Hollings Introduces Privacy Bill

Dynedain writes "Senator Disney (aka Hollings) is apparently trying to get on techies' good side. ZDnet is reporting he is proposing a bill for 'net privacy' requiring opt-in agreements when companies want to sell 'sensitive' information (medical history, sexual preference, etc.) and opt-out agreements when selling non-sensitive (buying habits). US Chamber of Commerce is opposing this." Another article on Newsbytes notes that there are likely to be several privacy bills floating around, offering different levels of actual protection.

Great...

[Deluge]

Now /. has another guy to have a love/hate relationship with.

Anyways, he's not trying very hard. All information that could be shared should be opt-out. Sharing very private information, like medical histories, is already well protected, and people's tendency to not notice opt-out options for buying habits and such will do nothing to stem the flow of spam and junk mail. Oh well.

Its the classic 'common sense' issue

[rednuhter]

The idea that the opt-in is for 'sensitive' information and opt-out for 'non-sensitive' information should apeal to most people.
The problem lies in what is 'sensitive' information and 'non-sensitive' information.
It can vary wildly based on context and how the data is processed (the old, unique Id is the only directly identifing feature but link it to too many data references and you have the complete individual).
If you think about it, the proposal can never be policed.

Is /. going to bash him for this too?

[Argyle]

Is the /. crowd in favor of privacy legislation or do we take a Libertarian viewpoint on this as well and call privacy legistlation an affront to free speech?

Viddy well my droogs, you don't want to be hypocritical here.

Privacy bills like this will have a huge impact on the consumer's protection, but also have a huge cost to growing internet companies.

As Hollings said ...

[ProfMoriarty]

"Privacy fears are stifling the development and expansion of the Internet as an engine of economic growth," Hollings, chairman of the Senate Commerce Committee, said in a statement.

Replace the Privacy with Piracy, and you get the former CPDBODJTO (you know what I mean). Hey, at least a lot of his sound bites are already written.

When this bill actually comes out, we'll have to make sure there are NO RIDERS on it. This would be a perfect opportunity to do so, since this proposed legislation has a chance to pass.

Don't hold a grudge!!!

[lkaos]

Listen, if Hollings is sponsering this bill because he wants to "make-up" with the tech-community, then the worst thing the tech-community can do is continue to boycott him.

Make the message clear, that the community will support good bill but go ape-shit crazy on bad ones. If he gets a bad reaction still, he's just going to write off the tech community as a special interest group that he has no chance of winning over. In that case, he'll say screw you to all of us and just go on taking blood money from disney.

Don't make it personal, it's simply politics. We just have to play the game.

Buying habits aren't sensitive?

[Uruk]

and opt-out agreements when selling non-sensitive (buying habits

Since when are buying habits not sensitive? What if you're buying cream at the pharmacy for your genital warts? What if you're buying a particular product for your spouse, or for a friend? What if you're ordering porno over the net? (They don't ship it in brown paper covers to your house because nobody cares whether anyone else sees it or not) What if you're buying a drug for a medical condition that you'd rather nobody knew about? Sure, Mr. Jones, we don't have access to your medical records, but we see you've been buying AZT, and various magazines and books written by people infected with HIV as support tools. Hmmm.....

Sexual preference, medical history, and lots of other things are tied to what you buy. I don't see how they can say that buying habits aren't sensitive.

Non-sensitive privacy?

[irony nazi]

Hmmm. Let's see if the irony nazi can understand this...

Sensitive private characteristics:
Sexual Preference: Heterosexual
Medical History: Pretty healthy, alcoholism runs in family.
Crinimal record: One speeding ticket, not much else.

Yeah, those are pretty private

Non-sensitive private information:
Buying habits: Alcohol, Straight Pr0n, exercise stuff & vitamins, no medicine
Web browsing habits: /., weightlifting websites, finance, and geeky websites. straight pr0n.

Whoa. My non-sensitive information is extremely suggestive of my sensitive information, wouldn't you think? What gives? Is it more complicated to make all privacy information opt-in? It seems like it would be less complicated to the irony nazi.

Re:Well Even markiting information should be opt i

[SirSlud]

This got me thinking that when you go into a store, in the very least, employees and gauge the demographics they are catering to, and adjust the way the store operates accordingly.

You have to admit, much of the information they want when you buy (where ya from, how old are you) is 'casually' available in physical stores. Online retailers have no such luxery of asking their sales force (cause there is none) who's buying, so I really dont think it's asking to much for the companies to want the provision of that kind of information to be standard procedure when buying online.

The physical retailers can provide this information based on sales data, the retailers physical location, and by virtue of the sales force being physically located where the buyer is. Virtual retailers arn't asking for anything new, other than potentially the granularity (IE, you live in this zipcode instead of you shop in this zipcode.)

