The more we try to keep tabs on where our personal data travels through the internet abyss, the more complicated it becomes to find a “solution” to preventing breaches, misuse, and exposure. If anything, major data leaks have raised awareness about data privacy, but when it comes to the internet, companies have been free to employ a largely self-regulatory approach to handling and sharing data in the U.S. Changes might be upon us, though.
Stemming from concerted efforts to leave room for innovation in the U.S., this self-regulatory infrastructure allows for economic growth (with disruptors like Amazon leading the way). According to David O’Brien, senior researcher at the Berkman Klein Center for Internet and Society, “you could make the argument that it wouldn’t be possible to have started something like a Facebook in Europe, simply because the regulatory structure over there is so different.”
Headlines of seemingly unwarranted data exposure and dispersal tell a different story. In early March 2019, news broke that millions of email addresses and records of personally identifiable information (PII) were exposed at the hands of Verifications.io, a company that helps other companies remove inactive emails from newsletters. In a completely unrelated instance around the same time, Facebook admitted to storing millions of passwords in plaintext, leaving them vulnerable to employees’ eyes. Earlier, the company was found to be involved in facilitating several apps’ dispersal of sensitive health data — like menstrual cycles — for advertising purposes.
While there are a few internet hygiene tips you can implement to try to keep your information private — like making sure you’re using a WPA2-supported network, updating your device’s software, and not signing up for questionable-looking newsletters — it can be tough to keep tabs on it all.
States Are Leading the Way to New Legislation
According to Jeremy Gillula, Ph.D. and tech projects director at the Electronic Frontier Foundation (EFF), people are starting to care about where their data is going and who’s eyeing it, and the sentiments are trickling to Congress’ front doorstep. “They [Congress] have been kind of comically lethargic about privacy, but they are starting to hold hearings — there have been various bills proposed,” he says. “I think there’s also something to be said for the states leading today … I think as more states start to act, too, Congress is going to say, ‘Well, we’ve got to have something for the entire nation — and the public should demand that a nationwide bill be at least as strong as our strongest state legislation.’”
Right now, California leads the way. The Electronic Frontier Foundation actually stood in support of a proposal to revise the current version of the California Consumer Privacy Law, which would broaden the existing literature’s scope and require consent for information taken for all purposes — not just the “sale” of personal information. The revised version would also transform the law from a largely opt-out structure to an opt-in one. Meaning, rather than a company taking your data and then giving you the option to revoke your consent, it’d have to ask for permission to do so before touching any of your data in the first place.
Europe is setting the trends
This proposed revision somewhat mimics Europe’s General Data Protection Regulation (GDPR), an opt-in system that requires companies to provide clear, informed consent to users before selling or sharing data to third parties. On the user’s end, an opt-in structure may come in the form of more pages to weed through before accessing a site, but in return, you might get a clearer understanding of where your information is going.
“I find that in Europe, as a user, normally I’ll see more pages (not pop-ups) before I enter sites that explain how the site is using my data and requiring me to hit ‘accept’ on their terms, then it’ll take me to the site,” says Sydney Weigert, a trust and safety specialist for SoundCloud in Berlin, Germany. Weigert, who handles data protection and GDPR-related reports and issues for the company, said she was unable to answer questions in relation to SoundCloud, but from a personal perspective believes that the GDPR makes companies more careful and mindful of users’ data. “I would also like to say it makes things clearer … if people choose to read what they’re agreeing to.”
But full transparency can get complicated
Establishing an effective, widespread regulation that demands full transparency from companies in explaining how they extract and share user data will be tough, O’Brien says. Not only do companies use different techniques to extract and share data, but the processes in which they do so are also typically highly technical and difficult to explain in comprehensible terms.
“To give you an example — Facebook is able to calculate that I have a 30% chance of buying a new car within the next 30 days,” O’Brien says. “Trying to explain to a consumer what that information is that [the company] has inferred and how it inferred the information is going to be complicated … I think it will be hard to encourage or require transparency in a way that is meaningful to consumers.”
The Future of Online Privacy, Shaped by Congress and Beyond
Democratic Senator Elizabeth Warren of Massachusetts vocalized her support for the dismantling of big tech monopolies, and overall support for stricter privacy regulation seems to be gaining speed in the U.S. — NPR credits this to a Democratic majority and “younger, more tech-savvy lawmakers in both parties.”
