DIGITAL PRIVACY
Cory Mangum
Digital privacy is a topic which America has grappled with since the beginning of the information age. The current state of affairs for consumers in America leaves people feeling powerless regarding the information collected on their private life. Americans’ privacy remains inadequately protected on a national level, which fuels the debate: does America need a modernized federal privacy law? Personalized ads have become uncomfortably relevant, imparting an uneasy feeling of unwelcome surveillance. Today, each interaction with a digital device generates data detailing aspects of the user’s life. The smartphone’s omnipresent relationship with its users provides an endless source of this data. This collected information serves as the sole commodity of a data ecosystem generating profits over $200 billion annually. This commoditized data can range from a person’s seemingly trivial Instagram “Like,” to a gym membership or hobby. However, Personally Identifiable Information (PII) falls within this spectrum as well. PII represents any information that can identify an individual, which includes but is not limited to Social Security numbers, addresses, biometrics, and names. Data brokers are at the center of this industry, specializing in consumer data collection from every source possible. In a void of adequate federal regulation, this sector has thrived in the shadows and remains unbridled. Data broker companies presently lobby with power equivalent to Big Tech firms (Ng and Varner). An assortment of acronyms (HIPAA, FERPA, ECPA, etc.) stands for the existing patchwork of federal privacy regulations intended for antiquated circumstances (Klosowski). A handful of U.S. states have begun passing their own consumer protection laws. However, many fear inconsistencies among state laws will undermine each American’s long-term privacy rights. Currently, California, Virginia, and Colorado have passed their own variations of consumer privacy laws.
Virginia’s law has been criticized by privacy advocates as too business friendly, namely for neglecting to address civil rights protections. Allowing companies to continue harvesting data essentially unfettered is similarly contentious (Klosowski). The California Consumer Privacy Act of 2018 (CCPA) is regarded by experts as the strongest in America. Yet even the CCPA falls short on providing consumers the full spectrum of privacy-by-design protections. In particular, the opt-in consent by default is seen as counterproductive for data privacy (Klosowski). These laws can only produce results when backed by staunch enforcement. Virginia and Colorado granted exclusive authority to the Attorney General for enforcement. In contrast, California has established the Consumer Privacy Protection Agency (CPPA). Since many states lack legislation to address data use, privacy rights, and enforcement, a comprehensive federal law is needed to guarantee all Americans the fundamental human right of privacy.
First, data use has two key issues which need to be addressed, beginning with a perfect example of unnecessary personal data collection that most definitely falls outside the needs of the service provided. Metropolis, a parking validation app, is used nationwide to facilitate paid parking fees, a service that should require minimal data from a user. The company’s 4,000-word privacy policy depicts a conflicting situation. David Lazarus, a columnist for the Los Angeles Times, reported his findings within their policy: “Along with collecting a startling amount of user data, the policy says that Metropolis reserves the right to monitor pages that you visit before, during and after using the company’s online parking validation, as well as ‘information about the links you click’” (Lazarus). A straightforward service became hungry for data which falls far beyond the necessary information to carry out its stated purpose. Metropolis has no justifiable reason to monitor and harvest user data outside of providing its specified purpose, parking validation.
This is not an issue unique to mobile app companies. Internet service providers (ISPs) monitor and collect customers’ browsing habits, a revelation to nobody in 2021. A staff report conducted by the U.S. Federal Trade Commission detailed far more surveillance:
The vertical integration of ISP services with other services like home security and automation, video streaming, content creation, advertising, email, search, wearables, and connected cars permits not only the collection of large volumes of data, but also the collection of highly-granular data about individual subscribers. (4)
The excessive harvesting of customer data needs to be eliminated. Shoshana Zuboff, author and professor emerita at Harvard Business School, coined the term “Surveillance Capitalism” (Laidler). Zuboff notes this surveillance capitalism was invented the same year as the 9/11 attacks. Consequently, the aftermath was the catalyst for the United States’ accelerated self-preservation method of maintaining absolute awareness through surveillance. This is further exacerbated by intelligence agencies tapping into and nurturing the capabilities of commercial technologies. Over the decades, self-regulated companies have taken advantage of the lack of legislation to determine the terms of engagement into the digital world. Washington legislators must regain control of the unquenchable beast they have unleashed upon their citizens. Data minimization would be a big step towards this goal. This entails restricting businesses to only handling data pertinent to the services provided.
A justifiable duration of storage should be defined for customer data, aligned with the service provided, followed by deletion of the customer’s data after the completion of said service. Ending needless data collection would seriously hinder this aspect of the intrusive data ecosystem.
