Skip to main content

Can the government regulate Internet privacy?

democrats sit in live stream joint session of congress
Image used with permission by copyright holder

The headlines are becoming so common we almost tune them out: major credit card breaches at Target and Neiman Marcus; a major security bug at the heart of Apple’s operating systems; the “heartbleed” bug at the heart of OpenSSL … on and on. This week it’s arts and crafts chain Michaels, which looks to have been taken for up to three million credit and debit cards over two eight-month periods. (Not that we’re judging.) And let’s not forget the ongoing Snowden revelations.

Are you numb? Or do you want the government to “do something” to protect your data?

Recommended Videos

The court of public opinion

Privacy problems and security breaches are battering some people’s confidence. A recent poll by market research firm GfK found that one in three consumers claimed to have been directly impacted by misuse of personal data in the last year, with 60 percent saying their concern about data privacy has increased in the last year. (Almost nine out of ten now say they’re at least “a little” concerned about the safety of their personal information.) Further, over half of respondents say the U.S. government is not doing enough to protect their data, and almost 80 percent said there should be strong regulations governing how data brokers and others can repurpose personal information.

Similarly, a survey conducted last year by the Pew Internet & American Life Project found 66 percent of adults said current privacy laws are “not good enough” to protect Internet users’ privacy – and, intriguingly, the concern was uniform across respondents’ reported political affiliations. Didn’t matter whether folks were liberals or Tea Party supporters: most were concerned about their online privacy. In January, a separate Pew survey found 18 percent of respondents had had important personal information stolen (like a credit card or Social Security number), while 21 percent – that’s one in five – had had an email or social networking account hacked.

There oughtta be a law!

Folks crying for regulations over how corporations handle our data and manage privacy breaches will be relieved to know there are laws. It’s just that they’re mainly state laws. Currently, forty-seven of the fifty states have passed varying forms of privacy protection legislation, with Kentucky getting in line just this week and New Mexico looking like it’ll be next.

“The biggest concern is that a federal bill might actually be weaker than a lot of the state laws.”

State requirements vary widely, and are mostly concerned with the conditions under which residents must be informed that their personal data has been (or might have been) compromised. In one state, a single consumer might be informed immediately if his or her personal information was exposed, but in another state businesses might not have to inform anybody unless a certain number of consumers are known to have been impacted, or where risk analysis finds a breach was likely to have caused actual harm. In some states businesses have to contact consumers directly; in others, they can just post a notice on some dim corner of their Web site.

It’s not as if the federal government is totally out of the picture. Section Five of the Federal Trade Commission Act prohibits “unfair or deceptive practices,” which the FTC has determined can apply to lax data security procedures. In fact, the FTC’s assertion was upheld up last week in a case against Wyndham Hotels, which stored credit card information as plain text, failed to change default passwords…and got taken to the cleaners by Russian hackers on several occasions. However, the FTC can’t assess penalties for violations; at best, it can force companies into settlement agreements in which they modify their practices, pay damages, and promise to play nice for a few years.

What if the feds got more involved?

Proposals for national data protection regulations have been around for years – but so far haven’t gotten much traction in Congress, and there’s little agreement on standards, thresholds, or requirements. Should suspicion of a data breach be enough to trigger notifications, or does actual harm have to have occurred? For instance, a 2011 proposal from the Obama administration would have required any business with information on more than 10,000 people to disclose breaches affecting more than 5,000 people, but only to credit agencies and the federal government, not to actual consumers.

“The biggest concern is that a federal bill might actually be weaker than a lot of the state laws,” said Justin Brookman, Director of Consumer Privacy at the Center for Democracy & Technology. “One of the main points of data breach notification is not necessarily to let everyone know, it’s to impose a liability cost on companies when they have these terrible situations. That way there’s a strong incentive not to have breaches. If a federal law makes that cost less, that’s not a great result.”

Data Security
Image used with permission by copyright holder

Speaking on background, executives at two nationwide retailers indicated American businesses might support a nationwide data breach law – even if it came with liability. One likened the varying state privacy laws to the sales tax situation in the United States, where rates, reporting, and collection vary widely by state, county, and municipal laws. A single privacy and data protection standard would be easier for businesses to manage and — in that executive’s view — exceed.

