The Privacy-Law Debate Is Heating Up Again in D.C.
The Senate Commerce Committee is holding a hearing on Wednesday called “Examining Safeguards for Consumer Privacy.” But the committee invited only executives from AT&T, Amazon, Apple, Charter, Google and Twitter to “review the current state of consumer data privacy” and “discuss possible approaches to safeguarding privacy more effectively.”
The failure to invite even one public-interest group to represent real people and to counter industry talking points at this kick-off hearing on consumer-privacy proposals is astonishing (though committee leadership has vaguely promised additional hearings).
Letting technology companies set the terms of the privacy debate in Congress inevitably means that concerns about civil-rights violations, disparate impacts, and predatory data collection and advertising practices will take a back seat to industry talking points. Many of the companies invited to this hearing have spent years attempting to water down and outright undermine attempts to protect people’s privacy.
The way these companies use the information we give them on sites and services across the internet ecosystem affects everyone’s day-to-day lives. Target famously knew a teen girl was pregnant due to her shopping habits and announced it to her family before she did. The government is investigating Facebook for housing discrimination for allowing landlords to target housing ads by race. Big data used in new algorithmic credit-scoring applications are replicating the same kinds of biases their proponents suggested they could eliminate — locking people out of loans and other financial opportunities because of the particulars of individuals’ online social networks.
All of this raises the stakes for Wednesday’s privacy hearing.
Free Press has worked at the Federal Trade Commission, the Federal Communications Commission and in Congress to ensure that the voices of those most impacted by commercial surveillance technologies are heard. As this hearing goes forward, we’ll make sure Congress hears from ordinary people about how inadequate privacy rules affect their lives.
A year of tech hearings
This hearing is the latest in a series of high-profile hearings regarding technology companies’ business practices.
Public and congressional scrutiny of those practices came to a head in March with the revelation that Facebook’s weak privacy and data-security rules allowed Cambridge Analytica to build detailed profiles of people in the United States and then provide that information for use in the 2016 election. Companies like Facebook, Google and Twitter have been asked to appear before the House and Senate as Congress has begun investigating their business practices and their data-protection and privacy policies, including how they moderate content on their platforms.
Despite all the skepticism and grandstanding on display during these hearings (see Sen. John Kennedy’s quip that Facebook’s user agreement “sucks”), industry has been remarkably successful at fending off privacy legislation by raising the specter of harms to “innovation.” Some lawmakers have begun to repeat that line: Sen. John Thune, the Commerce Committee chairman, announced his intention with this week’s hearing to put forward a privacy bill that “promote[s] clear privacy expectations without hurting innovation.”
ISPs have already blocked strong consumer-privacy protections
AT&T, Amazon, Apple, Charter, Google and Twitter have a mixed record when it comes to protecting privacy. If Apple’s commitment to encryption and refusal to bow to the FBI’s attempts to break it are a bright point, then AT&T’s collaboration with the NSA and continued work to undermine consumer privacy represent a low point for companies in the internet ecosystem.
In fact, for all of the rightful attention to privacy abuses by Facebook, Google and other online companies, the major broadband providers have been at least as successful or more than those companies at rolling back privacy regulations.
In early 2016, the FCC began a process to adopt strong broadband-privacy rules, following the agency’s mandate in the Communications Act to protect the confidentiality of all telecommunications customers’ proprietary information.
Civil-rights groups urged the FCC to enact strong protections. They recognized that ISPs using browsing histories to determine what kinds of job advertisements individuals see and what kinds of loans are marketed to them is as pernicious as other forms of redlining. These practices, the civil-rights groups noted, have “discriminatory intent and impacts on the poor and communities of color.”
After a rulemaking process that lasted almost a year, the agency issued rules that prevented ISPs from snooping on their customers’ web traffic without first getting those users’ affirmative consent.
The ISPs fought this proposal tooth and nail, as did internet companies like Google, which claimed that requiring customers to “opt in” for web-history surveillance would be “infeasible.” These companies kept fighting even after they lost at the FCC.
Their effort to gut these protections culminated in early 2017 as the Republican-controlled Congress voted to overturn the FCC’s rules, leaving people where they are today: with practically no protections against ISPs spying on their location or web traffic.
The industry gambit
In the run-up to the Senate Commerce hearing, various industry groups released their privacy principles and proposals. Those groups include the U.S. Chamber of Commerce, the Business Software Alliance and notably the Internet Association, which includes companies like Amazon, Facebook, Google and Twitter.
The Internet Association’s proposal may look like an inoffensive attempt at addressing privacy issues, but in reality it’s full of holes large enough for these internet companies to continue their current poor practices.
It proposes that:
Users should be given control over their information — but only up until the point where that “does not unreasonably interfere with … a company’s business operations”.
Individuals should be notified of data breaches — but only if that breach hits a “harm-based” trigger, supposedly to avoid “notice fatigue.” (Translation: Companies want to keep customers in the dark about data breaches as much as possible.)
Users’ information should be protected based on its “sensitivity,” meaning fewer protections for information that companies deem “non-sensitive.” Free Press has argued that neither companies nor the government should get to decide what kind of information is and is not sensitive for individuals. People should make those determinations for themselves.
A national privacy framework should supersede all state efforts at protecting privacy. This proposal would preempt strong state laws on privacy, undercutting safeguards for people in those states. But these Internet Association proposals are far too weak to make the bargain of supplanting state laws worth it.
A better way
Federal privacy legislation should be a strong floor — not a low ceiling — for people’s privacy rights. It should focus on protecting people’s rights, not preserving the industry’s current practices. That means respecting people’s right to make their own decisions about the kinds of information they’d like to share with companies, and to know the kinds of inferences companies make about them from the constellation of information shared.
Companies should not be able to unduly coerce their users — through exploitative financial incentives and other means — into sharing information unrelated to providing a service (and even then people ought to be in control of how that information is used). Any good privacy law should give people the enforcement tools to rectify discriminatory impacts, and also look beyond individuals to address systemic and society-wide harms stemming from data breaches, privacy violations, commercial surveillance and exploitative advertising practices.
We’ll be watching this hearing and any others that may follow and will fight to pass strong privacy proposals in Congress. The alternative — continued surveillance and exploitation of our most personal information — is unacceptable.