For decades, the United States treated data privacy like an aging home, patching individual leaks and drafts only when a new storm hit. The country passed a law protecting healthcare-related information, and not much else. It then passed a law protecting video rental information, and not much else. It continued this way, repeatedly passing sector-specific laws while failing to address a problem that, in the past two years, became impossible to ignore.
Data privacy, as protected by law, is broken.
Americans enjoy no federal rights to access their data, correct their data, easily move their data from one company to another, or individually sue a company that invades their private lives online.
Harmed by the Equifax breach? Good luck getting more than literal pennies in the settlement. Shocked that a company shared menstrual tracking info with Facebook? Oh, well. Want to fight back against invasive online trackers? Your options are limited.
Since mid-2018, several US Senators have sought to fix these types of failures, introducing at least nine bills—with six introduced in 2019 alone—to provide comprehensive data privacy protections to every American.
With so many bills, what’s the holdup on getting them passed?
For starters, installing comprehensive data privacy protections is long, complex work—the European Union spent more than five years drafting its own data privacy law, the General Data Protection Regulation (GDPR), and even after the EU approved the law, another two years passed before it took effect. Further, you could say that Congress is a little, um, busy as of late.
Finally, though every bill may focus on data privacy as an end goal, many disagree with how to get there.
One data privacy bill simply aims to stamp out legalese-infused end-user agreements. Another data privacy bill seeks to grant similar protections as those afforded in GDPR, like the rights to access, correct, and delete personal data. One proposal tries to stop invasive online tracking and data-sharing practices. The same proposal argues that dishonest tech CEOs should be jailed. Still more bills offer ideas like data ownership, data valuation, and something called “interoperability,” which, in a perfect world, would let individuals talk to their friends on Facebook without actually needing a Facebook account.
In combing through the many federal and state data privacy bills that emerged this year, we found some similarities. Here is a look at the legislative trends in data privacy for 2019.
In November, one Democratic presidential hopeful latched onto a data privacy idea that has been around for at least six years: Paying people for their data.
If data is more valuable than oil, as the candidate said, then shouldn’t the people who produce that data get paid for it? Shouldn’t Americans be compensated for their most valuable asset in today’s data-driven economy?
This is the “data as property” model, and supporters of it argue that, by giving individuals the right to their own data, they can then control how their data is collected, shared, and sold. No more surprise data-sharing between one company and another. No more GPS location data falling into the hands of literal bounty hunters. (Unless, of course, that’s what you want.) And, perhaps most importantly, no more companies making it rich without consumers getting at least a little cut of the profit.
Under a “data as property” model, supporters believe that everyday consumers could receive steady, passive income by selling their data on their own terms. Not only that, but data could be sold repeatedly, as it potentially maintains its value even after being sold.
Earlier this year, US Senators Mark Warner of Virginia and Josh Hawley of Missouri hinted at this possible future with their bill, the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data, or DASHBOARD, Act.
The DASHBOARD Act would require certain companies to assess and disclose the value of users’ data, while also extending data privacy rights to consumers to delete all, or certain fields, of collected data.
But privacy advocates argue that putting a price tag on data—a process that is neither science nor art—only normalizes the idea that our data privacy can be bought. Once that type of relationship is codified into law, the potential risks would disproportionately harm low-income, struggling communities, said Chad Marlow, senior advocacy and policy counsel at ACLU.
“If you have parents who are struggling to put food on the table—who are eating bread and drinking water for multiple dinners—and you say ‘I will give you money if you sell your data’ and you don’t even say how much, they will say yes immediately,” Marlow said. “Because they cannot afford to say no.”
This is the “pay-for-privacy” problem. It showed up a few times this year.
In November 2018, Democratic Senator Ron Wyden introduced the “Consumer Data Protection Act,” a draft proposal that would have empowered American consumers to opt out of having their data shared with multiple third parties. Unfortunately, according to the proposal, that decision could sometimes come with a price.
