Your privacy is being debated by lawmakers in Sacramento and Washington D.C., and there's a good chance you're going to lose out. In Congress, a poorly written bill could erode your privacy, while in the California Legislature, a good bill that would protect your privacy is coming under fierce attack.
Internet companies — including Google, Facebook and Amazon — have for years been collecting vast amounts of personal data about their users and often share that information with other companies, particularly Internet marketing firms. The two bills under consideration could significantly affect who has access to that personal data and how much users must be told about how their data is used.
The before Congress, the Cyber Intelligence Sharing and Protection Act, or CISPA for short, is nominally intended to allow the government and companies to more effectively respond to coordinated computer attacks on their networks. The bill, which passed the House earlier this month but has now reportedly stalled in the Senate, would allow companies to share with federal agencies information about cyberattacks without requiring those agencies to get a warrant.
With the growing number of cyberattacks and the danger they could cause to the electrical grid, defense systems and more, it's understandable Congress would want to help companies and the government defend themselves. The problem is that the bill would allow companies under attack to release all kinds personal data they hold to the government. It leaves vague the definition of what constitutes a "cyber threat" and what information could be shared about it.
The bill doesn't require companies to leave out personal information about the users of their services. Worse, companies wouldn't have to tell their users that they shared users' information with the government, and — as long as they were acting in good faith — would be given immunity from potential privacy violations for sharing the data.
Civil liberties advocates fear that companies would end up sharing all kinds of their users' personal information because removing such information would take extra effort, even when such information wasn't directly relevant to the cyberattack. If Netflix came under cyberattack, for example, advocates fear that it could release to the FBI the names, addresses and known family members of everyone who recently watched a movie about computer hacking, which could lead to perfectly innocent people being caught up in a government dragnet.
Senate staffers have said the body won't vote on the bill. But senators are working on their own version of it, which could include similar provisions. Even if that doesn't pass, the issue likely won't go away; this is the second year in a row that CISPA has been debated, and Congress appears eager to show that it's doing something about cyber threats, even at the expense of privacy.
The California bill, by contrast, could be a boon for consumers' privacy. Dubbed the "Right to Know Act," and sponsored by Assemblywoman Bonnie Lowenthal, D-Long Beach, it would update an existing state law requiring direct marketers to disclose to their customers, when requested, the information they collect about them and with whom they share that information.
The current law just applies to telemarketing companies and companies that market to consumers via email or the regular mail. The proposed law would also cover the Googles and Yahoos of the world and companies that have created mobile applications. As The Wall Street Journal pointed out in a series of articles, those types of companies are closely following their users' moves both online and in the physical world.
Notably, the Right to Know Act wouldn't prohibit companies from collecting that information. And individual users would have the right to request information on what data was being collected and who it was being shared with just once a year. It's a fairly modest bill to protect consumer privacy, yet faces fierce opposition from the tech companies that profit from gathering data on the users of their services.
Internet marketers claim the bill is unworkable, that it would put an undue burden on them and would open them up to frivolous lawsuits from customers claiming they didn't get the information they requested in a timely fashion. But direct marketers have had to live within this kind of law for the past eight years, and online companies that operate in Europe already have to comply with similar transparency laws there.
You can bet that the real reason they're putting up such a fuss is because they don't want you to know just how much information they're collecting or who they're selling it to. According to the bills' analysis, some companies have placed as many as 100 tracking tools on their websites. The information they're harvesting can include sensitive financial, health and location information. According to supporters of the bill, access to that kind of information has caused real harm, including the unwilling outing of gay teens and physical harm done to women whose location was disclosed to their abusers.
"People want to have control and knowledge about what information is being gathered and what it's being used for," said John Simpson director of the privacy project at Consumer Watchdog, an advocacy group. "That's not an unreasonable expectation."
Here's a look at two bills that could affect your privacy.
Title: Cyber Intelligence Sharing and Protection Act (CISPA)
Bill number: HR 624
Legislative body: U.S. Congress
Status: Passed by the House of Representatives, referred to the Senate, where the bill has reportedly stalled
Intent: To help government and companies defend against cyberattacks by allowing them to share information about attacks without requiring a warrant.
Privacy implications: Would allow companies that collect personal information on consumers to provide that information to the government — including to intelligence, security and law enforcement agencies. Companies wouldn't have to disclose to customers that they gave such information to the government, and they couldn't be sued for providing it, as long as they acted in good faith.
Tech industry position: Many tech companies, represented by trade groups such as TechAmerica, support the bill, in part for its immunity provisions.
Title: Right to Know Act
Bill number: AB 1291
Legislative Body: California Legislature
Status: Proposed in the California Assembly; initial hearing is scheduled for next month
Intent: To update a California law that requires direct marketing companies to reveal to consumers upon request the information they have collected on them and with whom they are sharing that information.
Privacy implications: Would require companies, upon request, to tell consumers what information they are collecting about them and with whom they are sharing that information
Tech industry position: Online marketers, represented by TechAmerica, are adamantly opposed to the bill and have demanded that its author, Assemblywoman Bonnie Lowenthal, D-Long Beach, drop it.
Mercury News research