Surveillance State

February 13, 2008 7:00 AM PST

AT&T, Microsoft win as ID theft bill eviscerated

by Chris Soghoian

Update: This blog post has been modified since it was first published. Click here for more details, or scroll to the bottom to see the original text.

A pro-consumer, bipartisan data-breach bill was stripped of most of its provisions before its feeble remains were finally passed by an Indiana Senate committee on Tuesday.

This came after two weeks of intensive lobbying by AT&T, Verizon, Microsoft, and LexisNexis, all of which wanted to kill the bill. For the most part, they were successful.

In a blog post last week, I explained how I had worked with my state Rep. Matt Pierce (D-Bloomington) to draft and submit a data-breach bill. The bill fixed a number of major loopholes in the existing laws and borrowed heavily from existing laws in pro-consumer states such as New York, California, and New Hampshire.

It also broke new legal ground and would have made Indiana the first state in the country to require that all data breach reports impacting state residents be put online at the state attorney general's Web site. This is something that the New Hampshire Department of Justice already does, but out of a voluntary effort to help consumers and not due to a legal mandate.

Indiana's existing data-breach statute has a number of major loopholes. The most critical of these is that companies are not required to disclose a data loss/theft incident, as long as the device in question is protected with a password. The law does not require encryption of all confidential user data, but instead lets companies off the hook as long as they employ a Windows log-in password. These passwords do little to protect data, as they can be broken in a matter of seconds using free tools--or an attacker can use a Linux boot CD to read the data directly off the drive.

In a committee meeting Tuesday morning, Republican committee members successfully eviscerated the bill, reducing it to a mere 17 lines of text from the original 72. The Web site report provision and the requirement that companies notify the state attorney general whenever a data breach is discovered were stripped. A section of the bill that created incentives for companies to follow encryption and key management practices "in a manner consistent with the best practices common in the industry" was also removed.

Thankfully, the most important part of the bill (which requires real encryption and not just a Windows log-in password) remains, for now.

It only took six votes to completely gut the bill--as the other five members of the committee failed to show up for the vote. On Tuesday afternoon, I spoke with state Sen. Tim Lanane, one of the two Democrats who voted on the bill.

"I certainly didn't support the amendment," he told me, "but I also heard Rep. Pierce (the author of the bill) say that he preferred to have a bill pass, as opposed to it dying in committee."

Lanane told me that his vote was strategic, as he knew that "the (Republican) chairman was not likely to pass the bill (as originally written). Rep. Pierce knew that too." In the end, he added, it was "better to have something come out of committee rather than nothing."

Lanane told me that it is still possible to have the original pro-consumer provisions added back into the bill once it reaches the full Senate, and later if it comes up in a House/Senate conference committee.

The bill sailed through the House of Representatives a few weeks ago, passing 94-0. Unfortunately, when I drove up to the state capital last week to testify in front of a Senate committee, I discovered that big business was gunning after the bill.

At least 10 lobbyists were waiting at the committee meeting, many having flown in from Washington D.C., and were going to do their best to have the bill eviscerated. The lobbyists represented household names such as AT&T, Microsoft, Verizon, Comcast, and LexisNexis.

The lobbyists claimed that consumers could be easily confused by online breach reports, that such reports could be misused by evil phishers and fraudsters as a way of adding authenticity to their attacks, and finally that the reports could act as an unfair scarlet letter for companies that make mild data-breach mistakes.

The New Hampshire Department of Justice has posted data breach reports to its Web site for over two years. In order to learn more about the site, I recently spoke with Lauren Noether, the bureau chief of the New Hampshire DOJ's Consumer Protection Office. She told me, "I think it's important for the public to know that there are these types of breaches." She added that "any information that helps a consumer to make decisions about with whom they want to do business is helpful."

With regard to the reports, she stated that "we have them online so that anyone--the media, the public--can look at them, just to see what's out there in the world of security problems."

She also noted that the reports have been useful for businesses that have recently suffered a breach. "People have called me and asked do I have a form?" She said that she is able to tell them that "you may want to take a look at the ways that other companies have reported it to us."

Noether told me that she hasn't heard a single complaint about the Web site and that she hasn't received any information to suggest that criminals were using the site to add credibility to their phishing attacks.

So much for the claims of the lobbyists. It's worth noting, however, that LexisNexis, one of the firms that flew a Washington D.C. lobbyist to Indianapolis to testify against the bill, has three different data breaches from 2007 listed on the New Hampshire DOJ site. Perhaps the company should spend more resources on protecting its customers' data, and less on lobbying?

