When a California state legislator proposed new broadband privacy rules that would mirror the federal rules previously killed by Congress, broadband industry lobbyists got to work.

The lobbyists were successful in convincing the state legislature to let the bill die without passage last month, leaving Internet users without stronger rules protecting the privacy of their Web browsing histories.

This week, the Electronic Frontier Foundation (EFF) released documents that lobbyists distributed to lawmakers before the vote. The EFF described one as "an anonymous and fact-free document the industry put directly into the hands of state senators to stall the bill" and the other as "a second document that attempted to play off fears emerging from the recent Charlottesville attack by white supremacists." You can read them here and here.

The California bill, introduced by Assembly-member Ed Chau (D-Monterey Park), was modeled on now-defunct Federal Communications Commission rules and would have required Internet service providers to obtain customers' permission before they use, share, or sell the customers' Web browsing and application usage histories.

Rules would disrupt fight against terror, lobbyists claim

Internet usage histories are valuable to ISPs that want to serve up personalized advertisements. But that's not the argument made in the documents distributed to legislators. Instead, among other things, the documents claimed the rules would present a homeland security threat.

"The bill would bar ISPs from sharing potentially identifiable information with law enforcement in many circumstances," one of the documents claimed. "For example, a threat to conduct a terror attack could not be shared (unless it was to protect the ISP, its users, or other ISPs from fraudulent, abusive, or unlawful use of the ISP's service. AND the bill instructs that all such exceptions are to be construed narrowly."

The second document got more specific, saying that "ISPs who inadvertently learned of a right-wing extremist or other violent threat to the public at large could not share that information with law enforcement without customer approval. Even IP address of the bad actor could not be shared."

Those claims simply aren't true, EFF Legislative Counsel Ernesto Falcon wrote:

There is absolutely nothing true about this statement. AB 375 [the privacy bill] specifically said that an ISP can disclose information without customer approval for any "fraudulent, abusive, or unlawful use of the service." More importantly, it also included what is often referred to as a "catchall provision" by allowing ISPs to disclose information "as otherwise required or authorized by law."

That catchall provision makes a big difference, because existing laws that would not have been disrupted by the privacy bill would have let ISPs continue providing information to police in emergencies, he wrote.

Websites and ISPs joined in opposition

While the documents released this week are anonymous, they expand on claims made previously in a letter signed by AT&T, Comcast, Charter, Frontier, Sprint, Verizon, and some broadband lobby groups. That letter was also signed by advertiser groups such as the Association of National Advertisers and the Data & Marketing Association, as well as the Internet Association, which represents Internet companies such as Facebook and Google.

Chau's bill would not have imposed requirements on websites, but the Internet Association was apparently worried that the restrictions would eventually spread beyond ISPs. We asked Chau today if he knows who was spreading the documents to legislators and will provide an update if we get one.

Through their membership in the Internet Association, "Google and Facebook locked arms with AT&T, Verizon, and Comcast to oppose this critical legislation," Falcon wrote. "What is worse, they didn’t just oppose the bill, but lent their support to a host of misleading scare tactics."

“The great, fake pop-up scare”

One of the two lobbyist documents released this week responded directly to the EFF's arguments, comparing what the EFF called a "myth" to the "facts" as determined by lobbyists trying to kill the privacy bill.

For example, the EFF had called it a myth that the bill would inundate Internet users with pop-ups asking for permission to have their data used. Consumers would only have to consent to information sharing once, "not every time they use the Internet," the EFF argued.

But according to lobbyists, "new requests for consent would be required for any use not specifically included in the initial request for consent. This would likely annoy consumers."

Falcon called this "the great, fake pop-up scare." While the bill would have required getting customers' permission before monetizing customers' Internet usage history, "it did not mandate that people have to constantly receive pop-ups to obtain that consent," Falcon wrote. "In fact, once you said no, they couldn’t keep asking you over and over again without violating this law and likely laws that regulate fraud and deceptive acts by businesses."

If you agreed to information sharing and the ISP changed the terms of that agreement, "they would have to ask your permission again," he noted. But that ensures that ISPs can't "sneak through new invasions of privacy" without telling customers first, he wrote.

The EFF expects further battles to enact privacy laws in 2018 and said it "plan[s] to make sure that every legislator who was bamboozled by companies like Google, Facebook, Comcast, and AT&T is given the facts."