Can the government regulate Internet privacy?

The headlines are becoming so common we almost tune them out: major credit card breaches at Target and Neiman Marcus; a major security bug at the heart of Apple’s operating systems; the “heartbleed” bug at the heart of OpenSSL … on and on. This week it’s arts and crafts chain Michaels, which looks to have been taken for up to three million credit and debit cards over two eight-month periods. (Not that we’re judging.) And let’s not forget the ongoing Snowden revelations.

Are you numb? Or do you want the government to “do something” to protect your data?

The court of public opinion

Privacy problems and security breaches are battering some people’s confidence. A recent poll by market research firm GfK found that one in three consumers claimed to have been directly impacted by misuse of personal data in the last year, with 60 percent saying their concern about data privacy has increased in the last year. (Almost nine out of ten now say they’re at least “a little” concerned about the safety of their personal information.) Further, over half of respondents say the U.S. government is not doing enough to protect their data, and almost 80 percent said there should be strong regulations governing how data brokers and others can repurpose personal information.

Similarly, a survey conducted last year by the Pew Internet & American Life Project found 66 percent of adults said current privacy laws are “not good enough” to protect Internet users’ privacy – and, intriguingly, the concern was uniform across respondents’ reported political affiliations. Didn’t matter whether folks were liberals or Tea Party supporters: most were concerned about their online privacy. In January, a separate Pew survey found 18 percent of respondents had had important personal information stolen (like a credit card or Social Security number), while 21 percent – that’s one in five – had had an email or social networking account hacked.

There oughtta be a law!

Folks crying for regulations over how corporations handle our data and manage privacy breaches will be relieved to know there are laws. It’s just that they’re mainly state laws. Currently, forty-seven of the fifty states have passed varying forms of privacy protection legislation, with Kentucky getting in line just this week and New Mexico looking like it’ll be next.

State requirements vary widely, and are mostly concerned with the conditions under which residents must be informed that their personal data has been (or might have been) compromised. In one state, a single consumer might be informed immediately if his or her personal information was exposed, but in another state businesses might not have to inform anybody unless a certain number of consumers are known to have been impacted, or where risk analysis finds a breach was likely to have caused actual harm. In some states businesses have to contact consumers directly; in others, they can just post a notice on some dim corner of their Web site.

It’s not as if the federal government is totally out of the picture. Section Five of the Federal Trade Commission Act prohibits “unfair or deceptive practices,” which the FTC has determined can apply to lax data security procedures. In fact, the FTC’s assertion was upheld last week in a case against Wyndham Hotels, which stored credit card information as plain text, failed to change default passwords…and got taken to the cleaners by Russian hackers on several occasions. However, the FTC can’t assess penalties for violations; at best, it can force companies into settlement agreements in which they modify their practices, pay damages, and promise to play nice for a few years.

What if the feds got more involved?

Proposals for national data protection regulations have been around for years – but so far haven’t gotten much traction in Congress, and there’s little agreement on standards, thresholds, or requirements. Should suspicion of a data breach be enough to trigger notifications, or does actual harm have to have occurred? For instance, a 2011 proposal from the Obama administration would have required any business with information on more than 10,000 people to disclose breaches affecting more than 5,000 people, but only to credit agencies and the federal government, not to actual consumers.

“The biggest concern is that a federal bill might actually be weaker than a lot of the state laws,” said Justin Brookman, Director of Consumer Privacy at the Center for Democracy & Technology. “One of the main points of data breach notification is not necessarily to let everyone know, it’s to impose a liability cost on companies when they have these terrible situations. That way there’s a strong incentive not to have breaches. If a federal law makes that cost less, that’s not a great result.”

Speaking on background, executives at two nationwide retailers indicated American businesses might support a nationwide data breach law – even if it came with liability. One likened the varying state privacy laws to the sales tax situation in the United States, where rates, reporting, and collection vary widely by state, county, and municipal laws. A single privacy and data protection standard would be easier for businesses to manage and — in that executive’s view — exceed.

However, the other executive was wary of reporting requirements. If businesses were mandated to report every possible data breach for any number of customers regardless of whether any harm occurred, they might become the companies that cried wolf, he said. Consumers might receive so many warnings they simply tune them out – which also wouldn’t be a great result.

You mean we’d just get notices?

The approaches described so far focus on informing people whose information has been compromised after a breach. Surely, the better approach is to prevent data breaches in the first place. And what about data brokers, who collect and sell information about us to anyone with two nickels to rub together?

Don’t expect the federal government – or states, for that matter – to attempt to legislate data security practices. The bottom line is that laws and regulation move much more slowly than technology and business practice, and while governments may have requirements for particular contracts or services performed with the private sector, no one expects the government will try to broadly dictate how companies protect consumer data.

What about data brokers? Consumers are wary of information being traded about them. That GfK survey mentioned earlier found the majority of people in every measured age group distrusted marketers with their personal data, and last year’s Pew study found 86 percent of consumers have taken some steps to minimize online tracking.

Some data security bills introduced before Congress have had provisions addressing data brokers, potentially obligating them to let consumers see, correct, or even delete information that has been collected about them. However, much of the online economy is driven by tracking, analyzing, and reselling information about consumers – think of all the targeted advertising and personalized services we see every day. Companies like Google, Facebook, and Amazon are likely to be wary of any requirement to let consumers control how data is collected and generated about them.

What are the chances of federal regulations regarding data brokers?

“Congress is so ossified, there’s so little floor time to move bills, it’s hard to see anything that’s not utterly uncontroversial getting traction,” said Brookman. “It’s possible something could move, but I think Republicans, Democrats, consumer advocates, and business probably want somewhat different things.”

So don’t hold your breath.

[Final image courtesy of scyther5/Shutterstock]
