{"id":17280,"date":"2019-12-23T10:10:17","date_gmt":"2019-12-23T18:10:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/12\/23\/news-11016\/"},"modified":"2019-12-23T10:10:17","modified_gmt":"2019-12-23T18:10:17","slug":"news-11016","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/23\/news-11016\/","title":{"rendered":"Online privacy in 2019: a legislative review"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Mon, 23 Dec 2019 17:41:31 +0000<\/strong><\/p>\n<p>For decades, the United States treated data privacy like an aging home, patching individual leaks and drafts only when a new storm hit. The country passed a law protecting healthcare-related information, and not much else. It then passed a law protecting video rental information, and not much else. It continued this way, repeatedly passing sector-specific laws while failing to address a problem that, in the past two years, became impossible to ignore. <\/p>\n<p>Data privacy, as protected by law, is broken. <\/p>\n<p>Americans enjoy no federal rights to access their data, correct their data, easily move their data from one company to another, or <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">individually sue a company that invades their private lives online<\/a>. <\/p>\n<p>Harmed by the <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/09\/equifax-breach-what-you-need-to-know\/\" target=\"_blank\">Equifax breach<\/a>? Good luck getting <a href=\"https:\/\/www.theverge.com\/2019\/7\/26\/8932398\/equifax-settlement-125-claim-wont-get-money-alternative-reimbursement-compensation\">more than literal pennies in the settlement<\/a>. 
Shocked that a company shared <a href=\"https:\/\/mashable.com\/article\/flo-period-tracking-app-will-stop-sharing-data-with-facebook\/#1RhsPF1sgsq0\">menstrual tracking info with Facebook<\/a>? Oh, well. Want to fight back against invasive online trackers? <a href=\"https:\/\/www.nytimes.com\/2019\/11\/24\/smarter-living\/privacy-online-how-to-stop-advertiser-tracking-opt-out.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Your options are limited<\/a>. <\/p>\n<p>Since mid-2018, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/03\/what-congress-means-when-it-talks-about-data-privacy-legislation\/\" target=\"_blank\">several US Senators have sought to fix these types of failures<\/a>, introducing at least nine bills\u2014with six introduced in 2019 alone\u2014to provide comprehensive data privacy protections to every American. <\/p>\n<p>With so many bills, what&#8217;s the holdup on getting them passed? <\/p>\n<p>For starters, installing comprehensive data privacy protections is long, complex work\u2014the European Union spent more than five years drafting its own data privacy law, the General Data Protection Regulation (GDPR), and even after the EU approved the law, another two years passed before it took effect. Further, you could say that <a href=\"https:\/\/www.washingtonpost.com\/politics\/trump-impeachment-live-updates\/2019\/12\/18\/237147e8-2110-11ea-bed5-880264cc91a9_story.html\">Congress is a little, um, busy<\/a> as of late. <\/p>\n<p>Finally, though every bill may focus on data privacy as an end goal, many disagree on how to get there. <\/p>\n<p>One data privacy bill simply aims to stamp out legalese-infused end-user agreements. 
Another data privacy bill seeks to grant protections similar to <a rel=\"noreferrer noopener\" aria-label=\"those afforded in GDPR (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/02\/max-schrems-lawyer-regulator-international-man-of-privacy\/\" target=\"_blank\">those afforded in GDPR<\/a>, like the rights to access, correct, and delete personal data. One proposal tries to stop invasive online tracking and data-sharing practices. The same proposal argues that dishonest tech CEOs should be jailed. Still more bills offer ideas like data ownership, data valuation, and something called \u201cinteroperability,\u201d which, in a perfect world, would let individuals talk to their friends on Facebook without actually needing a Facebook account. <\/p>\n<p>In combing through the many federal and state data privacy bills that emerged this year, we found some similarities. Here is a look at the legislative trends in data privacy for 2019. <\/p>\n<h3><strong>Data as property<\/strong><\/h3>\n<p>In November, one Democratic presidential hopeful latched onto a data privacy idea that has been around for at least six years: Paying people for their data. <\/p>\n<p>If data is more valuable than oil, as the candidate said, then shouldn\u2019t the people who produce that data get paid for it? Shouldn\u2019t Americans be compensated for their most valuable asset in today\u2019s data-driven economy? <\/p>\n<p>This is the \u201cdata as property\u201d model, and supporters argue that giving individuals the right to their own data lets them control how their data is collected, shared, and sold. No more surprise data-sharing between one company and another. 