Update: The text below was deleted from the post on February 18th. More details on its removal can be seen here. The original text has now been put back.

AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D) Young (D), Tallian (D), Lanane (D).

I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.

Update 2: When I wrote that original blog post back in February, detailing which members of the committee had received donations from AT&T, I neglected to do a bit of research. My efforts had been focused on just the members of the Senate Committee. I completely forgot to look up the donation history of Senator Brandt Hershman, the Republican Majority Whip, Senate "sponsor" of HB 1197, and the author of the amendment that stripped away 3/4 of the provisions in the original bill.

It turns out that while the senators on the committee each received $2000 from AT&T over the past few years, Senator Hershman has received even more love from Ma Bell. He received $4000 from AT&T in 2004, and another $2500 in 2006 -- AT&T was his top contributor that year.

Again, just as with the other senators, I'm in no way claiming that Senator Hershman's actions were motivated by the big fat checks he received from AT&T. I am sure that he amended the bill to strip out the parts hated by lobbyists only after carefully considering the issues, and coming to the conclusion that Indiana consumers do not need an easy way to find out about companies that lose their personal data.

October 30, 2007 8:26 AM PDT

Apple plays with fire, courts iPhone gift card lawsuits

by Chris Soghoian

Apple set the blogosphere on fire Monday when word leaked of the company's latest effort to limit iPhone unlocking. Recent media reports reveal that the company has instituted a two-device-per-visit limit for iPhone purchases and has banned the use of cash for such transactions. However, the latest news indicates that Apple is now also banning the use of Apple Gift Cards for iPhone sales. Wired News confirmed the rumor on Monday afternoon. A representative from the Burlingame, Calif., Apple store told Wired News that "official" policy is now that gift cards will not be accepted for the sale of iPhones.

Before we get into the nitty-gritty of this incident, let's step back and explore exactly how Apple describes the gift cards on its Web site:

Apple Gift Cards

(Credit: Apple)

"An Apple Gift Card lets you take the guesswork out of gift-giving. Your friends and family can choose exactly what they want from any retail Apple Store, from the online Apple Store, or by calling 1-800-MY-APPLE in the United States."

Also...

"You can purchase just about anything sold by Apple (except another Apple Gift Card, an iTunes Gift Certificate or purchases at the iTunes Music Store), including products from both Apple and third-party makers."

There does not appear to be any small print on the gift card program Web site stating that Apple reserves the right to reject gift cards for any purchase or change the terms and conditions after the fact.
On Monday afternoon, I spoke with Professor Avery W. Katz, vice dean and Milton Handler Professor of Law at Columbia Law School. Katz regularly teaches classes in contracts, secured transactions, and payment systems.

When asked if he had heard of any other companies refusing to take their own store gift cards in the past, Katz replied that "(this is) a new one to me," and that he believes that "most customers will be surprised to learn that their gift cards will not be accepted" for the purchase of items from a company's official store.

Professor Katz noted that even if Apple's gift cards were covered by a small-print or shrink-wrap contract, "in the case of a consumer purchase, not everything in the fine print of a consumer contract is enforceable. This area is one of some controversy in contract law." In general, he said, "the enforceability of these fine-print terms depends on how reasonable the fine print is and what a consumer can reasonably expect of the sale."

Katz also confirmed that the courts did not expect consumers to have legal counsel read the terms of a gift card before they buy it in the store. He further noted that different states' laws apply, and in particular that some states' laws are far more pro-consumer than others.

Katz was not willing to speculate on the legal options available to consumers who purchased Apple Gift Cards and were no longer able to use them to buy iPhones. However, he did confirm that consumers have a much stronger level of protection in cases where the gift cards were purchased with credit cards as opposed to cases where the gift cards were purchased with cash. With a credit card purchase, consumers have the right of "chargeback," in which they can dispute the purchase when they are not happy with the goods (in the event the item is defective, for example, or if a gift card is not redeemable in the way that the consumer believed it to be at time of sale).

Protesters show Apple some anti-DRM love

(Credit: quinnums / flickr)

I also spoke to Russ Heimerich, a spokesperson for the California Department of Consumer Affairs. California has specific civil laws that relate to the sale and use of gift cards, although they mainly relate to expiration dates, fees, and the ability of consumers to get cash refunds for low amounts of trapped funds. Consumers who purchased gift cards with the intention of using them to buy iPhones should, Heimerich said, go back to the Apple store and ask for a refund. When asked about the legality of what some might consider to be a bait and switch by Apple, Heimerich said that "(the situation) doesn't sound right to me," and referred me to the California Attorney General's office, which has not yet returned my calls. Calls made to Apple have also yet to be returned.

