TechHui

Hawaiʻi's Technology Community

Hawaii Lawmakers' Assault on Web Privacy

As I write this HB 2288, which requires anyone providing internet connectivity to keep detailed records of users' browsing history, is being heard in front of the Committee on Economic Revitalization. This is arguably the most aggressive privacy invading internet data retention measure introduced by any state.The ill conceived HB 2288 was introduced by Rep. John Mizuno and championed by Rep. Kymberly Pine. Companion bill SB 2530 was introduced in the senate by Sen. Jill Tokuda. These bills, which are vaguely worded, could easily impose onerous requirements on not only ISPs but also every coffee shop and internet cafe in the state. They provide no privacy protections or rules with regard to how the data is handled. HB 2288 and SB 2530 open up every resident of the state to the possibility of their browsing history being subpoenaed not only in criminal cases, but also in civil matters. This is no different than the state requiring telephone companies to retain all your conversations.

I submitted the following testimony to the committee:

"I write in strong opposition. I wish to provide testimony with regard to HB 2288, which requires ISPs to capture and store all customers' internet traffic for a period of two years. In these times, the record of a person's browsing history is as close as you can get to a record of their thoughts. Even forcing telephone companies to record everyone's conversations, which is unthinkable, would be less of an intrusion. This bill represents a radical violation of privacy and opens the door to rampant Fourth Amendment violations. As with a phone tap, the state should be required to seek a warrant to record a person's browsing activities. Internet traffic can be far more personal than a phone call. Why should the protection of access be held to a lower standard?"

Although techies can obviously get around this by, for example, using a proxy server to hide destinations and SSL to make data opaque, this is a clear assault on the privacy of the average users' browsing history. The assault is also happening at the federal level thanks to SOPA author Rep. Lamar Smith, who introduced a similar (although less aggresive) bill which he calls the "Protect Children from Pornographers Act". The name is, of course, ludicrous given that it has absolutely nothing to do with protecting children from pornography.

The bill currently has support from both sides of the isle (Pine is a Republican, Mizuno a Democrat), so it will take a concerted effort to defeat it. Lets fight the good fight to protect our privacy. We are already getting national attention.

Many thanks to Aryn Nakaoka for bringing this bill to our attention, Yuka Nagashima for providing in-person testimony on behalf of our industry, Neenz Faleafine for helping spread the word and Declan McCullagh for giving it national attention.

Update: HB 2288 has been tabled and we've heard from multiple sources that it is effectively dead. SB 2530 is likely DOA, but it could be revived with modifications based on testimony. See the comments below for discussion regarding the numerous other bills that have been introduced relating to internet regulation and interference with business activities including the odious HB 2762.

Two new bills, HB1778 & HB2147, promote unauthorized computer access to a class A felony. Class A is normally reserved for crimes such as rape, kidnapping and murder.

Views: 562

Comment

You need to be a member of TechHui to add comments!

Join TechHui

Comment by Daniela Stolfi on February 19, 2012 at 5:42pm

I am working on a response to some of the things said here, but in the meantime, here is an open letter to all of you on TechHui from Rep. Pine.  I sent her a link to this conversation as well as the video from the meeting and asked her to address your concerns and she sent me this response to post on her behalf.  http://www.techhui.com/profiles/blogs/from-rep-kym-pine-to-techhui?...

Comment by Jon Brown on February 19, 2012 at 2:42pm

Politics is a good example of why this is horrible law.   While I don't do political sites myself I have a friend (not in HI) who's done several sites for politicians AND for major media organizations on both sides of the political divide.   While I'm sure he would never use material provided by a prior client on a new site, it'd be trivial for a former client to use this sort of law to threaten him and harm future clients of differing political ideologies.

I can see a judge accepting the argument, "The web developer built me a WordPress site and now they're using WordPress to build my opponent a WordPress site, he's reusing code I paid for without my authorization".

Comment by Karen Chun on February 19, 2012 at 11:23am

[continued]

So just to be clear, I would never do what Rep Pine's website designer did. But now I am going on to defend him and explain why is use of her "unauthorized material" should NOT expose him to a felony indictment, as Rep Pine wants.

First, just because Rep Pine says the material is "unauthorized" does not make it illegal.  Politicians, their images and their words, are fair game for parody, commentary, reproduction, etc.  There's a clear area carved out in the copyright law, that makes public figures fair game.  That's why Rep Pine allegedly lost her lawsuit against the web designer.  She also lost because she allegedly did not pay the guy.  So the website, domain and so on for which she did not pay, did not legally belong to her and he was free to do with them what he wanted.

