Who's trying to break the internet today?

NovaSaber

Well-known member
Citizen

Today, it's California.

Problems With the Bill

Unwanted Consequences of Age and Identity Authentication. Structurally, the law tries to sort the online population into kids and adults for different regulatory treatment. The desire to distinguish between children and adults online has a venerable regulatory history. The first Congressional law to crack down on the Internet, the Communications Decency Act, had the same requirement. It was struck down as unconstitutional because of the infeasibility. Yet, after 25 years, age authentication still remains a vexing technical and social challenge.

Counterproductively, age-authentication processes are generally privacy invasive. There are two primary ways to do it: (1) demand the consumer disclose lots of personal information, or (2) use facial recognition and collect highly sensitive face information (and more). Businesses don’t want to invade their consumers’ privacy these ways, and COPPA doesn’t require such invasiveness either.

Also, it’s typically impossible to do age-authentication without also doing identity-authentication so that the consumer can establish a persistent identity with the service. Otherwise, every consumer (kids and adults) will have to authentication their age each time they access a service, which will create friction and discourage usage. But if businesses authenticate identity, and not just age, then the bill creates even greater privacy and security risks as consumers will have to disclose even more PI.

Furthermore, identity authentication functionally eliminates anonymous online activity and all unattributed activity and content on the Internet. This would hurt many communities, such as minorities concerned about revealing their identity (e.g., LGBTQ), pregnant women seeking information about abortions, and whistleblowers. This also raises obvious First Amendment concerns.

Enforcement. The bill doesn’t specify the enforcement mechanisms. Instead, it wades into an obvious and avoidable tension in California law. On the one hand, the CPRA expressly negates private rights of action (except for certain data security breaches). If this bill is part of the CPRA–which the introductory language implies–then it should be subject to the CPRA’s enforcement limits. CADOJ and CPPA have exclusive enforcement authority over the CPRA, and there’s no private right of action/PRA. On the other hand, California B&P 17200 allows for PRAs for any legal violation, including violations of other California statutes. So unless the bill is cabined by the CPRA’s enforcement limit, the bill will be subject to PRAs through 17200. So which is it? ¯\_(ツ)_/¯

Adding to the CPPA’s Workload. The CPPA is already overwhelmed. It can’t make its rule-making deadline of July 1, 2022 (missing it by months). That means businesses will have to comply with the voluminous rules with inadequate compliance time. Once that initial rule-making is done, the CPPA will then have to build a brand-new administrative enforcement function and start bringing, prosecuting, and adjudicating enforcements. That will be another demanding, complex, and time-consuming project for the CPPA. So it’s preposterous that the California legislature would add MORE to the CPPA’s agenda, when it clearly cannot handle the work that the California voters have already instructed it to do.

Trade Secret Problems. Requiring businesses to report about their DPIAs for every feature they launch potentially discloses lots of trade secrets–which may blow their trade secret protection. It certainly provides a rich roadmap for plaintiffs to mine.

Conflict with COPPA. The bill does not provide any exceptions for parental consent to the business’ privacy practices. Instead, the bill takes power away from parents. Does this conflict with COPPA such that COPPA would preempt it? No doubt the bill’s basic scheme rejects COPPA’s parental control model.

I’ll also note that any PRA may compound the preemption problem. “Allowing private plaintiffs to bring suits for violations of conduct regulated by COPPA, even styled in the form of state law claims, with no obligation to cooperate with the FTC, is inconsistent with the treatment of COPPA violations as outlined in the COPPA statute.” Hubbard v. Google LLC, 546 F. Supp. 3d 986 (N.D. Cal. 2021).

Conflict with CPRA’s Amendment Process. The legislature may amend the CPRA by majority vote only if it enhances consumer privacy rights. As I’ve explained before, this is a trap because I believe the amendments must uniformly enhance consumer privacy rights. In other words, if some consumers get greater privacy rights, but other consumers get less privacy rights, then the legislature cannot make the amendment via majority vote. In this case, the AADC undermines consumer privacy by exposing both children and adults to new privacy and security risks through the authentication process. Thus, the bill, if passed, could be struck down as exceeding the legislature’s authority.

In addition, the bill says “If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests.” A reminder of what the CPRA actually says: “The rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy, while giving attention to the impact on business and innovation.” By disregarding the CPRA’s instructions to consider impacts on businesses, this also exceeds the legislature’s authority.

Dormant Commerce Clause. The bill creates numerous potential DCC problems. Most importantly, businesses necessarily will have authenticate the age of all consumers, both in and outside of California. This means that the bill would govern how businesses based outside of California interact with non-Californians, which the DCC does not permit.
 

NovaSaber

Well-known member
Citizen

Pocket

jumbled pile of person
Citizen
The big three cell phone providers are required to lease their towers out to third parties at competitive rates, which is why smaller providers like Mint and Boost and Cricket are able to exist. The same should happen with the cable lines.
 

Ungnome

Grand Empress of the Empire of One Square Foot.
Citizen
Yea, the big telecoms HATE competition with a passion. They successfully blocked a municipal ISP out of Chattanooga from expanding outside of city limits based on trumped up claims of 'unfair competition' simply because the ISP was technically owned by the City of Chattanooga. They would also put up roadblock after roadblock when Google was expanding it's broadband service to various cities. They are a cartel and they KNOW it, they also know that the US Government won't enforce the antitrust laws we currently have on the books because their lobbyist have so many members of congress in their pocket.
 

Pocket

jumbled pile of person
Citizen
I should note that some of the smaller cell providers piggybacking on the big three networks are themselves operated by the major cable companies. You'd think the big three's lobbyists would have some choice words to say about the lopsided nature of that deal, if nothing else.
 

