The Internet provides the benefit of instant access to information and products, but Internet users also tacitly enroll themselves in a worldwide information exchange. Extensive databases capture our searches and record our visits to websites, profiling our interests and attitudes. What are the costs and risks associated with this growing body of personal information? What are the rules governing its use? What is the role of the states in addressing privacy and governance issues arising from the Internet? Chris Calabrese examined these issues in a session devoted to The Internet and Technology: Privacy and Information Governance.
State government has a crucial role to play in the Internet privacy debate, Mr. Calabrese noted, citing four reasons why state governments should play an active role. They include:
1. Technology is rapidly outstripping policy and law.
2. The failure of the federal congress and courts to address Internet legal issues.
3. Technology is central to people’s lives, but there are no rules governing it and there may be some unintended negative consequences for users.
4. Policy-making for the Internet has just begun, and more will come.
Technology has rapidly evolved while the laws regulating the Internet have not changed in 25 years. Computers are faster, smaller, more powerful, and, importantly, interconnected. There are more databases collecting extensive information about us. A cell phone is like a portable tracking device. In 2013, Facebook had 250 billion photos uploaded or about 200 photos per user. Our lives are being reported online. Our interests, political affiliations, habits, social media contacts, and texts are being recorded in databases.
“This has profound implications for privacy issues, law enforcement, and how we interact with the world,” Mr. Calabrese said. And these issues have not been addressed at the Federal level. There is no comprehensive data privacy law in the US compared to other industrial economies that have adopted Internet privacy laws.
Antiquated laws have not been updated to provide the laws and tools to protect privacy in an interconnected world. The Third Party Doctrine, for example, holds that once a record has been passed to a third party, privacy protection is no longer in force. Every Internet exchange is essentially passing a record to a third party, Mr. Calabrese said. The evolution of the “Internet of Things,” for example, Internet-enabled televisions and baby monitors, has created many more channels through which people can surreptitiously listen in on others’ private lives.
Privacy means people have control of the information about themselves, but the world of records is outside of people’s control. Extensive mechanisms are collecting information about us all the time, creating profiles that are marketable assets. While surfing the Internet, ads based on your profile will be served to you by a third-party tracking company. There is a pervasive concern about how all this information about people is being used or misused.
“Always leaving a record can create significant harms to the values we cherish,” Mr. Calabrese said. For example:
• The First Amendment protects private, confidential, anonymous communication. But our laws do not provide protection for this on the Internet.
• When unscrupulous people have access to sensitive information, this makes some people vulnerable to scams, for example, targeting elderly people.
• Security can be harmed when hackers seek personal information that links to bank accounts, etc.
• Identity theft can be fueled by data breaches such as the breach at the US Office of Personnel Management where hackers stole the records of 20 million federal employees including their fingerprints and background checks.
State lawmakers have a powerful and important role in making laws to regulate the Internet and protect privacy, Mr. Calabrese said. He recommended 4 areas where states could create legislation that would have a significant impact on protecting privacy.
Location data from cell phones may violate privacy by revealing sensitive and private information about where a person has been, and there is no comprehensive law regulating location tracking. Should government access to cell phone records require a warrant? Should police have access to this information when there is a high probability of crime? Federal law is silent on this issue. Four states – Maine, Montana, New Hampshire, and Utah – have passed laws that require a warrant to obtain current and past location information, and 13 states are considering such laws. Most state laws recognize exceptions to the warrant requirement such as user consent, emergency calls, or location of a missing person.
The Electronic Communications Privacy Act (ECPA) was passed in 1986 and is the Federal basis for monitoring electronic communications. It has not been updated to keep pace with technology, for example, it does not regulate third parties holding email and digital documents to provide privacy protections comparable to that for phone calls or physical mail. Mr. Calabrese’s organization, the Center for Democracy & Technology, recommends that states create their own equivalents to the ECPA but amend the law to require government representatives to obtain warrants before accessing emails or other electronic communications.
Texas has a model law, which requires state law-enforcement officials to obtain warrants before accessing communication content, and California is exploring a similar law, Mr. Calabrese noted.
