Two online-privacy bills introduced in Congress this week don’t do enough to guard consumers’ personal data and in fact only scratch the surface of a deep-rooted problem, security and privacy groups said.
The first bill, an online “bill of rights” introduced in the Senate on Tuesday (April 12) by Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.), aims to give consumers control over their personal information collected by companies via the Internet.
A day later, Rep. Cliff Stearns (R-Fla.) put forward a similar proposal in the House of Representatives. His legislation, co-sponsored by Rep. Jim Matheson (D-Utah), would require commercial entities to provide a way for consumers to understand what information was being collected from them and how the information was being used.
As Chris Calabrese, legislative counsel for the American Civil Liberties Union (ACLU), told SecurityNewsDaily, “Consumers need to have some control back, so they can visit provocative sites or read whatever they want, because the Constitution allows them to do so, without companies monitoring their activity.”
How companies use your data
Web surfing on the Internet may at times feel anonymous, but companies are in fact continually monitoring and collecting data about the sites you visit, the things you buy and the people with whom you interact online.
The companies that collect this valuable information often share it with or sell it to third parties, ranging from social networking sites to advertisers.
Consumers currently don’t have legal rights to control how their personal data is shared, a fact that worries privacy experts.
Security experts reason that the more companies possess an individual’s personal data, the more likely it is to be stolen by identity thieves.
Sens. Kerry and McCain’s bill — called the Commercial Privacy Bill of Rights Act of 2011 — would require any company that collects information from more than 5,000 people each year to provide privacy protections to its users, including giving consumers the power to opt out of some data collection.
It would also give Web users the ability to access the information collected about them, and would compel companies to delete or no longer use an individual’s personal data once he severs his relationship with the company.
“Whether you are posting a picture on Facebook or doing a Google search, you are leaving a trail,” the ACLU’s Calabrese said.
Calabrese said his concerns go beyond the fact that data is being collected about Internet users.
“The information is also being aggregated to build profiles so companies can keep track of Web user activity and behavior. It could be shared with companies, the government, employers and others,” he said.
To track or not to track
Although the two bills are steps forward in protecting consumer privacy, the ACLU believes they are still incomplete.
“The Kerry-McCain bill is definitely a good step in the right direction, but there should be a ‘Do Not Track’ or ‘Opt Out’ option, so people can refuse to grant companies permission to share their information with others,” Calabrese said. “The ACLU wants to make sure the bill is something consumers can rely on.”
A “do not track” mechanism, which at the moment can be controlled via a setting on consumers’ Web browsers, would give people the opportunity to decide whether to allow the collection of data regarding their online searching and browsing activities.
The Federal Trade Commission, which would enforce the provisions of the Kerry-McCain bill if it passes, in December recommended that the private sector give consumers a “do not track” option in Web browsers and when setting up accounts on websites.
In February, Rep. Jackie Speier (D-Calif.) introduced a bill called the “Do Not Track Me Online Act of 2011,” which would authorize the FTC to implement “do not track” regulations. A similar bill was introduced this month in the California state senate.
The latest versions of the Microsoft Internet Explorer, Mozilla Firefox and Google Chrome browsers already have “do not track” features added as a response to the FTC’s recommendation, and the next version of Apple Safari is expected to as well.
The House alternative
In contrast to the Senate bill, Rep. Stearns’ proposal — called the “Consumer Privacy Protection Act” — does not include “opt-in” requirements for the collection of sensitive personal information, including health and financial records. Under the Stearns bill, such data would be collected by default unless a consumer chose not to share it.
The exclusion of this feature alone, according to Calabrese, makes Sens. Kerry and McCain’s bill significantly more appealing for the public.
“Stearns’ bill is substantially weaker than the Kerry-McCain bill in a lot of ways,” Calabrese said. “There are no access requirements for people to view their own information and there is nothing mentioned in there about opting in, which would require a company to get the permission of a consumer to collect sensitive information.”
Calabrese also noted that an opt-out option in the Stearns bill allows the sharing of information with anyone if an agreement is made to keep it confidential.
“The Stearns bill also uses broader language so states would be barred to do anything in this area,” Calabrese said. “Meanwhile, the Kerry-McCain bill would protect data-breach laws that already exist in some states, and overall, it would give consumers much more protection.”
More groups speak up
Although the ACLU believes the Senate bill is stronger than Stearns’ proposal, security and privacy groups are not entirely happy with Sens. Kerry and McCain’s bill.
For example, Rainey Reitman, activism director at the San Francisco-based Electronic Frontier Foundation (EFF), said there are more areas that the bill needs to address.
“The bill seems to be focused on transparency of practices and providing users with notice and some choice in the collection process — which is a good start — but it doesn’t do much to stop the rampant data collection that happens online,” Reitman said.
The Senate bill also has some other open gaps, including one the EFF is calling the “Facebook Loophole,” she added.
“When you are on Facebook, you know you are on the site and they are collecting information about you,” Reitman said. “But if you are reading a New York Times article about a certain subject and then hit the ‘Like’ button, new information is collected.”
There’s also a misconception about how consumer privacy protections would jeopardize business interests, Reitman said.
“Something like a ‘Do Not Track’ option could be beneficial to advertisers, because if a consumer wants to protect their online privacy, the only solution for people would be to turn off advertisements altogether on their browsers,” she said. “If they just turned off tracking, they would still be able to see the ads.”
“Many people may actually end up choosing to be tracked by companies,” Reitman added. “Some have certain medical issues, political ties and other things they want to keep private when browsing the Internet — and advertising companies should respect that.”
Sharon Goott Nissim, consumer privacy counsel with the Washington, D.C.-based Electronic Privacy Information Center (EPIC), agrees that more work needs to be done on the Kerry-McCain bill.
“Enforcement should be strengthened and the loopholes should be closed,” Nissim said. “We would like to see the bill limit the ability of companies to exploit loopholes for behavioral targeting, and also make sure that the Federal Trade Commission (FTC) can investigate and prosecute unfair and deceptive practices.”
However, Nissim agrees that the Stearns bill isn’t as strong as the Kerry-McCain proposal.
“The Stearns’ bill does not represent the same step forward as the Senate bill — perhaps it’s even a step backwards,” Nissim said. “In general, the bill seems much more focused on providing ‘notice’ to the consumer, rather than actually giving the consumer meaningful access to and control over their information.”
Ad world response
As for how marketing companies are responding to the proposed initiatives, the Interactive Advertising Bureau (IAB) said that it is applauding the leadership of Sens. Kerry and McCain in their pursuit to protect consumer privacy. However, it has its concerns.
“We are concerned with the provisions in their proposal that would impose strict new requirements on first-party sites to allow their users to access, correct and delete data collected by that site,” said Mike Zaneis, senior vice president and general counsel of the IAB. “These types of first-party restrictions were explicitly rejected by the FTC and are unnecessary to protect consumer privacy, but would severely hurt publishers.”
“Second, the proposal provides the FTC with far too much discretion in drafting implementing rules,” Zaneis added.
Zaneis declined to comment on the Stearns bill.
If the Kerry-McCain bill passes, it would become federal law enforced by the FTC, and would give the agency the power to set guidelines, the ACLU’s Calabrese said.
Contention over the issues of online rights and privacy is not new. According to Calabrese, the foundation of the bill is an underpinning of existing privacy laws in all of Europe, Canada and other industrial nations.
“We are trying to catch up with other parts of the world,” Calabrese said.
The movement to do so has accelerated over the past year or so. The FTC’s “do not track” recommendation in December was part of a much larger preliminary report that proposed a framework to balance the privacy interests of consumers with innovation from companies that rely on this type of information to develop beneficial new products and services.
The FTC stated that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.”
The White House has also formed a subcommittee on how to deal with online privacy issues.
“Overall, no one would be fighting for this if there wasn’t a problem that needed to be solved,” Calabrese said. “Although the [Kerry-McCain] bill is still a good step in the right direction, we are a long way from the finish line.”
Samantha Murphy is a senior writer for TechNewsDaily, a sister site of SecurityNewsDaily.