Now that California’s Broadband Privacy Bill, A.B. 375, is headed for a final vote in the California legislature, Comcast, Verizon, and all their allies are pulling out all the stops to try to convince state legislators to vote against the bill. Unfortunately, that includes telling legislators about made-up problems the bill will supposedly create, as well as tweeting out blatantly false statements and taking out online ads that spread lies about what A.B. 375 will really do. To set the record straight, here are three lies big Internet providers and their allies are spreading—and the truth about how A.B. 375 will protect your privacy and security online.
Lie #1: A.B. 375 Will Prevent Internet Providers From Stopping Future Cyberattacks
In their opposition letter to legislators, big Internet providers and their allies claim that A.B. 375 “prevents Internet providers from using information they have long relied upon to prevent cybersecurity attacks.”
That’s a lie.
A.B. 375 explicitly says that Internet providers can use customers’ personal information (including things like IP addresses and traffic records) “to protect the rights or property of the BIAS provider, or to protect users of the BIAS and other BIAS providers from fraudulent, abusive, or unlawful use of the service.” In other words, A.B. 375 explicitly allows Internet providers to use the same information they’ve always used to detect intrusion attempts, stop cyber-attacks, and catch data breaches before they happen. And they can still work with other Internet providers to prevent attacks by sharing this vital security information, so long as they de-identify the data first by making sure it’s not linkable to an individual or device.
The truth: A.B. 375 will have no impact on what Internet providers can do to protect their customers’ security. If big Internet providers really think otherwise, we challenge them to publicly explain how—because so far all they’ve done is spread FUD.
Lie #2: A.B. 375 Will Lead to Pop-Ups(?!)
In their letter to legislators, big Internet providers also claim that A.B. 375 would “lead to recurring pop-ups to consumers.” We’ve seen the same claim about pop-ups in an online ad circulated by opponents of A.B. 375.
This claim is a lie too, and we have no idea how any rational person could read A.B. 375 and think “maybe that will mean more pop-ups.” The best we can come up with is that since A.B. 375 would require Internet providers to get your consent before sharing your data, maybe they think that if they constantly pester people with pop-ups, they’ll succeed in wearing people down until they give their consent. If that’s really what Comcast and Verizon are implying, then lawmakers should understand the claim for what it really is: a threat to hold consumers hostage in the fight for online privacy. As with Lie #1, if big Internet providers have a better explanation, we challenge them to provide it publicly.
As an aside, it’s worth noting that, if anything, A.B. 375 will likely result in fewer pop-ups, not to mention fewer intrusive ads during your everyday browser experience. That’s because A.B. 375 will prevent Internet providers from using your data to sell ads they target to you without your consent—which means they’ll be less likely to insert ads into your web browsing, as some Internet providers have done in the past.
Lie #3: A.B. 375 Will Expose You to Hackers
Not only are opponents of A.B. 375 so desperate that they’re making stuff up (see Lie #2 above), they’re also trying to scare lawmakers into thinking that A.B. 375 will do the opposite of what it really does. In particular, they’re claiming that it will expose consumers to hackers. Of course, big Internet providers and their allies won’t explain how this would happen—even when we’ve asked them politely for a direct explanation.
Let’s set the record straight.
Contrary to the FUD Comcast, AT&T, Verizon, and their allies are spreading, A.B. 375 will make it less likely that your information can be targeted by privacy thieves, and will make it harder for hackers to target you online.
In order for Internet providers to make money off your browsing history, they first have to collect that information—what sort of websites you’re browsing, metadata about whom you’re talking to, and maybe even what search terms you’re using. Internet providers will also need to store that information somewhere, in order to build up a targeted advertising profile of you…
[But] Internet providers haven’t exactly been bastions of security when it comes to keeping information about their customers safe. Back in 2015, Comcast had to pay $33 million for unintentionally releasing information about customers who had paid Comcast to keep their phone numbers unlisted. “These customers ranged from domestic violence victims to law enforcement personnel”, many of whom had paid for their numbers to be unlisted to protect their safety. But Comcast screwed up, and their phone numbers were published anyway.