As Malwarebytes Labs explained earlier this year, this is how the proposal would have worked:
“Say a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission’s ‘Do Not Track’ website, where she would choose to opt-out of online tracking. Then, online companies with which Alice interacts would be required to check Alice’s ‘Do Not Track’ status.
“If a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data—including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder—would need to heed users’ individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.
“This represents a literal price for privacy.”
Nearly one year after Sen. Wyden introduced this draft proposal, he formally introduced the “Mind Your Own Business Act” before the US Senate with many of the same ideas—including the same pay-for-privacy scheme.
The problems with pay-for-privacy schemes are the same as with the “data as property” model—the individuals most able to assert their data privacy rights will be those who can literally afford it. If such models move forward, we risk creating a world of the “privacy-haves” and “have-nots”—a mirrored image of the already visible socioeconomic striation in America.
These concerns are not hypothetical.
In 2015, AT&T offered a broadband service package with a $30-a-month discount so long as users agreed to have their Internet activity tracked. That type of browsing activity, AT&T said, included “the webpages you visit, the time you spend on each, the links and or ads you see and follow, and the search terms you enter.”
Privacy is a human right, and online privacy should be no exception. That means no commodity pricing, and no selling it to the highest bidder.
Thankfully, at least one state this year passed a law that explicitly forbids pay-for-privacy schemes.
Over the summer this year, the governor of Maine signed into law a bill that prohibits Internet Service Providers from sharing and selling Maine residents’ data without their explicit approval.
The law includes another protection that does not allow ISPs to “charge a customer a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent” to having their data sold, shared, or accessed by third parties.
Score one for data privacy.
In late October, three US Senators introduced a bill that they believed would increase data privacy by doing something else—increasing competition with Big Tech.
The idea, the Senators argued, was simple: Empower American consumers to leave the platforms that invade their online privacy without losing access to their social networks, where their friends, family, and acquaintances may still reside.
Under the proposal, Americans would enjoy the benefits of data portability—which would enable consumers to pack up their data and take it to another platform—and interoperability—a feature that would potentially allow different chat services to interact with one another. Think of it like Facebook’s massive integration plan announced earlier this year for its chat platforms Messenger, WhatsApp, and Instagram, but for nearly the entire Internet.
As we wrote before about this bill, called the ACCESS Act:
“These rules… would presumably allow Americans to, for example, download all their data from Facebook and move it to privacy-focused social network Ello. Or talk directly to Twitter users while using the San Francisco-based company’s smaller, decentralized competitor, Mastodon. Or even, perhaps, log into their Vimeo account to comment on YouTube videos.”
Responses to the bill were mixed.
Avery Gardiner, senior fellow of competition, data, and power for the Center for Democracy and Technology, lamented the lack of competition facing Big Tech, but she said that data privacy for Americans should come in a data privacy bill, not a competition bill.
Cory Doctorow, a writer, activist, and research affiliate with MIT Media Lab, welcomed the bill because, unlike other efforts in Congress, it did not focus strictly on single bad actors in Big Tech, like Facebook.
“This aims to fix the Internet,” Doctorow said, “so that Facebook’s behavior is no longer so standard.”
On January 1, 2020, California’s own privacy law, the California Consumer Privacy Act, takes effect. Passed in 2018, the law has survived multiple legislative attempts to weaken and defang it, and it has inspired similar legislation in other states.
With the law’s enormous scope, it will likely serve as a trial run for any federal data privacy bill.
Will companies receive serious fines, or will enforcement be lax? What will the first enforcement action be? What company will it be against? If penalties are severe, at what point will companies band together to prevent similar legislation from passing at the federal level? Hint: They’re already trying.
And that is not to mention, of course, next year’s mindshare-absorbing presidential election.
Until then—and after it—Malwarebytes Labs will closely watch this space. We can only predict it will get more interesting, more complex, and more important.
The post Online privacy in 2019: a legislative review appeared first on Malwarebytes Labs.