The Direct Marketing Association (DMA) said it continues to support industry self-regulation on privacy.

I support segreating 'opt-in', 'opt-out' not by what information is collected, but by what you are allowed to do with that information. 'opt-out' collection should allow retailers to do internal aggregated sales analytics, while you MUST provide 'opt-in' collection when you wish to use that information to proactively contact the customer.

This is how it works

[Mahrin Skel]

You have a bill you can't get considered by a certain committee, because the chairman is blocking it. You find some related issue that the chairman *won't* block. You introduce a bill for that issue. Later, as the author of the original bill, you may be able to have most or all of the original (blocked) bill added to the bill as an amendment.

--Dave Rickey

In Whose Hands?

[White Roses]

It seems to me, more and more, that privacy must be taken, and not granted. So our government wants to protect our privacy? And yet they've foisted Carnivore on us? Well, there's some more of my tax dollars cancelling each other out.

It all comes down to whom do you trust with your private information, and what information you yourself deem to be private.

Individuals are going to have to decide this for themselves. Trusting the government or advertising drones or Microsoft to keep your information private implies rather a lot of trust. Have you met these people? Told them about that time in 4th grade where you experimented with the chronic? Who knows stuff like that? Your closest companions at best.

Privacy must be individually taken, kept and defended. It's not a gift to be handed down from on high. Each person must learn to defend their privacy on their own, and determine just what they consider private.

Hate spam? Find a way to fight it, and keep your e-mail to yourself (or at worst, make up a free one). Don't believe the registration cards. Use a fake name on your phone number, or keep it unlisted. Give no one your SSN unless they can provide proof of needing it. Make sure you know what constitutes real proof. Never say hello twice when answering your phone. Turn off cookies. Set up trusted host lists.

It's hard, yes. Joe Public won't know how to do it. OTOH, Joe Public may not care, or may not spend 10 hours a day cruising the net, or may never buy anything from anyone online.

Know the risks, take pains to minimize them, and stay vigilant. It's the only real way to keep your privacy.

My Privacy Desires

[Trekologer]

I agree with the spirit of Hollings' proposed bill (and it pains me to say that). However, my "ideal" online privacy law would be:

1. Companies are forbidden to share/sell/reveal, intentionally or not, any information that a consumer gives to the company or authorizes the company to obtain unless expressly authorized by the consumer. So, anything that you give the company can not be shared with anyone else unless you give them permission to do so.

2. Companies are forbidden to share/sell/reveal, intentionally or not, any information created through consumers' transactions with the company that can be associated with a partifular consumer unless expressly authorized by the consumer. In other words, Company X can tell a marketing company that Y consumers purchased Product Z. They can NOT say that Consumer A purchased Product Z unless Consumer A authorizes it. If the company creates the data, they can use it, but can only associate the data with particular consumers with permission.

3. Any permission given for a company to use your data must be an informed decision. The company must provide to the consumer who they will share the data with (specific comapnies), what data will be shared, what the receiving company will do with the data, and what the company will get for sharing the data. This information must be provided to the consumer before she agrees to give permission, not something that can get received "on request" later after agreeing.

4. Companies that violate these three premises will be fined by the government and there will be a procedure set in place for consumers to collect damages.

Hopefully, this would prevent companies from playing fast and loose with your information and force them to make sure that their systems are secure (note the "intentionally or not" would cause the company to violate this "law" if some third party, such as a cracker, gets the data).

Self-regulation doesn't work. There will always be someone who will violate the "regulations" that the industry comes up with. The only solution is a legislative solution.

Re:Great...

[Stephen Samuel]

As someone else said: This legislation does very little other than place in stone what the DMA is already doing. Not many people have the sensitive information that he's requiring the opt-in for, anyways (it's the nature of 'sensitive' information). In any case it doesn't matter.

They can't tell me your sexual preference or your medical history, but they can tell me that:

• You are male,
• You visit 'beefcake' porn sites a lot
• you buy AZT on the 'net because it's cheaper.

I can figure out the rest from there.

Medical Information

[Anonymous Coward]

I don't see how the "selling" of medical information is legal at all. I worked for a company who made software for the health care industry, and there's some serious laws regarding protection of medical information. Both parties sending and receiving any information must have written signed guarentees that the information will be kept private. This act is the Health Care Protection and Acountability Act (HIPAA).
A simple opt-in (ala Yahoo! i'm asuming here) wouldn't abide by the laws set forth in HIPAA.

I'm surprised Hollins even brings medical information to the Internet. Most medical facilities I worked with had stricit protocols or strict seperation regarding sensitive data and the Internet. If any information was sent at all, it was either via FAX, hardcopy, or on a secure connection (via CarbonCopy, or similar program).

