[LINK] Do Not Track Bill Threat to American Way of Life

Roger Clarke Roger.Clarke at xamax.com.au
Tue May 10 10:47:56 AEST 2011 

[Mega-corps resort to 'the sky is falling' defence against privacy 
legislation.]


Google, Facebook: "do not track" bill a threat to California economy
By Matthew Lasar |
Published 3 days ago - twerps, i.e. c. 7 May 2011
ArsTechnica
http://arstechnica.com/tech-policy/news/2011/05/google-facebook-fight-california-do-not-track-law.ars

Google and Facebook are warning legislators of dire consequences if 
California passes a "do not track" bill. The proposed law would 
require companies doing online business in the Golden State to offer 
an "opt-out" privacy mechanism for consumers.

Senate Bill 761 "would create an unnecessary, unenforceable and 
unconstitutional regulatory burden on Internet commerce," says the 
letter in opposition to the measure. "The measure would negatively 
affect consumers who have come to expect rich content and free 
services through the Internet, and would make them more vulnerable to 
security threats."

*   Signed: Google, Facebook, Time Warner Cable, CTIA - The Wireless 
Association, the California Chamber of Commerce, and about thirty 
other associations and companies.

A method for consumers

The legislation in question comes from the office of state senator 
Alan Lowenthal (D-Long Beach). Lowenthal's bill would require the 
state's Attorney General to deploy regulations by July 1, 2012 
forcing any business that uses, collects, or stores online data to 
offer California consumers "a method to opt out of that collection, 
use, and storage of such information."

According to its summary, the bill would specify:
that such information, includes, but is not limited to, the online 
activity of an individual and other personal information. The bill 
would subject these regulations to certain requirements, including, 
but not limited to, a requirement that a covered entity disclose to a 
consumer certain information relating to its collection, use, and 
storage information practices. The bill would, to the extent 
consistent with federal law, prohibit a covered entity from selling, 
sharing, or transferring a consumer's covered information. The bill 
would make a covered entity that willfully fails to comply with the 
adopted regulations liable to a consumer in a civil action for 
damages, as specified, and would require such an action to be brought 
within a certain time period.

What would this "covered information" include? The "date and hour of 
online access," the location from which the information was accessed, 
the "means" (presumably the broadband device and its operating 
system) by which the data was obtained and stored, the user's IP 
address, "personal information" that would include but not be limited 
to postal and e-mail addresses, and government identification numbers 
such as drivers' licenses, passport numbers, and tax IDs. Credit card 
numbers and security codes are also part of the definition. 

Entities that do not collect "sensitive information" would be exempt 
from the law, however. These are defined as services that do not 
obtain and store information that relates directly to a consumer's 
medical history, ethnicity, religion, sexual orientation, or 
financial status.

Google/Facebook's case against 761

Google, Facebook, and company argue against this bill on a variety of 
grounds. First, they claim that various California laws already 
protect the privacy of online consumers. Although none are mentioned 
in the letter, laws like the Consumer Protection Against Computer 
Spyware Act bars enterprises from deceptively collecting personally 
identifiable information.

"All of these laws also contain important exceptions and balances so 
that they are workable," the letter contends. "SB 761 contains none 
of these limitations, and instead leaves the Attorney General's 
office the complex and delicate task of figuring out what to exempt."

Second, the letter points out that the four leading Web 
browsers-Internet Explorer, Firefox, Safari, and Google 
Chrome-already offer various means of preventing advertising 
companies from tracking users. Firefox's private browsing mechanism 
and Chrome's "incognito" windows would be examples of these, and some 
browsers are now supporting "do not track" headers as well. The 
letter also cites self-regulatory programs such as the Network 
Advertising Initiative and the Digital Advertising Alliance, which 
offer "easy-to-use mechanisms to opt out of interest-based 
advertising from more than 60 companies."

"The Federal Trade Commission and Department of Commerce have 
endorsed self-regulation in this area as the preferred policy 
approach-and these programs in particular, which have broad industry 
support and which already provide consumers with enhanced 
transparency and choice far more rapidly than cumbersome rulemaking," 
the missive adds.

However, the FTC has warned the industry that if self-regulation 
doesn't work, Federal "do-not-track" regulation is high on the agenda.

Third, the letter says that 761 would hurt California's 
economy. "California leads the world in Internet commerce; the sector 
employs an estimated 162,000 people, generates billions of dollars in 
revenue and is the fastest growing source of jobs in the state," the 
companies note. "SB 761 would create a second, conflicting set of 
standards to which companies would have to conform or else face class 
action lawsuits."

Finally, the companies call the legislation unconstitutional-an 
inherent appropriation of Congress's authority over interstate 
commerce, since every non-California-based company that wants to do 
business with California would have to alter its privacy practices. 
"As a result, any out-of-state company affected by the law would be 
entitled to bring a Commerce Clause challenge," they claim.

Analyzing data

To borrow a line from Hamlet's mother, there's a distinct 
the-lady-doth-protest-too-much quality to this letter-a summoning of 
everything in the rhetorical kitchen sink that might scare California 
politicians away from the bill. In fact, Lowenthal's proposed law 
permits the Attorney General some flexibility. Exemptions can be made 
on behalf of online companies that are:

(A) Providing, operating, or improving a product or service used, 
requested, or authorized by an individual, including the ongoing 
provision of customer service and support.

(B) Analyzing data related to use of the product or service for 
purposes of improving the products, services, or operations.
[and]

(F) Complying with a federal, state, or local law, regulation, rule, 
or other applicable legal requirement, including, but not limited to, 
disclosures pursuant to a court order, subpoena, summons, or other 
properly executed compulsory process.

Exemption B in particular seems wide enough to drive at least several 
digital trucks through. But whatever you think about this issue, the 
letter shines light on the degree to which Facebook and Google not 
only identify with advertising companies, but see themselves as such 
companies.

Legislative websites are notoriously slow to update bill status, but 
the California Senate portal says that Senate Bill 761 has been 
referred to its Committee on the Judiciary.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list