No more GPS location data falling into the hands of <a href=\"https:\/\/www.vice.com\/en_us\/article\/43z3dn\/hundreds-bounty-hunters-att-tmobile-sprint-customer-location-data-years\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">literal bounty hunters<\/a>. (Unless, of course, that\u2019s what you want.) And, perhaps most importantly, no more companies making it rich without consumers getting at least a little cut of the profit. <\/p>\n<p>Under a \u201cdata as property\u201d model, supporters believe that everyday consumers could receive steady, passive income by selling their data on their own terms. Not only that, but data could be sold repeatedly, as it potentially maintains its value even after being sold. <\/p>\n<p>Earlier this year, US Senators Mark Warner of Virginia and Josh Hawley of Missouri <a href=\"https:\/\/www.warner.senate.gov\/public\/index.cfm\/2019\/6\/warner-hawley-introduce-bill-to-force-social-media-companies-to-disclose-how-they-are-monetizing-user-data\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">hinted at this possible future<\/a> with their bill, the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data, or DASHBOARD, Act. <\/p>\n<p><a href=\"https:\/\/www.scribd.com\/document\/414097245\/Data-Value-Transparency-SIL19753\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">The DASHBOARD Act<\/a> would require certain companies to assess and disclose the <em>value<\/em> of users\u2019 data, while also extending data privacy rights to consumers to delete all, or certain fields, of collected data.<\/p>\n<p>But privacy advocates argue that putting a price tag on data\u2014a process that is neither science nor art\u2014only normalizes the idea that our data <em>privacy<\/em> can be bought. 
Once that type of relationship is codified into law, the potential risks would disproportionately harm low-income, struggling communities, said Chad Marlow, senior advocacy and policy counsel at the ACLU.<\/p>\n<p>\u201cIf you have parents who are struggling to put food on the table\u2014who are eating bread and drinking water for multiple dinners\u2014and you say \u2018I will give you money if you sell your data\u2019 and you don\u2019t even say how much, they will say yes immediately,\u201d Marlow said. \u201cBecause they cannot afford to say no.\u201d<\/p>\n<p>This is the \u201cpay-for-privacy\u201d problem. It showed up a few times this year. <\/p>\n<h3><strong>Pay-for-privacy <\/strong><\/h3>\n<p>In November 2018, Democratic Senator Ron Wyden introduced the \u201cConsumer Data Protection Act,\u201d a draft proposal that would have empowered American consumers to opt out of having their data shared with multiple third parties. Unfortunately, according to the proposal, that decision could sometimes come with a price. <\/p>\n<p>As Malwarebytes Labs <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/02\/will-pay-privacy-new-normal\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">explained earlier this year<\/a>, this is how the proposal would have worked:<\/p>\n<p>\u201cSay a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission\u2019s \u2018Do Not Track\u2019 website, where she would choose to opt out of online tracking. 
Then, online companies with which Alice interacts would be required to check Alice\u2019s \u2018Do Not Track\u2019 status.<\/p>\n<p>\u201cIf a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data\u2014including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder\u2014would need to heed users\u2019 individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.<\/p>\n<p>\u201cThis represents a literal price for privacy.\u201d<\/p>\n<p>Nearly one year after Sen. Wyden introduced this draft proposal, he formally introduced the \u201c<a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/Mind%20Your%20Own%20Business%20Act%20of%202019%20Bill%20Text.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Mind Your Own Business Act<\/a>\u201d before the US Senate with many of the same ideas\u2014including the same pay-for-privacy scheme. <\/p>\n<p>The problems with pay-for-privacy schemes are the same as those with the \u201cdata as property\u201d model\u2014the individuals most able to assert their data privacy rights will be those who can literally afford it. If such models move forward, we risk creating a world of privacy \u201chaves\u201d and \u201chave-nots\u201d\u2014a mirror image of the already visible socioeconomic striation in America. <\/p>\n<p>These concerns are not hypothetical. 
<\/p>\n<p>In 2015, <a href=\"https:\/\/www.techdirt.com\/articles\/20160329\/08514034038\/att-tries-to-claim-that-charging-users-more-privacy-is-discount.shtml\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">AT&amp;T offered a broadband service package<\/a> with a $30-a-month discount so long as users agreed to have their Internet activity tracked. That type of browsing activity, AT&amp;T said, included \u201cthe webpages you visit, the time you spend on each, the links and or ads you see and follow, and the search terms you enter.\u201d <\/p>\n<p>Privacy is a human right, and online privacy should be no exception. That means no commodity pricing, and no selling it to the highest bidder. <\/p>\n<p>Thankfully, at least one state this year passed a law that explicitly forbids pay-for-privacy schemes. <\/p>\n<p>Over the summer this year, the governor of Maine <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/06\/maine-governor-signs-isp-privacy-bill\/\" target=\"_blank\">signed into law<\/a> a bill that <a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/06\/maine-inches-closer-to-shutting-down-isp-pay-for-privacy-schemes\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">prohibits Internet Service Providers from sharing and selling Maine residents\u2019 data without their explicit approval<\/a>. <\/p>\n<p>The law includes another protection that does not allow ISPs to \u201ccharge a customer a penalty or offer a customer a discount based on the customer\u2019s decision to provide or not provide consent\u201d to having their data sold, shared, or accessed by third parties. <\/p>\n<p>Score one for data privacy. 
