
Monday, 12 February 2018

AUSTRALIA CARD MARK II: no national digital ID number will mean no access to any Australian federal government services

“When signing up to the platform for the first time, users will be asked to provide their name, email address, and phone number, and verify their details via email or SMS. They will then be asked to provide information from three identity documents, which goes through the exchange to the identity provider for verification. The exchange receives encrypted details back which it passes on to the government service the user wants to reach, which then grants the user access.”  [IT News, 20 March 2015]

IT News, 8 February 2018:

The Department of Human Services looks set to become the federal government's exclusive manager of digital identities after being selected to build the identity provider solution that will be used for the Govpass platform.

The Govpass framework is a decentralised identity model that allows individuals to choose their identity provider - an organisation that issues identity documents, like Australia Post or the ATO - and access a range of public and private sector services through a single digital identity credential.

There is no limit on the number of identity providers outside of the Commonwealth that can be accredited for Govpass; Australia Post has already indicated it will seek to become the first non-government identity provider, using its Digital iD platform.
Several state and territory government agencies and private sector entities are also expected to become identity providers over time.

However, the federal government last year made the decision that only one identity provider would operate for the entire Commonwealth.

The Digital Transformation Agency revealed the decision following meetings with existing Commonwealth identity service providers, DHS and the ATO. Its rationale for the move was to focus security efforts in one place and avoid complex administrative structures.

iTnews revealed in October that the DTA was yet to make up its mind up on which of the two agencies would serve as the federal government’s sole identity provider for GovPass, even as testing of the new platform was taking place with the ATO’s new online tax file number application service.

Instead the DTA said it was working closely with the ATO and DHS on the “next steps” for the platform.

But in response to questions on notice from recent estimates hearings, DHS revealed it had been instructed to develop the federal government’s single identity provider platform, to be known as myGov IdP.

“The department was commissioned by the DTA to build the identity provider (IdP) for the whole-of-government,” it said.

“The myGov IdP will enable citizens to verify their identity online and use it to apply for government services.”

iTnews has made several attempts to clarify the statements with the DTA and DHS, but both refused to comment on the build and DHS’ apparent position as the single government identity provider.

The ATO similarly redirected questions about its involvement with Govpass, including whether it had also been asked by the DTA to build an identity provider solution, to the DTA.

Selecting DHS as the sole government identity provider would be an obvious choice for the DTA - the agency is the government’s current defacto whole-of-gov identity provider through the myGov digital services platform.

A private beta release of myGov IdP is currently planned for later this month.

Identity providers on Govpass will use the DTA-built identity exchange – and in turn the document verification service (DVS) and facial verification service (FVS) – to verify an individual’s credentials without revealing their identity to service providers.
[my yellow bolding]
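The exchange pattern the article describes (identity provider verifies the person, exchange passes verified details on, service provider never sees the provider-side identity) can be modelled in a few dozen lines. The following is an added illustration and not Govpass's or the DTA's code; the HMAC-based message format, the hard-coded keys, the service-provider attribute policy and the three-document threshold are all assumptions made for the example.

```python
"""Toy model of a brokered identity exchange: an identity provider (IdP)
verifies the user, the exchange passes verified attributes to a service
provider (SP) without revealing the IdP-side identifier to that SP.

Constructed example. Keys, identifiers and the HMAC message format are
assumptions for illustration, not the real Govpass design.
"""
import hashlib
import hmac
import json

# Constructed shared secrets. A real deployment would use per-party
# asymmetric signing keys (SAML/OIDC style), not hard-coded bytes.
IDP_KEY = b"constructed-idp-signing-key"
EXCHANGE_KEY = b"constructed-exchange-signing-key"
PAIRWISE_SECRET = b"constructed-exchange-pairwise-secret"

# Which attributes each (constructed) SP is registered to receive.
# Everything not listed is withheld by the exchange (attribute minimisation).
SP_POLICY = {
    "tax-office-tfn-application": {"given_name", "family_name", "date_of_birth"},
    "library-card-renewal": {"given_name", "family_name"},
}


def _sign(key: bytes, payload: dict) -> str:
    """Canonical JSON then HMAC-SHA256; returns the hex tag."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def idp_issue_assertion(idp_user_id: str, attributes: dict, verified_documents: int) -> dict:
    """IdP side: after checking the user's identity documents, emit a signed
    assertion that still carries the IdP's own persistent user identifier."""
    payload = {"idp_user_id": idp_user_id, "attributes": attributes,
               "verified_documents": verified_documents}
    return {"payload": payload, "sig": _sign(IDP_KEY, payload)}


def pairwise_id(idp_user_id: str, sp_id: str) -> str:
    """Exchange side: derive a per-SP pseudonym so two SPs cannot correlate
    the same person by identifier alone (the exchange itself still can)."""
    msg = f"{idp_user_id}|{sp_id}".encode()
    return hmac.new(PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def exchange_broker(assertion: dict, sp_id: str) -> dict:
    """Exchange side: verify the IdP signature, enforce the verification
    level, strip the IdP identifier, release only policy-allowed attributes
    and re-sign the result for the SP."""
    payload = assertion["payload"]
    if not hmac.compare_digest(_sign(IDP_KEY, payload), assertion["sig"]):
        raise ValueError("IdP assertion signature invalid")
    if sp_id not in SP_POLICY:
        raise ValueError(f"unknown service provider {sp_id!r}")
    if payload["verified_documents"] < 3:  # assumed threshold (article: three documents)
        raise ValueError("identity not verified to the required level")
    allowed = SP_POLICY[sp_id]
    released = {k: v for k, v in payload["attributes"].items() if k in allowed}
    out = {"subject": pairwise_id(payload["idp_user_id"], sp_id),
           "audience": sp_id, "attributes": released}
    return {"payload": out, "sig": _sign(EXCHANGE_KEY, out)}


def sp_accept(token: dict, sp_id: str) -> dict:
    """SP side: verify the exchange signature and that the token was issued
    for this SP; return exactly what the SP learns about the user."""
    payload = token["payload"]
    if not hmac.compare_digest(_sign(EXCHANGE_KEY, payload), token["sig"]):
        raise ValueError("exchange token signature invalid")
    if payload["audience"] != sp_id:
        raise ValueError("token was issued for a different service provider")
    return payload


def demo() -> dict:
    """Run one user through the exchange to both SPs; returns each SP's view."""
    user_attrs = {"given_name": "Jane", "family_name": "Citizen",
                  "date_of_birth": "1980-01-01", "email": "jane@example.invalid"}
    assertion = idp_issue_assertion("idp-user-000123", user_attrs, verified_documents=3)
    return {sp: sp_accept(exchange_broker(assertion, sp), sp) for sp in SP_POLICY}


if __name__ == "__main__":
    for sp, seen in demo().items():
        print(sp, json.dumps(seen, indent=1))
```

Note that the exchange is the one party that sees every assertion and can link every pseudonym, which is exactly why concentrating the capability in a single identity provider is a privacy decision and not just an administrative one.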

Note: The Face Identification Service (FIS) is a one-to-many, image-based identification service that can match a photo of an unknown person against multiple government records to help establish their identity. FIS is also available to police, security services, Dept. of Immigration and Dept. of Foreign Affairs. [Australian Attorney-General's Department, October 2017]

Saturday, 14 October 2017

Political Tweets of the Week

Tuesday, 10 October 2017

National ID Database: so you think if you do nothing wrong you'll have nothing to fear?

“There is also a tendency for technologies to converge, allowing for the creation of devices with increased surveillance capabilities. CCTV, for example, may be combined with facial recognition technology … to identify individuals from their images. Another example is modern mobile phones, which combine telephonic services with GPS tracking software, digital visual and sound recording capabilities, and connection to the internet. A consequence of the convergence of surveillance technologies is the greater ability of surveillance users to compile detailed pictures of members of the public, making it increasingly difficult for individuals to maintain their privacy and anonymity.” [Victorian Law Reform Commission – Surveillance in Public Places: Final Report 18, 2010]

This month the Turnbull Government, state and territory governments have agreed to add the photo IDs of all registered drivers to the Facial Biometric Matching Capability (FBMC) database (est. 16 November 2016) which already has access to passport photographs, visa application photos, airport surveillance images and arrest ID images from the criminal justice system.

Additional images will probably be harvested from social media and added to this database, which is to be used with CCTV footage of the general population going about their daily lives whenever police and security services consider it necessary. The biometric 'map' of an individual's face created by FBMC can easily be applied to searches of video footage from public venue, shopping centre, street and road cameras, as CCTV technology is now capable of automatically recognising the faces of people, as well as vehicles, animals and bags.

FBMC will involve using a Face Verification Service, Face Identification Service, One Person One Licence Service and Facial Recognition Analysis Utility Service in identity matching, along with the Document Verification Service, Identity Data Sharing Service and/or any other government identity matching or data sharing service and, of course, one of the areas in which it will be used is so-called crime prevention.

Use of this facial recognition database will also be available to authorised private sector agencies and, like many new tools, it is likely to suffer function creep, so that photo IDs will be required by more government agencies and private businesses when interacting with individuals in the future.

The Facial Biometric Matching Capability database will function alongside the Biometric Identification Services (BIS) which features national identification capability using fingerprints, palm prints, foot prints and facial recognition, person identity and evidence image case management, image enhancement tools and record auditing, matching services of one to one, one to few, one to many, and many to many, as well as photobook, photo line-up and witness viewing services.

But what’s the worry? After all if you are an ordinary person not committing a crime you have nothing to fear. Right?

Well, there is this on the horizon…

Criminologists at Monash undertake cutting edge research in the areas of risk and security that is theoretically sophisticated, innovative and highly relevant to areas of pressing national and international concern. The discipline hosts two recipients of the Australian government’s prestigious Future Fellowship Award, Professor Sharon Pickering and Associate Professor Weber, both undertaking programs of research on border policing. Their jointly authored book Globalization and Borders: Death at the Global Frontier was awarded Australia’s most significant criminology publication award in 2013. The Border Crossing Observatory is the online repository of all border-related research undertaken by Monash Criminology and our national and international partners. Criminologists at Monash have received multiple highly competitive Australian Research Council grants to investigate a host of risk and security related topics, amongst them, counter terrorism laws and policing, immigration and exploitive labour practices, deportation, regional security, and the gendered nature of border crossing and transnational law enforcement. Our risk and security research expertise includes the interrelated topics of borders, counter terrorism, state crime, transnational crime, irregular migration, human trafficking, risk and disability, and pre-crime. [my yellow bolding]

What is “pre-crime”?

Put simply, “pre-crime” activity is a crime not yet committed – it is the suspicion that an individual might be capable of breaking an unidentified law at some unspecified time in the future.

Such suspicion does not mean there is a need to charge, prosecute or convict for a specific crime. Intervention at “pre-crime” stage is supposedly risk containment.

You don’t have to be researching bomb-building or Googling how to buy a weapon online to commit a “pre-crime” activity - it can be your thoughts and political opinions spoken aloud or written down, as well as your actions at a public meeting or protest rally.

It can even be allegedly ‘guilty knowledge’ in that you knew the time and place a small environmental activist group was going to confront their local MP or you saw a person painting an anti-government picket sign ahead of a planned street march.

Going to the media – social or mainstream – with a genuine complaint against a government department might be considered a “pre-crime” if you visibly persist in seeking answers, redress or apology. You could easily be labelled "fixated" by police if a government minister takes offence and decides to complain.

If you make a small donation to a group the police or government consider problematic, troublesome or obstructive of the aims of government or big business you may at some time in the future be considered politically partisan and displaying “pre-crime” tendencies.

These are just some of the groups that are already complained about by big business and politicians: Environment Victoria, Wilderness Society (Australia, Victoria & Queensland), Friends of the Earth, Victorian National Parks Association, Australian Conservation Foundation, Lock the Gate Alliance Australia, the Nature Conservation Council of NSW, the Australian Youth Climate Coalition, the Australian Marine Conservation Society, Friends of the Earth Australia, Politics in the Pub and GetUp! as well as Greenpeace and Sea Shepherd.

Just belonging to a group or community association which speaks up on matters of social, economic, environmental or political concern could see you being eyed off as part of a potential conspiracy in the making.

In at least one Western country pre-crime can also manifest itself as a suspicion that you have come into a city centre with the intention of having a drink or two, for which you will be given a 48-hour direction-to-leave order.

With the notion of “pre-crime” there is no presumption of innocence and little more than lip service to due process if any arm of state or federal government decides you are a person of interest.

So how will pre-crime activity be monitored by police and security services? Well one of the methods used will be surveillance and this surveillance may involve use of the Facial Biometric Matching Capability database created by the Turnbull Government.

Surely this couldn’t possibly happen in Australia, you say? Think again.

We already keep individuals in gaol long after their court-imposed sentence has been fully completed under continuing detention legislation; we have preventative detention without charge and control orders which can be applied to both minors and adults; police are known to use spyware to enter, monitor and control home computers; and, in certain circumstances, your home can be entered and searched without your knowledge by police and security services.

And here in Australia we have a history of unwarranted surveillance based on an individual's political association (1950s Cold War era) and political dissent (1960s & early 1970s Viet Nam War era) as well as virtually unchallenged unlawful use of coercive powers (Border Force 2014 to 2017).

Police and security agencies are constantly pushing for more legislation which would allow amongst other matters the creation of a raft of pre-emptive, punitive measures based solely on suspicion and an individual’s “pre-crime” tendencies.

Right now in Australia governments are all about political and physical control of the population - they are not about human rights, 'civil liberties' or a free, open and democratic society.

As a society Australia has been sliding down that slippery slope towards an authoritarian destination for years now and in 2017 we appear to have reached the bottom of the slope.

“For years, there’s been ample evidence that authoritarian governments around the world are relying on technology produced by American, Canadian, and European companies to facilitate human rights abuses.  From software that enables the filtering and blocking of online content to tools that help governments spy on their citizens, many such companies are actively serving autocratic governments as "repression’s little helper."
The reach of these technologies is astonishingly broad: governments can listen in on cell phone calls, use voice recognition to scan mobile networks, read emails and text messages, censor web pages, track a citizen’s every movement using GPS, and can even change email contents while en route to a recipient. Some tools are installed using the same type of malicious malware and spyware used by online criminals to steal credit card and banking information. They can secretly turn on webcams built into personal laptops and microphones in cell phones not being used. And all of this information is filtered and organized on such a massive scale that it can be used to spy on every person in an entire country.” [Electronic Frontier Foundation, accessed 7 October 2017]

“Australia’s leading privacy and civil liberties organisations condemn the decision by the Council of Australian Governments (COAG) to provide all images from state and territory driver’s licence databases to the federal National Facial Biometric Matching Capability.
The creation of such a comprehensive national facial database is an unnecessary and disproportionate invasion of the privacy rights of all Australians, is the foundation for suspicionless, warrantless mass surveillance and is fundamentally incompatible with a free and open society.

David Vaile, Chair of the Australian Privacy Foundation said, “This government has proven it is blind and deaf to privacy and personal information security threats. Make no mistake – this database will affect all Australians, even the most conscientious and law-abiding. It will likely generate massive ‘false positive’ lists that will flood our very effective police and security services with useless distractions. We’ve already seen calls for ‘scope creep’ to cover welfare enforcement, and there’s every reason to expect this capability will come to be used to identify people with unpaid fines and other minor issues that have nothing whatsoever to do with terrorism.” [Electronic Frontiers Australia, 6 October 2017]

“Every single portion of human rights activism overlaps, manifests or is exercised with the use of technology. That alone caused attackers and adversaries to recognize that technology itself is a good vehicle to get to these people and interfere with them or cause them harm.” [Claudio Guarnieri of Amnesty International quoted in Threatpost at Kaspersky Lab, 4 October 2017]

Thursday, 20 July 2017

A new Australian Federal Government super ministry capable of deploying armed soldiers on our streets

“The first question to ask yourself is this: does handing Dutton that power sound like a good idea?” [journalist Katherine Murphy, The Guardian, 18 July 2017]

A new Australian Federal Government super agency capable of deploying armed soldiers on our streets? With a former Queensland police officer of no particular merit as its head?

What could possibly go wrong with a rigid, far-right, professed ‘Christian’ property millionaire having oversight of a super portfolio which would reportedly bring together the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP), Australian Border Force, the Australian Criminal Intelligence Commission and AUSTRAC, along with a database on ordinary citizens, ‘intellectuals’ and perfectly legal organisations going back literally generations?

How long will it take before any industrial action or protest event would be quickly labelled as terrafret and armed soldiers sent to disperse people exercising their democratic right?

Australia’s been down that painful path before during the last 229 years and been the worse for it.

Turnbull at Holsworthy Barracks, Forbes Advocate, 17 July 2017

“The measures I am announcing today will ensure that the ADF is more readily available to respond to terrorism incidents, providing state and territory police with the extra support to call on when they need it.”
[Prime Minister Malcolm Turnbull, media release, Holsworthy NSW, 17 July 2017]

Malcolm Turnbull has confirmed a dramatic shake-up of Australia's security, police and intelligence agencies that will put Immigration Minister, Peter Dutton, in charge of a sprawling new Home Affairs security portfolio.

The department of Home Affairs will bring together domestic spy agency ASIO, the Australian Federal Police, the Australian Border Force, the Australian Criminal Intelligence Commission, AUSTRAC and the office of transport security and will be put together over the next year.

And Mr Turnbull has also announced the government would, in response to the L'Estrange review of Australia's intelligence agencies, establish an Office of National Intelligence and that the Australian Signals Directorate will also be established as an independent statutory authority.

The new Office of National Intelligence will co-ordinate intelligence policy and is in line with agencies in Australia's "Five Eyes" intelligence partners in the US, Britain, Canada and New Zealand…

The changes are to be finalised by June 30, 2018 - subject to approval of the National Security Committee of Cabinet - with Mr Dutton to work with Senator Brandis in bedding down the changes.

Senator Brandis will lose responsibility for ASIO under the changes but, crucially, retain sign-off power on warrants for intelligence agencies.

Mr Turnbull said the Attorney-General's oversight of Australia's domestic security and law enforcement agencies would be strengthened, with the Inspector-General of Intelligence and Security and the independent national security legislation monitor moving into his portfolio. 

The Prime Minister said Australia needed these reforms "not because the system is broken, but because our security environment is evolving quickly…

However that L'Estrange review – part of a routine reassessment of national security arrangements – is understood not to specifically recommend such a super-portfolio.

Mr Turnbull has been dropping strong hints lately that he is inclined to make a significant change, rejecting what he's branded a "set and forget" policy on national security and warning that Australia must keep up with an evolving set of threats from terrorism to foreign political influence.

Security and intelligence agencies themselves are also believed to have concerns about such a change, while some former intelligence heads have publicly said they do not see any need for change.

However, a well-placed source in the intelligence community said a Home Affairs office - as opposed to a US-style Department of Homeland Security - was the preferred option for police and intelligence agencies.

That was because a Home Affairs department would potentially be broader, including agencies such as the Computer Emergency Response Team, the Australian Cyber Security Centre, Crimtrac, the Australian Criminal Intelligence Commission and the new Critical Infrastructure Centre, rather than just police and intelligence agencies.

The Guardian, 18 July 2017:

Peter Jennings, the executive director of the Australian Strategic Policy Institute, put it well on Tuesday when he said any “grit” in the Dutton/Brandis relationship could be problematic for intelligence operations, which is obviously problematic for all of us, given we rely on the efficiency of the counter-terrorism framework to keep us safe.

So we’d better hope for the best, to put it mildly.

We’d also better hope it’s a good use of the time of our intelligence services and public servants to nut out how the Big Idea is going to work in practice, which will be a reasonably complex task, at a time when these folks already have a serious day job.

Recapping that specific day job again: trying to disrupt national security threats, in a complex environment. Pretty busy and important day job, that one.

It’s cartoonish to say this is all about the prime minister rewarding old mate Dutton, on the basis you keep your friends close, and your (potential) enemies closer.

Nothing is ever that simple outside a House of Cards storyboard– although it remains an irrefutable fact that Dutton wanted this to happen, and if Dutton really wanted it to happen, it would have been difficult for Turnbull, in his current position, to say no.
The Australian, 19 July 2017:

The pressure points lie in the risk calculations that link intelligence to response. In a liberal democracy, we rightly demand high certainty of the intention to carry out an act of violence before we are comfortable with our security services pre-emptively taking someone off the streets. Usually when an attack happens, here or in the US or Europe, it’s because the calibration of risk hasn’t worked. It’s not because security services weren’t concerned about an individual’s beliefs and actions or couldn’t find him.

For those of us without access to national security data, the evidence suggests that Australia does these important risk calculations relatively well. Our list of foiled terrorist attacks is quite a bit longer than the list of attacks. The reason for this is the national security structures we have evolved: the combination of separate national security agencies, each with highly developed specialist capabilities and slightly different cultures and perspectives, working in close, 24/7 collaboration.

When calculating risk, separation and diversity are a strength because they build contestation, careful deliberation and stress testing into the system. Britain, the US, France and Belgium have chosen more centralised structures, and the evidence is that their systems do not work as well as ours. Bringing our highly effective agencies into a super-department cannot help but disrupt their inner structures and cultures. Such enterprises inevitably lose sight of the goal — keeping Australians safe — as they become driven by the desire for efficiencies and cultural homogenisation, and the urge for bureaucratic tidiness. Look no further than the creation of the Department of Immigration and Border Protection, a process that has consumed enormous amounts of resources in reconciling two incompatible cultures, with no apparent benefits and a list of embarrassing blunders.

Creating one security super-department places a major imperative on the government to get everything right, first time. Separate but closely collaborating security agencies create a powerful check against underperformance: a struggling agency or a leader who’s not up to it are spotted and called out quickly. But underperformance in a federation-style conglomerate is not so easy to see and to call out. And in the meantime, it’s the safety of Australians that will be the price for underperformance.

If the Turnbull government were serious about national security, it would not engage in evidence-free experimentation with our national security. It should instead be building on what’s working well and making it even stronger. We need better co-ordination and cross agency connectivity, not big-bang organisational redesign.

We should be getting these sorts of issues right in a system that is working, rather than indulging in the risk-riddled gesture politics of a grand restructure.

Michael Wesley is professor of international affairs and dean of the College of Asia and the Pacific at the Australian National University.

Wednesday, 5 July 2017

Would you trust these men with your personal health information?

The darknet vendor says they are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.” [The Guardian, 4 July 2017]
Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge
& Minister for Health and Liberal MP for Flinders, Greg Hunt

These two federal politicians have portfolio responsibility for some of the largest government databases in Australia.

One has portfolio responsibility for those sensitive e-health records which are due to be rolled out nationally on an opt-out basis by 2020.

This is how secure your personal information is on their watch…

The Australian Federal Police is investigating reports Australians' personal Medicare details are being accessed and sold on the dark web, an apparent breach that has been labelled an "internet catastrophe".

According to a Guardian Australia report, an online vendor can pull up the full Medicare card details of any Australian on request — and is selling them for around $30 each — indicating a security hole somewhere in the health system.

Human Services Minister Alan Tudge said the government was taking the matter seriously. 

The sales are reportedly listed on an undisclosed dark web marketplace, in which the vendor claims to be "exploiting a vulnerability" in order to run software that pulls the data. The vendor calls it "the Medicare Machine".

"Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full", the listing says, adding that the nature of the security hole being utilised means the vendor will be "here to stay".

In a statement, Mr Tudge said any unauthorised access to Medicare card numbers was "of great concern" and his department was also conducting its own investigation.

Medicare's database was always a honeypot waiting to be exploited once governments embraced data matching, data retention and data sharing with much enthusiasm but little understanding.

Once someone decides they want your Medicare details ID theft is now just 0.0089 bitcoin away - as is your abusive former spouse/partner or that anonymous stalker or Internet troll that has been making your life a misery.


Anthony Baxter, 4 July 2017:

You supply the person with name, date of birth and gender and around $30 of Bitcoin and they'll give you the person's Medicare number. This is pretty bad, as it allows identity thieves to forge them - a Medicare card is usually worth 25 points on the standard 100 point ID check here. The AU govt had no idea this was happening until the journo from The Guardian let them know.

It turns out there's a portal that any health care provider can use to look up Medicare numbers this way. In case you've lost your card or whatever. Likely it's someone who works for one of them selling access, or someone's popped a PC there (more on that to come).

When asked, the relevant government minister (the same guy who presided over the Census fuckup last year (update: I misremembered, that was a different clown), the accidental publishing of PBS data that was poorly deidentified and the ongoing Centrelink robodebt nightmare) claimed it's OK because you can't get access to someone's medical records through the shiny new online electronic health records system with just a Medicare number. Aside from ignoring the ID theft issue there's a liiiiiittle bit of an issue here.

Guess what information you need along with the Medicare number to pull someone's medical records? Did you guess "name, date of birth and gender"? Collect your prize.

According to the folks who did the Privacy Impact Assessment on the electronic health records system, they were told it would be secure because you needed Medicare number as well as name/DOB/gender and weren't told you could use the latter to look up the former.

It Gets Worse.

In theory you can only look up this stuff from a secure endpoint, with a client side certificate installed. Which in practice means maybe 20K PCs scattered across every doctor's office in the country. Worse still, many of these client certs were originally sent out via unencrypted email, and a nontrivial number were "lost". And you reckon all or even a significant fraction of these 20K boxes are running modern Windows with up to date patches? Me neither. I can't count the number of times I've been left alone in a room with an unlocked doctor's PC while he went to check something.

It (Incredibly) Gets Even Worse.

They have a Two Factor Auth system which doctors are supposed to use. One of the ways to get the 2FA key is, and I wish I was joking here, email.

So get access to a box running some XP/Win7 version that's ludicrously unpatched that's also logged into the doctor's email, collect health care records. Australian government cannot computer.

At the moment the electronic health records thing is opt-in, at some point next year they'll be moving to an opt-out scheme with a window to opt-out. There's an email form here where you can sign up to be notified when the window to opt the hell out is opened and I urge everyone to do so A


The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.

Questioning the department's ability to keep the data safe from "security threats from external and internal sources", the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.

Friday, 9 June 2017

The American Resistance has many faces and here are just seventeen of them (8)

According to the American Civil Liberties Union (ACLU):

In April 2017…. President Trump signed a law overturning strong, commonsense privacy rules that gave consumers control over what internet service providers (ISPs) could do with their data. The rules that were overturned would have prevented ISPs from sharing our browsing history with advertisers, forced ISPs to be clear about what information they’re collecting, and required ISPs to take reasonable steps to protect our data from hackers.

The response from many states was almost instantaneous. State legislators around the nation are now considering laws to restore the privacy protections that Congress and President Trump eviscerated…

States where legislation has been introduced
Alaska’s HB 232, and the similar HB 230, prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer giving them consent to collect personal information.

States where legislation has been introduced
A proposed version of Hawaii’s SB 1201 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information. However, the current version of the legislation does not include any privacy language.

Kansas’s HB 2423 prevents ISPs that do business within the state from collecting or otherwise storing the personal information from a resident of Kansas without express, written consent. It also prevents ISPs from refusing to provide their service to a resident of Kansas who has not given approval for the collection, storage or sale of their personal information.

Maine’s LD 1610 prohibits an ISP from using, disclosing, selling, or permitting access to a customer’s personal information without express, affirmative consent (absent certain emergency and other exceptions). The bill defines personal information as including web browsing history, app usage, and precise geolocation information, among other sensitive types of data. It prohibits conditioning the sale of a service, or charging a penalty for that service, if a customer does not provide consent. The bill also requires ISPs to take reasonable measures to protect customers’ personal information against unauthorized use, disclosure or access.

A bill was introduced just six days before the end of the legislative session and failed to pass through Maryland’s state legislature, SB 1200, due to the lack of time to consider the issue. It would have prohibited ISPs from selling or transferring a customer’s personally identifying information—which includes browsing history and IP address—for marketing purposes without affirmative consent from the customer (absent certain legal exceptions). It would have prevented ISPs from showing ads to customers from the ISP based on the customer’s browsing history, without affirmative permission. The bill would have prevented ISPs from conditioning service on a customer giving them consent to collect personal information. And the bill would have required the state’s Joint Committee on Cybersecurity, Information Technology, and Biotechnology to monitor enforcement of the act and provide recommendations on future changes needed to the law.

There are several internet privacy bills pending in Massachusetts. HB 3698 prohibits an ISP from collecting, using, disclosing, or permitting access to a customer’s sensitive proprietary information without opt-in consent (absent certain emergency and other circumstances). Sensitive proprietary information includes financial and health information, information about children, precise geolocation, browsing history, and app usage, among others. The bill also requires that ISPs disclose, at the point of sale or during significant changes to their practices, the types of information the ISP wishes to collect, the purposes for which it would use the information, and the types of third parties who would receive the information when asking the customer for opt-in consent.
S 2062 would prohibit ISPs from collecting, using, disclosing or permitting third-party access to a customer’s proprietary information, which includes web browsing history and app usage, without affirmative consent (absent certain emergency and other exceptions). It also requires the ISP to ask for opt-in approval when material changes are made to the company’s privacy policy, and it requires that customers be given a conspicuous notice of what information is collected, the purpose for which it would be disclosed, and the type of third party it would be disclosed to. It also prohibits conditioning the sale of a service, or charging a penalty for that service, if a customer does not provide consent.

A number of similar broadband privacy amendments were attempted in Minnesota. HF 2209 has a provision that prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. HF 2579, HF 2606, and HF 2309 have the same language but also prohibit conditioning the sale of a service on a customer giving them consent to collect personal information.

LR 136 designates the Transportation and Telecommunications Committee to conduct an interim study of the effects of the overturning of the FCC’s broadband privacy rule. If the study concludes that repeal of the rule does impact the privacy of Nebraskans, it may consider state legislative and administration options to restore privacy protections to consumers. The bill was introduced with bipartisan support.

An amendment to HB 305, which was not adopted, prohibited ISPs from using, disclosing, selling or permitting access to a customer’s personal information without affirmative consent (absent certain emergency and other exceptions). The amendment defined personal information as the content of communications, demographic information, browsing history, financial and health information, information pertaining to children, app usage, and precise geolocation, among others. The amendment also required ISPs to take reasonable steps to protect customer personal information from unauthorized use, disclosure, or access.

SB 3156 requires ISPs to keep their customers’ personally identifiable information—which includes browsing history and precise geolocation—confidential unless the customers provide affirmative consent. It also provides that ISPs give written notice of this requirement to each customer. The provisions of the bill do not apply to investigations undertaken pursuant to the “New Jersey Wiretapping and Electronic Surveillance Control Act.” Importantly, an ISP cannot refuse to offer internet service to customers simply because the customer does not consent to disclosure of personal information.
AB 3027 instructs the Board of Public Utilities, in consultation with the Division of Consumer Affairs and the Department of Law and Public Safety, to undertake a public awareness campaign to promote consumer understanding of ISP’s information disclosure practices. The campaign would include information about state and federal privacy laws, the circumstances under which ISPs can disclose customer information, and guidance for how consumers can access and understand the privacy policies of ISPs. The bill does not specifically address how the campaign will be clear and accessible to the public.

New York has the most currently pending bills of any state. A 7191 and S 5603 prohibit any ISP that does business within the state from collecting or disclosing a customer’s personal information—which includes browsing history and the contents of data-storage devices—without affirmative consent. However, the bills have a number of exceptions to the consent requirement, including provisions that would allow law enforcement to access customer data without a warrant. The bills also require ISPs to take reasonable data security steps and provide a cause of action for ISP violations of their provisions.
A 7236 and S 5576 require ISPs to obtain affirmative consent from a customer prior to using, sharing or selling that customer’s sensitive information, which includes browsing history, financial and medical data, biographical data, the content of communications, and internet usage. Non-sensitive data, which includes aggregate data or subscription data, does not require consent for disclosure. The bills also require ISPs to provide customers with a copy of a privacy policy that includes: data collection and use practices; the ISP’s relationships with third-parties, the purposes for which the ISP collects data; and information for how consumers can exercise control over their privacy. Any ISP that violates the provisions would be guilty of a misdemeanor and subject to fines.
A 7495 and S 5516 require ISPs to keep confidential, unless given affirmative consent, customer information including biographical information, browsing history, financial and health information, and information about political affiliation, among others. The ISP is also required to provide written notice of the requirements of the bill to each customer.
S 3367 requires ISPs to keep all customer information confidential unless affirmative consent is provided. The bill also creates a fine of $500 per offense for any ISP found to be in violation.

HB 2090, which has been passed by the Oregon legislature, makes it a violation of that state’s consumer protections law for a company to engage in practices that are inconsistent with its stated privacy policy.
HB 2813 prohibits an ISP from disclosing, selling, or permitting access to a customer’s personal information without affirmative consent (absent certain emergency or other exceptions). The bill defines personal information to include demographic information, browsing history, app usage, the content of communications, information about finances, health or children, and precise geolocation, among others. The bill also prohibits an ISP from conditioning service on, or charging a higher rate to, customers that do not provide consent for their information to be used. The bill requires ISPs to take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access. And the bill gives a private right of action against an ISP that discloses or sells their information in violation of the bill’s provisions.

HB 6086 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer giving them consent to collect personal information.

HB 4154 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer giving them consent to collect personal information.

HB 2200, which has already passed the House twice, prohibits an ISP from selling or transferring a customer’s proprietary information, which includes communications content, browsing history, precise geolocation, and financial and health information, among others, without opt-in consent. The bill also prohibits an ISP from conditioning service on a customer’s consent to use their proprietary information, and further requires the ISP to disclose the terms and conditions of any financial incentive provided to a customer that consents to having their information used by the ISP.
SB 5919 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer giving them consent to collect personal information.

HB 535 directs the Attorney General, in consultation with the Commissioner of Public Services, to adopt privacy and data security rules for ISPs. SB 147 uses similar language, but also requires that the rules adopted include disclosure requirements for ISP privacy policies, opt-in or opt-out procedures for obtaining customer approval to use and share sensitive or non-sensitive customer proprietary information, and data security and breach notification requirements.
SB 72 directs the Attorney General, in consultation with the Commissioner for Public Service and industry and consumer stakeholders, to submit a recommendation or draft legislation regarding whether and to what extent the state should adopt privacy and data security rules for ISPs.

SB 233 prohibits an ISP from using, disclosing or permitting access to a customer’s proprietary information without affirmative consent (absent certain emergency and other exceptions). The bill defines proprietary information as the content of communications or information that relates to the quantity, technical configuration, type, destination, location, or amount of use of an ISP’s service. The bill also requires that ISPs provide notice to consumers about how they collect and use their information, and it requires reasonable data security practices and notification of data breaches.