You are nearly naked to the data industry, and Washington just offered you a mirror — but not pants.
Two decades after the invention of computer “cookies” allowed companies to track your use of the Internet, the White House on Feb. 27 floated a draft Consumer Privacy Bill of Rights that purports to provide “baseline protections for individual privacy.”
Focused on letting you know what information companies have about you, the draft energized the privacy debate. An Internet industry group and privacy advocates promptly shredded the draft (for different reasons), and a Democratic senator offered a partial alternative.
The White House draft “needs work,” said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory. “It’s hard to actually even tell what [the draft] does,” and even its definition of personal information is unclear, she said.
Though a few technology companies allow people to see their digital dossiers [see sidebar], there’s no law giving you the right to view, alter or erase your reflection in the data.
“There’s a digital data collection arms race that no one can find a way not to participate in,” said Jeff Chester, executive director of the Center for Digital Democracy, based in Washington, D.C.
That may not change this year. But pressure for privacy protection is building, and jockeying over what the rules will say, and who will write them, is intensifying.
The data flow
Your purchases, subscriptions, Web searches, app permissions and mouse clicks trickle into a river that flows through the sluices of the data brokering industry and is piped back to you in the form of targeted advertising.
In return for online tools, said Mr. Chester, we are “turning over details about ourselves, our family and our friends to companies, to politicians, to others, including those who may want to break into these databases.”
Marketers want to know what you want as soon as you do.
“Historically, these kinds of [consumer behavior] predictions were calculated periodically and stored on a file,” Little Rock-based data broker Acxiom wrote in a January report. “More often today they are calculated on the fly based on the most recent data possible, possibly data generated minutes or even seconds before the calculation.”
The White House, in announcing the draft bill, noted that “too many Americans still feel they have lost control over their data.”
Importantly, so does the rest of the world.
“The European data protection legislation, which went into effect in the late 1990s, prohibits the transfer of data to countries that do not have adequate privacy protections,” said Ms. Cranor. The European Union, stung by U.S. spying, is balking at renewal of a temporary agreement allowing American data firms to operate there.
Under the current system, multinational companies tend to draft policies that follow more stringent European Union rules only to turn around and draft new policies for the same product or service in the U.S., said Jerome Pesenti, chair of Pittsburgh DataWorkS and vice president of Watson Core Technology at IBM.
Some companies hope that new U.S. privacy rules would give them a better understanding of what they can and can’t do in terms of innovation and information sharing on both sides of the pond, he said.
“Uniformity is good because you can implement these policies within your system,” he said.
Others in the industry, though, are leery of the European model.
“People have to ask themselves what is unique about U.S. law and public policy that has fostered so much innovation and entrepreneurship in our economy,” said Abigail Slater, vice president of regulatory policy for the Internet Association, which represents some 30 Web companies, including Google and Facebook.
The industry does want the federal government to do one thing: Nix a growing number of state privacy laws. The White House draft would do that. Privacy advocates want to preserve the state laws, some of which are tougher than the draft.
Bill of rights?
The White House draft would require that companies show you “an accurate representation” of the data collected about you. The companies wouldn’t always have to correct errors.
Companies’ decisions on “reasonable” use of your data would be supervised by their own Privacy Review Boards, monitored by the Federal Trade Commission. Detailed rules would be drafted through a “stakeholder process” that privacy advocates fear would be dominated by industry.
Only the FTC, and not individuals or state attorneys general, could sue violators for money.
“I think you need a private right [to sue],” said John Simpson, privacy project director of Washington D.C.-based Consumer Watchdog. “I think the attorneys general have always been shown to be effective enforcers because the FTC can’t be everywhere at every time.”
The FTC could slap violators to the tune of $35,000 per day, or $5,000 per affected consumer, up to $25 million. Companies would have the right to fight such fines.
Many large companies could absorb the blow of a $35,000 or even a $25 million fine and still make a profit by selling huge chunks of data in a single day, according to Josh Knauer, CEO of Shadyside-based data analytics software firm Rhiza. He said “$35,000, when you’re talking about personal information, is nothing. It’s a tiny fraction of a percentage of the data’s value.”
Many small and new businesses would be exempted from the draft rules.
Mr. Knauer, who was a working group member with President Barack Obama’s Council of Advisors on Science and Technology from 2010 to 2011, said omitting small businesses from the law was politically prudent but could lead to technical nightmares if passed into law.
“There’s any number of different types of businesses where the data collected isn’t diabolical, they’re not doing anything bad or nefarious with collection of the data. But when you start piecing that data together with other pieces of data from other small businesses and they’re all exempt and you start putting that together into a larger data set, which computer science allows for very easily, that’s a loophole that doesn’t make any sense.”
Mr. Knauer said Rhiza, as a data analysis firm, doesn’t have the same financial stake in the game as advertising agencies or data brokers such as Google or Facebook. That said, he feels everyone from startups to conglomerates should follow the rules once they’re established.
Area legislators expressed lukewarm feelings about the draft, depicting it as “a good starting point,” in the words of a statement from Sen. Bob Casey, a Democrat.
“I’m pleased that the President is concerned about protecting consumers’ privacy,” said U.S. Rep. Mike Doyle, D-Forest Hills, who sits on a House subcommittee that focuses on electronic communications. “Like any first draft, the legislation isn’t perfect,” he added, but he said the administration was willing to embrace suggestions to strengthen it.
Still, he predicted, “Any legislation … is going to have a tough fight ahead of it in a Republican-held Congress.”
In a statement, U.S. Rep. Mike Kelly, R-Butler, acknowledged “major concerns with consumer privacy,” and said the draft “offers some decent elements,” but suggested that the focus now should be on data breaches.
Similarly, U.S. Rep. Tim Murphy, R-Upper St. Clair, wrote in response to questions that “we first must fully understand the scope of the threats in order to advance meaningful policy that touches on privacy” and security.
Elizabeth Anderson, a spokesperson for Sen. Pat Toomey, Pennsylvania’s Republican senator, said that concerns about privacy were “something he has heard about from Pennsylvanians,” and that he hoped to work with legislators and the White House on legislation this year.
“[E]fforts to safeguard personal data should follow a balanced approach that ensures the new regulations are efficient, effective, and not stifle innovation and economic growth,” she added.
U.S. Rep. Keith Rothfus, R-Sewickley, did not respond to requests for comment.
On Thursday, Sen. Edward Markey, D-Mass., who criticized the White House draft, released a bill focused narrowly on data brokers, like Acxiom, that collect and sell information on people. It wouldn’t touch online firms like Google and Facebook.
Under Mr. Markey’s bill, data brokers would have to let you see information that identifies you, and make requested corrections. They would have to allow you to express binding “preferences” on how your marketing profiles would and wouldn’t be used.
Attorneys general could halt illegal practices, and seek damages and civil penalties up to $16,000 per violation.
That left industry and advocates with two choices — neither of which is likely to pass.
“Nothing can move in today’s environment,” said Mr. Chester. “The companies have too strong a hold over the political process to see any meaningful legislation pass.”
That’s no reason to quit, said Pam Dixon, executive director of the San Diego-based World Privacy Forum.
“People are going to abandon discussion of [the White House] bill, but I think that’s a mistake,” she said. It sets “a benchmark. … Something is shifting.”