HB 230-TELECOMMUNICATIONS & INTERNET PRIVACY  2:21:56 PM CHAIR CLAMAN announced that the first order of business would be HOUSE BILL NO. 230, "An Act relating to the collection of customer information by telecommunications and Internet service providers; and establishing an unfair trade practice under the Alaska Unfair Trade Practices and Consumer Protection Act." 2:22:23 PM REPRESENTATIVE HARRIET DRUMMOND, Alaska State Legislature, advised that in March 2017, the United States Congress passed a bill that repealed an FCC regulation known as "Protecting the Privacy of Customers of Broadband and Other Telecommunication Services." She explained that this regulation mandates that internet service providers (ISPs) must receive permission from users before harvesting personal data. The repeal of this regulation allowed an opening for ISPs and telecommunication companies to collect data without the consent of the customer whose data was being collected. She stressed that there are absolutely no accusations here that any of Alaska's telecommunication companies or ISPs are doing this, and they have been clear in letting her office know that they do not use this type of trade practice. However, she remarked, there is a need to protect the privacy of Alaskans by solidifying into statute a civil penalty that can be used on a telecommunications company or ISP if they are found to have been doing so by an Alaska court. This legislation implements a new section under AS 45.48.800 to establish the collection of personal data and information by an ISP or telecommunication company as an unfair trade practice. She further advised that this legislation will keep Alaskans' information safe and will allow the state to bring action against violators of the new section, and hopefully it will never be used. 2:24:14 PM PATRICK FITZGERALD, Staff, Representative Harriet Drummond, Alaska State Legislature, paraphrased the sectional analysis as follows [original punctuation provided]: Sec. 1. Establishing the collecting of personal information by Telecommunications companies or Internet service providers without the consent of the customer or user of service is considered (1) Effect on public interest (2) Not a reasonable method of conducting or preserving business (3) is an unfair trade and deceptive practice of business operations. Sec. 2 AS 45.48 is amended by adding a new section to read: Article 6A. Information Disclosure Sec. 45.48.800 Approval required for Information disclosure. Telecommunications Company or Internet service providers are not allowed to collect personal information without the expressed written approval of the customer. Telecommunications Company or Internet service providers may not discriminate a paying customer solely because a customer denied the right for the Telecommunications Company or Internet service providers to collect information. Telecommunications Company is defined as Cable, telegraph, telephone, or broadcasting. Sec. 3 AS 45.50.471 Adds a new paragraph AS 45.48.800 explaining violation of credit/debit card information sharing now includes Internet and telecommunications providers. Sec. 4 AS 45.48.800 Definition of "Telecommunication service" and establishes an effective date. 2:26:05 PM REPRESENTATIVE LEDOUX asked the type of personal information being collected because if she googles Antarctica, for example, and the next thing she knows is that advertisements for vacations in that area pop up on her screen. She questioned whether that is the type of personal information being collected that would no longer be available to harvest. REPRESENTATIVE DRUMMOND opined that Representative LeDoux's example takes place through Facebook's or Google's algorithms, and this is not about the software companies that run those programs on the internet, but rather it is about the people who send that information to our homes and offices initially. She explained that this legislation is for those service providers to whom consumers pay their bills for internet access, and she is trying to keep sensitive information out of the hands of those providers. She said she does not know what can be done about issues such as Representative LeDoux's example, although the federal government is trying to deal with Facebook and its privacy issues. This bill is simply about the GCIs, the ACSs, the APTIs, and the other service providers in Alaska because the FCC withdrew this rule that protects consumer privacy. Therefore, she pointed out, the states need to step in, and many state legislatures have stepped up to help ensure their constituents' privacy from "their ISPs prying fingers." MR. FITZGERALD added that the sponsor's office has information from the Council of State Governments and other states with legislation similar to HB 230, which advised that many areas in the country have only one internet service provider for certain areas. Under those circumstances, he said, a person has relatively no option as far as their information being used and shared, which is one of the reasons for this legislation. 