Bringing Back Privacy
The Mark Zuckerberg hearings on Capitol Hill didn’t come close to lifting the veil on Facebook’s (or the internet’s) secreted privacy strategies. In fact, even the questions asked at the two hearings, with some noteworthy exceptions, showed a lack of understanding on how Facebook collects and shares its users’ personal information. Oh yes, House and Senate members went to great lengths identifying with the cause of consumer privacy; but remember, this is the same Congress that voted last year to dismantle the excellent consumer privacy protection rules passed in 2016 by the Federal Communications Commission (FCC). So much for the unity of rhetoric and performance.
I have written many times in this space about our policymakers’ inability to grasp and to tackle the myriad challenges with which the internet confronts us. It seems that most Members of Congress, regulators, and the media thought there was only one issue—net neutrality—and they spent all their time debating it. The overwhelming majority of Americans understand that strong net neutrality rules are the prerequisite of an open and citizen-friendly internet, and that we must fight mightily against the FCC and lawmakers in Congress as they seek to dismantle net neutrality. But the net’s challenges go far beyond that one issue. Think about the scary degree of corporate consolidation that gives a handful of giant internet companies control over what is supposed to be the people’s internet; or the cultural content under the lock and key of some of these “entrepreneurs” because of our absolutely ludicrous copyright laws; or the harm visited on journalism by an industry that uses the news and information others produce without compensating them for it; or the possible economic and social effects of artificial intelligence as it transforms the nature of the net. And, of course, the misuse of our personal data to enrich the corporate bottom lines. In this sense, then, it is good we are beginning a robust national conversation on at least one of these challenges—citizen privacy. I use the term “citizen” here rather than “consumer” because the effects of the privacy invasion threaten the very fundamentals of our society. When We the People become nothing more than products to be delivered to advertisers, something is wrong and our democracy is undermined.
Our privacy framework no longer works. It must be changed. Now.
Let’s begin by requiring “opt-in.” Before any business shares our personal data, we should have to grant it permission to do so, up-front and right at the outset. No byzantine process by which we can “opt-out” if we’re lucky enough to navigate the ludicrous steps required to do so. I am talking about a simple “yes” or “no” if we wish to have our data shared. Some of us may be more comfortable than others with sharing our information, but I suspect many more are as discomfited as me. Opt-in should be a basic internet right for every user.
Then let’s simplify those ridiculous “terms of service agreements” that require our acceptance before we can even open up an app. Who reads them? I’m not ashamed to say I seldom give them more than a passing glance. If we can’t perform major emergency surgery on them right away, let’s at least require a 1-2 page summary that gives their gist with some degree of user-friendliness.
Going a step further, let’s require any site that wishes to change its terms of service to notify us that it is doing so AND tell us what those changes will be, BEFORE they are implemented. The same opt-in principle should apply that requires the company to obtain the user’s consent for these changes. As it now stands, we have to read through the entire agreement and then guess at what parts are being altered. I’ll bet there would be a lot fewer revisions to these “agreements” if there were a little more sunshine cast upon them.
Getting changes like these implemented is a two-step process, one legislative, one regulatory: First, Congress must pass a comprehensive privacy framework that guarantees users control over their data. Companies must be required, not urged, to do these things. Opt-in should be the law of the net. Companies would be required to provide clear notice about what data they are collecting and how they intend to use it. Congress should look to Europe’s General Data Protection Regulation, a good plan that goes into effect this month, for helpful guidance on how to do this. There are actually a few promising bills being discussed on Capitol Hill. For example, Senator Ed Markey’s CONSENT Act would require websites to obtain opt-in consent from their customers prior to sharing their personal data. Senator Markey has a similar opt-in bill that would apply to Internet service providers (ISPs) like Comcast, Verizon and AT&T. We need both, perhaps in one package.
Secondly, regulators must be empowered to implement and enforce these policies. There may well be the need for more than one cop on the beat to handle a problem this large. When it comes to ISPs like AT&T, Comcast and Verizon, the cop needs to be the FCC. Unfortunately, the current FCC seems to have sworn off privacy protection as one of its responsibilities, in a stunning reversal of its decades-old enforcement of safeguards for basic telephone customers. The FCC had, and should have again, clear, no-nonsense instruction to be the cop on the beat for the ISPs. The agency has rule-making authority and the expertise to deal with these problems. My preference would be for the FCC to do the same regarding the big internet companies like Facebook, Google, et al. Others prefer using the Federal Trade Commission (FTC) for these online companies, but right now the FTC lacks rule-making authority and can only act after a complaint comes in (and the damage is already done), whereas the FCC can write and publicize rules beforehand, so everyone can understand what the rules are. That’s good not just for us, but also for businesses so that they can understand what is expected of them going in. If Congress prefers for the FTC to do more on privacy protection, it should give it the tools it needs to do the job.
Finally, let’s realize there are other dimensions to privacy protection that need to be part of our discussion. Liability requirements, data security standards, removal of user-unfriendly arbitration clauses, and the proper role of state involvement are four such topics that should be part of a comprehensive solution.
If we are to get meaningful action from Congress, we must make our voices clearly heard. The lack of citizen control over personal data poses serious threats to our democracy. Companies can easily manipulate data to politically motivate voters or to engage in all kinds of discriminatory practices. Americans don’t trust the big telecom, cable, and internet giants to protect their privacy. This is why you should tell Congress how critically important comprehensive privacy legislation is to you.
I am not looking for government over-reach. What I have suggested here applies the same kind of common-sense approach that has applied to telecommunications for almost 85 years. Why should we be deprived of the safeguards our parents and grandparents took for granted?