Tag Archives: privacy

California IoT law requires manufacturers to build security into connected devices


A pair of linked bills passed by the California legislature and signed into law late last month by governor Jerry Brown require manufacturers to preload passwords or install other security features on any kind of device that’s directly or indirectly connected to the Internet, beginning in 2020. Assembly bill 1906, carried by assemblywoman Jacqui Irwin (D – Ventura) and senate bill 327, authored by senator Hannah-Beth Jackson (D – Santa Barbara) are aimed at protecting privacy, and preventing the rise of botnets – networks of online devices that are infected with malware and used by cybercriminals for their own purposes.

The new law isn’t limited to consumer electronics products. Commercial and industrial devices – anything that’s part of the Internet of Things (IoT) – fall under the legislation’s broadband definition…

“Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

Manufacturers will have to equip a device with “a reasonable security feature” that’s “appropriate” to its “nature and function” and the type of information it collects. Preprogrammed passwords are specifically mentioned as acceptable, as is forcing users to create a password or otherwise “generate a new means of authentication” the first time they use it.

Enforcement of the new law is limited to the attorney general, county district attorneys and city and county attorneys. It doesn’t create a new windfall for contingency fee lawyers.

Up until now, California law hasn’t had much to say about IoT security. A law passed in 2015 requires warnings on Internet-connected television sets with voice recognition features, and prohibits using recorded conversations for advertising purposes. A 2006 bill established similar consumer notice requirements for WiFi access points.

A third IoT-related bill – AB 2167 by assemblyman Ed Chau (D – Los Angeles) – died in the California senate on the final day of the legislative session. It was specifically aimed at “ingestible” sensors used for health monitoring.

California legislature to decide privacy, Internet commerce bills


Consumer privacy, police surveillance, online retailing, bots and social media were all targets of bills introduced this year in the California legislature. One major bill already passed, a couple are dead and the rest are queued up for a decision this week, as lawmakers prepare to finish up the 2018 session on Friday.

Assembly bill 375 established strict consumer data privacy rules. It was signed into law by the governor earlier this year. It’s being tweaked, though. Senate bill 1121 exempts some medical, financial and driving record information that’s already regulated by federal and/or state law. It also allows credit reporting agencies to continue to use personal information, whether or not consumers consent, to the extent permitted by federal law. It makes other changes, mostly regarding how the law is enforced.

As far as I can tell, the amendments are technical. But SB 1121 should put everyone on notice, too: the legislature can and will change California’s new data privacy law. Given the influence that lobbyists and their cash payments to lawmakers have in Sacramento, future changes may not be so benign.

Other bills introduced this year include…

  • AB 1906 and SB 327 – aimed at the Internet of things, these two, linked bills require passwords and other security features on Internet-connected devices. Awaiting floor votes in the senate and assembly, respectively. Each will have to go back to its “house of origin” for concurrence votes on amendments made along the way.
  • AB 2167 – defines information gathered by ingestible sensors that collect or send information about an individual, and linked apps and devices, as protected medical information. On the senate floor, with assembly concurrence needed.
  • AB 2511 – requires merchants to “take reasonable steps to ensure that the purchaser is of legal age” of anyone who might purchase or view age restricted products or services. It was originally targeted only at online sellers, but now includes all businesses. The range of products and services covered was narrowed, too. Waiting for a floor vote in the senate, then would go back to the assembly for concurrence.
  • AB 2935 – adds privacy protections to health monitoring programs, online and otherwise. Would have had implications for fitness and athletic social media, such as Strava. It died in a senate committee.
  • SB 1001 – requires bots – computer programs that mimic people, used by companies to chat with customers – to identify themselves as such. Only applies to websites that get 10 million visitors a month. On the assembly floor now, with senate concurrence also needed.
  • SB 1186 – required local governments to disclose the types and uses of law enforcement surveillance technology. Quietly killed in the appropriations committee by assembly leadership.
  • SB 1424 – formerly a far reaching attempt to police free speech on the Internet, it was neutered as it moved through the legislative process and now just calls for the California attorney general to study “the problem of the spread of false information through Internet-based social media platforms”. If someone donates the money to do it. Awaits an assembly floor vote and senate concurrence.

California consumer privacy law, online and off, now on the books


Californians will have control over the way their personal information is used by businesses, including online platforms. Probably. Governor Jerry Brown signed assembly bill 375 into law, after it was approved by the state senate and assembly in whirlwind fashion yesterday. According to the analysis prepared by staff for the assembly privacy and communications committee – which is chaired by the bill’s author, assemblyman Ed Chau (D – Monterey Park) – consumers will gain…

The right to know what [personal information (PI)] is being collected about them and whether their PI is being sold and to whom; the right to access their PI; the right to delete PI collected from them; the right to opt-out or opt-in to the sale of their PI, depending on age of the consumer; and the right to equal service and price, even if they exercise such right.