The only people who need my medical information are my health care providers.

Nope. Just hate-hate.

[bricriu]

How is this a good bill? On the plus side, yeah, we have to give someone permisssion to sell our "critical" data. But who's to say that won't be buried in an EULA?

And as Yahoo! has recently proved, automatically opting people in to recieve spam (since that's what the 2nd part of this legislations basically proposes, after all... they sell your info, you get spam) and making them opt-out leads to people getting bent out of shape. Why should companies get the right to ASSUME that I want to recieve spam from whoever they feel like hawking my info to?

A privacy law with teeth would have opt-ins across the board, and a clause saying that each opt-in must be clearly labelled as such, with no "bundling" of opt-ins implicit in any other action.

The incredible state of almost.

[Paul Neubauer]

The incredible state of almost is where this comes from. I suppose some compromise will have to happen, but in an ideal world, to me, things would opt-in, and any change would be required to be very explicit and specific. That is, if one opts into Company A for XYZ, even Company A can't bug one about JKL as that was not opted into.

I'm not entirely sure I want law for privacy, as omissions in it might be seen as an invitation to do questionable things. But then having no law seems to be doing the same.

Perhaps a law of reciprocity? If someone want information about me, first they must supply me with the equivalent about them. For any limit they want on what I do with that, I get to put a limit on what they do with my information - and it need not be the same limit (since I'm not doing what they are, most likely). Dream world? Yep, alas.

Click-through licensing will negate this bill

[greensquare]

It doesn't really matter if I need to opt-in. The day after the Bill is signed into Law, Lawyers will add the following line to the click-through licenses on their spyware products. "I here by grant full access to all personal data...."

Re:Well Even markiting information should be opt i

[Anonymous Coward]

How do you define internal? Are subsiduaries internal? Are alliances internal? If company A sends a consultant team to company B for 1 year, are they internal employees? If I sign a nondiscosure agreement that makes me a temporary employee, am I internal? What's internal and what's external is extremely vague in the corporate world.

Re:Great...

[gclef]

True. In fact, one thing I'd like to make sure this law does *not* do is to override the protections put in place for medical information by HIPAA. The privacy protections put in by HIPAA are actually pretty well done. I'd rather they not be weakened by a "We got you to click ok, so we're spamming the globe with your surgery results now" rule.

Great idea but what about amateurs?

[sterno]

I run a website that uses slashchode. Now, this asks for certain bits of information. I don't have any intention of doing anything with this information and I'm not any sort of commercial entity. Am I to be held to the same standards about opt-in and opt-out agreements?

Opt-out vs opt-in

[smack_attack]

This is a very simple debate if you look at the type of data being collected. A vocal majority of web users know that a good deal of information about them is tracked every time they go to a website or their favorite porn site. Most are content with allowing this information to be tracked as well as long as it is under the premise of being anonymous. When a site tries to tie in personal information, that is where the line needs to be drawn and opt-in needs to be specifically required (without questionable tactics such as pre-checking boxes allowing the user to be mailed by 3rd-parties).

People are willing to give up a lot of information about themselves when you promise that the data will be anonymous or in aggregate format, and for the most part, companies have no problem with this. The ire of the masses is resounding when companies don't use this information in the manner intended or attempt to use it to create marketing profiles per user. I don't mind buying things, but I also do not want "HOT!!! DEALS!" crammed in my inbox and down my throat.

So to Senator Hollings, I ask that instead of laying more restrictions on companies that will either get blown off or result in a plethora of legalese every time you sign up for a mailing list, he should focus more on making sure that his proposal is simple and understandable by both parties (COPA is a good example of how ALL personal data should be handled).

Why do you need to wait to see what he does?

[Mr Guy]

It isn't exactly hidden.

1. Have law giving companies too much data control blocked
2. Create law that protects privacy
3. Use to law to mark data as ownable and prosecutable
4. Acknowledge law 'did not do enough'
5. Toughen law, adding companies in to protect their data
6. Companies prosecute for sharing their 'private' data, such as music, movies....

Observation

[AntiNorm]

ZDnet is reporting he is proposing a bill for 'net privacy' requiring opt-in agreements when companies want to sell 'sensitive' information (medical history, sexual preference, etc.) and opt-out agreements when selling non-sensitive (buying habits

An interesting observation I just made:

When the data belongs to the consumer, Hollings (D-Disney) wants the data to be copyable. He'd be committing political suicide to not ask for at least some restrictions, so he introduces bills like this. As for the 'non-sensitive' opt-out data, I don't consider opt-out to be a restriction at all. I'll still get the spam, and (especially seeing how email spammers work) it's not exactly easy to trust anybody to honor opt-out requests.