Today’s technology offers new applications that can help students learn, do their homework, check assignments, or check their grades. But many of these are third-party apps and the data collected are not protected. These data can be sold to create marketing profiles. The Federal Right to Student Privacy Act does not cover these third party entities. Federally and in most states, there is no regulatory framework to complement this data collection and protect against inappropriate sharing of student information.
California’s Student Online Personal Information Act (SOPIPA) and Delaware’s Student Data Privacy Protection Act are comprehensive models for student privacy that prohibit student data from being used to create targeted advertising to students and their families, or to build advertising profiles, or to be sold or disclosed.
New technologies use biometric data such as fingerprints, iridology, or face prints to identify people. Video cameras can use face prints to track individuals in public, without the observed person being aware of, or consenting to, this observation. Widely deployed facial recognition technology could enable anyone to collect and share the identities and personal information of any person in public.
Illinois and Texas have enacted model facial recognition privacy legislation. Illinois statute requires biometric companies to inform users in writing that information is being collected, its purpose, and the period during which the information will be stored, and to receive their consent in writing.
Mr. Calabrese concluded that the states must create the right balance, not only supporting the development of great technology but also in protecting people’s privacy and security, providing control over their data, and enacting rules that regulate the use of data. He advised each senator to assess the technical literacy of their staff and state agency officials, stating, “ You need technical competence to identify the potential problems and abuses that come with technology.” He urged the Forum participants to prioritize the understanding of technology as a fundamental part of state policy-making.
Sen. Brian Bingman (OK): Blackberry has privacy built in through its proprietary technology, and all the data are owned by the subscriber company. Apple and Android have encryption for everything on your phone.
Mr. Calabrese: The challenge is that, once the data leave your phone, encryption varies. If you access websites and social media, there is no encryption.
Sen. David McBride (DE): There seems to be a tattered patchwork of laws regulsting the Internet. Doesn’t the Federal government have a responsibility to create a coherent policy?
Mr. Calabrese: Every big-tech company and organizations from the American Civil Liberties Union (ACLU) to the Heritage Foundation support new Internet privacy laws. Resistance comes from law enforcement and the courts—they do not want to surrender control. When legislation is attempted, special interests throw everything into a big omnibus law, which becomes ineffective; furthermore, there is a huge backlog of bills pending. As a result, when a data breach occurs, it is the state that steps in to make laws. Currently, there are 47 state laws regulating Internet data. Companies and organizations have to adapt to multiple regulations.
Sen. David Givens (KY): The privacy issues are important, but equally important is our response to cyber-terrorism, which is dispersed and challenging. Hackers can lock all my files and then offer to sell me a code to unlock my files. To your cited four issues, I would add Issue Five: We need an army of cyber-defenders, “friendlies” armed with computer skills. To this end, we have created a strong coding education program in our schools. It gives us both economic development and protection against cyber-terrorism.
Mr. Calabrese: We can’t have privacy without security, but cyber-security has not kept pace with technology. Better computer training and education on digital hygiene are essential for us to combat cyber-terrorism. The National Institute of Standards and Technology, part of the US Department of Commerce, publishes cyber-security information and has a Cyber-Security Resource Center (http://csrc.nist.gov).
Paul Plofchan (ADT): There are currently 8 bipartisan bills in Congress focused on Internet security. Where is a good place to start to get a coherent Federal policy?
Mr. Calabrese: A huge omnibus privacy bill will not work. A starting point could be requiring a warrant to access someone’s email. You can protect location information. Implement best practices for cyber-hygiene, and share cyber-threat information across agencies, states, and companies. Some states such as California and Illinois already have strong standards and don’t want to weaken them. For companies, the challenge is trying to comply with proliferating rules.
John Burchett (Google): A Federal solution would be best for the Internet. Google complies state-by-state with all the regulations, but we have to define which state law to follow. Is it where the user is, where the servers are, where the advertisers are? Twenty-five states have privacy laws, and they all differ. It is important for the states to consult with the technology companies, so you can get the services you want without causing unintended consequences. Sometimes, bills are competitively written to favor one company or exclude another.