AB 375 was briefly in the spotlight last year, when it was turned into an online privacy bill, only to be killed by tech and telecoms lobbyists. Its demise behind closed doors prompted a successful petition drive to put a tough consumer privacy initiative on the November ballot. Which scared those same big tech and telecoms companies. For two reasons: they would have to spend millions of dollars trying to defeat it, and if enacted by the voters, the legislature wouldn’t be able to change it.

That gave Chau an opening to resurrect his bill, and cut a deal with the initiative’s backers. If the legislature passed a sufficiently stringent consumer privacy bill, the backers – who faced an equally expensive campaign – would declare victory and withdraw the ballot measure. Yesterday was the withdrawal deadline, the legislature met it and the initiative was formally pulled.

The new law takes effect 18 months from now, in January 2020. That’s forever in political terms, though. The legislature will have plenty of opportunity and lobbyists will offer plenty of cash encouragement to water down the new law. They’ll want to do it as quietly as possible. It’s worth watching, if only to make sure it’s as noisy as possible.

Internet privacy bill rises from the dead at California capitol


California lawmakers have another shot at creating strong data privacy rules. Assembly bill 375, authored by assemblyman Ed Chau (D – Monterey Park), was originally aimed at Internet service providers. It would have reinstated ISP privacy rules that were scrapped by the republican majority on the Federal Communications Commission. It died last year after legislative leaders bowed to back door pressure and “dirty tricks” from ISPs, like AT&T and Comcast, and Silicon Valley’s big online players, like Google and Facebook.

But with angst over Facebook’s epic face plant and other data breaches reaching a fever pitch, attention turned to how companies – of all kinds – collect, keep and use data about and belonging to consumers. A petition drive appears to have collected enough signatures to get a sweeping online data protection law on the November ballot. To head that off, Chau and senator Robert Hertzberg (D – Van Nuys) rewrote AB 375 and, on Friday, put it on a fast track for potential approval this week.

As rewritten, AB 375 meets the needs of the initiative’s backers. It would give consumers the right to ask companies what kind of personal data they’re collecting, what they’re doing with it and who they’re sharing it with. Consumers could also tell online businesses to delete information and prevent them from sharing or selling personal information to others. Those backers will scrap it if the legislature approves AB 375 and governor Jerry Brown signs it into law by Thursday (the deadline for pulling the initiative).

According to a story by Taryn Luna in the Sacramento Bee, avoiding a ballot measure will also avoid a massively expensive campaign, fuelled by money from the big incumbent ISPs and online platforms that oppose it…

[Alastair Mactaggart, the main proponent of the initiative], who has dished out $3.5 million to support his own cause by paying signature gatherers to qualify the initiative, expected his opponents to spend as much as $100 million on the campaign against the Consumer Privacy Act before the Nov. 6 election. As of this week, the opponents of the initiative had given nearly $2.2 million to tank it.

You can count on those same companies to flood Sacramento with lobbyists this week, just as they did last week to oppose network neutrality bills.

U.S. supreme court rules on digital privacy, but the real issue is digital property


When most of the data you collect, create, buy or simply passively generate is stored on someone else’s server, what belongs to you and what belongs to the company storing it? What is your property?

That’s the question that the U.S. supreme court wrestled with in yesterday’s decision limiting police use of mobile phone tracking data. Every time a phone communicates with a cell site – which is pretty much all of the time – that contact is recorded by the mobile carrier. A bare 5 to 4 majority of the judges ruled that…

Cell phones and the services they provide are “such a pervasive and insistent part of daily life” that carrying one is indispensable to participation in modern society…an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through [cell-site location information].

The court decided that cops need to get a search warrant based on probable cause – a relatively high bar to clear – before rummaging through your cell location data, even though that data is, they say, owned by your mobile carrier.

But is it?

In an interesting dissent, the newest member of the U.S. supreme court, Neil Gorsuch, questioned that assumption. He objected to the decision on technical grounds, while at the same time saying, in effect, it didn’t go far enough…

Just because you entrust your data – in some cases, your modern-day papers and effects – to a third party may not mean you lose any Fourth Amendment interest in its contents…few doubt that e-mail should be treated much like the traditional mail it has largely supplanted— as a bailment in which the owner retains a vital and protected legal interest…

At least some of this Court’s decisions have already suggested that use of technology is functionally compelled by the demands of modern life, and in that way the fact that we store data with third parties may amount to a sort of involuntary bailment too…

No one thinks the government can evade [the existing] prohibition on opening sealed letters without a warrant simply by issuing a subpoena to a postmaster for “all letters sent by John Smith” or, worse, “all letters sent by John Smith concerning a particular transaction.” So the question courts will confront will be this: What other kinds of records are sufficiently similar to letters in the mail that the same rule should apply?…

It seems to me entirely possible a person’s cell-site data could qualify as his papers or effects under existing law. Yes, the telephone carrier holds the information. But [federal law] designates a customer’s cell-site location information as “customer proprietary network information” (CPNI), and gives customers certain rights to control use of and access to CPNI about themselves…Plainly, customers have substantial legal interests in this information, including at least some right to include, exclude, and control its use. Those interests might even rise to the level of a property right.