Next is the other troubled half of data use: collecting and sharing rights. The absence of federal data-privacy laws allows service providers to sell customer databases to third parties. These third parties go by many names: information brokers, data brokers, data controllers, and data processors. These companies specialize in acquiring mind-bending volumes of personal and company information for marketing profiles. One of these brokers, Epsilon, was acquired by Publicis, a multinational advertising and public relations company. Patience Haggin, a reporter for The Wall Street Journal, describes the acquisition: “The deal. . .gives Publicis a trove of data on 250 million Americans [--] up to 7,000 attributes about each of them, such as age and income” (Haggin). Epsilon and other data-focused companies operate largely unregulated within the United States. This allows service providers to sell users’ information to data brokers. The risks for consumers are immeasurable when a single entity holds this amount of PII. Americans have continually felt the negative impacts of data brokers. In September 2017, the credit reporting agency Equifax, which also acts as a data broker, was hacked. AnnaMaria Andriotis, a reporter for The Wall Street Journal, detailed the consequences: “The issues add to consumers’ ire over the data breach, which has exposed vital personal identification data—including social security numbers, names, addresses and dates of birth—potentially as many as 143 million Americans” (Andriotis). Equifax delayed publicly disclosing the incident for over six weeks after the breach. Data brokers remain high-profile targets for cybercrime due to the valuable nature of this data. Michael Harwood, a victim of identity theft, recounted his experience: “Initially, it’s really terrifying, especially having your Social Security number taken. . . .You’re worried about the tremendous implications this could have and the possibility of it going on for years” (qtd. in Hsu).
Mr. Harwood had noticed an unauthorized attempt to transmit $1,000 out of his financial account. Harwood recalls, “It ends up being fairly far-reaching and inconvenient – you’re still making discoveries months later that there’s another account you have to correct” (qtd. in Hsu). Companies like Equifax acquire and exchange private data without consequence or consideration of the persons of origin. Consumer data has become the new oil, pumping its profits into the lucrative data ecosystem. This revenue model has crept into every sector and industry. It is substantially difficult to participate efficiently in daily life without exposure to these detriments. Regulation should allow consumers to identify which companies hold their data. Additionally, enforcement should require a simple, consistent mechanism to request the erasure of any data companies have collected. Also, regulation must bar the sale, exchange, and distribution of user data by companies without user consent. These measures are absolutely necessary for regulating data collection and sharing and would further improve the vital privacy protections of Americans.
Establishing a standard of fundamental privacy rights for Americans is essential to a federal consumer data protection law. State laws have and will continue to differ from each other. Inconsistencies from state to state will result in varying protections for U.S. citizens. The goal should be to create the same consumer protections for all Americans and prevent further confusion. Whitney Merrill, a privacy attorney and data protection officer, provided insight on this subject claiming, “We need a federal law that thinks about things in a much more consistent approach. . .to make sure that consumers understand and have the right expectation over rights that they have in their data” (qtd. in Klosowski). Privacy advocates can all agree on a core of protections paramount to consumers. First is the opt-in consent practice, which requires companies to seek permission from the user before they may share or sell data to third parties. This eliminates the responsibility of the user to onerously opt out of private data collection for every service. Also, the consumer has the right to request to view, obtain, rectify inaccuracies in, and delete the data companies have collected on them. Moreover, the consumer is entitled to transfer data with ease from one service to another. Lastly, a consumer should be protected from discriminatory practices by companies when exercising their right to privacy. A form of this discrimination could be charging users a fee for withholding their data or offering a discounted service fee in exchange for a consumer giving in to data collection. Lawmakers failing to meet these principles will continue perpetuating the existing privacy-hostile landscape. The outlined protections will have profound impacts on America’s privacy climate. Having said that, regulation means very little without a mechanism to compel compliance.
Rounding out a comprehensive approach to federal regulation hinges on effective enforcement. Tech companies wield vast financial, human, and technical resources. An enforcement body must hold this sector, plus others, accountable for adhering to the legal framework set forth. While enforcement is, with no doubt, a formidable task, the United States should learn vicariously from other jurisdictions’ enforcement efforts – specifically, the European Union’s (EU) General Data Protection Regulation (GDPR), which was touted as the world’s most comprehensive privacy law upon its implementation in 2018. However, European regulators have experienced the inadequacies of enforcement, straining the GDPR’s noble ideals. Johnny Ryan, a leading campaigner for privacy regulation, said, “If you don’t have strong, robust enforcement and investment, this law is a fantasy. . . .We have failed to realize the potential of G.D.P.R. thus far” (qtd. in Satariano). Ryan also serves as the chief policy officer at Brave, a web browser focused on privacy measures limiting intrusive data tracking and marketing. Over the course of several weeks, Ryan scrutinized the budgets and staffing details from the data regulators of 28 European countries. As detailed in Ryan’s published report, most countries staffed a handful of investigators with inadequate expertise to carry out their functions. Additionally, only the United Kingdom, Germany, and Italy were found to have annual data authority budgets over €25 million. Ulrich Kelber, the chairman of Germany’s data protection authority, professed, “We have a lack of enforcement. . . .Most of the European governments don’t give enough resources to the data protection authorities” (qtd. in Satariano). Kelber motioned to combine resources and responsibilities among EU countries, a more centralized approach to police the biggest companies. Currently, disproportionate regulatory responsibility falls upon particular EU countries. This is dictated by the borders in which the companies’ European headquarters reside. Ireland’s disproportionate burden in this scheme has attracted criticism. Facebook, Google, Twitter, Apple, along with many other companies have their European headquarters in Ireland. The fines issued under the GDPR are perceived to be ineffective as well. The regulation’s fines are capped at four percent of a company’s global revenue, a trivial amount for some of the top earning companies in the world. The culmination of the enforcement difficulties facing the EU’s GDPR provides a reference for the U.S. in shaping its own enforcement structure.