<\/p>\n<h3><strong>Interoperability <\/strong><\/h3>\n<p>In late October, three US Senators introduced a bill that they believed would increase data privacy by doing something else\u2014increasing competition with Big Tech. <\/p>\n<p>The idea, the Senators argued, was simple: Empower American consumers to leave the platforms that invade their online privacy without losing access to their social networks, where their friends, family, and acquaintances may still reside. <\/p>\n<p>Under the proposal, Americans would enjoy the benefits of data portability\u2014which would enable consumers to pack up their data and take it to another platform\u2014and interoperability\u2014a feature that would potentially allow different chat services to interact with one another. Think of it like Facebook\u2019s massive integration plan announced earlier this year for its chat platforms Messenger, WhatsApp, and Instagram, but for nearly the entire Internet. <\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/11\/access-act-might-improve-data-privacy-through-interoperability\/?_thumbnail_id=40968\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">As we wrote before about this bill<\/a>, called the ACCESS Act: <\/p>\n<p>\u201cThese rules\u2026 would presumably allow Americans to, for example, download all their data from Facebook and move it to privacy-focused social network&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/ello.co\/\" target=\"_blank\">Ello<\/a>. Or talk directly to Twitter users while using the San Francisco-based company\u2019s smaller, decentralized competitor,&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/joinmastodon.org\/\" target=\"_blank\">Mastodon<\/a>. Or even, perhaps, log into their Vimeo account to comment on YouTube videos.\u201d<\/p>\n<p>Responses to the bill were mixed. 
<\/p>\n<p>Avery Gardiner, senior fellow of competition, data, and power for the Center for Democracy and Technology, lamented the lack of competition facing Big Tech, but she said that data privacy for Americans should come in a data privacy bill, not a competition bill. <\/p>\n<p>Cory Doctorow, a writer, activist, and research affiliate with MIT Media Lab, welcomed the bill because, unlike other efforts in Congress, it did not focus strictly on single bad actors in Big Tech, like Facebook. <\/p>\n<p>\u201cThis aims to fix the Internet,\u201d Doctorow said, \u201cso that Facebook\u2019s behavior is no longer so standard.\u201d<\/p>\n<h3><strong>What\u2019s next for 2020? <\/strong><\/h3>\n<p>On January 1, 2020, California\u2019s own privacy law, the California Consumer Privacy Act, takes effect. Passed in 2018, the law has survived <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/changing-californias-privacy-law-a-snapshot-at-the-support-and-opposition\/\" target=\"_blank\">multiple legislative attempts to weaken and defang it<\/a>, and it has inspired similar legislation in other states. <\/p>\n<p>With the law&#8217;s enormous scope, it will likely serve as a trial run for any federal data privacy bill. <\/p>\n<p>Will companies receive serious fines, or will enforcement be lax? What will the first enforcement action be? What company will it be against? If penalties are severe, at what point will companies band together to prevent similar legislation from passing at the federal level? <a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/09\/ceos-offer-their-own-view-of-a-us-data-privacy-law\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Hint: They're already trying (opens in a new tab)\">Hint: They&#8217;re already trying<\/a>.<\/p>\n<p>And that is not to mention, of course, next year&#8217;s mindshare-absorbing presidential election. 
<\/p>\n<p>Until then\u2014and after it\u2014Malwarebytes Labs will closely watch this space. We can only predict it will get more interesting, more complex, and more important. <\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/online-privacy-in-2019-a-legislative-review\/\">Online privacy in 2019: a legislative review<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/online-privacy-in-2019-a-legislative-review\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Mon, 23 Dec 2019 17:41:31 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/online-privacy-in-2019-a-legislative-review\/' title='Online privacy in 2019: a legislative review'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/Washington-DC-Capitol-building.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Americans enjoy no federal rights to access their data, correct their data, easily move their data from one company to another, or individually sue a company that invades their private lives online. Several US Senators want to change that. 
<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/online-privacy-in-2019-a-legislative-review\/\">Online privacy in 2019: a legislative review<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23364,21011,21395,21396,23781,23534,23535,23536,23366,23367,11063,21400,21401,3037,12116,12210,23369,23828,10470,22006,22007,21066,5897,22224],"class_list":["post-17280","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-access-act","tag-california-consumer-privacy-act","tag-comprehensive-data-privacy-law","tag-comprehensive-data-privacy-legislation","tag-copra","tag-dashboard-act","tag-data-as-property","tag-data-as-property-rights","tag-data-interoperability","tag-data-portability","tag-data-privacy","tag-data-privacy-law","tag-data-privacy-legislation","tag-european-union","tag-gdpr","tag-general-data-protection-regulation","tag-interoperability","tag-mind-your-own-business-act","tag-online-privacy","tag-online-privacy-law","tag-online-privacy-legislation","tag-pay-for-privacy","tag-privacy","tag-us-data-privacy-legislation"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17280"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17280\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17280"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17280"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}