39 comments

[ 4.3 ms ] story [ 84.4 ms ] thread
A bit of a clickbaity HN link. Full article headline: "Forcing us to get consent before selling browser histories violates our free speech, US ISPs claim". And subhead: "That ain't the way life should be, Maine responds".
HN has a 80-character title limit and it's not always clear how to paraphrase a longer title.
How about "Forcing consent before selling browser histories violates free speech, say ISPs"?
Or perhaps "ISPs say selling browser histories without consent is free speech".

The difference is small, but it eliminates the tangles of who is doing what in the verbs "forcing" and "violates".

That's the usual issue with Reg headlines, they need some trimming before fitting in the title limit here.
I am not a lawyer but the argument in the lawsuit does not look compelling, insofar as the Register describes it. This seems like a tactic to tie up enforcement while the plaintiffs lobby for more favorable laws in Maine and elsewhere.
Although I am not at all sympathetic to these ISPs, I do agree that privacy protections ought to apply uniformly to all sellers and service providers.
I agree with you but there's arguably a line to be drawn between say the Facebooks or Googles of the world - where arguably you're giving consent by using the platform and there are others to choose from - and ISPs especially as there may only be one ISP available to you in rural Maine.
No need to go all the way to rural Maine. In NYC and SF, I've never had more than 2 options both of which are terrible and have the same faults and flaws. A 2 company oligopoly with high annoyance/cost of switching is not much better than monopoly.
> Although I am not at all sympathetic to these ISPs, I do agree that privacy protections ought to apply uniformly to all sellers and service providers.

ISPs are different because of the lack of competition. If you don't like Google you can use Duck Duck Go. If you don't like WhatsApp you can use Signal. If you don't like Windows 10 you can use Ubuntu (or, if you want to argue Windows is still a monopoly, Microsoft should move to the "monopolists" column and be subject to the stricter rules).

In particular, in those cases the competitors actually do have meaningfully more respect for privacy. In markets where every reasonably available provider snoops and the market has high barriers to entry, that's a different situation.

Lack of competition certainly limits customer options if there's no statutory privacy protection. However, I don't get how privacy protection is so distinguishable from statutory protection against fraud, for example.

Also, if competitors do respect privacy, why would statutory protection be burdensome?

> However, I don't get how privacy protection is so distinguishable from statutory protection against fraud, for example.

The issue is that "privacy" itself becomes ambiguous in many contexts.

For an ISP this is easy, because they can forward your traffic without ever storing any of it. They have no legitimate reason to keep it and they only want to in order to invade your privacy, so there is nothing good lost by prohibiting that.

By contrast, how do you make Waze work without user location data? How do you make recommendations based on viewing history without keeping viewing history? How do you ship a physical product to a customer without having their mailing address? In these cases it's not just a simple matter of not collecting the data.

So the problem is the complexity of the rules. "ISPs shouldn't store any user internet traffic or metadata" is simple and reasonable, and is necessary because without it the one or two local ISPs would all do the opposite and no one would have a choice.

Applying a much more complicated set of rules to companies that do have legitimate reasons to collect some data or use it for various things customers actually want has both higher costs from an administrative perspective and lower benefits because viable privacy-respecting competitors actually exist in real life for the people who don't consent.

I concede that privacy is less clear cut than fraud. But even fraud can be ambiguous. As in the recent thread about Amazon.

Anyway, it's my impression that ISPs already log some traffic metadata, given that I read about requests from police etc. And of course there are capabilities under CALEA.

And it's understandable that they'd like to earn some money from it, just as Google etc (and my bloody credit providers) do.

Selling and shipping stuff obviously requires information about customers, such as names, mailing addresses, phone numbers, and credit card numbers. But why should they get to monetize that information, in ways that don't benefit me? That's arguably as clear a distinction as ISPs being unable to monetize by traffic metadata.

I agree that it's more complicated for services that require browsing and location history. But I suspect that much more processing could be done locally. And where that was unworkable, information could be firewalled from other business units.

And even about ISPs without meaningful competition, customers can always use VPN services. That's become quite common in many places.

My ISP gets nothing from me except which VPN service I use, and throughput vs time. And that VPN service gets nothing from me except which VPN services I use through it. And so on until the last VPN service, unless I'm using Tor.

Also, the availability of privacy-respecting alternatives doesn't protect people who are too clueless to use them.

> I concede that privacy is less clear cut than fraud. But even fraud can be ambiguous. As in the recent thread about Amazon.

Fraud isn't a huge regulatory framework. The main reason for that is that you need intent to defraud, which can be ambiguous around the edges but it's pretty damn hard to do it by accident. The analogous thing for privacy would be prohibiting the sale of private data -- and that's probably a good idea. Because it's pretty hard to do that by accident and most honest businesses don't do it at all, so you're not putting a huge compliance burden on millions of unsuspecting businesses, only the few that actually sell data.

But there are still some nasty things you can do with private data without actually selling it. That's not as easy.

> Anyway, it's my impression that ISPs already log some traffic metadata, given that I read about requests from police etc. And of course there are capabilities under CALEA.

