Will Obama’s draft privacy law champion consumer rights?


By Byron Aco­hi­do, Third­Cer­tain­ty

The White House has tak­en anoth­er step toward fram­ing Pres­i­dent Oba­ma as the “pri­va­cy pres­i­dent.”  But it remains to be seen how assertive­ly his admin­is­tra­tion will actu­al­ly cham­pi­on con­sumers’ rights in an age of unprece­dent­ed dig­i­tal pri­va­cy inva­sion.

In a speech at the Fed­er­al Trade Com­mis­sion today, Pres­i­dent Oba­ma stat­ed the obvi­ous: Iden­ti­ty theft is a grow­ing prob­lem, gen­er­at­ing bil­lions of dol­lars in com­mer­cial loss­es and pos­ing risks to indi­vid­u­als that can “ruin your life.”

“This is a direct threat to the economic security of American families and we need to stop it,” Obama said. “If we are going to be connected, we need to be protected.”


Oba­ma pro­posed a sweep­ing new fed­er­al pri­va­cy law that pre­sum­ably would impose new rules on cor­po­ra­tions for safer han­dling of per­son­al data, as well as pro­vide indi­vid­ual cit­i­zens with some lev­el of con­trol over the vast amount of online-track­ing data gen­er­at­ed and stored for con­sumers.

Dev­il in the details

But the devil is in the details. And both the corporate heavyweights making billions off of online tracking and privacy advocacy groups aim to influence the finer points. The White House is expected to deliver draft legislation in about two weeks when the president makes his State of the Union address.

“One would hope it (the draft legislation) implements strong controls that empower consumers to protect against the collection of their sensitive data without their consent,” says Alvaro M. Bedoya, executive director of the Center on Privacy & Technology at Georgetown University Law Center.

With newly elected Republican majorities in both houses of Congress, Obama’s draft legislation may pick up a sponsor and get debated. But privacy and legislative experts say it has zero chance of being enacted as law.


So the thrust of Obama’s pro­posed Per­son­al Data Noti­fi­ca­tion and Pro­tec­tion Act will be strict­ly sym­bol­ic. Yet sym­bol­ism is impor­tant. Stiff fed­er­al sanc­tions, even pro­posed ones, on com­pa­nies that fail to robust­ly deter data breach­es could shift more of the cor­po­rate world’s atten­tion to cyber­se­cu­ri­ty.

By the same token, a strong­ly-word­ed White House draft bill that spells out a spe­cif­ic lev­el of con­sumer con­trol over online track­ing could like­wise dis­rupt cur­rent com­mer­cial prac­tices. It could slow the relent­less col­lec­tion and unreg­u­lat­ed shar­ing of behav­ior data col­lect­ed from smart­phones, med­ical devices and wear­able tech. That behav­ior cur­rent­ly is dri­ven pri­mar­i­ly by prof­it motives.

“Providing a clear set of rules, guidelines and practices that set basic expectations for both consumers and the businesses where they shop—not to mention the government they pay taxes to—would be the best of all possible worlds,” observes Eduard Goodman, chief privacy officer at IDT911, an identity and data risk management, resolution and education services firm. Full disclosure: IDT911 is the corporate sponsor of ThirdCertainty.

Lobby groups for the online advertising industry led by tech giants Google and Facebook, and giant data aggregators led by Acxiom and Lexis-Nexis, will push hard for benign wording in Obama’s draft privacy law. Their interest is to protect the status quo.

Sta­tus quo not work­ing

Yet the sta­tus quo isn’t work­ing. Loop­holes in data loss dis­clo­sure laws in 47 states enable com­pa­nies to dodge noti­fy­ing con­sumers when their data gets stolen. A fed­er­al noti­fi­ca­tion law with teeth could prompt giant retail­ers to take bet­ter care of stored data than Tar­get, Home Depot or Sony Pic­tures did.

“The past year has been marked with numerous security breaches that have affected big brand names,” says Jerome Segura, senior security researcher at antimalware vendor Malwarebytes. “Consumers are not only worried but also demanding more accountability from these businesses.”

“Although many states already have laws in place regarding breach notification, with federal legislation it will remove any doubt with regards to the notification periods,” says

Ken Westin, senior security analyst with Tripwire, says that federal legislation could ... “Particularly with the number of high-profile breaches over the past year, many companies are reticent to notify consumers when credit card and other data are compromised, simply because of the effect it can have on the business, from loss of trust, lawsuits, fines and fees and other related expenses to clean up the mess after a breach occurs.”

Meanwhile, the so-called Internet of Things is accelerating the collection and storage of data that makes it possible to profile an individual’s moment-to-moment whereabouts, medical condition, and vital signs, down to counting steps taken, and even a heart rate.

At this moment, for-prof­it com­pa­nies are col­lect­ing and shar­ing data amassed via the Inter­net of Things for com­mer­cial pur­pos­es. That col­lec­tion and shar­ing is based on lax con­sumer con­sent stan­dards, says Bedoya.

“One would hope Obama’s draft privacy law fills these gaps unequivocally by implementing strong controls for consumers and empowering consumers to protect themselves against entities taking and using their data without their consent,” Bedoya says.

Dave Frymi­er, CISO of Unisys, believes more needs to be done to pre­vent breach­es from hap­pen­ing in the first place. Con­sumers and com­pa­nies “remain vul­ner­a­ble to the per­son­al, rep­u­ta­tion­al and finan­cial ram­i­fi­ca­tions of data breach­es if we only aim to address them after hack­ers have infil­trat­ed a net­work,” Frymi­er says.

Will Pres­i­dent Oba­ma stake out turf as the pri­va­cy pres­i­dent?

Stay tuned here for more dis­cus­sion.