However, the other executive was wary of reporting requirements. If businesses were mandated to report every possible data breach for any number of customers regardless of whether any harm occurred, they might become the companies that cried wolf, he said. Consumers might receive so many warnings they simply tune them out – which also wouldn’t be a great result.

You mean we’d just get notices?

The approaches described so far focus on informing people whose information has been compromised after a breach. Surely, the better approach is to prevent data breaches in the first place. And what about data brokers, who collect and sell information about us to anyone with two nickels to rub together?

Don’t expect the federal government – or states, for that matter – to attempt to legislate data security practices. The bottom line that that laws and regulation move much more slowly than technology and business practice, and while governments may have requirements for particular contracts or services performed with the private sector, no one expects the government will try to broadly dictate how companies protect consumer data.

Much of the online economy is driven by tracking, analyzing, and reselling information about consumers.

What about data brokers? Consumers are wary of information being traded about them. That GfK survey mentioned earlier found the majority of people in every measured age group distrusted marketers with their personal data, and last year’s Pew study found 86 percent of consumers have taken some steps to minimize online tracking.

Some data security bills introduced before Congress have had provisions addressing data brokers, potentially obligating them to let consumers see, correct, or even delete information that has been collected about them. However, much of the online economy is driven by tracking, analyzing, and reselling information about consumers – think of all the targeted advertising and personalized services we see every day. Companies like Google, Facebook, and Amazon are likely to be wary of any requirement to let consumers control how data is collected and generated about them.

What are the chances of federal regulations regarding data brokers?

“Congress is so ossified, there’s so little floor time to move bills, it’s hard to see anything that’s not utterly uncontroversial getting traction,” said Brookman. “It’s possible something could move, but I think Republicans, Democrats, consumer advocates, and business probably want somewhat different things.”

So don’t hold your breath.

[Final image courtesy of scyther5/Shutterstock]

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Facebook’s new privacy tool convinced me to delete my account
facebook hacked

For years, my Facebook account has practically sat dormant. It's a nostalgic relic of the past that lets me occasionally walk down the memory lane of my life’s first two decades. But it's also a weak link in my digital privacy. I've known for years that Facebook is constantly watching, studying me as I wander through the web. Still, I never gathered up the courage to delete my account and burn it to the ground once and for all. Until last week, that is.
The final nail in the Facebook coffin
A few days ago, I found myself staring wide-eyed at the rundown of all the nearly 1,400 websites and apps that have gathered data on me and shared it with Facebook. I was looking at the Off-Facebook Activity tool, one of the recent additions to Facebook’s suite of security options for users that I had fortuitously stumbled upon. Moments later, my cursor was hovering over the Delete Account button.

Facebook knows a lot about you. After the countless controversies and privacy “bugs,” you probably already knew that. What most people are not familiar with, however, is the vast network of third parties that has enabled Facebook to invade nearly every app you use, and become the data superpower it is today.

Read more
U.K. internet service providers lift caps on broadband data

As people around the world shift to remote work and look to the internet for personal communication and entertainment, unlimited access is more important than ever. Now, the U.K. government has reached an agreement with telecommunications companies to lift all data allowance caps on broadband plans to ensure people can continue to use the internet during the pandemic involving coronavirus, officially called COVID-19.

Major British broadband providers including BT/EE, Openreach, Virgin Media, Sky, TalkTalk, O2, Vodafone, Three, Hyperoptic, Gigaclear, and KCOM have all agreed to lift their data caps. The providers have also agreed to consider further actions, such as working with customers who are struggling to pay their bills due to the coronavirus outbreak, offering new affordable packages for both mobile and landline-based internet for those who don't yet have internet access at home, and providing alternative methods of communication for customers who experience problems with their internet access.

Read more
Hackers expose personal details of 10 million MGM hotel guests
russia hotel wi fi hack hacking hacker lifestyle pc keyboard

A major security breach has hit MGM Resorts hotels after the personal details of 10.6 million guests were posted on a hacking forum this week.

The stolen data belongs not only to regular tourists but also to celebrities, tech CEOs, and government officials -- among them Twitter CEO Jack Dorsey and Canadian singer Justin Bieber.

Read more