And that was just a mistake on Comcast’s part, with a simple piece of data like phone numbers, [which wasn’t even triggered by an outside attack]. Imagine what could happen if hackers decided to [actively] target the treasure trove of personal information Internet providers start collecting. People’s personal browsing history and records of their location could easily become the target of foreign hackers who want to embarrass or blackmail politicians or celebrities. To make matters worse, FCC Chairman (and former Verizon lawyer) Ajit Pai recently halted the enforcement of a rule that would require Internet providers to “take reasonable measures to protect customer [personal information] from unauthorized use, disclosure, or access”—so Internet providers won’t be on the hook if their lax security exposes your data.
With A.B. 375, the scenario described above is much less likely, because Internet providers won’t have as much incentive to collect your data in the first place. The logic is simple: no treasure trove of data, no target for hackers; no target for hackers, nothing for them to expose.
But the benefits of A.B. 375 go beyond reducing the risk of identity theft to consumers. A.B. 375 will also help reduce consumers’ exposure to dangerous cyber-attacks. That’s because many of the ways big Internet providers want to monetize your data have a side-effect of reducing your security online, including:
- A standard called Explicit Trusted Proxies, proposed by Internet providers, which would allow your Internet provider to intercept your data, remove the encryption, read the data (and maybe even modify it), and then encrypt it again and send it on its way. The cybersecurity problem? According to a recent alert by US-CERT, an organization dedicated to computer security within the Department of Homeland Security, many of the systems designed to decrypt and then re-encrypt data actually end up weakening the security of the encryption, which exposes users to increased risk of cyber-attack. In fact, a recent study found that more than half of the connections that were intercepted (i.e. decrypted and re-encrypted) ended up with weaker encryption.
- Inserting ads into your browsing. Here we’re talking about your Internet provider placing additional ads in the webpages you view (beyond the ones that were already placed there by the publisher). Why is this dangerous? Because inserting new code into a webpage in an automated fashion could break the security of the existing code in that page. As security expert Dan Kaminsky put it, inserting ads could break “all sorts of stuff, in that you no longer know as a website developer precisely what code is running in browsers out there. You didn't send it, but your customers received it.” In other words, security features in sites and apps you use could be broken and hackers could take advantage of that—causing you to do anything from sending your username and password to them (while thinking it was going to the genuine website) to installing malware on your computer.
- Pre-installing spyware on your mobile phone. In the past, Internet providers have installed spyware like Carrier IQ on phones, claiming it was only to “improve wireless network and service performance.” So where’s the cybersecurity risk? As we’ve explained before, part of the problem with Carrier IQ was that it could be configured to record sensitive information into your phone’s system logs. But some apps transmit those logs off of your phone as part of standard debugging procedures, assuming there’s nothing sensitive in them. As a result, “keystrokes, text message content and other very sensitive information [was] in fact being transmitted from some phones on which Carrier IQ is installed to third parties.” Depending on how that information was transmitted, eavesdroppers could also intercept it—meaning hackers might be able to see your username or password, without having to do any real hacking.
The common thread in all three of these cybersecurity risks is that the strongest reason an Internet provider would have for introducing them is to make money by collecting your data, selling it, and using it to target ads at you. A.B. 375 would remove that motivation. If A.B. 375 passes, Internet providers won’t have any reason to weaken your security in order to collect your data or insert ads into your web browsing.
Privacy and security are two sides of the same coin, and when you strengthen one you strengthen the other. That’s why we need to do everything we can to make sure A.B. 375 passes the California legislature. Please, if you live in California, call your state legislator today and tell them not to believe the lies Comcast, AT&T, Verizon, and their allies are spreading. Tell them to support A.B. 375.