However, the ways in which to regulate these big tech companies tread thin lines between what’s beneficial for the digital economy and what’s best for user privacy, as some say the two don’t always work in harmony. In a debate hosted by the Information Technology and Innovation Foundation (ITIF), Will Rinehart, director of technology and innovation policy at the American Action Forum, said that the U.S. needs to look elsewhere than the GDPR to mimic a regulatory structure, as it “stifles startups,” and that GDPR fines are “too harsh, especially for companies that don’t yet understand the law.”
Data privacy, data protection
Data privacy refers more to what others (i.e., third parties) can learn about you, whereas data protection is more about how a company secures the private information collected about you. O’Brien says that he thinks we’ll see more data protection-focused laws and company initiatives in the U.S. — meaning the U.S. could impose new laws or companies could choose to make changes of their own in favor of user privacy. In this case, companies will likely still be able to learn about you (via your browsing behavior, demographics, etc.), but they may be more explicit about the security measures used to store this data.
Security isn’t a cut-and-dried topic, either
For an example of how tricky it is to assess company initiatives regarding data collection and security, take Facebook’s self-imposed future privacy proposal.
“I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever. This is the future I hope we will bring about,” Mark Zuckerberg wrote in a statement in early March 2019.
Does this mean that your information would stay within the confines of Facebook’s private messaging platforms? Not necessarily. Nothing in Zuckerberg’s statement suggests that the company would shift its business model or stop engaging in digital advertising. In fact, even if the company does everything Zuckerberg proposes, end-to-end encrypted messages don’t necessarily limit how much the company knows about you.
“Even though FB wouldn’t have access to the contents of a message between users, it would presumably be in a position to know who is talking to whom, how often, when, and so on,” says O’Brien. “It’s [metadata] roughly equivalent to the addressing information on an envelope, and when combined with other pieces of tracked information, a lot can be learned from it without ever having access to communications content.”
Privacy isn’t the only concern with Zuckerberg’s new proposal. End-to-end encryption might also make it tougher for law enforcement to identify dangerous users. “Zuckerberg’s statement is vague about how Facebook will consult with ‘safety experts, law enforcement, and governments on the best way to implement safety measures’ and what that will mean for how Facebook responds to government data requests,” Gennie Gebhart, associate director of research at the EFF, wrote in a March 2019 blog post.
What the U.S. could see
Congress could also make sweeping changes and surprise us all. It’s difficult to know exactly what will happen to the tech sector in the U.S., but here are a few things we might see (and are already seeing):
- Pressure for more competition: Facebook and Google accounted for nearly 75% of all digital advertising revenue growth in the U.S. during the last quarter of 2018. In late February 2019, the Federal Trade Commission (FTC) launched a task force dedicated to monitoring mergers and making sure large tech companies follow antitrust laws in an effort to ensure “free and fair competition” in the technology sphere — giving users more options when it comes to internet. In Europe, Google is facing a $1.7 billion fine for violating antitrust laws by imposing contractual advertising restrictions on competitors, solidifying its dominance in the market.
- Shifts in breach notification laws: There are currently 50-plus different breach notification laws in the U.S. They’re all relatively similar, but the language and standards for notifying users differ among each — meaning companies have to comply with variations of state standards in the event of a breach (read: having to send 50 different emails stating there’s been a breach if they serve customers in 50 different states). Some lawmakers are calling for a unified federal regulation to alleviate some of the issues posed by differing state regulations.
But there are a lot of unknowns when it comes to a federally mandated breach notification law, including whether states could still have a hand in data protection and security requirements in the event it were enacted. “That’s important because states like California are laboratories for creating and testing new privacy regulatory regimes, some of which are eventually subsumed into federal policy,” O’Brien says.
- Even more state action: For example, Utah is making moves, but in a different manner than California. On March 12, 2019, Utah legislators voted to pass legislation that requires law enforcement to first obtain a warrant before accessing certain data collected by third parties.
The bottom line? We’ll have to wait and see, but changes — which might or might not resemble a GDPR — are around the corner in the tech sphere. We plan to keep you updated with movement as we see it.