Gorsuch is arguing for a clearer and more fundamental definition of personal property in the digital age. He’s exactly right.

Police surveillance tech disclosure considered by California legislature


If a police department in California wants to use facial recognition software, or scrape social media platforms looking for evidence of criminal behavior, it would need to disclose the practice and, where practicable, get advance permission from its city council, if a bill working its way through the legislature makes it into law. Senate bill 1186, introduced by senator Jerry Hill (D – San Bruno), would require cities to decide on and publish policies for using “surveillance technology”, which it defines as…

Any electronic device or system with the capacity to monitor and collect audio, visual, locational, thermal, or similar information on any individual or group. This includes, but is not limited to, drones with cameras or monitoring capabilities, automated license plate recognition systems, closed-circuit cameras/televisions, International Mobile Subscriber Identity (IMSI) trackers, global positioning system (GPS) technology, software designed to monitor social media services or forecast criminal activity or criminality, radio frequency identification (RFID) technology, body-worn cameras, biometric identification hardware or software, and facial recognition hardware or software.

Any type of use would have to get blanket approval in advance, although after that it wouldn’t have to be reviewed on a case by case basis. If something unforeseen comes up, involving “danger of death or serious physical injury”, the cops could do whatever they need to do, but would have to disclose it later.

The bill had two hearings, in front of the California senate’s public safety and judiciary committees, where it was approved and sent on to the appropriations committee, with undisclosed amendments pending. Predictably, lawyers are in favor of it and police organisations are opposed. According to the public safety committee’s analysis, there have been 12 past attempts at similar legislation in recent years. Two, also carried by Hill, involving automatic license plate readers and mobile phone intercepts are now law. Most of the rest died in the legislature, although three made it to governor Jerry Brown’s desk and were vetoed. Given the sweeping scope of the current bill, a similar fate seems likely.

Silicon Valley joined with telcos, cable to defeat California privacy law, says EFF


An unholy alliance between big tech interests and big telecoms companies succeeded in spiking an Internet privacy bill in Sacramento this year, according to the Electronic Freedom Foundation. In a blog post, the EFF’s Ernesto Falcon says that “Google and Facebook locked arms with AT&T, Verizon, and Comcast to oppose” assembly bill 375…

How do we know? Because we were on the ground in Sacramento in September to witness every last-minute dirty trick to stop A.B. 375 from moving forward. But there is one positive outcome: ISP and Silicon Valley lobbyists have played their hand. When these tactics are deployed at the last minute by an army of lobbyists, false information is extremely hard to counter by citizens and consumer groups who lack special access to legislators. But over time legislators (and their constituents) learn the truth – and we’ll make sure they will remember it when this legislation comes back around in 2018.

Falcon’s post has links to a couple of anonymous “fact sheets” given to lawmakers. One takes on the EFF’s positions directly; the other is a classic piece of scaremongering that would be laughable if legislators didn’t lap it up like a dog going after a dropped ice cream cone. Preventing ISPs from selling your browsing history or medical records is going to lead to terrorist attacks? Come on.

He’s right in thinking that the balance might tip next year. Democratic legislators have to walk a fine line between the national party’s opposition to Trump administration policies, such as rolling back privacy protections, and the telco and cable agenda that’s backed by truckloads of cash contributions. They managed to finesse it this year by sliding AB 375 into the clubbable senate rules committee, where it could die a quiet death out of public view. If public activism increases next year, the ending could be quite different.

Californian ISP privacy rules wounded, but still twitching


One last try at baking Internet privacy rules into California law is underway. Assembly bill 375 was amended on Tuesday, just ahead of a new 72-hour deadline for posting the final version of proposed legislation – the California legislature’s current session clocks out tomorrow night.

Arguably, the changes are an improvement. Specific security and disclosure requirements were cut out, along with references to telephone service, with the result that the bill focuses on the core issue: what can Internet service providers do with information about and provided by their customers?

AB 375 would…

Prohibit broadband Internet access service providers, as defined, from using, disclosing, or permitting access to customer proprietary information, as defined…

[and] would prohibit those providers from refusing to provide broadband Internet access service, or in any way limiting that service, to a customer who does not waive his or her privacy rights guaranteed by law or regulation, and would prohibit those providers from charging a customer a penalty, penalizing a customer in any way, or offering a customer a discount or another benefit, as a direct or indirect consequence of a customer’s decision to, or refusal to, waive his or her privacy rights guaranteed by law or regulation.