So putting into law that a web designers client can simply claim that the material was "unauthorized" and charge the designer with a felony is over-reaching to say the least.  The client is the only one who determines what is "authorized"? Whoa!  Any one of us could be charged with a felony by a disgruntled client.

This law would have unintended effects such as subjecting parody sites to felony charges.

Comment by Karen Chun on February 19, 2012 at 11:22am

Jon makes really good points.

Rep Pine introduced the "Make using unauthorized material a felony" bill because she is completely ignorant of what a web designer does and what laws already cover them.

She foolishly used a web designer who already had a history of going after nonpaying clients with mocking websites and then apparently she didn't pay him.  Like duh!  What on earth did she expect would happen.

So the lesson for the rest of us is: (as John said)  Check out the reputation of your web designer before you hire her/him.

I did have 2 deadbeat clients (before I started demanding a retainer before working).  One never paid me so I took down the website, with a notice saying "Hosting has expired.  Please email to reinstate".  A polite, nondamaging way to remove my work without ruining MY reputation by attacking a client, no matter how much of a deadbeat he was.

The second didn't like my $200 bill (a trivial amount for the work I did) so I told him, "Not a problem.  I guarantee my work.  I'll just put your website back the way it was before I worked on it and you won't owe me a thing." He quickly replied (in a panicked voic) "No, no, no...that's all right.  I'll send you the check."

Comment by Karen Chun on February 19, 2012 at 11:01am

Daniela - I agree that cyber attacks suck.  But these bills which track innocent users' pages ARE NOT EFFECTIVE.  They DO NOTHING to fight cyber attacks.

Really the only effective way to prevent cyber attacks is to:
Be sure you have installed all recommended measures to harden your installation.  That means, changing your wordpress login from "admin" to something else.  Password protecting you wp-admin folder.  Removing the OScommerce files that have vulnerabilities.  Using really long passwords.  Keeping an eye on your server (I use a monitoring script).  Making sure you sanitize all your database calls, etc. etc.  Also keep all your software updated.


Establish ownership of your sites with google so that google will alert you to any malicious software that is installed.

Make sure you regularly back up the software and databases AND email accounts and forwarders.

The FBI just doesn't have time to protect YOU.  You have to protect yourself.

Comment by Jon Brown on February 19, 2012 at 10:55am

Ok, dropping the licensing argument for a moment. A key problem with this law is that is doesn't define what a web developer is, it tries to but it fails miserably with "'web designer' or 'web developer' means a person who [for compensation] designs or creates a web page or website, or programs a web page or website, or both." Where does this stop? Again going back to the neighbors kid, say you tell them you'll pay them $1 to upload some photos to your Facebook page? Does that qualify ?

The same rules apply to hiring a web developer as any other unlicensed professional.

(1) Use in the web page or website design or programming any graphics or other material or software that the person is not authorized to use, including copyrighted material;

How is this not already covered under existing copyright law? Do we really need an additional law just for web developers?

(2) Design or program the web page or website to include material that is not approved by the customer;

Of COURSE I'm going to use material not approved by the customer. The customer can't understand 99% of the material that goes into building a web site. You really expect me to get approval of EVERYTHING?

(3) Claim ownership of the web page or website after the person has completed the job; or

In it's most simple form how is this not covered by existing property theft laws? Further it doesn't define "completed the job", my jobs are usually "complete" before receiving final payment and my terms clearly state I retain ownership until final payment is received. Further it does address the myriad of other arrangements for payment web developers have with clients, including on-going monthly fees. While I have never reposed a web site for nonpayment, I don't see why it should be treated differently than any other possession held as collateral.

(4) Use any material at any time obtained from the customer's computer, including e-mail and e-mail addresses, without authorization from the customer.

This seems reasonable… but how is this not covered by existing hacking laws. Perhaps we need a special law that say a housekeeper I gave a spare key can't steal my stuff or look through my filing cabinet?

We make choices ever day in who we hire to provide services to us, the same rules apply to web developers as any other professional service person. Get referrals and references from people you trust, check them out via the better business bureau or online rating services, read your contract with them. Ultimately consumers already have more than enough information to make an informed decision on who to hire. Licensing web developers won't change that, and regulating them without providing them the benefits of licensure will suffocate all but the big agencies.

Comment by Jon Brown on February 19, 2012 at 10:55am

In my first career I was and technically still am a licensed professional civil engineer. I mention this because HB2762 seems to try to regulate web developers (my second career) like licensed professionals which is something I'm familiar with from my former career. Web developers are not presently licensed professionals anywhere I know of and I think doing so would be a mistake for many reasons, but I bring up in the interest of discussion as it feels like that's where this law is headed and understanding the relationship of licensed professionals to state licensing boards is important.