Ungnome

Grand Empress of the Empire of One Square Foot.
Citizen
Heck, Cricket is owned by ATT, Metro PCS is owned by T-Mobile and Boost was owned by Sprint(until it was sold to Dish Network before Sprint's merger with T-Mobile).

I'm pretty sure Xfinity mobile's very existence was a compromise between Comcast and Verizon. Comcast was considering getting into the cell provider business, probably even eyeing up T-mobile or Sprint, while Verizon was delivering fiber broadband in certain markets. Verizon severely slowed down rolling out fiber in more areas a few years before they inked the deal to be the contracted carrier for Xfinity Mobile cellular traffic.
 

NovaSaber

Well-known member
Citizen
"Protect the children" by making everything less private, and putting a porn site that's had data breaches in charge of age verification for the whole internet?

 

NovaSaber

Well-known member
Citizen

At stake are fundamental questions about how the internet works, and what kind of content we will all see online. Currently, algorithms and similar behind-the-scenes automation determine everything from what content we see on social media to which websites we find on search engines to which ads are displayed when we surf the web. In the worst-case scenario for the tech giants, a loss in Gonzalez could impose an intolerable amount of legal risk on companies like Google or Facebook that rely on algorithms to sort through content.

At the same time, there is also very real evidence that these algorithms impose significant harm on society. In 2018, the sociologist Zeynep Tufekci warned that YouTube “may be one of the most powerful radicalizing instruments of the 21st century” because of its algorithms’ propensity to serve up more and more extreme versions of the content its users decide to watch. Someone who starts off watching videos about jogging may be directed to videos about ultramarathons. Someone watching Trump rallies may be pointed to “white supremacist rants.”

If the United States had a more dynamic Congress, lawmakers could study the question of how to maintain the economic and social benefits of online algorithms, while preventing them from serving up ISIS recruitment videos and racist conspiracies, and potentially write a law that strikes the appropriate balance. But litigants go to court with the laws we have, not the laws we might want. And the outcome of the Gonzalez lawsuit turns on a law written more than a quarter-century ago, when the internet looked very different from how it does today.
 

Pocket

jumbled pile of person
Citizen
My answer: Create a new government department dedicated to digital technology, and require every tech company to make their source code available for that department to review. Even Microsoft lets outsiders look at their source code, to a limited degree, to provide second opinions how secure it is, so there's really no excuse.
 

Rhinox

too old for this
Citizen
Sure would be nice if people who wrote laws about technology knew what the **** they were talking about. Ah, pipe dreams.
 

Ungnome

Grand Empress of the Empire of One Square Foot.
Citizen
That's the whole reason Congress divested some of their regulatory power to things like the FCC and EPA... Lot of good it's doing us now, though.
 

KidTDragon

Now with hi-res avatar!
Citizen
That's the whole reason Congress divested some of their regulatory power to things like the FCC and EPA... Lot of good it's doing us now, though.
It was a great idea until the Republicans decided that they should be run by stooges of the industries they were created to regulate.
 

Pocket

jumbled pile of person
Citizen
Two bills are in the works right now that would severely mess things up: the "Kids Online Safety Act" and the "Journalism Competition and Preservation Act". The latter is just straight-up terrible, as it is just the latest attempt to mandate a "link tax" on anyone who posts a link to a news source anywhere on the internet. This is a dumb-as-rocks idea, as you don't need to understand technology to know that this would punish people for providing free traffic to the very news organizations that are bitching that they're not getting enough traffic. I don't know how this keeps getting traction.

The former is more complicated; what it's calling for sounds like just more oversight on websites' ability to collect personal information on minors, but various advocacy groups like the EFF are warning that it could backfire, turning into another backdoor for people who want to ban minors from accessing LGBT-friendly content. How, exactly, isn't being elaborated on, which is unfortunate because this feels like a repeat of the COPPA controversy a couple years ago—Big Tech is found to be breaking a law designed to protect kids online, they take the path of least resistance to correct the problem, punishing their users in the process, and foist the blame off on the Big Bad Government, the public eats it up and concludes, once again, that Government Should Just Let Big Tech Do Whatever They Want, just as intended.
 

NovaSaber

Well-known member
Citizen
And as that link also mentions, just determining which users are minors in the first place requires collecting more personal information than many sites currently do.
 

Dekafox

Fabulously Foxy Dragon
Citizen
The tl;dw is that the Supreme Court is hearing a Section 230-related case next week over Google's recommendation algorithm, and if by suggesting results the website acts as a content creator and promoter of the content rather than neutral towards it like 230 stipulates, by taking a narrower reading of "publisher" rather than the layman's reading. And the blowback could have a SESTA/FOSTA-like effect on social media, among other things.
 

CoffeeHorse

*sip*
Staff member
Council of Elders
Citizen
"If there wasn't an algorithm to sort through this deluge of videos, the only way to sort through them would be a fire hose of viewing every video chronologically, which nobody wants. It would be that or doing a pointed search to try and find content, but then you'd never be exposed to content you actually do want to watch but didn't know that you wanted to seek it out."

I'll live.
 

Ungnome

Grand Empress of the Empire of One Square Foot.
Citizen
The algorithm is busted anyway and has been for years.
 

Pocket

jumbled pile of person
Citizen
Honestly I'm starting to think that destroying the internet wouldn't be the worst thing we could do, at this point.
 

Ungnome

Grand Empress of the Empire of One Square Foot.
Citizen
Don't know about destroying it outright, but maybe taking some of the control back from the large corporations might be in order.
 


Top Bottom