections, and at least four wireless carriers.)

It's all political marketing to make consumers continue to feel good about being screwed over more and more by corporate policy following demands of the very wealthy.

Could you please stop posting ideological flamebait to HN? It breaks the guidelines and is not what this site is for.


How is it a flamebait?

If you create and pass toothless legislation that can be nullified by agreeing to a private contractual agreement that overrules said legislation, it doesn't serve anything but a facade to mislead those it purports to protect. Intent is of course always questionable and unknowable but if the trend is passing legislation with deceitful naming conventions and summaries that confuse the average citizen, it's shameful.

There are cases where private contracts have been ruled invalid when they step deeply on constitutional rights, but even those are typically the exception, not the rule, and require time, money, and risk to pursue litigation on behalf of the individual which not all are inclined or even capable of pursing.

What’s the point of this level of cynical response when a good bill passes? Let’s give some props and do more good things, not sulk.

This is passed legislation (and it's not yet clear to me if it's passed one or both houses).

It has yet to be signed into law, enforced, or litigated.

Given past track records on such matters, there's ample room for pessimism.

It's a good bill iff it proves effective. I'm optimistic that it will, but that still remains to be seen.

(An ineffective bill can be worse than none at all, since it's existence may confuse people who believe they have protection when in reality the legislation is less effective than their perception of it.)

Good, and good enough, are two totally different things.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact