Privacy advocates supported an ISP privacy bill in the District of Columbia Council. Countering President Donald Trump’s repeal of FCC broadband privacy rules, the bill would require carriers to get opt-in consent from customers about use and sharing of sensitive personal data and opt-out consent for nonsensitive private information (see 1707120053). In a Monday letter, the American Civil Liberties Union of D.C., Consumers Union and others urged D.C. Council Business and Economic Development Chair Kenyan McDuffie (D) to hold a hearing on B22-0403. After national Republicans repealed FCC broadband privacy rules, “it is incumbent upon local governments to fill that gap in protections for consumers,” the groups wrote. Like the FCC rules, the D.C. bill “essentially codifies existing business practices,” they said. “The public wants these protections.” A similar bill in California failed last week; several other state ISP privacy bills also failed to make it to the finish line this year.
The Alliance for Telecommunications Industry Solutions and Neustar said testing of caller authentication standards “is well underway” and 19 telecom companies signed on to tests in the ATIS testbed. “This industry interoperability testing is taking place through a virtualized testbed and software implementation at a facility exclusively hosted by the Neustar Trust Lab,” said in a Tuesday news release. The testbed was launched to support efforts of the Industry Robocall Strike Force (see 1610260053) to curb unwanted robocalls, a news release said. On Monday, FCC Chief of Staff Matthew Berry said curbing illegal and unwanted robocalls is a top FCC consumer focus (see 1709180015). ATIS said participation in the testbed shows commitment to the Secure Telephone Identity Revisited Signature-based Handling of Asserted information using toKENs approach to call authentication. “The growing number and variety of participants using the testbed -- communications service providers, network manufacturers, solution vendors and government agencies -- speaks to the urgency and the industry’s overall commitment to combatting unwanted robocalling and caller fraud,” said Hank Skorny, Neustar senior vice president.
European Justice Commissioner Vera Jourová "stressed the importance of a robust and trustworthy annual review [of the Privacy Shield], given the concerns of European stakeholders" to Commerce Secretary Wilbur Ross, said a European Commission spokesman in a statement Monday. Acting FTC Chairman Maureen Ohlhausen and representatives of European data protection in Washington also attended the launch of the EU-U.S. Privacy Shield review was also attended. The EC spokesman said Jourová emphasized the review should show how U.S. commitments are being met, that the underlying U.S. legal framework remains in place and oversight mechanisms, namely the State Department ombudsperson, are functional. Experts said the review may find faults within the framework, but expect the agreement to be maintained (see 1708210043). Jourová and Ross plan to meet Wednesday to discuss how the review went and areas to address or if more information is needed to complete it, the EC spokesman said. Jourová, he said, plans to issue a report in the second half of October. In a statement, Jourová said the meeting with Ross was "good and honest ... I am glad to be reassured that America First doesn't mean America only." Commerce didn't comment and the White House said last week the U.S.'s commitment "cannot be stronger." The Computer & Communications Industry Association and U.S. Council for International Business joined others (see 1709150024) supporting the agreement and review. USCIB said the framework is promoting stronger protections of people's personal data and is an effective mechanism for certification by small- and medium-sized businesses. It said longevity of the agreement is important. Nearly 2,500 businesses are certified under the agreement, according to the Privacy Shield website.
A California assemblymember promised to keep fighting for an ISP privacy bill to codify repealed FCC broadband rules, after his bill failed to pass the legislature Friday. "While I am disappointed that AB 375 was not taken up for a vote on the Senate floor, I remain committed to securing the right for California consumers to decide for themselves how their personal information can be used by their ISP," said bill author Ed Chau (D) in a statement Monday. The "common sense legislation" has "overwhelming bipartisan" public support, "and I will resume advancing this policy when we reconvene in a few months," he said. "In the dead of night, the California Legislature shelved legislation that would have protected every Internet user in the state from having their data collected and sold by ISPs without their permission," blogged the Electronic Frontier Foundation, accusing legislators of putting "profits of Verizon, AT&T, and Comcast over the privacy rights of their constituents." Others cheered. "Good riddance," blogged Doug Brake, senior telecom policy analyst at the Information Technology and Innovation Foundation. The bill "might have been good politics, but it was bad policy," he wrote: "The poorly balanced federal rules were the product of an ill-advised power grab by the [FCC] -- both Congress and California were right to nix them." American Enterprise Institute visiting scholar Roslyn Layton said the bill "probably" violated the U.S. Constitution's First Amendment free speech rights and Commerce Clause. "While states have some leeway to regulate commerce within their borders, Dormant Commerce Clause arguments have been used to challenge state-level internet regulation, showing that it discriminates against and unduly burdens commerce," she blogged. The "discriminatory" FCC rules target ISP efforts to tap advertising to support broadband, she wrote.
A California bill requiring ISPs to get express consent from consumers to use, disclose and sell personal data (see 1707170052) is heading for a Senate vote Friday, blogged Electronic Frontier Foundation Legislative Counsel Ernesto Falcon. That's the last day of the legislature's session and, if the bill passes, it would be sent to the governor this year, he said. The Senate Rules Committee Chair and Senate Leader Kevin de Leon decided Tuesday to move AB-375, which unanimously passed the Assembly in May, for a vote, among other procedural steps, blogged Falcon. "The bill’s final version continues to mirror the now repealed FCC broadband privacy rule and the bill as it stands now would effectively return power to California consumers over personal data that their ISP obtains from the broadband service," he wrote. "That means your browser history, the applications you use, your location when you use the Internet are firmly controlled by you." A call to confirm the vote with the office of Assemblymember Ed Chau (D), who introduced the bill, wasn't returned.
California legislators shouldn’t rush a vote on proposed ISP privacy rules because AB-375 hasn’t received “full policy vetting,” California Cable & Telecommunications Association President Carolyn McIntyre told us. She said CCTA supports holding AB-375 in the Senate Rules Committee, which would prevent a vote by the Sept. 15 legislative deadline. The bill was amended last month to align it more closely to the FCC rules that President Donald Trump repealed but “the legislation completely disregards the 170 page order that provided guidance and detailed explanations, analysis, and clarifications of how the rules are to be interpreted and applied,” McIntyre said. “The legislation would be open to broad interpretation that could only be resolved through costly litigation.” The California Chamber of Commerce also supported holding the bill, but the Electronic Frontier Foundation and other privacy advocates seek a vote because they said the majority of the California legislature supports the bill (see 1709060053).
Reversing a policy instituted in November, Uber will again give riders the option of whether to allow the company to track their location data after they're dropped off, which drew praise from Senate Privacy, Technology and the Law Subcommittee ranking member Al Franken, D-Minn., who criticized the practice (see 1612210039). An Uber spokeswoman said Tuesday riders told the company last year's policy change, which sought to improve user experience, "missed the mark." She said Uber is trying to "make things right" with the reversal. Post-trip collection is suspended for iOS and Android systems, and the new settings will appear in the next few weeks for iOS users, which gives them three options: always have Uber collect location information, do so only while using the app or disable location services altogether. Franken urged the company in December to rethink its policy. He now said Americans have a basic privacy right and "deserve a meaningful opportunity to decide for themselves the fate of their personal data." Two weeks ago, the company settled with the FTC over privacy and security allegations (see 1708150010).
Web hosting company DreamHost will face DOJ in District of Columbia Superior Court Thursday over the government's demand for information on protesters in a criminal investigation of the Jan. 20 protests. Justice initially sought information about 1.3 million IP addresses that visited disruptj20.org (see 1708140063) but said in a Tuesday filing it has "no interest" in those records. "What the government did not know when it obtained the Warrant -- what it could not have reasonably known -- was the extent of visitor data maintained by DreamHost that extends beyond the government's singular locus in this case," the filing said. DOJ said it modified its warrant to minimize information collected. It said it tried to talk to DreamHost but "those attempts have proven unproductive" since the company says the warrant is improper. DOJ's move to narrow the scope of data sought is a "huge win" for privacy, blogged the company, saying much of the original demand for information is in place and that's "problematic." Justice said it still wants DreamHost to provide records for the account in question, such as subscribers' names, addresses, email addresses, phone numbers and means of payment. The department said a small group of individuals used the site to publicly spread information but also privately communicate among a small group "whose intent included planned violence." It said the investigation resulted in 19 guilty pleas and nearly 200 pending criminal cases. DOJ said the warrant won't be used to identify political dissidents.
Uber settled with the FTC over allegedly deceiving consumers by failing to oversee employee access to sensitive consumer data and reasonably securing such information stored in the cloud. Commissioners voted 2-0 Thursday to issue the administrative complaint and accept the consent agreement. Comments are due Sept. 15. Acting FTC Chairman Maureen Ohlhausen said in a conference call with reporters that the investigation began after media outlets in November 2014 reported that Uber employees accessed personal consumer data. The order requires the company to create "culture of privacy sensitivity," she said. Under the settlement, Uber must avoid misrepresenting how it internally monitors access to customers' personal data and how it protects their data. The company must implement a comprehensive privacy program addressing risks from current and new products and services and the confidentiality of the personal data collected. Within 180 days and every two years after that for the next 20 years, Uber must get independent, third-party audits certifying the privacy policy meets or exceeds the order's requirements. Ohlhausen said no financial penalty was imposed because the agency can get money only when it can point to financial losses. She said if Uber violates the order, the FTC can pursue a civil penalty. A spokesman said the company has "significantly strengthened our privacy and data security practices since [2015] and will continue to invest heavily in these programs." Uber hired its first chief security officer at the time and "now employ hundreds of trained professionals dedicated to protecting user information." Uber has been under FTC scrutiny in other cases. Consumer Watchdog in April lodged a complaint that the company deceptively tracked its app users after they deleted the app from their iPhones (see 1704270014). The FTC has said it doesn't comment on investigations. In January, the agency over allegations Uber misled prospective drivers about potential earnings and overstated favorable terms for car financing (see 1701200002).
Verizon received nearly 139,000 subpoenas, orders, warrants and emergency requests, from federal, state and local law enforcement agencies for the first half of 2017, almost 3,000 more requests than the same period last year, said the telco's transparency report Monday. The company received 9,500 fewer demands in the last half of 2016, it said. Of the 2017 demands, more than 68,000 were subpoenas, more than 32,300 were orders and more than 28,300 general orders, more than 10,700 were warrants and nearly 27,500 emergency requests from law enforcement. The company said it rejected about 3 percent of all demands it received because they were legally invalid and may need a "different type of legal process" for the requested information. The report doesn't include statistics for AOL acquired in 2015, nor Yahoo, bought in June. Those companies, now called Oath, will issue a separate report, the telco said. The company said it also received between 0-499 national security letter demands for the first half of this year. General Counsel Craig Silliman blogged that the company will file a joint amicus brief with other tech companies in a Supreme Court case that will determine whether customers have a reasonable expectation of privacy in their cellsite data conveyed to their providers. The high court said in June it will hear Carpenter v. U.S. (see 1706050006). Silliman urges Congress to pass updates to the Electronic Communications Privacy Act (see 1707270043) and approve the International Communications Privacy Act (see 1708010053).