Whether they do it or not, there's no technical necessity to do it in order to deliver internet packets. There could be a law outright prohibiting it and it wouldn't make them any worse at being an ISP.

And if there is some interesting thing the user wants that could be done by logging internet traffic, let it be done at the endpoints by some independent company which doesn't have so much leverage over the user.

> Selling and shipping stuff obviously requires information about customers, such as names, mailing addresses, phone numbers, and credit card numbers. But why should they get to monetize that information, in ways that don't benefit me?

The problem is how to distinguish what benefits you. That turns out to be a very complicated question, and governments manage complexity very inefficiently. So it's usually better to leave most of that to individual choices -- as long as the choices are available, i.e. there is adequate competition.

> I agree that it's more complicated for services that require browsing and location history. But I suspect that much more processing could be done locally. And where that was unworkable, information could be firewalled from other business units.

Right, so it's technically possible but in order to get there you have to do a detailed analysis and everybody will have different opinions about the relative trade offs.

That's hard to make a regulation out of -- either you hard-code detailed information which then quickly becomes outdated and which nobody really agreed was right to begin with, or you try to be flexible which means nobody really knows how to comply with it and huge companies with lawyers have enough ambiguity to argue their way out of anything.

Either it needs to be much simpler than that, or you need exemptions for everybody but megacorps in which case you can use the inflexible detailed long-form regulations without worrying about the compliance costs bankrupting anybody, since it only applies to entities capable of absorbing the cost. An example of which is applying it only to large ISPs.

> And even about ISPs without meaningful competition, customers can always use VPN services. That's become quite common in many places.

I think this would be a better argument if a majority of people actually used them. As it is you essentially have a knowledge barrier which prevents them from serving as viable competition.

> Also, the availability of privacy-respecting alternatives doesn't protect people who are too clueless to use them.

And maybe that's the real answer. Don't go to the government for regulations at all, instead go to them for money, DARPA style, to get the things that use local processing and aren't dependent on advertising to fund development into a state that the majority of people are actually using them.

> Fraud isn't a huge regulatory framework. The main reason for that is that you need intent to defraud, which can be ambiguous around the edges but it's pretty damn hard to do it by accident. The analogous thing for privacy would be prohibiting the sale of private data -- and that's probably a good idea. Because it's pretty hard to do that by accident and most honest businesses don't do it at all, so you're not putting a huge compliance burden on millions of unsuspecting businesses, only the few that actually sell data.

I'd settle for sale being illegal.

> But there are still some nasty things you can do with private data without actually selling it. That's not as easy.

True. But as you say, that quickly gets complicated.

> And maybe that's the real answer. Don't go to the government for regulations at all, instead go to them for money, DARPA style, to get the things that use local processing and aren't dependent on advertising to fund development into a state that the majority of people are actually using them.

That would be very cool.

> ISPs are different because of the lack of competition. If you don't like Google you can use Duck Duck Go.

This is very much not the case both ways. Yes, you could use DuckDuckGo instead of Google. But by the same logic you can always use some local DSL provider for your ISP. That is still a thing in most places. Of course, you will get 1.5Mbps instead of 50Mbps via Comcast, but it is not like DDG provides the same range of service as Google either.

This is a bad comparison for 2 reasons:

1. [Opinion] As someone who uses DDG for 95%+ of my queries, the sacrifice is orders of magnitude less than using the local DSL provider in your example.

2. [Fact] Switching ISPs has a much higher cost. Switching back to Google for a few minutes if DDG isn't getting the job done is three keystrokes: " !g".

There is also a third reason. Having the option of DSL doesn't do any good if the DSL provider doesn't respect privacy either.

The question isn't whether a viable competitor exists, it's whether a viable competitor that respects privacy exists.

Further to this, in Canada at least, all DSLs are subleasing lines in bulk from one single backbone provider (Bell). Competition is legislatively required but de facto questionably existent; in addition I would be surprised that Bell doesn't have all the aggregate data on traffic through subleasing ISPs as well.
Does DDG do spreadsheets? Document editing? Maps and direction finding? Video streaming? Photo management? DDG is nowhere near providing the services that Google provides.
They are not comparable at all.
Why? The original comment I was replying to claimed that Google is not a monopoly because you can easily replace Google with DDG. Which is bullshit. Google provides dozens of services (search, gdocs, photos, youtube, maps etc) where DDG only provides one. And even with the one it does provide, the search results are a lot less useful in about 50% of the searches I do. Which is why I don't use DDG even for search. So yeah, if you are going to argue that I can replace Google with DDG, I am going to argue that you can replace gigabit fiber connection with dial-up.
Internet speed matters. If you can't watch streaming video, just for example you're not really getting the same service. The FCC divided access types by whether they are "broadband" or not (currently defined as 25 Mbps down / 3 Mbps up). The number of ISPs which offer broadband access to a given home is usually exactly 1.
I'm always surprised when I see posts about only having a single option for broadband. I've got three options currently, with Verizon 5G Home literally a block away.