BUT...when the data belongs to a corporation, he doesn't want it to be copyable at all. Witness the DMCA and the SSSCA/CBDTPA.

Now. Try and tell me he isn't biased against consumers and towards corporations.

this won't change anything

[bilbobuggins]

why do we need laws to tell us what information is too sensitive and what isn't?

you know what? if you get asked about your religion and it offends you... DON"T ANSWER.

if you know of a site that tracks you and you don't want them to sell that information... DON'T SHOP THERE.

and you know what? maybe, just maybe, the free market will regulate itself when people stop shopping at intrusive vendors.

this is _not_ government's job. this bill will not stop spam. most legit companies already have well defined privacy policies on their websites so you know what you're getting yourself into.

all in all, this bill accomplishes actively nothing, and yes it is nothing more than a front to appease opponents of his other bills...

Why not a Fair Use Bill and...

[mcwop]

Will he just attach his stupid new copyright bill to this privacy bill in the dead of night?

Re:Is /. going to bash him for this too?

[Dr.Dubious DDQ]

The cost results from the smaller base of people that will opt-out

Ah, I love "spin"...

As comes up in several other debates (e.g. Napster/etc.), this is NOT a "cost", despite the fact that corporate mouthpieces insist on calling it that in fits of melodramatic doomsaying. This is a "reduction of extra profits."

In other words, us not giving them our personal information to sell to the aforementioned whoremongers is not us "taking something from them", it is us "giving them less". I think this is an important, if subtle, distinction that needs to be made...

If a homeless person begging for money gets and average of $0.75 from every person who gives him any, and I give him $0.25, have I "cost" him $0.50?....

Re:History Repeats itself

[Rogerborg]

Well said. When the bill does surface into the light of day, let's bear something in mind. If Hollings is proposing a bill that guarantees Federally protected privacy (ahem) for your information, might the corollary be that it becomes an offence to provide dis-information, even when there's no fraudulent intent, just caution?

Before you scoff and dismiss this, consider his track record, and apply the appropriate spin. How about "Promoting a culture of mutual trust in a value add win-win proposition for both peon^H^H^^H consumers and master^H^H^H^H^H^ business." And remember, you heard it here first.

Re:Medical Information

[geekoid]

"The only people who need my medical information are my health care providers."

or a loved one who wants to know why you died on the table.

The fact that he put Medical information in the bill tells me he wants to "scare" people into thinking its need so he can get this bill passed for some reason.

Re:A stopped clock is right twice a day...

[el_chicano]

The government should keep its hands out of technology, period.

So tech companies should not be regulated by the EPA and should be able to pollute left and right? Or their employees should not be covered by labor regulations and forced to work long hours with no overtime or comp time? Or tech companies should not be covered by antitrust regulations, allowing them to monopolize what should be an open and free market?

NO government intervention can be just as bad as TOO MUCH government intervention.

Also, don't forget that in the 1960's and 1970's the government's funding of NASA and the Internet served to spur growth in technology faster than if it would have been left solely to the free market...

Re:Don't hold a grudge!!!

[LordNimon]

That's pretty harsh, dude. You really don't understand politics, do you? Every long-term Congressman has, at one time or another, proposed a bill that was bad. That's why bills go through a review process and a vote before being made into law. And that's only for the few bills that actually get that for - the overwhelming majority of ideas never make it to bills, let alone laws. The debate and decision process is vital to our country, and so you can't begrude anyone for using it. He certainly shouldn't apologize for doing his job. And yes, listening to other people and proposing bills to address a problem is his primary job.

Hollings thought he had a good idea. He's not very knowledgeable about technology, just like you know little about politics. He has learned the hard way that the SSSCA and its kin are not good bills.

If you don't allow people to learn from their mistakes, then they will continue to make them. If this privacy bill is a good one, then perhaps we can count Hollings as a future ally. History is FULL of individuals who made big mistakes, realized them, and then changed sides. Perhaps Hollings will be the next example.

Re:I'm Psychic

[Hard_Code]

"You, the liberty loving individual, don't want big bad governments and corporations using data about you without your permission. You want control over that data.

Purveyors of digitized content don't want tiny bad people "pirates" using their data without their permission. They want control over that data."

Uh, except that we as consumers are not actively in the business of selling our data while the media industry is.

I don't see any similarity here. The media industry wants to control information even after they have sold it, whereas as a consumer I don't even want to give out this information in the first place.

Besides, I see a distinct qualitative difference between salable works of art/literature/content, and personal, non-artistic demographic data. Now if I created a piece of art based on my personal demographic data, and sold it, and then wanted to control how people used it, I would probably be in the same position as the media industry.