New Privacy Law in California

The State of California often leads the country in addressing regulatory issues. This makes sense since the State has a population of nearly 40 million and an economy that would be the fifth largest in the world if California were a separate country.

A new law that was enacted on the last day of the California Legislature was signed by Governor Gavin Newsom this month. The bill makes it easier for people who want to scrub information about themselves from the Internet. The State passed privacy legislation in 2018 that gives people the right to ask companies to remove personal information from the Internet or databases. However, it turns out that the process of extracting one’s identity from the Internet is a lot of work, and in many cases is nearly impossible.

One of the main problems is that there is now a huge industry of companies that make a living selling and reselling personal data. One of the provisions of the California privacy law in 2018 was that data brokers had to register with the State if they sell information on California citizens. Over 500 companies are now registered as data brokers on the California Attorney General’s website. Some are well-known companies like credit bureaus, but most are companies that the public has never heard of. Many data brokers are specialists who work for marketing companies, politicians, large corporations, or law enforcement.

The new law is Senate Bill 362 – Data Broker Registration: Accessible Deletion Mechanism, and was sponsored by Senator Josh Becker of Menlo Park. The purpose of the law is to make it easier for folks to decouple from the Internet. The new law would allow consumers to make a single request to be removed from the Internet and databases – a web version of the Do Not Call List for telephone calling. Data brokers would have to respond quickly to such a request and would have to recheck their databases every month to make sure that personal information isn’t reposted.

Privacy advocates are calling this a landmark law that gives rights to the public to take control of their own data and to stop other companies from monetizing data about them.

Of course, the data brokers had a long list of reasons why the law shouldn’t be enacted. They say that this would slow down the process of people being verified when they go to a new website. They claim this would starve non-profits by cutting them off from databases of likely donors. They claim that it would make it harder for law enforcement to investigate people. They warn that people who ask to be removed from the lists won’t like the consequences.

Obviously, the legislators thought differently. In the discussions leading to the passage of the bill, there were discussions about how companies can now buy tracking data from our cellphones to keep track of where we are, what we do, and where we shop. They say that the databases allow people to stalk others, including the possibility that folks with strong political views can track their opponents.

Some data about all of us is already public. Things like voting registration, home ownership, and other interfaces with governments are public. What a lot of folks find troubling is that data brokers also buy information from credit card companies, ISPs, telephone companies, and other sources of information that most people do not want to be openly shared.

Generally, laws that start in California eventually get discussed and considered elsewhere. I’m guessing that this is something that the public will really like. I’ll be honest – just knowing that there are over 500 data brokers sharing our data makes me uneasy.

Privacy in the Age of COVID-19

The Washington Post reports that a recent poll they conducted shows that 3 out of 5 Americans are unable or unwilling to use an infection-alerting app that is being developed jointly by Google and Apple. About 1 in 6 adults can’t use the app because they don’t own a smartphone – with the lowest ownership levels for those 65 and older. People with smartphones are evenly split between those willing and those unwilling to use such an app.

The major concern among those not willing to use such an app comes from the distrust people have about the ability or willingness of those two tech companies to protect the privacy of their health data. This unwillingness to use such an app, particularly after already seeing the impact that the virus is having on the economy, is disturbing to scientists who have said that 60% or more of the public would need to use such an app for it to be effective.

This distrust of tech companies is nothing new. In November the Pew Research Center published the results of the survey that showed how Americans feel about online privacy. That study’s preliminary finding was that more than 60% of Americans think it’s impossible to go through daily life without being tracked by tech companies or the government.

To make that finding worse, almost 70% of adults think that tech companies will use their data in ways they are uncomfortable with. Almost 80% believe that tech companies won’t publicly admit guilt if they are caught misusing people’s data. People don’t feel that data collected about them is secure and 70% believe data is less secure now than it was five years ago.

Almost 80% of people are concerned about what social media sites and advertisers know about them. Probably the most damning result of the survey is that 80% of Americans feel that they have no control over how data is collected about them.

Almost 97% of respondents to the poll said they have been asked to agree to a company’s privacy policy. But only 9% say they always read the privacy policies and 36% have never read them. This is not surprising since the legalese included in most privacy policies requires reading comprehension at a college level.

There is no mystery about why people are worried about the collection of personal data. There have been headlines for several years talking about how personal data has been misused. The Facebook / Cambridge Analytica data scandal showed a giant tech company selling personal data that was used to sway voters. The big cellular companies were caught several times selling customer location data that lets whoever buys it understand where people travel throughout each day. Phone apps of all sorts report back location data, web browsing data, and shopping habits and nobody seems to be able to tell us where that data is sold. Even the supposed privacy advocate Apple lets contractors listen to Siri recordings.

Given the level of distrust of tech companies, it’s not a surprise that it’s becoming common for politicians to react to privacy breaches. For example, a bill was introduced into the House last year that would authorize the Federal Trade Commission to fine tech companies as much as 4% of their gross revenues for privacy violations.

California recently enacted a new privacy law with strict requirements on web companies that mimic the regulations used in Europe. Web companies must provide California consumers the ability to opt-out from having their personal information sold to others. Consumers must be given the option to have their data deleted from the site. Consumers must be provided the opportunity to view the data collected about them. Consumers also must be shown the identity of third parties that have purchased their data.

The unwillingness to use the COVID-tracking app is probably the societal signal that the hands-off approach we’ve had for regulating the Internet needs to come to an end. Most hands-off policies were developed twenty years ago when AOL was conquering the business world and legislators didn’t want to tamp down on a nascent industry. The tech companies are among the biggest and richest companies in the world and there is no reason to not regulate some of their worst practices. This won’t be an easy genie to put back in the bottle, but we have to try.

Is Your Home Listening to You?

When I was a teenager, science fiction books envisioned a future where people talked to their home to take care of mundane tasks. For somebody willing to spend the money on new appliances and devices that future is here today.

Just consider the Amazon Alexa voice assistant, which is installed in the largest number of devices. GE has built Alexa into its new stoves, refrigerators, wall ovens, dishwashers, washers and dryers, and air conditioners. Samsung has built Alexa into refrigerators, washers, dryers, air conditioners, and vacuums. Alexa is built into smart light bulbs, smart wall plugs, televisions, thermostats, smart door locks, security cameras, speakers, and numerous other devices. The chips and/or software to add Alexa to devices are getting cheap and it shouldn’t be long until the app is built into most electronics you might buy.

The convenience of talking to home devices is not without a cost, and companies like Amazon, Apple, and Google are listening to you through the devices. Like other voice assistants, Alexa listens all of the time waiting for a ‘wake word’ that activates the app. There are major privacy and security concerns related to the constant listening. We have to trust the company controlling the device not to listen to us all of the time because there is nothing stopping them from doing so.

Amazon swears they don’t listen or record except for a short period of time after the wake word is spoken. They also swear that they only preserve those recordings in an effort to improve Alexa’s responses to questions. If you are going to use Alexa in your home, you are trusting that Amazon is telling the truth. Back in 2017 Samsung got a huge black eye when they were unable to make that promise concerning their smart TVs.

The other big concern is hacking. There is zero chance that all of the companies making devices that include a voice assistant have iron-clad security. While Amazon really might not be listening to you, a hacker will surely be willing to do so.

To make matters even more uncomfortable, a lot of lawyers and privacy experts believe that if a person knowingly installs a device that listens and transmits information to a third party, that person has waived their Fourth Amendment privacy rights and any rights granted by the Electronic Communications Privacy Act. The concept has not yet been challenged in a court, but if it’s true, then people have no recourse against Amazon or anybody else using the information gathered from a voice assistant device.

My house has four Amazon Echos that we bought when the devices first hit the market. They are convenient and I use them to listen to music, check the weather or news, check the hours at stores or restaurants, and to make the occasional reminder in the middle of the night. My family has gotten uncomfortable with being listened to all of the time and we now unplug the devices when we aren’t using them. This kills all of the spontaneous uses of the devices, but for now, that feels safer than being listened to.

I’m going to be leery about buying any new household appliance that can listen to me. If I can’t disable the listening function, I’m not going to buy the device. It’s impossible to feel secure with these devices right now. It’s impossible to take the word of a big company that such devices are safe. You only have to look at the current experiences with the hacking of Ring cameras to know that smart home devices are currently anything but safe.

Small ISPs have never worried much about the devices that people hang off their networks. ISPs provide the bandwidth pipe, and how people use data has not been a concern for the ISP. However, that is slowly changing. I have a lot of clients that are now offering smart thermostats, smart security systems, and other smart devices as a way to boost revenue. ISPs need to be careful of any claims they make to customers. Somebody advertising safety for a smart security system might have liability if that system is hacked and the customer exploited.

Maybe I’m being overly cautious, but the idea of somebody I don’t know being able to listen to everything said in my house makes me uncomfortable. As an industry person who has been following the history of IoT devices, I’m even more uncomfortable since it’s now obvious that most smart home devices have lousy security. If you don’t think Amazon is listening to you, I challenge you to activate Alexa and say something vile about Jeff Bezos, then see how much longer it takes to get your next Amazon shipment. Go ahead, I dare you!

The Battle over DNS

One of the hottest topics in the computer world this year is the controversy over DNS-over-HTTPS (or DoH). DNS stands for domain name system and is the protocol that acts like the telephone directory for the web. The DNS system translates a domain name, such as the ‘www.google.com’ in ‘https://www.google.com/’, to an IP address so that the request can be routed over the Internet. Every device connected to the Internet has a unique IP address, and the DNS system helps to establish a 2-way connection across the web, in this example, between a Google server and a user.

DNS is one of the oldest protocols on the web and hasn’t changed much since it was created. Domain name requests are sent in plain text to an ISP which then converts the domain name to an IP address and routes the user’s request to connect.

DoH takes the ISP out of the picture since web browsers will initiate the DNS lookup. Currently, DoH is built into a few browsers such as Mozilla Firefox and Google Chrome, and most of the major browsers have plans to enable DoH. A web browser will use the DoH protocol to encrypt a domain name request and send it to a third-party DNS database provider for routing.
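The difference between the two lookups can be shown with the DNS message itself. The following is an added example, not part of the original post: it builds a standard DNS query, recovers the name exactly as anyone carrying an unencrypted query could, and then forms the DoH GET request defined in RFC 8484. The resolver address `https://doh.example/dns-query` is a placeholder assumption.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption for this example, not from the post).
DOH_ENDPOINT = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query in wire format (RFC 1035). qtype 1 = A record.

    RFC 8484 recommends a transaction ID of 0 for DoH so responses cache well.
    """
    # Header: ID, flags (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    if len(qname) > 255:
        raise ValueError("encoded name exceeds 255 bytes")
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def observed_name(packet: bytes) -> str:
    """Recover the queried name from an unencrypted DNS query.

    This is what an ISP or any on-path device can log from classic DNS.
    """
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in a query")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the same message, base64url-encoded without padding.

    The whole URL travels inside the HTTPS (TLS) session, so the network sees
    a connection to the resolver, not the name being looked up.
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_param(url: str) -> bytes:
    """What the DoH resolver does on receipt: restore padding and decode."""
    param = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("www.google.com")
    print("plaintext query bytes:", q.hex())
    print("name visible on the wire:", observed_name(q))
    print("DoH request (sent inside TLS):", doh_get_url(q))
```

The resolver at the other end decodes the same bytes, which is why the choice of DoH provider matters: the lookup history moves from the ISP to that provider.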

Proponents of DoH cite several advantages of the new routing protocol. First, DoH stops ISPs from recording browser history – one of the biggest privacy concerns, since an ISP knows every web site visited. A user’s browser history reveals a huge amount of information. Of course, some new entity will take over the role of DNS routing and could also create a browser history. Mozilla is using Cloudflare to route DNS, and Cloudflare says that it deletes all browser history every day. This same promise of privacy may not be true for all DoH providers and users might want to think twice before choosing somebody like Google to initiate DoH and collect browser history.

DoH also stops man-in-the-middle attacks. That’s where somebody intercepts a DNS request and sends the user to a different web site. There have been cases in the past where viruses rerouted user traffic to specific web sites to stimulate web usage. Other schemes have rerouted traffic to fake banking or shopping sites to try to coax credit card or account numbers out of users.

DoH also makes it harder for ISPs to engage in targeted advertising. This is something the big ISPs have been eyeing as they try to chip away at the huge advertising revenues earned by Google and Facebook. One of the most interesting benefits of DoH is that it makes it harder for authoritarian regimes to track the web activity of dissidents.

DNS-over-HTTPS is not the only alternate DNS routing protocol and web companies are also exploring DNS over TLS (DoT), which uses the transport layer security protocol on the web to encrypt the DNS request. Over time, the safest alternate protocol will likely prevail, but the goal of both of these new protocols is to encrypt the DNS process to make it safer, with a secondary goal of improving privacy.

Many big ISPs clearly hate the alternate DNS routing schemes since they lose access to customer browsing history. Vice recently reported about a big lobbying effort by Comcast to convince lawmakers to disallow DoH. The protocol is causing controversy in Great Britain where ISPs are required to block pornography unless a user specifically allows it. For now, Mozilla does not offer DoH in Great Britain, but there will be no easy way to stop it after it gets built into the core Android browser and other ubiquitous platforms. Corporate IT staff are also worried about DoH because it makes it more difficult to track employees visiting social media during work hours or browsing dangerous parts of the dark web.

There will be more public discussion about DoH routing as more web browsers include the protocol. Before the dust settles there is likely to be an ongoing tug-of-war between big ISPs, big web companies, and users as the public demands privacy.

Are You Paying to Spy on Yourself?

Geoffrey A. Fowler of the Washington Post recently engaged a data expert to track everything going on behind the scenes with his iPhone. What he found was surprising since Apple touts itself as a company that doesn’t invade user privacy. The various apps on his phone were routinely handing out his personal data on a scale that shocked him.

Fowler’s information was being gathered by trackers. This is software built directly into apps and is different than ad tracking cookies that we pick up from web sites. App makers deliberately build trackers into apps and a user can’t get rid of them without getting rid of the app.

Most apps on his phone had these trackers. That included sites like Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post, and the Weather Channel. Some apps came with numerous trackers. He had a food delivery service called DashDoor that included nine separate trackers. Third parties must be paying to share app space because the DashDoor app included trackers for Facebook and Google – those two companies know every time that app is used to order food.

Almost none of these apps disclosed the nature of what they were tracking. When first loaded, most apps ask for somewhat generic permission to track certain user data but don’t disclose the frequency and the extent to which they will gather data from a user.

This issue has relevance beyond privacy concerns because the apps on Fowler’s phone could collectively use as much as 1.5 gigabytes of data per month on his phone. Industry statistics show that the fastest-growing segment of Internet traffic is machine-to-machine communication, and these app trackers make a significant contribution to that traffic. Put bluntly, a lot of machine-to-machine traffic is either being used to back up files or to spy on us.

This has to be concerning to people who are still on measured cellular data plans. This unintended usage can cost real money and a user can end up paying to have trackers spy on them. Our cellphones are generating broadband usage without our knowledge, and mostly without our explicit permission. I’ve had months where I’ve barely roamed with my cellphone and still have seen more than a gigabyte of usage – I now understand where it’s probably coming from.

PCs and tablets have the same problems, with the data tracking coming more from marketing cookies that are loaded when we visit web sites. I scrub these cookies from my computer routinely. My desktop is only used for work and I still find 40 – 100 cookies every week. One of my blogs last year mentioned a guy who had gone on vacation for a month and was shocked when he returned and discovered that his home network had used several gigabytes of data in his absence.

There are ways to block the trackers on your phone, but this mostly involves deleting apps or turning off permission in your privacy setting, and that largely means the apps won’t work. You can also take steps to disguise your data by passing everything through a VPN, but that doesn’t stop the data from being transmitted.

The phone manufacturers are complicit in this tracking. I just got a new Samsung Galaxy and my new phone came with over 300 apps – most for services I don’t use like Facebook, Spotify, and a ton of others. These various companies must have paid Samsung (or perhaps AT&T) to include their apps and their trackers. I’ll be spending a few days deleting or disabling most of these apps. I find it creepy that Facebook follows me even though I stopped using the site several years ago. And unlike when I download a new app, I didn’t have the opportunity to allow or deny permission to the many apps on my new phone – I assume AT&T gave that permission.

It might be a generational thing, but it bothers me to have companies reaping my personal data without my permission, without disclosing what they are gathering, and how they are using it. I know young people who are not bothered by tracking and assume that this is just a part of being connected.

The other big concern is that the tracking apps are contributing to the capacity problems on cellular networks. I just saw last week that the average US cellphone now uses about 6 GB of data per month. If trackers are pushing out even half a gigabyte per month in usage that is a significant contributor to swamped cellular networks. Cellphone companies are working furiously to keep ahead of the demand and it must be maddening to cellular network engineers to know that 15% – 20% of network usage is being created behind the scenes with app trackers and not from actions taken by users.

In an ideal world, this is something regulators would be investigating to establish rules. Apps like DashDoor shouldn’t be allowed to install a Facebook tracker on your phone without asking for specific and explicit permission. All trackers should have to disclose the exact information they gather about a user and the frequency of that tracking. Unfortunately, this FCC has walked away from any regulatory role in this area. Congress could address the issue – something that European regulators are considering – but this doesn’t seem to be high on anybody’s radar.

A Corporate Call for Privacy Legislation

Over 200 of the largest companies in the country are proposing a new set of national privacy laws that would apply to large companies nationwide. They are pushing to have this considered by the upcoming Congress.

The coalition includes some of the largest companies in Silicon Valley like Apple and Oracle, but it doesn’t include the big three of Facebook, Google and Amazon. Among the other big businesses included in the group are the largest banks like Bank of America and Wells Fargo, big carriers like AT&T and big retailers like Walmart.

As you might expect, a proposed law coming from the large corporations would be favorable to them. They are proposing the following:

  • Eliminate Conflicting Regulations. They want one federal set of standards. States currently have developed different standards for privacy and for issues like defining sensitive information. There are also differing standards by industry such as for medical, banking and general corporations;
  • Self-regulation. The group wants the government to define the requirements that must be met but don’t want specific methodologies or processes mandated. They argue that there is a history of government technical standards being obsolete before they are published;
  • Companies Can Determine Interface with Consumers. The big companies want to decide how many rights to give to their customers. They don’t want mandates for defining how customer data can be used or for requiring consumer consent to use data. They don’t want mandates giving consumers the right to access, change or delete their data;
  • National Standard for Breach Notification. They want federal, rather than differing state rules on how and when a corporation must notify customers if their data has been breached by hackers;
  • Put the FTC in Charge of these Issues. They want the FTC to enforce these laws rather than State Attorney Generals;
  • Wants the Laws to Only Apply to Large Corporations. They don’t want rigid new requirements on small businesses that don’t process much personal data.

There are several reasons big companies are pushing for legislation. There are currently different privacy standards around the country due to actions brought by various State Attorney Generals and they’d like to see one federal standard. But like most laws the primary driver behind this legislation is monetary. Corporations are seeing some huge hits to the bottom line as a result of data breaches and they hope that having national rules will provide a shield against damages – they hope that a company that is meeting federal standards would be shielded from large lawsuits after data breaches.

I look at this legislation both as a consumer and as somebody working in the small carrier industry. With my consumer hat on there are both good and bad aspects of the proposed rules. On the positive side a set of federal regulations ought to be in place for a complex issue that affects so many different industries. For example, it is hard for a corporation to know what to do about a data breach if they have to satisfy differing rules by state.

But the negatives are huge from a consumer perspective. It’s typical political obfuscation to call this a privacy law because it doesn’t provide any extra privacy for consumers. Instead it would let each corporation decide what they want to disclose to the public and how companies use consumer data. A better name for the plan might be the Data Breach Lawsuit Protections Act.

There are also pros and cons for this for small carriers. I think all of my clients would agree that we don’t need a new set of regulations and obligations for small carriers, so small carriers will favor the concept of excusing smaller companies from some aspect of regulations.

However, all ISPs are damaged if the public comes to distrust ISPs because of the behavior of the largest ISPs. Small ISPs already provide consumer privacy. I’ve never heard of a small ISP that monitors customer data, let alone one that is trying to monetize their customers’ data. Small ISPs are already affording significant privacy rights to customers compared to the practices of AT&T, Verizon or Comcast who clearly view customer data as a valuable asset to be exploited rather than something to protect. The ISP industry as a whole would benefit by having rules that foster greater customer trust.

I’m not sure, however, that many small ISPs would automatically notify customers after a data breach – it’s a hard question for every corporation to deal with. I think customers would trust us more if there were clear rules about what to do in the case of a breach. This proposed law reminds me that this is something we should already be talking about because every ISP is vulnerable to hacking. Every ISP ought to be having this conversation now to develop a policy on data breaches – and we ought to tell our customers our plans. Small ISPs shouldn’t need a law to remind us that our customers want to trust us.

Small ISPs and the Internet Bill of Rights

Recently Ro Khanna, a California Congressman, worked with some of the biggest thinkers in Silicon Valley to develop what he’s calling an Internet Bill of Rights – the document included at the end of this blog. This Bill of Rights lays forth the ideal basic right of privacy that users most want out of the Internet.

This document is possibly the start of the process of discussing regulation for the big Internet companies – something that doesn’t exist today. Currently the Federal Trade Commission theoretically can pursue web companies that rip off the public and the Justice Department can tackle monopoly abuses – but otherwise the web companies are not regulated.

It’s becoming increasingly clear in the last few years that web companies have grown to the size where they value profits first, and any principles that were loosely followed in the early days of the Internet are long gone. There are constant headlines now declaring abuses by web companies. Recent Congressional hearings made it clear that the big companies are misusing customer data – and those hearings probably barely uncovered the tip of the iceberg.

The European Union has begun the process of trying to reel in some of the biggest abuses of the web companies. For example, web companies in Europe now have to disclose to users how they intend to use their data. In this country we’re starting to see sentiment from both Democrats and Republicans that some level of regulation is needed.

It won’t be easy to regulate the big web companies, which are now gigantic corporations. I read recently that there are now more lobbyists in DC working for web companies like Facebook and Google than work for the big telcos and ISPs. There will be major pushback against any form of regulation and it would obviously require a significant bipartisan effort over many years to create any worthwhile regulations.

My guess is that the public wants some sort of protection. Nobody wants their data released to the world through data breaches. Most people want things like their medical and financial records kept private and not peddled between big companies on the web. Almost everybody I know is uneasy with how the big web companies use our personal data.

I think this creates an opportunity for small ISPs. There are aspects of this Bill of Rights that the big ISPs will oppose. They are clearly against net neutrality. All of the big ISPs have purchased companies to help them better mine customer data – they obviously want to grab a slice of the money being made by Google and Facebook off user data. The big ISPs are likely to fight hard against regulation.

It’s virtually impossible for small ISPs to violate any of these principles. That creates an opportunity for small companies to differentiate themselves from the big ISPs. I think small ISPs need to tout that they are for net neutrality, that they value customer privacy and that they will never misuse customer data. I have a few clients that do this, but very few make this one of the key ways to differentiate themselves from the big ISPs they compete against.

I strongly recommend giving this some thought. Supporting consumer data rights can be made a key part of small ISP advertising. Some statements akin to the Internet Bill of Rights can be made prominent on web sites. These concepts should be prominent in your terms of service. These are concepts your customers will like and it shouldn’t be hard for any small ISP to embrace them.

Internet Bill of Rights

The internet age and digital revolution have changed Americans’ way of life. As our lives and the U.S. economy are more tied to the internet, it is essential to provide Americans with basic protections online.

You should have the right:

(1) to have access to and knowledge of all collection and uses of personal data by companies;

(2) to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;

(3) where context appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;

(4) to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;

(5) to move all personal data from one network to the next;

(6) to access and use the internet without internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;

(7) to internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;

(8) to have access to multiple viable, affordable internet platforms, services and providers with clear and transparent pricing;

(9) not to be unfairly discriminated against or exploited based on your personal data; and

(10) to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

The Dawson Internet Act of 2018

A few days ago I wrote that we are not likely to get any significant telecom legislation this year. That’s unfortunate because we really need a major new Act to update all of the regulatory rules concerning broadband, telephone and cable TV. That got me thinking what I might write into such an act if I was the author, so following are the highlights of the envisioned Dawson Internet Act of 2018 (it’s time we stop calling this the telecom industry):

Cable TV. It’s time to scrap all requirements that dictate cable tiers. Cable companies need to be able to offer whatever channels they think make economic sense, including offering a la carte channels, if that’s what the public wants. I’d also scrap the must-carry rules for major network stations. The retransmission costs for those channels are one of the primary culprits for rate increases and removing the requirement to carry channels will return cable companies to a position of fair bargaining for price since they could walk away from any local station that wants too much.

Telephone. Other than a few rules that govern customer privacy I’d totally scrap federal regulations for landline service. I’d eliminate the CLEC classification and deregulate traditional telephone and VoIP equally to put the products on a non-regulated level playing field. I think I would retain the historic monopoly service territories, although I’d have to give that a lot more thought.

Interconnection. I’d keep the mandate that network owners must continue to interconnect with other carriers. They can’t be allowed to shut out a competitor by refusing to give them access to the underlying backhaul networks. But since I would eliminate the CLEC status, the big network owners need to be required to interconnect with anybody who meets specified technical standards.

ETC Status. Today a company must become an Eligible Telecommunications Carrier in order to participate in Universal Service Funds or other federal funding programs. I’d eliminate this requirement because it’s nothing more than a paperwork barrier to market entry. The current rules also disallow certain types of providers, such as owners of open access networks, although customers almost universally prefer that operating model.

Broadband. The FCC needs to regulate broadband, even if they elect to regulate it lightly. Congress can mandate this and get rid of the nonsense of trying to make broadband fit under Title II and just explicitly give the FCC the authority and obligation to regulate it.

Network Neutrality. I would make network neutrality the centerpiece of broadband regulation. The most important aspect of network neutrality is prohibiting paid prioritization – because once the ISPs start doing that all of the nightmare scenarios of a broken Internet emerge.

Spectrum. I think the FCC is already on a good path to free up spectrum for broadband. But I think they are missing the boat by not providing more spectrum for public access. One only has to look at the huge economic boom created by WiFi to see that giving all spectrum to big monopolies is not the best answer. I’d also make a firmer use-it-or-lose-it rule for rural spectrum. A huge amount of spectrum sits unused in rural America but is still under control of the big carriers who purchased large-area licenses. Finally, rather than turn spectrum auction proceeds over to the US Treasury I’d redirect these revenues towards meeting universal service goals.

Universal Service. I’d maintain the requirement that the FCC monitor broadband connectivity and require them to try to find solutions for areas without good broadband. I’d also prohibit them from funding any broadband programs like CAF II that support technologies that are slower than the federal definition of broadband. I’d also mandate an ongoing process for defining the official speed of broadband.

Privacy. I like what I’m reading about the European Union privacy rules. They are allowing ISPs and others to monitor and track customers only with customer consent. That will allow people who care about privacy to maintain it while allowing others who choose to sacrifice privacy for services to allow tracking. The penalties for violating customer privacy must be economically severe.

Municipal Broadband. I’d eliminate all barriers to municipal competition. Local communities ought to be able to decide themselves if they want to tackle the risk of building broadband. This is particularly needed in rural America where, in many cases, the local government might be the only one willing to tackle funding a network.

Access to Poles, Ducts and Dark Fiber. I’d make these assets available to anybody that can meet technical standards to use them. I’ve still not decided how I feel about federal one-touch rules, but I’d have the FCC institute a major rulemaking to get more facts on the issues involved.

I’m sure everybody in the industry has a different list than mine. I remember all of the discussions and negotiations leading up to the Telecommunications Act. That Act took some political bravery since Congress was taking on the big telcos for the greater public good – and that Act did a fairly good job of promoting competition. But I don’t see this same courage in Washington today and most of the topics on my list are sadly not even being discussed.

Who Owns Customer Data?

Our homes are starting to get filled with Internet-enabled devices. I recently looked around my own home, and in addition to the expected devices like computers, printers, tablets and smartphones we have many other devices that can connect to the Internet. We have a smart TV, an eero WiFi network, three Amazon Echos, several fitness trackers, and a smart watch. Many homes have other Internet-connected devices like smart burglar alarms, smart thermostats, smart lighting and even smart major appliances. Kids can have smart toys and game consoles these days which have more computing power than most PCs.

Every one of these devices gathers data on us and a good argument can be made that we are all being spied on by our devices. Each device witnesses a different part of our lives, but add them all together and they paint a detailed picture of the activity in your home and of each person living there.

There are numerous examples of companies that we know are using our data:

  • Last year it was revealed that Roomba was selling detailed information about the layouts of homes to data brokers.
  • The year before we found out that Samsung smart TVs were capable of listening to conversations in our living rooms and also had backdoor connections to the Internet.
  • There has been an uproar about smart talking toys that not only interact with kids but also listen and essentially build profiles on them.
  • Smart devices like smart phones, tablets and computers come with software that is aimed at gathering data on us for marketing purposes. This software generally is baked in and can’t be easily removed. Some companies like Lenovo (and their Superfish malware) went even further and hijacked user web traffic in favor of vendors willing to pay Lenovo.
  • Buyers of John Deere tractors found out that while they own the tractor they don’t own the software. The company penalizes customers who try to repair their tractor by anybody other than an authorized John Deere repairperson.

Probably the most insidious result of all of this spying is that there are now data brokers who gather and sell data that can paint a detailed profile of us. These data profiles are then used to market directly to us or are sold to politicians who can target those most sympathetic to their message. It’s also been reported that smart criminals are using this data to choose victims for their crimes.

I’m sure by now that everybody has searched for something on the web, and then noticed that for the next few weeks they are plastered with ads trying to sell them the subject of their search. This happened to me a few years ago when I was looking at new pick-up trucks on the web. But today this goes a lot farther and people complain about getting medical ads after they have searched the web about an illness.

To make matters worse, we have a government regulatory policy in this country that benefits the corporations that are spying on us. Last year Congress passed privacy rules that let ISPs and anybody else gathering raw digital data off the hook. There are essentially no real privacy rules today. Data privacy is now under the purview of the Federal Trade Commission. They might intervene in a particularly egregious case of invasion of privacy, but their rules are not proactive and only can be used to find companies that have already broken the rules. Unless fines grow to be gargantuan it’s unlikely that the FTC will change much of the worst practices using our data.

The European Union is in the process of enacting rules that will clamp down on data gathering. Their rules that go into effect in a few months will require that customers buy in to being monitored. That is great in concept, but my guess is that it’s going to take a decade of significant fines to get the attention of those companies that gather our data. Unless the fines are larger than the gains from spying on people then companies will continue to monitor us, and they will just work harder to hide evidence of spying from the government.

I think there are very few of us who don’t believe our data should belong solely to us. Nobody really wants outsiders knowing about their web searches. Nobody wants unknown companies tracking their movement inside their homes, their purchases and even their conversations. But for now, the companies that are gathering and using our data have the upper hand and are largely free to do nearly anything they want with our data.

The New European Privacy Standards

It’s worth keeping an eye on the new European privacy standards that go into effect in May. Titled the General Data Protection Regulation (GDPR), the new rules provide significant privacy protection for European Union citizens. The new rules are required for all companies doing business in the EU, so that means it applies to the majority of web companies operating in the US. The GDPR rules also apply to brick and mortar companies that collect customer data like banks and doctors. The privacy rules apply to companies that collect data directly from customers (data controllers) as well as any secondary companies that process that data (data processors). Interestingly, under the new rules a data controller is responsible to know what data processors do with the data they provide to them.

The major basis for the new rules is that consumers own and have control of their own data and companies can only use data if there is at least one lawful basis for doing so. This includes:

  • A consumer gives specific permission to use personal data for one or more specific purposes;
  • Processing the data is necessary to meet a contractual arrangement with a consumer;
  • Processing the data is necessary to meet a legal obligation which applies to the consumer;
  • Processing is necessary to protect the vital interests of the consumer or some other natural person;
  • Processing is allowed for the performance of a task carried out in the public interest, such as by the government;
  • Processing is necessary to pursue legitimate interests of the data controller or a third party.

For the most part the new laws require consumers to give explicit consent to use their data, including the specific purpose for the use. Just like in the US, there are provisions for law enforcement to gain access to customer data through subpoena or court order.

Larger companies are expected to create the position of Data Protection Officer who is tasked to make sure that all parts of a company are compliant with the law. As you might expect, meeting these requirements is a major change for many companies and there has been a two-year transition period leading up to the May implementation.

The new law also changes the way that companies store customer data to minimize the impact of data breaches. For example, companies are encouraged to store data in such a way that the stored data cannot be attributed to a specific person without the use of additional data. The law calls this pseudonymisation which means encrypting stored data and storing it in a manner to make it hard for an outsider to use. For example, a company would not store things like a social security number, date of birth, address and email address all in the same record.

The law has teeth and allows for fines up to 4% of the worldwide revenues of a business for massive violations of the rules. The expectation is that there will probably have to be a few serious fines levied to get most companies to get serious about following the new rules.

Overall this law creates a drastic change in the handling of customer data. Companies will not be allowed to mine and sell customer data without specific customer approval. It seems to particularly discourage the practice of selling data to brokers who can then use the data in any manner they choose. In this country companies like Google and Facebook make huge revenues from data mining and the big ISPs are now leaping into this same business line. In Europe this is going to greatly restrict the value of selling customer data.

This new law is worth following since the big web companies that are so predominant in this country are going to be complying with the new rules. This means it would be relatively easy at some point to require similar rules here concerning customer data.

The GDPR data storage rules also have the purpose of limiting the value of data breaches. If we see a great reduction in damaging hacking in the EU because of this law, then companies here might begin following the EU recommended data storage methods even if the privacy rules are never implemented here. Some of the most damaging hacks we’ve seen here are when a hacker gets records that provide multiple data points for a given customer. If a hacker can’t use the data to put together a coherent picture of a given customer then the value of a breach is greatly reduced.
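The storage idea described above, keeping data so that it cannot be tied to a person without additional data, can be sketched as follows. This is an added example, not code from the original post or from the GDPR text; the HMAC token scheme, the field names and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; every value is made up for this example.
CUSTOMERS = [
    {"ssn": "000-12-3456", "dob": "1980-02-29", "email": "pat@example.com",
     "address": "1 Main St", "plan": "100 Mbps", "monthly_gb": 412},
    {"ssn": "000-65-4321", "dob": "1975-07-04", "email": "sam@example.com",
     "address": "9 Oak Ave", "plan": "1 Gbps", "monthly_gb": 1280},
]
DIRECT_IDENTIFIERS = ("ssn", "dob", "email", "address")


def pseudonym(key: bytes, ssn: str) -> str:
    """Keyed token; an unkeyed hash of an SSN could be matched by guessing."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def build_stores(key: bytes, records):
    """Split records into an identity vault and a pseudonymised usage store."""
    vault, usage = {}, {}
    for rec in records:
        vault[rec["ssn"]] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        usage[pseudonym(key, rec["ssn"])] = {
            f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
    return vault, usage


def reidentify(key: bytes, vault, usage, ssn: str):
    """Re-join one customer's data; the key is the 'additional data' needed."""
    identity = vault.get(ssn)
    attrs = usage.get(pseudonym(key, ssn))
    if identity is None or attrs is None:
        return None
    return {**identity, **attrs}


def leaked_fields(store) -> set:
    """Field names an intruder sees if only this one store is copied."""
    return {field for row in store.values() for field in row}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumed to be held apart from both stores
    vault, usage = build_stores(key, CUSTOMERS)
    print("usage store exposes:", sorted(leaked_fields(usage)))
    print("re-joined:", reidentify(key, vault, usage, "000-12-3456"))
```

Someone who copies only the usage store gets plan and usage figures under opaque tokens, and even with both stores the rows cannot be matched up without the key.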