I'm in a Detroit suburb, but I guess I'm an outlier.

ISPs are often given franchises by local governments. They agree to make service available to a certain % of residents, even if they are not individually profitable, and provide decent speeds to schools etc. In exchange they get access to rights-of-way to run cables and other things that make competition difficult. It's kind of a natural monopoly anyway since keeping up all the physical plant is expensive and there's no reason for multiple companies to do it, kind of like water or power companies.
They could share infrastructure, as electricity providers do.
I think this could recreate the problem to some extent, as the shared infrastructure would be owned/administrated by someone, who then would have lots of aggregate data to sell.
Why is DSL so bad in the US? In the UK dsl runs at something like 70mbit. Sure that can drop if you’re a long way from the cabinet, but there’s nothing about dsl that’s particularly slow
The market of "local DSL providers" no longer exists in the way you're invoking. While you used to be able to get a slower but customer-friendly circuit from eg Speakeasy or local dialup ISPs that moved into DSL, such general competition has withered. Outside of dense markets with decent competition, "DSL" has come to mean one single budget option from the incumbent phone company, also operating as a monopoly.

The argument is also a bit of a red herring, because even with vibrant DSL competition, the same argument could be made by the monopoly ILEC against a privacy-respecting CLEC.

> If you don't like Google you can use Duck Duck Go

This is not true. Sure, you can stop searching with Google. But Google, being a surveillance company, collects data from many sources besides search. They have gotten most websites to implement their bugs (Analytics and Recaptcha), and buy troves of data from other surveillance companies (Experian, LexisNexis, etc), so it is impossible to just "stop" being abused by them.

I personally believe that the best way is to fix the longstanding security problems in web browsers that leak all of this personal information in the first place. But as long as we're talking about legalistic approaches, then it seems eminently reasonable to condemn all surveillance companies for unilaterally snooping (including the faux consent of purported "contracts"), the same way that if I leave my curtains open and someone snaps a picture of me naked, they're not free to openly sell it.

> Sure, you can stop searching with Google. But Google, being a surveillance company, collects data from many sources besides search.

So choose alternatives to the other things too and/or install a browser plugin that blocks their tracking bugs.

> and buy troves of data from other surveillance companies (Experian, LexisNexis, etc)

The perpetrators in that case are the other surveillance companies. But now we're getting into the real trouble here -- there are places you can get a loan without credit reporting, but you won't get the same interest rate, because the lower interest rate from the places that use credit reporting is a direct result of the way in which credit reporting affects likelihood to repay the loan. So what do you expect to happen to loan interest rates if you make it illegal to set the interest rate based on whether the user consents to credit reporting?

It's problems like that which make privacy regulations hard, and justify applying them primarily to companies that lack effective competition.

> So choose alternatives to the other things too

It's only appropriate to say this in the context of what one can possibly try doing, not as a justification based on failing to have done this. The amount of websites deploying surveillance is the sheer majority of all websites, especially for many specific sectors.

> and/or install a browser plugin that blocks their tracking bugs

I did say that I have the highest hope in technical solutions, but once again this eventual hope is not a justification for writing off legalistic approaches.

> So what do you expect to happen to loan interest rates if you make it illegal to set the interest rate based on whether the user consents to credit reporting?

For one, secured interest rates wouldn't changed appreciably because there is collateral to foreclose. Even so, any increase would make asset prices drop such that more people would be able to own things rather than renting them from banks. Surveillance and financialization are both centralizing forces, and I am generally opposed to both.

As for the general idea of legitimate interests for consumer surveillance, these records should ultimately be under the control of the surveillance subjects ourselves rather than unaccountable hostile parties. At the very least, a surveillance subject should be able to request a copy of all records, request that they be deleted, and request that they be reinstated from a signed export (and ideally only processed for a very narrow purpose).

The real headline should be that government agencies in the US are too addicted to getting easy data from ISPs via nearly due-processless administrative subpoena (or just by asking) to prosecute their unlawful wiretaps for what they are (e.g. 18 U.S. Code § 2511 federally, various laws at state level), so instead are wasting time and money twiddling around the edges and trying to restrict the selling instead of doing anything that would endanger the collection.
This data shouldn't even be collected in the first place.
Why not? It's simply too valuable not to be collected.
Because collecting it leads to using it, and using it leads to the surveillance dystopia we're just starting to get a taste of.
All privacy constraints violate free speech. HIPAA? Free speech violation. Banking privacy/secrecy regulations? Free speech violation. Protecting the identity of crime victims? Free speech violation.

For that matter, laws against slander? Free speech violation. Laws against false accusation? Free speech violation. Laws against false advertising? Free speech violation. Laws against filing false tax returns? Free speech violation. Laws against perjury? Free speech violation.

So, if free speech is your only lens through which you view the legal system, there are a lot of free speech violations that are currently (and correctly) encoded into law. Privacy violations are one major area. So this violates the ISPs free speech, in order to protect their customers' privacy? Sounds perfectly fine (and normal) to me...