Licensing professionals is a two way street in which the community gets an added level of reassurance about that professional and in exchange the professional gets added protection from competition from unlicensed professionals.

This law however is entirely one sided. I as a web professional gain nothing from it, I just get saddled with additional costs (overhead/paperwork/communication documentation) and risk (legal action from a client).

Another key factor in licensing professions is that only licensed professionals are allowed to practice within the jurisdiction. From that follows that if you happened to ask your neighbors 14 year old daughter to build you a web site and they did, they'd then be subject to prosecution for practicing without a license.

Comment by Karen Chun on February 19, 2012 at 10:25am

Daniela - I have had my client's servers attacked by criminal warez sellers AND have had to defend my copyrights from pirates and I absolutely oppose all of Rep Pine's get-even-with-my-webmaster bills.  They will do ABSOLUTELY NOTHING to help in either of these situations.

First: As all copyright holders will have experienced, the FBI works only for the big guys (FBI is in charge of copyright enforcement).  20 years ago they wouldn't even look at a case where the damages were less than $5million.  Now I imagine it is 10 times that.  So all the laws in the world aren't going to help anyone but Hollywood and Microsoft.  And Hollywood & Microsoft have their own enforcement organization and the money to pay the lawyers to enforce their copyrights.

Second: The real damaging hackers are usually based in Russia and there isn't a thing you can do about them as they move from server to server and expect to be shut down again and again.  They're using "orphan" ip's (IPs that were assigned to a company that is no longer in business) and these laws that Rep Pine introduced are useless against them.

So these laws as well as being redundant will have NO EFFECT OTHER THAN TO CREATE A POLICE STATE FOR LAW-ABIDING USERS.

Comment by Daniela Stolfi on February 18, 2012 at 10:34pm

um yeah, at the end there I mean fighting against cyber attacks....not doing them :)

Comment by Daniela Stolfi on February 18, 2012 at 10:30pm

I am sure I am going to get blasted for this but here goes. 

I watched Peter Kay talk about this at HIA and I know he rallies against government regulation of our industry.  He said that he likes the freedom we have to open dot coms and does not feel we should be restricted or regulated in anyway.  I believe he used a comparison to the hot dog vender.  Here is my thing.  I don't agree.  As much as I like the freedom we have now, I also know that the results of that freedom has left the door wide open for way too many dishonest people to do a lot of damage.  In a perfect world where ALL techies are honorable and trustworthy, I would totally agree not to want any kind of regulations put on us.  HOWEVER, there are far too many BAD guys in this industry.  RICO regulates plumbers.  And the worse thing they can do is rip me off or jack my plumbing up.  TECHIES have access to information and technology that can completely destroy our lives and our livelihoods. 

I hear you all complaining about HB2762 and that its redundant to copyright laws.  How many of you have had to either protect yourself or your client from a reputation or cyber attack?  Or copyright infringement?  The system can be slow and in some cases dead ends.  Its not perfect and people can re-shift their methods to attack you over and over with no recourse right now.  Savvy people like Eric Ryan is a great example. this is someone who is really good and knowing how to break the rules and get away with it by spoofing and bouncing proxy registrations, utilizing forwards and redirects with panama hosting that don't comply with DMCA, the list goes on.  ICANN is too backed up, google reports go nowhere, DMCA takedowns are only as good as the hosting company who will actually honor it.  And the best that can happen is you can maybe get damaging or infringing content removed, but what about the person who did the damage?  They are free to continue using some other form.  The process to defend against this is time consuming and frustrating.  And our law enforcement has no idea what to do.  

Hawaii is so far behind the mainland in that area.  Right now our laws are way behind where we need to be with technology.  I agree these Bills are not perfect, and not quite focused..yet. But I think there is some legitimate reasoning behind where some of its coming from. HB2762 should not be an issue for us, if we are doing our jobs right.  Yes, it needs to be better written to protect from non payment, but anyone who has had to defend themselves or their clients from issues that have come from what this bill addresses sees the value of it. 

Would love to hear the opposition here.  But as someone who has spent a whole lot of time doing reputation management, and "cyber" attacks, I can see that there is way too much freedom right now that is allowing.  And it sucks that the bad guys are going to ruin it for us but it is what it is.

Sponsors

web design, web development, localization

© 2024   Created by Daniel Leuck.   Powered by

Badges  |  Report an Issue  |  Terms of Service