2:29:22 PM REPRESENTATIVE LEDOUX requested an example of the information Mr. Fitzgerald was discussing, what information is being shared, and whether it includes her social security number. MR. FITZGERALD answered that the definition of personal information varies, and the sponsor requested a memorandum from Legislative Legal and Research Services on that definition, and issues such as state identification numbers, social security numbers, billing information, and so forth. 2:30:22 PM REPRESENTATIVE LEDOUX questioned how GCI or ACS would even receive her state identification number. REPRESENTATIVE DRUMMOND responded that all of this information travels from her keyboard through the software, such as Facebook or a shopping website, and the hardware that is provided by the person's internet service provider to get that signal to her. Those entities have the ability to "grab that information along the way," never mind what Facebook marketing is doing with it as that is dealt with in a different manner. Many of these devices have the capability to retain the memory of account numbers, social security numbers, credit card information, medical information, and online purchases, she advised. The passage of HB 230 would put into law that the telecommunication companies and internet service providers must be given consent by the user of any service or device before they can sell, trade, or gift the information entered by a private citizen. She offered that the entity may already have this information because all of this information passes through its equipment and at any point it can reach in and grab the information. This legislation directs that the entities cannot grab the information without permission. This is something that can easily take place since the consumer pays the service provider hundreds of dollars in fees every month, and in exchange it needs to get permission to use any information that might be harvested. 2:32:26 PM REPRESENTATIVE LEDOUX asked whether it was likely the service providers have a form that is similar to form she see when logging onto the state internet stating, "You agree to the terms." REPRESENTATIVE DRUMMOND answered, "Probably yes." 2:33:14 PM REPRESENTATIVE REINBOLD asked whether this bill deals solely with internet service providers and it has nothing to do with software or apps. REPRESENTATIVE DRUMMOND replied that this legislation is solely about telecommunication companies and internet service providers, "not the Microsoft, Facebook Zuckerberg's of the world," unless Microsoft is an internet service provider. Her only concern, she remarked, is with Alaska's internet service providers and the impacts of protecting the privacy of Alaska's citizens through this legislation. 2:35:01 PM REPRESENTATIVE REINBOLD asked whether there is any way to "get them on the hook," as she would look forward to an amendment to target these people and in dealing with the software aspect as well. REPRESENTATIVE DRUMMOND commented that this is a good conversation to have and AT&T and GCI are both telecommunication companies that lease the use of phones to Alaskans, for example. In the event the legislature directs those entities to protect Alaskans' privacy, they will need to come up with a manner in which to protect that privacy or obtain a customer's permission before using any of the data. This legislation is aimed at the closest people it can impact, and AT&T and GCI are close at hand, she explained that those are the people this legislation is talking to, not Microsoft or Facebook. 2:36:29 PM REPRESENTATIVE REINBOLD noted that she was unsure whether it was real, but there were contracts between AT&T and NSA all over Facebook. She offered that could be a broader conversation that "they are working with or whether they are not. I think that that may be another intriguing aspect of this conversation." 2:37:01 PM REPRESENTATIVE EASTMAN suggested that it would probably be in the best interests of the committee to have a definition of personal information somewhere in the bill, or at least point to a definition somewhere else that will apply. He commented that "As I look at just personal information, it would seem to me from just reading the bill that if I don't want to give my full name to an ISP, that I don't have to. And, if they want to bill me they are going to have to find some other way, some non- personal information way, if I refuse to give consent to give that kind of information." He asked the impact the sponsor foresees as to the passage of this bill having on law enforcement. For example, if someone is committing crimes and the ISP is aware, except it is not allowed to keep any of ... CHAIR CLAMAN advised that Representative Eastman had passed his one-minute time limit, and said that the question is, what is the impact on law enforcement. MR. FITZGERALD replied that the sponsor has looked into that question and it is awaiting an official response from the Legislative Legal and Research Services drafter and a legal opinion. However, he said, it is his informal knowledge that court ordered warrants are specific and this legislation does not stop any warrant from being issued if there is suspicion of illegal activity taking place through any sort of ISP or any individual using their own personal computer "for things." He said he would provide the committee with any information he receives. 