Apple is no stranger to class action lawsuits. With respect to the current gift card issue, the company has sold the cards to consumers stating that consumers can use the gift cards to purchase "exactly what they want from any retail Apple Store." And now, once people have given the company money, Apple has decided to no longer accept lawfully purchased gift cards for one of the most popular items it sells. I'm no gambling man, but if Apple doesn't see a lawsuit or attorney general investigation into this incident in the next six months, I'll sell my open-source Linux-based Nokia N800, and buy an iPhone.
According to The New York Times, analysis of Apple's recent financial statements indicates that the company receives up to $18 per customer per month from AT&T. Over the life of a two-year contract, Apple stands to earn up to $432. Add in the cost of the iPhone device itself, and Apple earns more than $830 from every iPhone customer who signs up for an AT&T contract. Compare this to the cost of the physical components that go into the iPhone, which was reported to be $220 back in July of this year, and it's clear that the iPhone is a gold mine.

There seems to be some uncertainty among commentators and even some legislators over the iPhone. Let's get one thing straight: the iPhone is subsidized. The fact that Apple makes almost $200 profit on every iPhone sold is irrelevant. Apple sells the iPhone for less than its expected profit from the device with the expectation that the other $400 will come from its profit-sharing agreement with AT&T. Customers who buy the phone, unlock it, and use it with T-Mobile or an international carrier are denying Apple the funds that it expected to receive.

With more than 250,000 iPhones sold since June 29 without being activated on AT&T's network (phones most likely unlocked and used elsewhere), Apple has been denied subscriber-generated profit of more than $100 million. Thus, it's not too difficult to see why Apple "unintentionally" turned unlocked iPhones into bricks and then, most recently, limited the sale of iPhones to two per customer and banned cash and gift card transactions. The company doesn't want people buying the phones, unlocking them, and then reselling them, either in the U.S. or in even more-profitable foreign markets.
Now, let's take a deeper look at the issues at play here. In particular, which other companies try to limit the number of devices that customers can purchase?

In August 2006, three Arab-American men were arrested in Michigan; the men had in their possession more than 1,000 prepaid mobile phones, most of which had been purchased at Wal-Mart stores around the state. Local prosecutors initially charged them with collecting or providing materials for terrorist acts, although these charges were later dropped. The three men from Michigan were engaged in a modified form of arbitrage: they bought heavily subsidized devices, removed the software, and resold them to consumers wishing to use them on other networks. Tracfone, the company whose telephones the men had purchased, claims that it is losing millions of dollars a year from the practice.

Apple: No tinkering with our hardware!

(Credit: Wysz / Flickr)

Unfortunately for Tracfone, in November 2006 the Librarian of Congress cemented the right of consumers to hack their own phones and created a new exemption to the anti-circumvention provisions of the Digital Millennium Copyright Act. With the law no longer on its side, Tracfone had to shift tactics, and as of October 2006, major retailers such as Wal-Mart began limiting customers to two prepaid phones per visit.

That's right--Apple has now adopted the same tactics as Tracfone, a prepaid-phone company that targets low-income consumers who do not have the credit necessary to enter into a contract.

I've written about Tracfone's troubles, as well as the more general problems faced by other companies in similar markets, in a new research paper, Caveat Venditor: Technologically Protected Subsidized Goods and the Customers Who Hack Them, which will be published later this fall in the Northwestern Journal of Technology and Intellectual Property. While I recommend that you read my paper, the take-home lesson from it is that by not giving consumers a non-locked iPhone (albeit at a higher price in order to make up for the lack of AT&T profit sharing), Apple is only inviting hackers and tinkerers. For those of you who claim that the iPod Touch is just this: remember that only the iPhone has a camera and Bluetooth, which are essential features for anyone who wants to create VoIP and videoconferencing software for the device.

Apple has fought (and lost, thankfully) a very public legal battle against the right of bloggers to remain anonymous. Thanks to its trigger-happy legal department, it has made lifelong enemies of a number of security researchers. Now, over the space of just a few years, the company has gone from a much-loved underdog in the personal-computer space to the DRM-loving 800-pound gorilla of the online music business, and now has adopted the tactics of low-end prepaid phone companies whose products are sold at 7-Eleven.

Oh, how the mighty have fallen.

About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET.