Tomorrow, the House Financial Services Committee is scheduled to markup H.R. 2205, the Data Security Act of 2015. Over the past several months, the Open Technology Institute has released a number of materials highlighting elements of this and other bills that would have concerning implications for the privacy of communications records. As I wrote in Future Tense in March about a different bill that contained the same language (and that, thankfully, has not passed),
[C]ounter to its name, this piece of legislation would actually eliminate key legal protections for phone, cable, and satellite records.
What would this mean for you? You could no longer assume that any information your phone, cable, or satellite provider collects about you is protected, and companies would no longer be obligated to tell you if that information is compromised. The results could be disastrous. Just a list of the phone numbers called by a customer would reveal not only information about that customer’s ties to other individuals, but also ties to organizations, health-related entities, hotlines, support groups, and so on. That list of numbers could reveal that the customer had called a hotline for suicidal thoughts or domestic violence. It could indicate that the customer likely had an abortion, needed 911 services, battled addiction, or struggled to come to terms with her sexual orientation.
. . . .
Phone records also contain location information. Even when customers turn off GPS on their phones, carriers keep a record of which network antenna is communicating with the phone during every call. As computer scientist Vitaly Shmatikov explained last year in a letter to the Federal Communications Commission, this information can be used to reconstruct a customer’s movements, revealing the path someone takes to drive to work or walk to her children’s school, or the location of his gym or place of worship.
As for cable and satellite customers’ viewing histories, it’s hard to imagine a class of information with greater potential for humiliation than an account of what we watch in the privacy of our own homes. Indeed, Congress was so spooked by the publication of Supreme Court nominee Robert Bork’s innocuous video rental history in 1988 that they almost immediately passed the Video Privacy Protection Act, which protects records about video rentals.
For ease of reading, consider the following chart, which explains how protections for sensitive communications would fare under the new bill on a category-by-category basis:
This chart and a few other important details about the bill under consideration are available here, in a one-pager OTI has put together on the bill and its implications for communications records. Relatedly, I also testified before the Committee in May, and in my testimony outlined may of the same concerns.
In recognition of these and other concerns regarding the bill, OTI joined 16 other privacy and consumer advocacy groups today on a letter to Committee members urging them to oppose H.R. 2205.
Legislation called the "Data Security Act of 2015" should improve consumer protection by enhancing data holders' duties to protect sensitive information. It shouldn't eliminate the strong protections we already have for broad categories of communications information.