
New Vermont Law Regulating Data Brokers Drives 120 Businesses From The Shadows

In May of 2018, Vermont was the first (and only) state in the nation to enact a law regulating data brokers. According to the Vermont Secretary of State, a data broker is defined as:

"... a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship."

The Vermont Secretary of State's website contains links to the new law and more. This new law is important for several reasons. First, many businesses operate as data brokers. Second, consumers historically haven't known who has information about them, nor how to review their profiles for accuracy. Third, consumers haven't been able to opt out of the data collection. Fourth, if you don't know who the data brokers are, then you can't hold them accountable if they fail with data security. According to Vermont law:

"2447. Data broker duty to protect information; standards; technical requirements (a) Duty to protect personally identifiable information. (1) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate... identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks... taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and (B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information..."

Before this law, there was little to no oversight, no regulation, and no responsibility for data brokers to adequately protect sensitive data about consumers. A federal bill proposed in 2014 went nowhere in the U.S. Senate. You can assume that many data brokers operate in your state, too, since there's plenty of money to be made in the industry.

Portions of the new Vermont law went into effect in May, and the remainder went into effect on January 1, 2019. What has happened since then? Fast Company reported:

"So far, 121 companies have registered, according to data from the Vermont secretary of state’s office... The list of active companies includes divisions of the consumer data giant Experian, online people search engines like Spokeo and Spy Dialer, and a variety of lesser-known organizations that do everything from help landlords research potential tenants to deliver marketing leads to the insurance industry..."

The Fast Company site lists the 120 (so far) registered data brokers in Vermont. Regular readers of this blog will recognize some of the data brokers by name, since prior posts covered Acxiom, Equifax, Experian, LexisNexis, the NCTUE, Oracle, Spokeo, TransUnion, and others. (Yes, both credit reporting agencies and social media firms also operate as data brokers. Some states do it, too.) Reportedly, many privacy advocates support the new law:

"There’s companies that I’ve never heard of before," says Zachary Tomanelli, communications and technology director at the Vermont Public Interest Research Group, which supported the law. "It’s often very cumbersome [for consumers] to know where the places are that you have to go, and how you opt out."

Predictably, the industry has opposed (and continues to oppose) the legislation:

"A coalition of industry groups like the Internet Association, the Association of National Advertisers, and the National Association of Professional Background Screeners, as well as now registered data brokers such as Experian, Acxiom, and IHS Markit, said the law was unnecessary... Requiring companies to disclose breaches of largely public data could be burdensome for businesses and needlessly alarming for consumers, they argue... Other companies, like Axciom, have complained that the law establishes inconsistent boundaries around personal data used by third parties, and the first-party data used by companies like Facebook and Google."

So, no companies want consumers to own and control the data -- property -- that describes them. Real property laws matter. To learn more, read about data brokers at the Privacy Rights Clearinghouse site. Related posts in the Data Brokers section of this blog:

Kudos to Vermont lawmakers for ensuring more disclosures and transparency from the industry. Readers may ask their elected officials why their state has not taken similar action. What are your opinions of the new Vermont law?


New Bill In California To Strengthen Its Consumer Privacy Law

Lawmakers in California have proposed legislation to strengthen the state's existing privacy law. California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson jointly announced Senate Bill 561, to improve the California Consumer Privacy Act (CCPA). According to the announcement:

"SB 561 helps improve the workability of the [CCPA] by clarifying the Attorney General’s advisory role in providing general guidance on the law, ensuring a level playing field for businesses that play by the rules, and giving consumers the ability to enforce their new rights under the CCPA in court... SB 561 removes requirements that the Office of the Attorney General provide, at taxpayers’ expense, businesses and private parties with individual legal counsel on CCPA compliance; removes language that allows companies a free pass to cure CCPA violations before enforcement can occur; and adds a private right of action, allowing consumers the opportunity to seek legal remedies for themselves under the act..."

Senator Jackson introduced the proposed legislation into the state Senate. Enacted in 2018, the CCPA will go into effect on January 1, 2020. The law prohibits businesses from discriminating against consumers for exercising their rights under the CCPA. The law also includes several key requirements businesses must comply with:

  • "Businesses must disclose data collection and sharing practices to consumers;
  • Consumers have a right to request their data be deleted;
  • Consumers have a right to opt out of the sale or sharing of their personal information; and
  • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent."

State Senator Jackson said in a statement:

"Our constitutional right to privacy continues to face unprecedented assault. Our locations, relationships, and interests are being tracked without our knowledge, bought and sold by corporate interests for their own economic gain and conducted in order to manipulate us... With the passage of the California Consumer Privacy Act last year, California took an important first step in protecting our fundamental right to privacy. SB 561 will ensure that the most significant privacy protections in the nation are effectively and robustly enforced."

Predictably, the pro-business lobby opposes the legislation. The Sacramento Bee reported:

"Punishment may be an incentive to increase compliance, but — especially where a law is new and vague — eliminating a right to cure does not promote compliance," the California Chamber of Commerce released in a statement on February 25. "SB 561 will not only hurt and possibly bankrupt small businesses in the state, it will kill jobs and innovation."

Sounds to me like fearmongering by the Chamber. Senator Jackson has it right. From the same Sacramento Bee article:

"If you don’t violate the law, you won’t get sued... To have very little recourse when these violations occur means that these large companies can continue with their inappropriate, improper behavior without any kind of recourse and sanction. In order to make sure they comply with the law, we need to make sure that people are able to exercise their rights."

Precisely. Two concepts seem to apply:

  • If you can't protect it, don't collect it (e.g., consumers' personal information), and
  • If the data collected is so valuable, compensate consumers for it

Regarding the second item, the National Law Review reported:

"Much has been made of California Governor Gavin Newsom’s recent endorsement of “data dividends”: payments to consumers for the use of their personal data. Common Sense Media, which helped pass the CCPA last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public..."

Laws like the CCPA seem to be the way forward. Kudos to California for moving to better protect consumers. This proposed update puts teeth into existing law. Hopefully, other states will follow soon.


California Seeks To Close Loopholes In Its Data Breach Notification Law

California pursues legislation to close loopholes in its existing data breach notification law. Current state law in California does not require businesses to notify consumers when their passport and biometric data is exposed or stolen during a data breach. The proposed law would close that loophole.

The legislation was prompted by the gigantic data breach at Marriott's Starwood Hotels unit. The sensitive information of more than 327 million guests was accessed by unauthorized persons. The data accessed -- and probably stolen -- included guests' names, addresses, at least 25 million passport numbers, and more. California Attorney General Xavier Becerra announced the proposed legislation:

"Though [Marriott] did notify consumers of the breach, current law does not require companies to report breaches if only consumers’ passport numbers have been improperly accessed... In 2003, California became the first state to pass a data breach notification law requiring companies to disclose breaches of personal information to California consumers whose personal information was, or was reasonably believed to have been, acquired by an unauthorized person... This bill would update that law to include passport numbers as personal information protected under the statute. Passport numbers are unique, government-issued, static identifiers of a person, which makes them valuable to criminals seeking to create or build fake profiles and commit sophisticated identity theft and fraud. AB 1130 would also update the statute to include protection for a person’s unique biometric information, such as a fingerprint, or image of a retina or iris."

Assembly member Marc Levine (D-San Rafael) introduced the proposed legislation to the California House, and said in a statement:

“There is a real danger when our personal information is not protected by those we trust... Businesses must do more to protect personal data, and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation."

Good. There are too many examples of companies failing to announce data breaches affecting consumers. TechCrunch reported that AB 1130:

"... comes less than a year after state lawmakers passed the California Privacy Act into law, greatly expanding privacy rights for consumers — similar to provisions provided to Europeans under the newly instituted General Data Protection Regulation. The state privacy law, passed in June and set to go into effect in 2020, was met with hostility by tech companies headquartered in the state... Several other states, like Alabama, Florida and Oregon, already require data breach notifications in the event of passport number breaches, and also biometric data in the case of Iowa and Nebraska, among others..."

Kudos to California for moving to better protect consumers. Hopefully, other states will also update their breach notification laws.


The Privacy And Data Security Issues With Medical Marijuana

In the United States, some states have enacted legislation making medical marijuana legal -- despite it being illegal at a federal level. This situation presents privacy issues for both retailers and patients.

In her "Data Security And Privacy" podcast series, privacy consultant Rebecca Herold (@PrivacyProf) interviewed a patient cannabis advocate about privacy and data security issues:

"Most people assume that their data is safe in cannabis stores & medical cannabis dispensaries. Or they believe if they pay in cash there will be no record of their cannabis purchase. Those are incorrect beliefs. How do dispensaries secure & share data? Who WANTS that data? What security is needed? Some in government, law enforcement & employers want data about state legal marijuana and medical cannabis purchases. Michelle Dumay, Cannabis Patient Advocate, helps cannabis dispensaries & stores to secure their customers’ & patients’ data & privacy. Michelle learned through experience getting treatment for her daughter that most medical cannabis dispensaries are not compliant with laws governing the security and privacy of patient data... In this episode, we discuss information security & privacy practices of cannabis shops, risks & what needs to be done when it comes to securing data and understanding privacy laws."

Many consumers know that the Health Insurance Portability and Accountability Act (HIPAA) governs how patients' privacy is protected and which businesses must comply with that law.

Poor data security (e.g., data breaches, unauthorized recording of patients inside or outside of dispensaries) can result in the misuse of patients' personal and medical information by bad actors and others. Downstream consequences can be negative, such as employers using the data to decline job applications.

After listening to the episode, it seems reasonable for consumers to assume that traditional information industry players (e.g., credit reporting agencies, advertisers, data brokers, law enforcement, government intelligence agencies, etc.) all want marijuana purchase data. Note the use of "consumers," and not only "patients," since about 10 states have legalized recreational marijuana.

Listen to an encore presentation of the "Medical Cannabis Patient Privacy And Data Security" episode.


Google To EU Regulators: No One Country Should Censor The Web Globally. Poll Finds Canadians Support 'Right To Be Forgotten'

For those watching privacy legislation in Europe, MediaPost reported:

"... Maciej Szpunar, an advisor to the highest court in the EU, sided with Google in the fight, arguing that the right to be forgotten should only be enforceable in Europe -- not the entire world. The opinion is non-binding, but seen as likely to be followed."

For those unfamiliar, in the European Union (EU) the right to be forgotten:

"... was created in 2014, when EU judges ruled that Google (and other search engines) must remove links to embarrassing information about Europeans at their request... The right to be forgotten doesn't exist in the United States... Google interpreted the EU's ruling as requiring removal of links to material in search engines designed for European countries but not from its worldwide search results... In 2015, French regulators rejected Google's position and ordered the company to remove material from all of its results pages. Google then asked Europe's highest court to reject that view. The company argues that no one country should be able to censor the web internationally."

No one corporation should be able to censor the web globally, either. Meanwhile, Radio Canada International reported:

"A new poll shows a slim majority of Canadians agree with the concept known as the “right to be forgotten online.” This means the right to have outdated, inaccurate, or no longer relevant information about yourself removed from search engine results. The poll by the Angus Reid Institute found 51 percent of Canadians agree that people should have the right to be forgotten..."

Consumers should have control over their information. If that control is limited to only the country of their residence, then the global nature of the internet means that control is very limited -- and probably irrelevant. What are your opinions?


Senator Wyden Introduces Bill To Help Consumers Regain Online Privacy And Control Over Sensitive Data

Late last week, Senator Ron Wyden (Dem - Oregon) introduced a "discussion draft" of legislation to help consumers recover online privacy and control over their sensitive personal data. Senator Wyden said:

"Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared... It’s time for some sunshine on this shadowy network of information sharing. My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”

The press release by Senator Wyden's office explained the need for new legislation:

"The government has failed to respond to these new threats: a) Information about consumers’ activities, including their location information and the websites they visit is tracked, sold and monetized without their knowledge by many entities; b) Corporations’ lax cybersecurity and poor oversight of commercial data-sharing partnerships has resulted in major data breaches and the misuse of Americans’ personal data; c) Consumers have no effective way to control companies’ use and sharing of their data."

Consumers in the United States lost both control and privacy protections when the U.S. Federal Communications Commission (FCC), led by President Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some internet service providers (ISPs).

With the repealed broadband privacy, ISPs are free to collect and archive as much data about consumers as desired without having to notify and get consumers' approval of the collection nor of who they share archived data with. That's 100 percent freedom for ISPs and zero freedom for consumers.

By repealing online privacy and net neutrality protections for consumers, the FCC essentially punted responsibility to the U.S. Federal Trade Commission (FTC). According to Senator Wyden's press release:

"The FTC, the nation’s main privacy and data security regulator, currently lacks the authority and resources to address and prevent threats to consumers’ privacy: 1) The FTC cannot fine first-time corporate offenders. Fines for subsequent violations of the law are tiny, and not a credible deterrent; 2) The FTC does not have the power to punish companies unless they lie to consumers about how much they protect their privacy or the companies’ harmful behavior costs consumers money; 3) The FTC does not have the power to set minimum cybersecurity standards for products that process consumer data, nor does any federal regulator; and 4) The FTC does not have enough staff, especially skilled technology experts. Currently about 50 people at the FTC police the entire technology sector and credit agencies."

This means consumers have no protections nor legal options unless the company, or website, violates its published terms and conditions and privacy policies. To solve the above gaps, Senator Wyden's new legislation, titled the Consumer Data Privacy Act (CDPA), contains several new and stronger protections. It:

"... allows consumers to control the sale and sharing of their data, gives the FTC the authority to be an effective cop on the beat, and will spur a new market for privacy-protecting services. The bill empowers the FTC to: i) Establish minimum privacy and cybersecurity standards; ii) Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives; iii) Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized; iv) Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it; v) Hire 175 more staff to police the largely unregulated market for private data; and vi) Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security."

Permitting companies to charge consumers who opt out of data collection and sharing is a good thing. Why? Monthly payments by consumers are leverage -- a strong incentive for companies to provide better cybersecurity.

Business as usual -- cybersecurity methods by corporate executives and government enforcement -- isn't enough. The tsunami of data breaches is an indication. During October alone:

A few notable breach events from earlier this year:

The status quo, or business as usual, is unacceptable. Executives' behavior won't change without stronger consequences like jail time, since companies perform cost-benefit analyses regarding how much to spend on cybersecurity versus the probability of breaches and fines. Opt-outs of data collection and sharing by consumers, steeper fines, and criminal penalties could change those cost-benefit calculations.

Four former chief technologists at the FCC support Senator Wyden's legislation. Gabriel Weinberg, the Chief Executive Officer of DuckDuckGo, also supports it:

"Senator Wyden’s proposed consumer privacy bill creates needed privacy protections for consumers, mandating easy opt-outs from hidden tracking. By forcing companies that sell and monetize user data to be more transparent about their data practices, the bill will also empower consumers to make better-informed privacy decisions online, enabling companies like ours to compete on a more level playing field."

Regular readers of this blog know that the DuckDuckGo search engine (unlike Google, Bing and Yahoo search engines) doesn't track users, doesn't collect nor archive data about users and their devices, and doesn't collect nor store users' search criteria. So, DuckDuckGo users can search knowing their data isn't being sold to advertisers, data brokers, and others.

Lastly, Wyden's proposed legislation includes several key definitions (emphasis added):

"... The term "automated decision system" means a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers... The term "automated decision system impact assessment" means a study evaluating an automated decision system and the automated decision system’s development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that includes... The term "data protection impact assessment" means a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes... "

The draft legislation requires companies to perform both automated decision system impact assessments and data protection impact assessments, and requires the FTC to set the frequency and conditions for both. A copy of the CDPA draft is also available here (Adobe PDF; 67.7 k bytes).

This is a good start. It is important... critical... to hold accountable both corporate executives and the automated decision systems they approve and deploy. Based upon history, outsourcing has been one corporate tactic to manage liability by shifting it to providers. It is good to close now any loopholes where executives could abuse artificial intelligence and related technologies to avoid responsibility.

What are your thoughts, opinions of the proposed legislation?


New York State Attorney General Expands Investigation Into Fraudulent 'Net Neutrality' Comments Submitted To FCC

The Attorney General (AG) for New York State has expanded its fraud investigation regarding net neutrality comments submitted to the U.S. Federal Communications Commission (FCC) website in 2017. The New York Times reported that the New York State AG has:

"... subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups submitted millions of fraudulent public comments to sway a critical federal decision on internet regulation... The attorney general, Barbara D. Underwood, is investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle over the regulations. Millions of comments were provided using temporary or duplicate email addresses, while others recycled identical phrases. Seven popular comments, repeated verbatim, accounted for millions more. The noise from the fake or orchestrated comments appears to have broadly favored the telecommunications industry..."

Also this month, the Center For Internet & Society reported the results of a study at Stanford University (bold emphasis added):

"In the leadup to the FCC's historic vote in December 2017 to repeal all net neutrality protections, 22 million comments were filed to the agency. But unfortunately, millions of those comments were fake. Some of the fake comments were part of sophisticated campaigns that filed fake comments using the names of real people - including journalists, Senators and dead people. The FCC did nothing to try to prevent comment stuffing and comment fraud, and even after the vote, made no attempt to help the public, journalists, policy makers actually understand what Americans actually told the FCC... This report used the 800,000 comments Kao identified as semantic standouts from form letter and fraud campaigns. These unique comments were overwhelmingly in support of keeping the 2015 Open Internet Order - in fact, 99.7% of comments opposed the repeal of net neutrality protections. This report then matched and sorted those comments to geographic areas, including the 50 states and every Congressional District..."

An investigation in 2017 by the New York State AG found that about 2 million of the comments submitted to the FCC about net neutrality "stole real Americans' identities." A follow-up investigation found that more than 9 million comments "used stolen identities."

The FCC, led by Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. The FCC has ignored requests to investigate comments fraud. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

Some of the organizations subpoenaed by the New York State AG include (links added):

"... Broadband for America, Century Strategies, and MediaBridge. Broadband for America is a coalition supported by cable and telecommunications companies; Century Strategies is a political consultancy founded by Ralph Reed, the former director of the Christian Coalition; and MediaBridge is a conservative messaging firm..."

Reportedly, the New York AG has requested information from both groups which opposed and supported net neutrality protections. The New York AG operates a website where consumers can check for fake comments submitted to the FCC. (When you check, enter your name in quotes for a more precise search. And check the street address, since many people have the same name.) I checked. You can read my valid comment submitted to the FCC.

This whole affair is another reminder of how to attack and undermine a democracy by abusing online tools. A prior post discussed how social media has been abused.


The DIY Revolution: Consumers Alter Or Build Items Previously Not Possible. Is It A Good Thing?

Recent advances in technology allow consumers to alter, customize, or build locally items previously not possible. These items are often referred to as Do-It-Yourself (DIY) products. You've probably heard DIY used in home repair and renovation projects on television. DIY now happens in some unexpected areas. Today's blog post highlights two areas.

DIY Glucose Monitors

Earlier this year, CNet described the bag an eight-year-old patient carries with her everywhere daily:

"... It houses a Dexcom glucose monitor and a pack of glucose tablets, which work in conjunction with the sensor attached to her arm and the insulin pump plugged into her stomach. The final item in her bag was an iPhone 5S. It's unusual for such a young child to have a smartphone. But Ruby's iPhone, which connects via Bluetooth to her Dexcom monitor, allowing [her mother] to read it remotely, illustrates the way technology has transformed the management of diabetes from an entirely manual process -- pricking fingers to measure blood sugar, writing down numbers in a notebook, calculating insulin doses and injecting it -- to a semi-automatic one..."

Some people have access to these new technologies, but many don't. Others want more connectivity and better capabilities. So, some creative "hacking" has resulted:

"There are people who are unwilling to wait, and who embrace unorthodox methods. (You can find them on Twitter via the hashtag #WeAreNotWaiting.) The Nightscout Foundation, an online diabetes community, figured out a workaround for the Pebble Watch. Groups such as Nightscout, Tidepool and OpenAPS are developing open-source fixes for diabetes that give major medical tech companies a run for their money... One major gripe of many tech-enabled diabetes patients is that the two devices they wear at all times -- the monitor and the pump -- don't talk to each other... diabetes will never be a hands-off disease to manage, but an artificial pancreas is basically as close as it gets. The FDA approved the first artificial pancreas -- the Medtronic 670G -- in October 2017. But thanks to a little DIY spirit, people have had them for years."

CNet shared the experience of another tech-enabled patient:

"Take Dana Lewis, founder of the open-source artificial pancreas system, or OpenAPS. Lewis started hacking her glucose monitor to increase the volume of the alarm so that it would wake her in the night. From there, Lewis tinkered with her equipment until she created a closed-loop system, which she's refined over time in terms of both hardware and algorithms that enable faster distribution of insulin. It has massively reduced the "cognitive burden" on her everyday life... JDRF, one of the biggest global diabetes research charities, said in October that it was backing the open-source community by launching an initiative to encourage rival manufacturers like Dexcom and Medtronic to open their protocols and make their devices interoperable."

Convenience and affordability are huge drivers. As you might have guessed, there are risks:

"Hacking a glucose monitor is not without risk -- inaccurate readings, failed alarms or the wrong dose of insulin distributed by the pump could have fatal consequences... Lewis and the OpenAPS community encourage people to embrace the build-your-own-pancreas method rather than waiting for the tech to become available and affordable."

Are DIY glucose monitors a good thing? Some patients think so as a way to achieve convenient and affordable healthcare solutions. That might lead you to conclude anything DIY is an improvement. Right? Keep reading.

DIY Guns

Got a 3-D printer? If so, then you can print your own DIY gun. How did this happen? How did the USA get to here? Wired explained:

"Five years ago, 25-year-old radical libertarian Cody Wilson stood on a remote central Texas gun range and pulled the trigger on the world’s first fully 3-D-printed gun... he drove back to Austin and uploaded the blueprints for the pistol to his website, Defcad.com... In the days after that first test-firing, his gun was downloaded more than 100,000 times. Wilson made the decision to go all in on the project, dropping out of law school at the University of Texas, as if to confirm his belief that technology supersedes law..."

The law intervened. Wilson stopped, took down his site, and then pursued a legal remedy:

"Two months ago, the Department of Justice quietly offered Wilson a settlement to end a lawsuit he and a group of co-plaintiffs have pursued since 2015 against the United States government. Wilson and his team of lawyers focused their legal argument on a free speech claim: They pointed out that by forbidding Wilson from posting his 3-D-printable data, the State Department was not only violating his right to bear arms but his right to freely share information. By blurring the line between a gun and a digital file, Wilson had also successfully blurred the lines between the Second Amendment and the First."

So, now you... anybody with an internet connection and a 3-D printer (and a computer-controlled milling machine for some advanced parts)... can produce their own DIY gun. No registration required. No licenses nor permits. No training required. And, that's anyone anywhere in the world.

Oh, there's more:

"The Department of Justice's surprising settlement, confirmed in court documents earlier this month, essentially surrenders to that argument. It promises to change the export control rules surrounding any firearm below .50 caliber—with a few exceptions like fully automatic weapons and rare gun designs that use caseless ammunition—and move their regulation to the Commerce Department, which won't try to police technical data about the guns posted on the public internet. In the meantime, it gives Wilson a unique license to publish data about those weapons anywhere he chooses."

As you might have guessed, Wilson is re-launching his website, but this time with blueprints for more DIY weaponry besides pistols: AR-15 rifles and semi-automatic weaponry. So, it will be easier for people to skirt federal and state gun laws. Is that a good thing?

You probably have some thoughts and concerns. I do. There are plenty of issues and questions. Are DIY products a good thing? Who is liable? How should laws be upgraded? How can society facilitate one set of DIY products and not the other? What related issues do you see? Any other notable DIY products?


North Carolina Provides Its Residents With an Opt-out From Smart Meter Installations. Will It Last?

Wise consumers know how smart utility meters operate. Unlike conventional analog meters which must be read manually on-site by a technician from the utility, smart meters perform two-way digital communication with the service provider, have memory to digitally store a year's worth of your usage, and transmit your usage at regular intervals (e.g., every 15 minutes). Plus, consumers have little or no control over smart meters installed on their property.

There is some good news. Residents in North Carolina can say "no" to smart meter installations by their power company. The Charlotte Observer reported:

"Residents who say they suffer from acute sensitivity to radio-frequency waves can say no to Duke's smart meters — as long as they have a notarized doctor's note to attest to their rare condition. The N.C. Utilities Commission, which sets utility rates and rules, created the new standard on Friday, possibly making North Carolina the first state to limit the smart meter technology revolution by means of a medical opinion... Duke Energy's two North Carolina utility subsidiaries are in the midst of switching its 3.4 million North Carolina customers to smart meters..."

While it currently is free to opt out and get an analog meter instead, that could change:

"... Duke had proposed charging customers extra if they refused a smart meter. Duke wanted to charge an initial fee of $150 plus $11.75 a month to cover the expense of sending someone out to that customer's house to take a monthly meter reading. But the Utilities Commission opted to give the benefit of the doubt to customers with smart meter health issues until the Federal Communications Commission determines the health risks of the devices."

The Smart Grid Awareness blog contains more information about activities in North Carolina. There are privacy concerns with smart meters. Smart meters can be used to profile consumers with a high degree of accuracy and detail. From interval usage data alone, one can easily deduce the number of persons living in the dwelling, when they are home and for how long, which electric appliances are used while they are home, the presence of security and alarm systems, and any special conditions (e.g., in-home medical equipment, baby appliances, etc.).
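To make the profiling concern concrete, here is an added example that is not code from the blog post or from any utility: it builds one day of constructed 15-minute readings, infers the occupancy windows from them with a simple threshold rule, and then shows that a daily total (the kind of coarse figure a utility actually needs for billing) no longer reveals when anyone was home. The baseline of 0.05 kWh per interval and the 0.30 kWh "someone is home" load are assumed values for illustration.

```python
"""Added example (not from the blog post): why 15-minute smart meter
intervals reveal occupancy, and why coarser aggregation limits that
inference. All readings are constructed sample data, not real meter data."""
from typing import List, Tuple

INTERVALS_PER_DAY = 96  # 24 hours of 15-minute intervals

# Assumed load model: standby load (fridge, routers) versus "someone home".
BASELINE_KWH = 0.05
OCCUPIED_EXTRA_KWH = 0.30


def constructed_day(occupied_hours: List[Tuple[int, int]]) -> List[float]:
    """Build one day of 15-minute kWh readings for the given occupied
    [start, end) hour ranges, e.g. [(6, 8), (18, 23)]."""
    readings = []
    for slot in range(INTERVALS_PER_DAY):
        hour = slot / 4
        home = any(start <= hour < end for start, end in occupied_hours)
        readings.append(BASELINE_KWH + (OCCUPIED_EXTRA_KWH if home else 0.0))
    return readings


def slot_to_clock(slot: int) -> str:
    """Interval index -> HH:MM (slot 96 is the end-of-day sentinel, 24:00)."""
    return f"{slot // 4:02d}:{(slot % 4) * 15:02d}"


def occupancy_windows(readings: List[float],
                      baseline_kwh: float = BASELINE_KWH) -> List[Tuple[str, str]]:
    """Infer when someone was home: contiguous runs of intervals whose usage
    exceeds twice the baseline. This is the privacy-relevant inference that
    interval data makes trivial."""
    windows = []
    start = None
    # A trailing 0.0 sentinel closes a run that lasts until midnight.
    for slot, kwh in enumerate(readings + [0.0]):
        home = kwh > 2 * baseline_kwh
        if home and start is None:
            start = slot
        elif not home and start is not None:
            windows.append((slot_to_clock(start), slot_to_clock(slot)))
            start = None
    return windows


def daily_total(readings: List[float]) -> float:
    """Coarsened view: one number per day, as a monthly/daily bill needs.
    Two households with the same total but different schedules are
    indistinguishable here."""
    return round(sum(readings), 2)


if __name__ == "__main__":
    morning_and_evening = constructed_day([(6, 8), (18, 23)])
    shifted_schedule = constructed_day([(7, 9), (17, 22)])
    print("inferred from 15-min data:", occupancy_windows(morning_and_evening))
    print("inferred from 15-min data:", occupancy_windows(shifted_schedule))
    print("daily totals:", daily_total(morning_and_evening), daily_total(shifted_schedule))
```

The two constructed households keep different hours, and the interval data gives each schedule away to the quarter hour, while their daily totals are identical. That is the data-minimization argument behind the EPIC letter quoted below: the granularity a utility stores and shares, not just who may ask for it, determines how much of a resident's life the meter exposes.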

Other states are considering similar measures. The Kentucky Public Service Commission (PSC) will hold a public meeting on July 9th and accept public comments about planned smart meter deployments by Kentucky Utilities Co. (KU) and Louisville Gas & Electric Company (LG&E). Smart meters are being deployed in New Jersey.

When Maryland lawmakers considered legislation to provide law enforcement with access to consumers' smart meters, the Electronic Privacy Information Center (EPIC) responded with a January 16, 2018 letter outlining the privacy concerns:

"HB 56 is a sensible and effective response to an emerging privacy issue facing Maryland residents. Smart meters collect detailed personal data about the use of utility services. With a smart meter, it is possible to determine when a person is in a residence, and what they are doing. Moreover the routine collection of this data, without adequate privacy safeguards, would enable ongoing surveillance of Maryland residents without regard to any criminal suspicion."

"HB 56 does not prevent law enforcement use of data generated by smart meters; it simply requires that law enforcement follow clear procedures, subject to judicial oversight, to access the data generated by smart meters. HB 56 is an example of a model privacy law that enables innovation while safeguarding personal privacy."

That's a worthy goal of government: balance the competing needs of the business sector to innovate while protecting consumers' privacy. Is a medical opt-out sufficient? Should Fourth Amendment constitutional concerns apply? What are your opinions?


Lawmakers In California Cave To Industry Lobbying, And Backtrack With Weakened Net Neutrality Bill

After the U.S. Federal Communications Commission (FCC) acted last year to repeal net neutrality rules, those protections officially expired on June 11th. Meanwhile, legislators in California have acted to protect their state's residents. In January, State Senator Weiner introduced a proposed bill, which was passed by the California Senate three weeks ago.

Since then, some politicians have countered with a modified bill lacking strong protections. C/Net reported:

"The vote on Wednesday in a California Assembly committee hearing advanced a bill that implements some net neutrality protections, but it scaled back all the measures of the bill that had gone beyond the rules outlined in the Federal Communications Commission's 2015 regulation, which was officially taken off the books by the Trump Administration's commission last week. In a surprise move, the vote happened before the hearing officially started,..."

Weiner's original bill was considered the "gold standard" of net neutrality protections for consumers because:

"... it went beyond the FCC's 2015 net neutrality "bright line" rules by including provisions like a ban on zero-rating, a business practice that allows broadband providers like AT&T to exempt their own services from their monthly wireless data caps, while services from competitors are counted against those limits. The result is a market controlled by internet service providers like AT&T, who can shut out the competition by creating an economic disadvantage for those competitors through its wireless service plans."

State Senator Weiner summarized the modified legislation:

"It is, with the amendments, a fake net neutrality bill..."

A key supporter of the modified, weak bill was Assemblyman Miguel Santiago, a Democrat from Los Angeles. Motherboard reported:

"Spearheading the rushed dismantling of the promising law was Committee Chair Miguel Santiago, a routine recipient of AT&T campaign contributions. Santiago’s office failed to respond to numerous requests for comment from Motherboard and numerous other media outlets... Weiner told the San Francisco Chronicle that the AT&T fueled “evisceration” of his proposal was “decidedly unfair.” But that’s historically how AT&T, a company with an almost comical amount of control over state legislatures, tends to operate. The company has so much power in many states, it’s frequently allowed to quite literally write terrible state telecom law..."

Supporters of this weakened bill either forgot or ignored the results from a December 2017 study of 1,077 voters. Most consumers want net neutrality protections:

Do you favor or oppose the proposal to give ISPs the freedom to: a) provide websites the option to give their visitors the ability to download material at a higher speed, for a fee, while providing a slower speed for other websites; b) block access to certain websites; and c) charge their customers an extra fee to gain access to certain websites?
Group          Favor    Opposed   Refused/Don't Know
National       15.5%    82.9%     1.6%
Republicans    21.0%    75.4%     3.6%
Democrats      11.0%    88.5%     0.5%
Independents   14.0%    85.9%     0.1%

Why would politicians pursue weak net neutrality bills with few protections, while constituents want those protections? They are doing the bidding of the corporate internet service providers (ISPs) at the expense of their constituents. Profits before people. These politicians promote the freedom for ISPs to do as they please while restricting consumers' freedoms to use the bandwidth they've purchased however they please.

Broadcasting and Cable reported:

"These California democrats will go down in history as among the worst corporate shills that have ever held elected office," said Evan Greer of net neutrality activist group Fight for the Future. "Californians should rise up and demand that their Assembly members represent them. The actions of this committee are an attack not just on net neutrality, but on our democracy." According to Greer, the vote passed 8-0, with Democrats joining Republicans to amend the bill.

According to C/Net, more than 24 states are considering net neutrality legislation to protect their residents:

"... New York, Connecticut, and Maryland, are also considering legislation to reinstate net neutrality rules. Oregon and Washington state have already signed their own net neutrality legislation into law. Governors in several states, including New Jersey and Montana, have signed executive orders requiring ISPs that do business with the state adhere to net neutrality principles."

So, we have AT&T (plus politicians more interested in corporate donors than their constituents, the FCC, President Trump, and probably other telecommunications companies) to thank for this mess. What do you think?


Several States Updated Their Existing Breach Notification Laws, Or Introduced New Laws

Given the increased usage of data in digital formats, new access methods, and continual data breaches within corporations and governments, several state governments have updated their data breach notification laws, and/or passed new laws:

Alabama

Alabama was the last state without any breach notification law. Governor Kay Ivey signed in March the state's first data breach law: the Alabama Data Breach Notification Act of 2018 (SB 318), which became effective on June 1, 2018. Some of the key provisions: a) similar to other states, the law defines the format and types of data elements which must be protected, including health information; b) defines "covered entities" including state government agencies and "third-party agents" contracted to maintain, store, process and/or access protected data; c) requires notification of affected individuals within 45 days, and to the state Attorney General; and d) while penalties aren't mandatory, the law allows civil penalties up to $5,000 per day for, "each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions of this act."

Arizona

Earlier this year, Arizona Governor Doug Ducey signed legislation updating the state's breach notification laws. Some of the key modifications: a) expanded definitions of personal information to include medical or mental health treatment/diagnosis, passport numbers, taxpayer ID numbers, biometric data, and e-mail addresses in combination with online passwords and security questions; b) set the notification window for affected persons at 45 days; c) allows e-mail notification of affected persons; and d) if the breach affected more than 1,000 persons, then notification must be provided to the three national credit-reporting agencies and to the state Attorney General.

Colorado

Colorado Governor John Hickenlooper signed on May 29th several laws including HB-1128, which will go into effect on September 1, 2018. Some experts view HB-1128 as the strongest protections in the country. Some of the key modifications: a) expanded "covered entities" to include certain "third-party service providers" contracted to maintain, store, process and/or access protected data; b) expanded definitions of "personal information" to include biometric data, plus e-mail addresses in combination with online passwords and security questions; c) allows substitute notification methods (e.g., e-mail, post on website, statewide news media) if the cost of basic notification would exceed $250,000; d) allows e-mail notification of affected persons; e) sets the notification window at 30 days, if the breach affected more than 500 Colorado residents; and f) expanded requirements for companies to protect personal information.

Louisiana

Louisiana Governor John Edwards signed in May 2018 an amendment to the state's Database Security Breach Notification Law (Act 382) which will take effect August 1, 2018. Some of the key modifications: a) expanded definition of "personal information" to include a state identification card number, passport number, and "biometric data" (e.g., fingerprints, voice prints, eye retina or iris, or other unique biological characteristics used to access systems); b) removed vagueness and defined the notification window as within 60 days; c) allows substitute notification methods (e.g., e-mail, posts on the affected company's website, statewide news media); and d) tightened requirements that companies utilizing "computerized data" better protect the information they archive.

South Dakota

South Dakota was the next-to-last state without any breach notification law. Governor Dennis Daugaard signed into law in March the state's first breach notification law (SB 62). Like breach laws in other states, it provides definitions of what a breach is, personal information which must be protected, covered entities (e.g., companies, government agencies) subject to the law, notification requirements, and conditions when substitute notification methods (e.g., e-mail, posts on the affected entity's website, statewide news media) are allowed.

To Summarize

New Mexico enacted its new breach notification law (HB 15) in March, 2017. With the additions of Alabama and South Dakota, finally every state has a breach notification law. Sadly, it has taken 16 years. California was the first state to enact a breach notification law in 2002. It has taken that long for other states to catch up... not only catch up with California, but also catch up with technological changes driven by the internet.

California has led the way for a long time. It banned RFID skimming in 2008, co-hosted privacy workshops with the U.S. Federal Trade Commission in 2008, strengthened its existing breach law in 2011, and introduced in 2013 privacy guidelines for mobile app developers. Other states' legislatures can learn from this leadership.

Want to learn more? Detailed reviews of new and updated breach laws are available in the National Law Review website.


U.S. Senate Vote Approves Resolution To Reinstate Net Neutrality Rules. FCC Chairman Pai Repeats Claims While Ignoring Consumers

Yesterday, the United States Senate approved a bipartisan resolution to preserve net neutrality rules, the set of internet protections established in 2015 which require wireless and internet service providers (ISPs) to give customers access to all websites on equal terms. That meant no throttling, blocking, or slow-downs of selected sites, and no prioritizing of internet traffic into "fast" or "slow" lanes.

Earlier this month, the Federal Communications Commission (FCC) said that current net neutrality rules would expire on June 11, 2018. Politicians promised that tax cuts will create new jobs, and that repeal of net neutrality rules would encourage investments by ISPs. FCC Chairman Ajit Pai, appointed by President Trump, released a statement on May 10, 2018:

"Now, on June 11, these unnecessary and harmful Internet regulations will be repealed and the bipartisan, light-touch approach that served the online world well for nearly 20 years will be restored. The Federal Trade Commission will once again be empowered to target any unfair or deceptive business practices of Internet service providers and to protect American’s broadband privacy. Armed with our strengthened transparency rule, we look forward to working closely with the FTC to safeguard a free and open Internet. On June 11, we will have a framework in place that encourages innovation and investment in our nation’s networks so that all Americans, no matter where they live, can have access to better, cheaper, and faster Internet access and the jobs, opportunities, and platform for free expression that it provides. And we will embrace a modern, forward-looking approach that will help the United States lead the world in 5G..."

Chairman Pai's claims sound hollow, since reality says otherwise. Telecommunications companies have fired workers and reduced staff despite getting tax cuts, broadband privacy repeal, and net neutrality repeal. In December, more than 1,000 startups and investors signed an open letter to Pai opposing the elimination of net neutrality. Entrepreneurs and executives are concerned that the loss of net neutrality will harm or hinder start-up businesses.

CNet provided a good overview of events surrounding the Senate's resolution:

"Democrats are using the Congressional Review Act to try to halt the FCC's December repeal of net neutrality. The law gives Congress 60 legislative days to undo regulations imposed by a federal agency. What's needed to roll back the FCC action are simple majorities in both the House and Senate, as well as the president's signature. Senator Ed Markey (Democrat, Massachusetts), who's leading the fight in the Senate to preserve the rules, last week filed a so-called discharge petition, a key step in this legislative effort... Meanwhile, Republican lawmakers and broadband lobbyists argue the existing rules hurt investment and will stifle innovation. They say efforts by Democrats to stop the FCC's repeal of the rules do nothing to protect consumers. All 49 Democrats in the Senate support the effort to undo the FCC's vote. One Republican, Senator Susan Collins of Maine, also supports the measure. One more Republican is needed to cross party lines to pass it."

"No touch" is probably a more accurate description of the internet under Chairman Pai's leadership, given many historical problems and abuses of consumers by some ISPs. The loss of net neutrality protections will likely result in huge price increases for internet access for consumers, which will also hurt public libraries, the poor, and disabled users. The loss of net neutrality will allow ISPs the freedom to carve up, throttle, block, and slow down the internet traffic they choose, while consumers will lose the freedom to use as they choose the broadband service they've paid for. And, don't forget the startup concerns above.

After the Senate's vote, FCC Chairman Pai released this statement:

“The Internet was free and open before 2015, when the prior FCC buckled to political pressure from the White House and imposed utility-style regulation on the Internet. And it will continue to be free and open once the Restoring Internet Freedom Order takes effect on June 11... our light-touch approach will deliver better, faster, and cheaper Internet access and more broadband competition to the American people—something that millions of consumers desperately want and something that should be a top priority. The prior Administration’s regulatory overreach took us in the opposite direction, reducing investment in broadband networks and particularly harming small Internet service providers in rural and lower-income areas..."

The internet was free and open before 2015? Mr. Pai is guilty of revisionist history. The lack of ISP competition in key markets meant consumers in the United States pay more for broadband and get slower speeds compared to other countries. There were numerous complaints by consumers about usage-based Internet pricing. There were privacy abuses and settlement agreements by ISPs involving technologies such as deep-packet inspection and 'Supercookies' to track customers online, despite consumers' wishes not to be tracked. Many consumers didn't get the broadband speeds ISPs promised. Some consumers sued their ISPs, and the New York State Attorney General had residents check their broadband speed with this tool.

Tim Berners-Lee, the founder of the internet, cited three reasons why the Internet is in trouble. His number one reason: consumers had lost control of their personal information. The loss of privacy meant consumers lost control over their personal information.

There's more. Some consumers found that their ISP hijacked their online search results without notice nor consent. An ISP in Kansas admitted in 2008 to secret snooping after pressure from Congress. Given this, something had to be done. The FCC stepped up to the plate and acted when it was legally able to; and reclassified broadband after open hearings. Proposed rules were circulated prior to adoption. It was done in the open.

Yet, Chairman Pai would have us now believe the internet was free and open before 2015, and that regulation was unnecessary. I say BS.

FCC Commissioner Jessica Rosenworcel released a statement yesterday:

"Today the United States Senate took a big step to fix the serious mess the FCC made when it rolled back net neutrality late last year. The FCC's net neutrality repeal gave broadband providers extraordinary new powers to block websites, throttle services and play favorites when it comes to online content. This put the FCC on the wrong side of history, the wrong side of the law, and the wrong side of the American people. Today’s vote is a sign that the fight for internet freedom is far from over. I’ll keep raising a ruckus to support net neutrality and I hope others will too."

A mess, indeed, created by Chairman Pai. A December 2017 study of 1,077 voters found that most want net neutrality protections:

Do you favor or oppose the proposal to give ISPs the freedom to: a) provide websites the option to give their visitors the ability to download material at a higher speed, for a fee, while providing a slower speed for other websites; b) block access to certain websites; and c) charge their customers an extra fee to gain access to certain websites?
Group          Favor    Opposed   Refused/Don't Know
National       15.5%    82.9%     1.6%
Republicans    21.0%    75.4%     3.6%
Democrats      11.0%    88.5%     0.5%
Independents   14.0%    85.9%     0.1%

Why did the FCC, President Trump, and most GOP politicians pursue the elimination of net neutrality protections despite consumers' wishes otherwise? For the same reasons they repealed broadband privacy protections despite most consumers wanting broadband privacy. (Remember, President Trump signed the privacy-rollback legislation in April 2017.) They are doing the bidding of the corporate ISPs at the expense of consumers. Profits before people. Whenever Mr. Pai mentions a "free and open internet," he's referring to corporate ISPs and not consumers. What do you think?


Oakland Law Mandates 'Technology Impact Reports' By Local Government Agencies Before Purchasing Surveillance Equipment

Popular tools used by law enforcement include stingrays (fake cellular phone towers) and automated license plate readers (ALPRs) to track the movements of persons. Historically, these technologies have often been deployed without notice to track both the bad guys (e.g., criminals and suspects) and innocent citizens.

To better balance the privacy needs of citizens versus the surveillance needs of law enforcement, some areas are implementing new laws. The East Bay Times reported about a new law in Oakland:

"... introduced at Tuesday’s city council meeting, creates a public approval process for surveillance technologies used by the city. The rules also lay a groundwork for the City Council to decide whether the benefits of using the technology outweigh the cost to people’s privacy. Berkeley and Davis have passed similar ordinances this year.

However, Oakland’s ordinance is unlike any other in the nation in that it requires any city department that wants to purchase or use the surveillance technology to submit a "technology impact report" to the city’s Privacy Advisory Commission, creating a “standardized public format” for technologies to be evaluated and approved... city departments must also submit a “surveillance use policy” to the Privacy Advisory Commission for consideration. The approved policy must be adopted by the City Council before the equipment is to be used..."

Reportedly, the city council will review the ordinance a second time before final passage.

The Northern California chapter of the American Civil Liberties Union (ACLU) discussed the problem, the need for transparency, and legislative actions:

"Public safety in the digital era must include transparency and accountability... the ACLU of California and a diverse coalition of civil rights and civil liberties groups support SB 1186, a bill that helps restore power at the local level and makes sure local voices are heard... the use of surveillance technology harms all Californians and disparately harms people of color, immigrants, and political activists... The Oakland Police Department concentrated their use of license plate readers in low income and minority neighborhoods... Across the state, residents are fighting to take back ownership of their neighborhoods... Earlier this year, Alameda, Culver City, and San Pablo rejected license plate reader proposals after hearing about the Immigration & Customs Enforcement (ICE) data [sharing] deal. Communities are enacting ordinances that require transparency, oversight, and accountability for all surveillance technologies. In 2016, Santa Clara County, California passed a groundbreaking ordinance that has been used to scrutinize multiple surveillance technologies in the past year... SB 1186 helps enhance public safety by safeguarding local power and ensuring transparency, accountability... SB 1186 covers the broad array of surveillance technologies used by police, including drones, social media surveillance software, and automated license plate readers. The bill also anticipates – and covers – AI-powered predictive policing systems on the rise today... Without oversight, the sensitive information collected by local governments about our private lives feeds databases that are ripe for abuse by the federal government. This is not a hypothetical threat – earlier this year, ICE announced it had obtained access to a nationwide database of location information collected using license plate readers – potentially sweeping in the 100+ California communities that use this technology.
Many residents may not be aware their localities also share their information with fusion centers, federal-state intelligence warehouses that collect and disseminate surveillance data from all levels of government.

Statewide legislation can build on the nationwide Community Control Over Police Surveillance (CCOPS) movement, a reform effort spearheaded by 17 organizations, including the ACLU, that puts local residents and elected officials in charge of decisions about surveillance technology. If passed in its current form, SB 1186 would help protect Californians from intrusive, discriminatory, and unaccountable deployment of law enforcement surveillance technology."

Is there similar legislation in your state?


The 'CLOUD Act' - What It Is And What You Need To Know

Chances are, you probably have not heard of the "CLOUD Act." I hadn't heard about it until recently. A draft of the legislation is available on the website for U.S. Senator Orrin Hatch (Republican - Utah).

Many people who already use cloud services to store and back up data might assume: if it has to do with the cloud, then it must be good. Such an assumption would be foolish. The full name of the bill: "Clarifying Overseas Use Of Data." What problem does this bill solve? Senator Hatch stated last month why he thinks this bill is needed:

"... the Supreme Court will hear arguments in a case... United States v. Microsoft Corp., colloquially known as the Microsoft Ireland case... The case began back in 2013, when the US Department of Justice asked Microsoft to turn over emails stored in a data center in Ireland. Microsoft refused on the ground that US warrants traditionally have stopped at the water’s edge. Over the last few years, the legal battle has worked its way through the court system up to the Supreme Court... The issues the Microsoft Ireland case raises are complex and have created significant difficulties for both law enforcement and technology companies... law enforcement officials increasingly need access to data stored in other countries for investigations, yet no clear enforcement framework exists for them to obtain overseas data. Meanwhile, technology companies, who have an obligation to keep their customers’ information private, are increasingly caught between conflicting laws that prohibit disclosure to foreign law enforcement. Equally important, the ability of one nation to access data stored in another country implicates national sovereignty... The CLOUD Act bridges the divide that sometimes exists between law enforcement and the tech sector by giving law enforcement the tools it needs to access data throughout the world while at the same time creating a commonsense framework to encourage international cooperation to resolve conflicts of law. To help law enforcement, the bill creates incentives for bilateral agreements—like the pending agreement between the US and the UK—to enable investigators to seek data stored in other countries..."

Senators Coons, Graham, and Whitehouse support the CLOUD Act, along with House Representatives Collins, Jeffries, and others. The American Civil Liberties Union (ACLU) opposes the bill and warned:

"Despite its fluffy sounding name, the recently introduced CLOUD Act is far from harmless. It threatens activists abroad, individuals here in the U.S., and would empower Attorney General Sessions in new disturbing ways... the CLOUD Act represents a dramatic change in our law, and its effects will be felt across the globe... The bill starts by giving the executive branch dramatically more power than it has today. It would allow Attorney General Sessions to enter into agreements with foreign governments that bypass current law, without any approval from Congress. Under these agreements, foreign governments would be able to get emails and other electronic information without any additional scrutiny by a U.S. judge or official. And, while the attorney general would need to consider a country’s human rights record, he is not prohibited from entering into an agreement with a country that has committed human rights abuses... the bill would for the first time allow these foreign governments to wiretap in the U.S. — even in cases where they do not meet Wiretap Act standards. Paradoxically, that would give foreign governments the power to engage in surveillance — which could sweep in the information of Americans communicating with foreigners — that the U.S. itself would not be able to engage in. The bill also provides broad discretion to funnel this information back to the U.S., circumventing the Fourth Amendment. This information could potentially be used by the U.S. to engage in a variety of law enforcement actions."

Given that warning, I read the draft legislation. One portion immediately struck me:

"A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

While I am not an attorney, this bill definitely sounds like an end-run around the Fourth Amendment. The review process is largely governed by the House of Representatives, a body not known for internet knowledge or savvy. The bill also smells like an attack on internet services consumers regularly use for privacy, such as search engines that don't collect or archive search data and Virtual Private Networks (VPNs).

Today, for online privacy many consumers in the United States use VPN software and services provided by vendors located offshore. Why? Despite a national poll in 2017 which found the Republican rollback of FCC broadband privacy rules very unpopular among consumers, the Republican-led Congress proceeded with that rollback, and President Trump signed the privacy-rollback legislation on April 3, 2017. Hopefully, skilled and experienced privacy attorneys will continue to review and monitor the draft legislation.

The ACLU emphasized in its warning:

"Today, the information of global activists — such as those that fight for LGBTQ rights, defend religious freedom, or advocate for gender equality are protected from being disclosed by U.S. companies to governments who may seek to do them harm. The CLOUD Act eliminates many of these protections and replaces them with vague assurances, weak standards, and largely unenforceable restrictions... The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people."

I agree. It seems like this bill creates far more problems than it solves. Plus, something this important should be openly and thoroughly discussed, not buried in a spending bill. What do you think?


Banking Legislation Advances In U.S. Senate

The Economic Growth, Regulatory Relief, and Consumer Protection Act (Senate Bill 2155) was approved Wednesday by the United States Senate. The vote was 67 for, 31 against, and 2 not voting. The voting roll call by name:

Alexander (R-TN), Yea
Baldwin (D-WI), Nay
Barrasso (R-WY), Yea
Bennet (D-CO), Yea
Blumenthal (D-CT), Nay
Blunt (R-MO), Yea
Booker (D-NJ), Nay
Boozman (R-AR), Yea
Brown (D-OH), Nay
Burr (R-NC), Yea
Cantwell (D-WA), Nay
Capito (R-WV), Yea
Cardin (D-MD), Nay
Carper (D-DE), Yea
Casey (D-PA), Nay
Cassidy (R-LA), Yea
Cochran (R-MS), Yea
Collins (R-ME), Yea
Coons (D-DE), Yea
Corker (R-TN), Yea
Cornyn (R-TX), Yea
Cortez Masto (D-NV), Nay
Cotton (R-AR), Yea
Crapo (R-ID), Yea
Cruz (R-TX), Yea
Daines (R-MT), Yea
Donnelly (D-IN), Yea
Duckworth (D-IL), Nay
Durbin (D-IL), Nay
Enzi (R-WY), Yea
Ernst (R-IA), Yea
Feinstein (D-CA), Nay
Fischer (R-NE), Yea
Flake (R-AZ), Yea
Gardner (R-CO), Yea
Gillibrand (D-NY), Nay
Graham (R-SC), Yea
Grassley (R-IA), Yea
Harris (D-CA), Nay
Hassan (D-NH), Yea
Hatch (R-UT), Yea
Heinrich (D-NM), Not Voting
Heitkamp (D-ND), Yea
Heller (R-NV), Yea
Hirono (D-HI), Nay
Hoeven (R-ND), Yea
Inhofe (R-OK), Yea
Isakson (R-GA), Yea
Johnson (R-WI), Yea
Jones (D-AL), Yea
Kaine (D-VA), Yea
Kennedy (R-LA), Yea
King (I-ME), Yea
Klobuchar (D-MN), Nay
Lankford (R-OK), Yea
Leahy (D-VT), Nay
Lee (R-UT), Yea
Manchin (D-WV), Yea
Markey (D-MA), Nay
McCain (R-AZ), Not Voting
McCaskill (D-MO), Yea
McConnell (R-KY), Yea
Menendez (D-NJ), Nay
Merkley (D-OR), Nay
Moran (R-KS), Yea
Murkowski (R-AK), Yea
Murphy (D-CT), Nay
Murray (D-WA), Nay
Nelson (D-FL), Yea
Paul (R-KY), Yea
Perdue (R-GA), Yea
Peters (D-MI), Yea
Portman (R-OH), Yea
Reed (D-RI), Nay
Risch (R-ID), Yea
Roberts (R-KS), Yea
Rounds (R-SD), Yea
Rubio (R-FL), Yea
Sanders (I-VT), Nay
Sasse (R-NE), Yea
Schatz (D-HI), Nay
Schumer (D-NY), Nay
Scott (R-SC), Yea
Shaheen (D-NH), Yea
Shelby (R-AL), Yea
Smith (D-MN), Nay
Stabenow (D-MI), Yea
Sullivan (R-AK), Yea
Tester (D-MT), Yea
Thune (R-SD), Yea
Tillis (R-NC), Yea
Toomey (R-PA), Yea
Udall (D-NM), Nay
Van Hollen (D-MD), Nay
Warner (D-VA), Yea
Warren (D-MA), Nay
Whitehouse (D-RI), Nay
Wicker (R-MS), Yea
Wyden (D-OR), Nay
Young (R-IN), Yea

The bill now proceeds to the House of Representatives. If it passes the House, then it would be sent to the President for a signature.


Legislation Moving Through Congress To Loosen Regulations On Banks

Legislation is moving through Congress which will loosen regulations on banks. Is this an improvement? Is it risky? Is it a good deal for consumers? Before answering those questions, a summary of the Economic Growth, Regulatory Relief, and Consumer Protection Act (Senate Bill 2155):

"This bill amends the Truth in Lending Act to allow institutions with less than $10 billion in assets to waive ability-to-repay requirements for certain residential-mortgage loans... The bill amends the Bank Holding Company Act of 1956 to exempt banks with assets valued at less than $10 billion from the "Volcker Rule," which prohibits banking agencies from engaging in proprietary trading or entering into certain relationships with hedge funds and private-equity funds... The bill amends the United States Housing Act of 1937 to reduce inspection requirements and environmental-review requirements for certain smaller, rural public-housing agencies.

Provisions relating to enhanced prudential regulation for financial institutions are modified, including those related to stress testing, leverage requirements, and the use of municipal bonds for purposes of meeting liquidity requirements. The bill requires credit reporting agencies to provide credit-freeze alerts and includes consumer-credit provisions related to senior citizens, minors, and veterans."

Well, that definitely sounds like relief for banks. Fewer regulations means it's easier to do business... and make more money. Next questions: is it good for consumers? Is it risky? Keep reading.

The non-partisan Congressional Budget Office (CBO) analyzed the proposed legislation in the Senate, and concluded (bold emphasis added):

"S. 2155 would modify provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd Frank Act) and other laws governing regulation of the financial industry. The bill would change the regulatory framework for small depository institutions with assets under $10 billion (community banks) and for large banks with assets over $50 billion. The bill also would make changes to consumer mortgage and credit-reporting regulations and to the authorities of the agencies that regulate the financial industry. CBO estimates that enacting the bill would increase federal deficits by $671 million over the 2018-2027 period... CBO’s estimate of the bill’s budgetary effect is subject to considerable uncertainty, in part because it depends on the probability in any year that a systemically important financial institution (SIFI) will fail or that there will be a financial crisis. CBO estimates that the probability is small under current law and would be slightly greater under the legislation..."

So, the proposed legislation means there is a greater risk of banks either failing or needing government assistance (e.g., bailout funds). Are there risks to consumers? To taxpayers? CNN interviewed U.S. Senator Elizabeth Warren (D-Mass.), who said:

"Frankly, I just don't see how any senator can vote to weaken the regulations on Wall Street banks... [weakened regulations] puts us at greater risk that there will be another taxpayer bailout, that there will be another crash and another taxpayer bailout..."

So, there are risks for consumers/taxpayers. How? Why? Let's count the ways.

First, the proposed legislation increases federal deficits. Somebody has to pay for that: with either higher taxes, fewer services, more debt, or a combination of all three. That doesn't sound good. Does it sound good to you?

Second, looser regulations mean some banks may lend money to more people they shouldn't, i.e., borrowers who default on their loans. To compensate, those banks would raise prices (e.g., more fees, higher fees, higher interest rates) for borrowers to cover their losses. If those banks can't cover their losses, then they will fail. If enough banks fail at about the same time, then bingo... another financial crisis.

If key banks fail, then the government will bail out (again) banks to keep the financial system running. (Remember too-big-to-fail banks?) Somebody has to pay for bailouts... with either higher taxes, fewer services, more debt, or a combination of all three. Does that sound good to you? It doesn't sound good to me. If it doesn't sound good, I encourage you to contact your elected officials.

It's critical to remember banking history in the United States. Nobody wants a repeat of the 2008 meltdown. There are always consequences when government... Congress decides to help bankers by loosening regulations. What do you think?


New Data Breach Legislation Proposed In North Carolina

After a surge in data breaches in North Carolina during 2017, state legislators have proposed stronger data breach laws. The National Law Review explained what prompted the legislative action:

"On January 8, 2018, the State of North Carolina released its Security Breach Report 2017, which highlights a 15 percent increase in breaches since 2016... Health care, financial services and insurance businesses accounted for 38 percent, with general businesses making up for just more than half of these data breaches. Almost 75 percent of all breaches resulted from phishing, hacking and unauthorized access, reflecting an overall increase of more than 3,500 percent in reported hacking incidents alone since 2006. Since 2015, phishing incidents increased over 2,300 percent. These numbers emphasize the warning to beware of emails or texts requesting personal information..."

So, fraudsters have tricked many North Carolina residents and employees into opening fraudulent e-mail and text messages and then responding by disclosing sensitive personal information. Not good.

Details about the proposed legislation:

"... named the Act to Strengthen Identity Theft Practices (ASITP), announced by Representative Jason Saine and Attorney General Josh Stein, attempts to combat the data breach epidemic by expanding North Carolina’s breach notification obligations, while reducing the time businesses have to comply with notification to the affected population and to the North Carolina Attorney General’s Office. If enacted, this new legislation will be one of the most aggressive U.S. breach notification statutes... The Fact Sheet concerning the ASITP as published by the North Carolina Attorney General proposes that the AG take a more direct role in the investigation of data breaches closer to their time of discovery... To accomplish this goal, the ASITP proposes a significantly shorter period of time for an entity to provide notification to the affected population and to the North Carolina Attorney General. Currently, North Carolina’s statute mandates that notification be made to affected individuals and the Attorney General without “unreasonable delay.” Under the ASITP, the new deadline for all notifications would be 15 days following discovery of the data security incident. In addition to being the shortest deadline in the nation, it is important to note that notification vendors typically require 5 business days to process, print and mail notification letters... The proposed legislation also seeks to (1) expand the definition of “protected information” to include medical information and insurance account numbers, and (2) penalize those who fail to maintain reasonable security procedures by charging them with a violation under the Unfair and Deceptive Trade Practices Act for each person whose information is breached..."

Good. The National Law Review article also compared the breach notification deadlines across all 50 states and territories. It is worth a look to see how your state compares. A comparison of selected states:

Time after discovery of breach, and selected states/territories:

10 calendar days: Puerto Rico (Dept. of Consumer Affairs)
15 calendar days: North Carolina (proposed)
15 business days: California (protected health information)
30 calendar days: Florida
45 calendar days: Ohio, Maryland
90 calendar days: Connecticut
Most expedient time and without unreasonable delay: California (other), Massachusetts, New York, North Carolina, Pennsylvania, Puerto Rico (other)
As soon as possible: Texas
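To turn the comparison above into something an incident response plan can actually use, here is an added example (not code from the article or the National Law Review) that computes each jurisdiction's notification deadline from the discovery date and, using the five-business-day vendor lead time the article mentions, the latest date the letter file must reach the mailing vendor. The day counts come from the table above; treating a business day as Monday to Friday with no holidays, and the jurisdiction labels, are assumptions.

```python
"""Breach notification deadline calculator (added example).

Assumption: a "business day" is Monday to Friday; public holidays are
ignored, so real plans should subtract them as well.
"""
from datetime import date, timedelta

# Deadline rules taken from the article's comparison table.
# (day count, unit); open-ended standards carry None as the day count.
DEADLINES = {
    "Puerto Rico (Dept. of Consumer Affairs)": (10, "calendar"),
    "North Carolina (proposed)": (15, "calendar"),
    "California (PHI)": (15, "business"),
    "Florida": (30, "calendar"),
    "Ohio": (45, "calendar"),
    "Maryland": (45, "calendar"),
    "Connecticut": (90, "calendar"),
    "Texas": (None, "as soon as possible"),
}

# Lead time the article says notification vendors typically need to
# process, print and mail letters.
VENDOR_BUSINESS_DAYS = 5


def add_business_days(start: date, n: int) -> date:
    """Move n business days forward (n > 0) or backward (n < 0)."""
    step = timedelta(days=1 if n >= 0 else -1)
    remaining = abs(n)
    current = start
    while remaining:
        current += step
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def notification_deadline(discovered: date, jurisdiction: str):
    """Latest date notice must go out, or None for open-ended standards."""
    days, unit = DEADLINES[jurisdiction]
    if days is None:
        return None
    if unit == "calendar":
        return discovered + timedelta(days=days)
    return add_business_days(discovered, days)


def vendor_handoff_date(discovered: date, jurisdiction: str):
    """Latest date the letter file must reach the mailing vendor."""
    deadline = notification_deadline(discovered, jurisdiction)
    if deadline is None:
        return None
    return add_business_days(deadline, -VENDOR_BUSINESS_DAYS)


def incident_plan(discovered: date, jurisdictions):
    """Rows of (jurisdiction, deadline, vendor hand-off), earliest
    hand-off first, so the tightest jurisdiction drives the timeline."""
    rows = [(j, notification_deadline(discovered, j),
             vendor_handoff_date(discovered, j)) for j in jurisdictions]
    return sorted(rows, key=lambda r: r[2] or date.max)


if __name__ == "__main__":
    # Constructed scenario: breach discovered on Monday, 8 January 2018.
    found = date(2018, 1, 8)
    for name, deadline, handoff in incident_plan(found, DEADLINES):
        print(f"{name:40} deadline={deadline}  vendor hand-off={handoff}")
```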

To learn more, download the North Carolina Security Breach Report 2017 (Adobe PDF), and the ASITP Fact Sheet (Adobe PDF).


U.S. Senate Moves Closer To Vote On Net Neutrality

Yesterday, The Hill reported:

"A Senate bill that would reverse the Federal Communications Commission’s (FCC) decision to repeal net neutrality received its 30th co-sponsor on Monday, ensuring it will receive a vote on the Senate floor. Senator Claire McCaskill (D-Mo.) announced her support for the bill on Twitter, putting it over the top of a procedural requirement to bypass committee approval.

The bill, which is being pushed by Senator Ed Markey (D-Mass.), would use Congress’s authority under the Congressional Review Act (CRA) to reverse the FCC’s rollback of its popular net neutrality rules... Under the CRA, if a joint resolution of disapproval bill has enough support it can bypass committee review and be fast-tracked to a floor vote... Lawmakers have 60 legislative days after the FCC submits its regulations to Congress to pass the CRA. The repeal order is currently awaiting approval from the Office of Management and Budget.

With Republicans in control of both the House and Senate, the bill faces long odds to win the simple majorities it needs to reach the president’s desk."


More Year-End Considerations Given The Coming Likely Republican Tax Plan

A prior post discussed the questionable benefits and year-end considerations for middle-class taxpayers of the likely Republican tax reform plan making its way through Congress. The likely tax plan includes lower tax rates paired with many deductions eliminated.

The professional who prepares my taxes provided another warning:

"Dear clients:
It looks like almost a sure thing that, if you itemize deductions, beginning in 2018, you will no longer be able to take a deduction for the Excise Tax on your car or the income taxes that you pay to Massachusetts and other states. You will PROBABLY still be able to deduct your real estate property taxes up to $10,000 a year. If you currently pay the Alternative Minimum Tax (line 45 of your Form 1040), check with me before you follow these recommendations.

All others who itemize, I recommend that you consider the following actions this month (December):

  1. If your total property taxes (including those for a second home) are more than $10,000, pay your city or town as much as you possibly can in December.
  2. Be sure to pay... maybe even over-pay... as much of your State Income Tax as possible by December 31st. If you make estimated payments, your 4th quarter Massachusetts payment is due by January 15th. YOU SHOULD DEFINITELY PAY IT IN DECEMBER INSTEAD.
  3. Even if you don't usually make Estimate Payments to Massachusetts, you should consider making one in December... For example, if you made a payment of $1,000, you might save $150 or $250 or more on your 2017 federal tax return. You will save NOTHING on any state income taxes that you pay in 2018.

I will reach out again if and when the tax bill is finalized and signed into law if there are any other changes that might affect your plans in December."

Obviously, you should consult the professional who prepares your income taxes, since your situation and state may dictate different actions. And, I am not an income tax professional. New legislation always has consequences, and it seems wise to be aware. Hence, this informational blog post.

Some additional thoughts. Capping the real estate property tax deduction at $10,000 might help pay for the increased deficits the Republican tax plan would generate, but it will also hurt persons living in high-cost areas (e.g., cities, states with high state taxes, areas with high real estate prices). Plus, the tax cuts are temporary for individuals but permanent for corporations. Slick, eh? Is it fair? Seems not.

My college friends and I are discussing via e-mail the considerations listed above and in my prior blog post. The proposed elimination of deductions for state and local taxes (SALT) is a hot topic. You can find online articles discussing the advantages and disadvantages of eliminating SALT deductions. Regardless, more to discuss with your accountant and/or income tax professional.


The Consequences From Unchecked Development Without Zoning Laws

While there has been plenty of news about Hurricane Harvey and the flood in Houston, there hasn't been much news about an important, related issue which affects all taxpayers. This report by the QZ site highlights the consequences of unchecked development while ignoring environmental concerns:

"... Houstonians have been treating its wetlands as stinky, mosquito-infested blots in need of drainage. Even after it became a widely accepted scientific fact that wetlands can soak up large amounts of flood water, the city continued to pave over them. The watershed of the White Oak Bayou river, which includes much of northwest Houston, is a case in point. From 1992 to 2010, this area lost more than 70% of its wetlands, according to research (pdf) by Texas A&M University."

Unchecked development affects all taxpayers when federal bailout money is spent to repair the damage in areas subject to repeated, frequent floods:

"... the flooding caused by Hurricane Harvey has raised water levels in some parts of the watershed high enough to completely cover a Cadillac. The vanished wetlands wouldn’t have prevented flooding, but they would have made it less painful, experts say. The Harvey-wrought devastation is just the latest example of the consequences of Houston’s gung-ho approach to development. The city, the largest in the US with no zoning laws, is a case study in limiting government regulations and favoring growth—often at the expense of the environment. As water swamps many of its neighborhoods, it’s now also a cautionary tale of sidelining science and plain common sense..."

The consequences from lax laws favoring unchecked development:

"Wetland loss... The construction of flood-prone buildings in flood plains is another one: The elderly residents of La Vita Bella, a nursing home in Dickinson, east of Houston, were up to their waists in water before they got rescued. The home is within the Federal Emergency Management Agency’s (FEMA) designated flood zone... too few people have flood insurance. Although federal rules require certain homeowners to carry it, those rules are based on outdated flood data. Only a little over a quarter of the homes in “high risk” areas in Harris County, where Houston sits, have flood insurance."

So, not everyone who should be is paying their fair share (via flood insurance). And, it seems that things will get worse. All of the above was:

"... before [President] Trump came into office and started removing layers of regulation. Just 10 days before Harvey struck, the president signed an executive order that rescinded federal flood protection standards put in place by his predecessor, Barack Obama. FEMA and the US Housing and Urban Development Department, the two federal agencies that will handle most of the huge pile of cash expected for the rebuilding of Houston, would have been forced to require any rebuilding to conform to new, safer codes. Now, they won’t."

Lax laws allowing the repair and construction of new buildings in high-risk areas subject to repeated flooding sound foolish. It's basically throwing taxpayers' hard-earned money out the window. Do you want to pay for this? I don't. A few local developers may get rich, but at the expense of taxpayers nationwide.

There are always consequences -- intended and unintended. Be sure to demand that your elected officials consider and understand them.