Some officials have suggested the Federal Trade Commission (FTC) as a possible candidate for enforcement. Nevertheless, the FTC already faces funding and staffing problems. The creation of a federal data privacy protection agency has been considered as well. Key factors in ensuring effective compliance are evident. Ample resources and funding for an enforcement agency are crucial to its ability to be effective; initially this will involve the willpower of lawmakers and voters. Once operational revenue is established from fines, agencies can be self-sustaining entities, financed by the results of investigations. Next, a skilled workforce must be in place to match the capabilities of the private sector. Compensation rates and benefits cannot severely pale in comparison to those of its commercial counterparts. Competitive employment packages will be necessary to limit the gap of knowledge and skill between enterprise and regulator. Finally, the fines issued by this agency must scale accordingly with the offender’s revenue. Small fledgling companies will require different penalty considerations in contrast to behemoths like Google or Facebook. A quarterly slap on the financial wrist will not change corporate cultures decades in the making. Potential lawbreakers must fear the ensuing repercussions when in violation. Repeat offenders should be treated in a more severe manner. Meaningful enforcement has the ability to reshape America’s relationship with digital technology for the better.
For too long, the privacy rights of Americans have been disregarded. The United States federal government has instead prioritized corporate profits and unethical surveillance. Americans have accepted the status quo of this ecosystem as the cost of participating in digital technology. This misconception must be eradicated. Technology can exist within society without pervasive surveillance if the people demand it. Americans must take it upon themselves to improve awareness and basic insight on privacy rights and consumer protections. The efforts of individuals will quickly lead to many harsh realizations. One is that of the double standard which currently exists; U.S.-based companies treat Americans’ data with fewer privacy protections in contrast to their European counterparts. These unjust truths will evoke a pivotal shift in public perception, triggering widespread anger and outrage. The subsequent duty of informed Americans is to channel this indignation, overwhelming lawmakers with demands for privacy regulation. Washington legislators characterized by disinterest and inaction in the fight for privacy must be met with the public’s vote for new, willing alternatives in leadership. Furthermore, consumers must reject commercial enterprises that abuse their privacy. Users must research and choose alternative service providers focused on privacy by design. An exodus of privacy-minded customers from businesses rooted in the practices of surveillance capitalism can shape an alternative ecosystem. This will open the door for users to recalibrate their relationship and expectations with a new type of technology company. However, without effort at the individual level to address these issues,
Works Cited
Andriotis, AnnaMaria. “Equifax Customer Complaints Continue to Pile Up.” The Wall Street Journal, 10 Sept. 2017, www.wsj.com/articles/equifax-customer-complaints-continue-to-pile-up-1505080789.
Editorial Board. “America, Your Privacy Settings Are All Wrong.” The New York Times, 6 Mar. 2021, www.nytimes.com/2021/03/06/opinion/data-tech-privacy-opt-in.html.
Haggin, Patience. “Advertising (A Special Report) - Big Ad Agencies Hope to Gain Edge by Buying Data Companies.” The Wall Street Journal, 18 June 2019, ProQuest, www.proquest.com/usmajordailies/docview/2241926072/17750687EBD1409DPQ/1?accountid=227.
Hsu, Tiffany. “Data Breach Victims Talk of Initial Terror, Then Vigilance.” The New York Times, 9 Sept. 2017, www.nytimes.com/2017/09/09/business/equifax-data-breach-identity-theft-victims.html.
Klosowski, Thorin. “The State of Consumer Data Privacy Laws in the US (And Why It Matters).” The New York Times, 6 Sept. 2021, www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
Laidler, John. “High Tech is Watching You.” The Harvard Gazette, 4 Mar. 2019, www.news.harvard.edu/gazette/story/2019/03/harvard-professor-says-surveillance-capitalism-is-undermining-democracy/.
Lazarus, David. “Column: Your ISP Says it Cares About Your Privacy. Not so Much, Actually, Says FTC.” Los Angeles Times, 12 Nov. 2021, www.latimes.com/business/story/2021-11-12/column-internet-service-providers-privacy.
Lefkowitz, Peter. “Why America Needs a Thoughtful Federal Privacy Law.” The New York Times, 25 Jun. 2019, www.nytimes.com/2019/06/25/opinion/congress-privacy-law.html.
Ng, Alfred, and Maddy Varner. “The Little-Known Data Broker Industry is Spending Big Bucks Lobbying Congress.” The Markup, 1 Apr. 2021, www.themarkup.org/privacy/2021/04/01/the-little-known-data-broker-industry-is-spending-big-bucks-lobbying-congress.
Satariano, Adam. “Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates.” The New York Times, 27 Apr. 2020, www.nytimes.com/2020/04/27/technology/GDPR-privacy-law-europe.html.
U.S. Federal Trade Commission. A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers. A FTC Staff Report, 21 Oct. 2021, p. 4-44, www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf.