Despite new laws in Europe and California aimed at strengthening the privacy rights of internet users, the United States still operates with a messy patchwork of laws, some decades old. This tangle of regulations has failed to keep up with changing technology and the damage that can occur when personal and business information entrusted to online companies or the government is stolen or exposed to the public.
Congress has been wary of the complex technical, economic and constitutional questions involved in updating internet privacy laws. Part of that wariness may stem from federal lawmakers’ woeful lack of expertise in tech matters (in some cases, even of basic knowledge), which they displayed at recent congressional hearings. But thankfully that reluctance to become more involved appears to be changing, even though Congress’ work is still a long way from clarifying the pros and cons of different approaches.
At a Senate hearing last week Democrats and Republicans criticized Google for failing to disclose a data breach exposing private details about an estimated 500,000 Google Plus users, a troubling revelation that sparked the tech behemoth’s decision to shutter the foundering social network. Citing that case and last year’s discovery of the way Facebook allowed Cambridge Analytica to obtain hundreds of thousands of detailed personal profiles of Facebook users, the chairman of the Senate Commerce Committee, John Thune, R-S.D., said the industry has shown that its efforts at self-regulation have failed and “a national standard for privacy rules of the road is needed to protect consumers.”
Sen. Mark Warner, D-Va., said, “Congress needs to step in” by giving the Federal Trade Commission rule-making authority over data privacy and more effective penalties for data breaches.
The senators are correct: The industry has failed to provide the necessary protection for users of its services. Too much is at stake to allow this to go on.
While most of the attention has been devoted to missteps by Google and Facebook, data breaches they have been responsible for are only a small subset of the problem, according to the nonprofit Privacy Rights Clearinghouse, which keeps track of all publicly disclosed data breaches.
Privacy thefts and exposures actually have dropped over the past three years, but they remain massive. In 2016, the worst year since the PRC began compiling incidents in 2005, 4.8 billion records were breached. Last year the figure fell to 2 billion, and so far this year it is just above 1 billion.
It is unclear whether that reduction is due to improved internet security by commercial firms and governments or a data glut that exploiters have yet to digest.
What is clear is that it is going to take a major effort by every organization that collects private data to prevent it from being stolen or exposed.