Security is very important of course, and ISPs should give customers proper notice about privacy policies too, but there are already rules in place that address at least some of those concerns. Core ISP privacy regulations, on the other hand, were completely scrapped by the federal government earlier this year. A simple and focused fix for that one, specific problem has advantages, not least that it offers clarity for ISPs and consumers alike.

One change, though, isn’t so helpful. If the bill passes, California’s ISP privacy law won’t take effect until 1 January, 2019. That gives the bill’s opponents – big political contributors like AT&T, Comcast and other incumbents – all of 2018 to kill it, via a court challenge, federal preemption or new legislation in Sacramento. That’s also an election year, when the scramble for campaign cash reaches manic levels.

But AB 375 isn’t law yet. As of this morning, it is still stuck in the powerful and very opaque senate rules committee, a club for party leaders of both persuasions. Unless it’s released for floor votes in the senate and assembly before tomorrow, it’ll die a quiet death.

California Internet privacy bill trimmed, but not gutted


Whose choice is it?

A bill establishing strong Internet privacy rules in California has been watered down a bit, but still has teeth . Assembly bill 375, carried by Ed Chau (D – Monterey Park), would reinstate restrictions on use of customer information by Internet service providers that were scrapped at the federal level.

Originally, it required opt-in consent – an affirmative grant of permission in advance – from subscribers for any disclosure of personal information to third parties. That’s been scaled back. As it reads now, AB 375 would allow an ISP to freely share “nonsensitive customer proprietary information” until and unless a subscriber opts out – takes the initiative to say no. Disclosure of “sensitive customer proprietary information”, on the other hand, would still require opt-in permission.

What’s the difference? Non-sensitive information is anything that’s not sensitive, which is defined in the bill

“Sensitive customer proprietary information” includes all of the following:

  1. Financial information.
  2. Health information.
  3. Information pertaining to children.
  4. Social security numbers.
  5. Precise geolocation information.
  6. Content of communications.
  7. Call detail information.
  8. Web browsing history, application usage history, and the functional equivalents of either.

The question now is whether this change is enough to overcome opposition from telephone, cable and other telecoms companies with stacks of campaign cash and platoons of lobbyists to hand it out. The answer is probably not, but lawmakers are being careful not to be too obvious about it. AB 375 is stuck in the senate rules committee, where legislative leaders can quietly kill it and protect their political cash flow simply by doing nothing. If it does make it to a floor vote, then it should have a fighting chance. Senators, particularly democratic ones, won’t want to upset consumer groups back home by voting against it.

Two other broadband related bills – AB 1665 and senate bill 649 – are likewise stuck in committees. AB 1665, which would gut California’s broadband infrastructure subsidy program – the California Advanced Services Fund – and give hundreds of millions of dollars to AT&T, Frontier and other incumbents, hasn’t resurfaced yet. It’s sitting in the senate energy, utilities and communications committee. SB 649 is parked in the assembly appropriations committee. That’s the bill that would give wireless companies open access to public property at below market rates.

California lawmakers revive Internet privacy rules dumped by Trump administration


California is stepping into the privacy vacuum created by federal policy makers when they scrapped consumer protection rules adopted last year. Assembly bill 375 was approved by the senate’s energy, utilities and communications committee yesterday. It would put sharp restrictions on what Internet service providers can do with their customers’ information…

An Internet service provider may use, disclose, sell, or permit access to customer personal information if the customer gives the Internet service provider prior opt-in consent, which may be revoked by the customer at any time. The mechanism for requesting and revoking consent under this subdivision shall be clear and conspicuous…not misleading, in the language primarily used to conduct business with the customer, and made available to the customer at no additional cost. The mechanism shall also be persistently available on or through the Internet service provider’s Internet Web site, or mobile application if it provides one for account management purposes.

The bill is supported by consumer groups and carried by assemblyman Ed Chau (D – Monterey Park). The opposition was led by the California cable industry’s lobbying front, the California Cable and Telecommunications Association, with AT&T, Frontier, Comcast and Charter singing back up.

That wasn’t enough to stall it. Internet privacy is one of the battle line issues between California democrats and the Trump administration, as several senators made clear. It’s become a high profile one too, judging by the TV news cameras in the room.

Committee chair Ben Hueso (D – San Diego) set the tone at the beginning of the hearing, with a rambling discourse on the essential nature of telecommunications services and the importance of privacy, including detours into the evils of communism and the role of Russian hackers in the last election. Although the telecoms industry lobbyists claimed they should be treated like any other Internet business, committee members pointed to the lack of choice consumers have when buying broadband service and argued for even tighter privacy rules.

In the end, they approved it, albeit with scant support from republicans. AB 375 now moves to the senate judiciary committee and from there, it seems likely, on to a full floor vote.