2:39:04 PM REPRESENTATIVE EASTMAN commented that that did not answer his question, and said that the bill read that it is illegal for the telecommunications service provider to collect a person's information. In the event he was a member of law enforcement "and I go with that search warrant to collect the information from you, you would have first, as the ISP, had to have collected that information to begin with. And, if you don't hold onto it in some way, which is usually called 'collecting' then there may be nothing for the search warrant to go back to. You may say, hey, we'd like to help you but we just don't know any information to help you out with your search warrant." MR. FITZGERALD clarified that this legislation makes it illegal to collect information without the user's consent. That being said, he opined that (audio difficulties) reason to suspect illegal activity taking place with an individual's computer, then law enforcement would be able to go through the ISP and serve a warrant for a search. 2:40:50 PM REPRESENTATIVE EASTMAN referred to the violations "in the memo you provided," wherein it spells out that for each violation, the person must be subject to a penalty of not less than $1,000 fine or more than $25,000 fine. He asked how that might impact a willingness for the companies to stay in this market if they will now be liable, especially if it is an accidental technical error that results in 5,000 customers being affected. In the event each one of those customers is a violation, that could put a company out of business, impact insurance rates, or customer service charges, he said. MR. FITZGERALD responded that the sponsor does not believe the risk of a company that does not handle their customer's privacy diligently should be exempt from penalties. 2:42:09 PM REPRESENTATIVE KOPP asked whether the intent of this legislation is that no information, such as a phone number or address, can be retained by an internet service provider or a telecommunication provider unless they have the consumer's consent. REPRESENTATIVE DRUMMOND responded that obviously the internet service provider requires some information from the consumer in order to provide the service. Information such as a consumers' telephone number, address, credit card numbers, bank account number with which the consumer pays their invoices, and anything else collected by that service provider must stay private. She said that she assumes the service provider would want that information and that they should be able to keep it private in order to provide their services. Beyond that, she explained, service providers do not get to profit from collecting that information, or share it with marketing companies, or any other entity, without the consumer's permission. She stated that in her opinion it should simply be that when a person signs up for service with GCI, AT&T, or any other service provider, there is a simple "yes or no" box to check indicating whether the consumer's personal information can be shared. 2:44:02 PM REPRESENTATIVE KOPP surmised that this bill is not so much about the collection of data, but what actions are taken with the personal information data. REPRESENTATIVE DRUMMOND answered in the affirmative. 2:44:20 PM REPRESENTATIVE KOPP commented that he has served many search warrants for pagers and cells phones, and on internet service providers for particular IP addresses which shows associations, dates and times, exactly when the criminal act occurred, and when all the communication stopped because "the deed is done so these people do not need to talk to each other anymore." (Audio difficulties) wanting to make sure the bill sponsor's intent is more about commercially selling a consumer's information and being pulled into whatever marketing someone else offered. REPRESENTATIVE DRUMMOND answered in the affirmative. 2:45:31 PM CHAIR CLAMAN opened public testimony on HB 230. REPRESENTATIVE EASTMAN asked Jonathan Clement, Department of Law, (audio difficulties) having on law enforcement. 2:46:50 PM JONATHAN CLEMENT, Assistant Attorney General, Commercial and Fair Business Section, Department of Law (DOL), advised that he works in the area of consumer protection and Representative Eastman's question would be better directed to the Department of Law, Criminal Division. He offered to work with the bill sponsor to have someone available to answer the question at the next hearing. 2:47:16 PM CHAIR CLAMAN, after ascertaining no one wished to testify, closed public hearing on HB 230. 2:47:26 PM REPRESENTATIVE REINBOLD referred to the Constitution of the State of Alaska, Article 1, Sec. 22, which read as follows: Right of Privacy. The right of the people to privacy is recognized and shall not be infringed. The legislature shall implement this section. [Amended 1972] REPRESENTATIVE REINBOLD commented that she believes this is a bill that could possibly be agreed upon because legislators swore to defend the constitution. 2:47:52 PM REPRESENTATIVE EASTMAN commented that he values the intent of this legislation, he appreciates the protection for privacy being pursued, and that his questions were in the form of devil's advocate because attorneys do not always catch where legislators are trying to go with legislation. [HB 230 was held over.]