The major threat that concerns people is identity theft. In fact, the vast majority of large Internet companies hold aggregated data rather than individual information. The large companies have many protections in their systems. They identify incoming risks and plug that hole, but hackers just move to their next strategy. We can identify where data breaches have happened and understand how to block them. Smaller companies do not have the resources to fight the battle against hackers, and state agencies are not set up to be data-protection experts.
Sen. Troy Fraser (TX): In 2013, Texas passed a warrant bill and a facial recognition bill, but we need the other states to join in. Cyber-terrorism is a global problem, not a state problem. Unfortunately, the hackers seem to be ahead of us.
Mr. Calabrese: We need a federal policy covering such things as data-retention limits. For how long should companies be permitted to store data? What happens to their data when someone dies? What are the best practices for data retention? These issues are escalating as more data is collected and stored and data security is becoming more complex.
Vans Stevenson (Motion Picture Association of America): How do we balance protection and privacy against our desire for technology access and also the First Amendment?
Mr. Calabrese: First Amendment values need to be protected. We do not want to restrict lawful speech. Once information is public it is essential not to censor it. However, industry, law enforcement, and the public need to come to a consensus about the privacy and security protections we want for the Internet and all data being collected and stored. The goal is to protect the values we cherish while facilitating innovation.
Chris Calabrese is the Vice President for Policy at the Center for Democracy & Technology (CDT) where he oversees CDT’s policy portfolio. Chris has long been an advocate for privacy protections, Internet openness, limits on government surveillance, and fostering the responsible use of new technologies.
Chris has testified before Congress and appeared in many media outlets, including CBS Evening News, Fox News and National Public Radio, discussing technology and privacy issues. He has also been quoted in a variety of publications including the New York Times, Washington Post and Associated Press. He was named one of Washington’s Top Lobbyists by The Hill newspaper in both 2012 and 2013. Chris also sits on the Consumer Advisory Committee of the Federal Communications Commission (FCC).
Before joining CDT, Chris served as legislative counsel at the American Civil Liberties Union’s (ACLU) Washington Legislative Office. In that role, he led the office’s advocacy efforts related to privacy, developing proactive strategies on pending federal legislation and executive branch actions concerning privacy, new technology and identification systems. His key areas of focus included limiting location tracking by police, safeguarding electronic communications and individual users’ Internet surfing habits, and regulating new surveillance technologies such as unmanned drones.
Before becoming a lobbyist, Chris also helped lead several national ACLU campaigns including opposing state implementation of the Real ID Act and ending law enforcement’s use of commercial databases and data-mining as part of the Multi-State Anti-Terrorism Information Exchange (MATRIX) program.
Prior to joining the ACLU, Chris served as the legal counsel to the Massachusetts Senate Majority Leader, Linda J. Melconian. In that capacity, he helped draft legislation to ensure that privacy and anti-discrimination laws extended to genetic information. Chris is a graduate of Harvard University and holds a J.D. from the Georgetown University Law Center. He lives in the Washington, D.C. area with his wife and three children.
Other New Media & Government articles:
Vice President for Policy
Center for Democracy & Technology
State government has a crucial role to play in the Internet privacy debate.
Everything we do online and offline leaves a trace. This is a detailed record of our lives.
There is no comprehensive Federal data privacy law regulating the Internet in the US.
Privacy means controlling what information about you becomes public, but the world of Internet records is outside of people’s control.
4 areas where state laws can impact Internet privacy:
1. Location tracking
2. Government access
3. Student privacy
The Center for Democracy & Technology recommends that states adopt laws such as the ECPA, but amend the law to require government representatives to obtain warrants before accessing emails or other electronic communications.
Sen. Brian Bingman
Sen. David McBride
Sen. David Givens
It is important for the states to consult with the technology companies so you can get the services you want without causing unintended consequences.
Cyber-terrorism is a global problem, not a state problem, and state agencies are not set up to be data-protection experts.
Sen. Troy Fraser
Industry, law enforcement, and the public need to come to consensus about the privacy and security protections. The goal is to protect the values we cherish while facilitating innovation.
Senate Presidents’ Forum
The Senate Presidents’ Forum is a nonpartisan, nonprofit
educational organization for State Senate leaders.
Copyright © 2017 Senate Presidents' Forum. All rights reserved.