Last week, Malwarebytes Labs began closing out our data privacy and cybersecurity law blog series, a two-month long exploration spanning five continents, 50 states, just as many data breach notification laws, three non-universal definitions of personal information and personal data, five pending US data protection laws, and one hypothetical startup’s efforts to just make sense of it all.
We published six high-level takeaways from that series, focusing on what companies can and should do for data privacy compliance in the US and around the world.
Today, we bring the focus back to users. Amidst never-ending data breaches and constantly-surprising company fiascos, here are six takeaways for anyone in the US who cares about protecting their online privacy, whether in a court of law or in a web browser.
From January 14 through February 15, 2019, Malwarebytes surveyed nearly 4,000 individuals across 66 countries, asking them about their approaches to online privacy and cybersecurity. Do they care about online privacy? Do they do anything to protect their information online? Where do they admittedly fail?
The results were clear: Almost everyone, no matter their age or postal code, cares about online privacy.
A full 96 percent of respondents said they care about protecting their personal information, while 97 percent said they take steps in protecting their online data. Those steps include refraining from posting any sensitive personal data online, using cybersecurity software on their machines, running software updates regularly, and verifying the security of websites before making any purchases.
Historically, the United States has approached data privacy legislation on a case-by-base basis, writing and passing laws that protect specific types of data collected by industry-specific companies.
There’s a law that protects health care data handled by health care providers (HIPPA). There’s a law protecting children’s data that applies to companies that knowingly market their products toward children (COPPA). There’s a law for video rental history, another for credit information, and another for banks, insurance companies, and certain financial institutions that collect personal information.
However, the sheer volume of these sector-specific data privacy laws never coalesces into comprehensive, legal data protection for Americans. Instead, the laws interlink to form more of a net—holes included.
As we wrote before:
> “If a company gives intimate menstrual tracking info to Facebook? Tough luck. If a flashlight app gathers users’ phone contacts? Too bad. If a vast network of online advertising companies and data brokers build a corporate surveillance regime that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world.”
When a certain type of data isn’t regulated by a certain law, consumers are left with little legal recourse, said Lee Tien, senior staff attorney for Electronic Frontier Foundation.
“In general, unless there is specific, sectoral legislation, you don’t have much of a right to do anything with respect to [data privacy],” Tien said.
There is one caveat though…
In the US, companies are bound by laws that prohibit “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising. Those laws also cover data protection practices.
So, if a company says it will not sell your data, but it does, that company has broken the law, and it can be hit with a lawsuit. This same principle applies when a German automaker lies to the public about its “clean diesel” engines, or when the world’s largest social media company allegedly violates a privacy decree it made many years prior.
While these types of lawsuits can be filed by individuals, their success is limited. If, say, an individual wants to sue a company because of a data breach, that individual must first show that they personally suffered harm. Because of the myriad variables involved in any data breach—the actual criminals who stole the data, the direct relation from a data breach to potential economic injury—such harm is exceedingly difficult to prove.
In 2017, an Uber driver failed to meet just this requirement when he sued the company for a data breach that affected up to 50,000 drivers.
The judge at his hearing told him:
> “It’s not there. It’s just not what you think it is…It really isn’t enough to allege a case.”
Fortunately, there is yet another caveat. State Attorneys General, county District Attorneys, and city attorneys can sue a company for its deceitful business practices without having to show personal harm.
Those lawsuits have worked.
Filing a successful lawsuit—or waiting around for a government attorney to file one for you—is not the only way to protect your online privacy. Today, there are multiple online privacy tools that protect users from invasive online tracking, helping to put a wall between users and persistent online ads.
Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that users can protect their online activity by using a number of both privacy-focused web browsers and tracker-blocking browser extensions. Though Privacy Rights Clearinghouse does not endorse any products, Stephens mentioned the web browsers Brave and Firefox Focus—which both automatically block online tracking—and the browser extension Disconnect, which the New York Times chose as its favored anti-tracking tool.
Stephens had more advice for users that want to protect their online information: Do not trust any app to leave your private data alone.
“We have this naïve conception that the information we’re giving an app, that what we’re doing with that app, is staying with that app,” Stephen said. “That’s really not true in most situations.”
Stephens pointed to several examples of mobile apps that have, for no discernible reason, vacuumed up user data, like the flashlight app that collected mobile contacts. To avoid this problem, Stephens suggested users navigate the Internet on their mobile devices with a privacy-focused browser and not through any company-developed app.
> “Quite frankly,” Stephens said, “I would not trust any app to not leak my data.”
Data privacy is, finally, a hot topic for US Congress members.
Last year, after the Guardian revealed how a political consultancy harvested the Facebook profiles of millions of unwitting users in a covert operation to sway the 2016 US presidential election, Congress responded. They called in Facebook CEO Mark Zuckerberg to testify. They peppered him with questions. They told him to his face that they would regulate his lurching social media behemoth.
Since then, they’ve held pursuit.
They invited Google, Alphabet, Twitter, and Facebook executives to explain what their companies were doing to curb Russian disinformation campaigns, and they balked at Google’s self-branded “error” in failing to disclose the microphones installed in its Nest home security products.
This new Congressional temperament has resulted in multiple legislative efforts to protect Americans’ data. Four US Senators and one digital rights nonprofit have all proposed individual federal bills that would regulate how companies collect, store, share, or sell user data. Even the private search engine DuckDuckGo threw its idea into the ring early this month.
Though the bills lack a clear frontrunner, data privacy itself could remain an important topic in the 2020 presidential election. Three Democratic candidates—Senators Amy Klobuchar of Minnesota, Cory Booker of New Jersey, and Michael Bennet of Colorado—have authored or co-sponsored data privacy legislation in the past year.