[BreachExchange] Should company bosses face jail for mishandling your privacy?

Inga Goddijn inga at riskbasedsecurity.com
Mon Nov 5 09:31:06 EST 2018


https://nakedsecurity.sophos.com/2018/11/05/should-company-bosses-face-jail-for-mishandling-your-privacy/

Mark Z, how do you feel about orange? Like, say, in a jumpsuit style?

Kidding! No court has found that you, the Facebook CEO, have purposefully
misled the government about how your company did/did not protect consumers’
data during, say, the multifaceted, ever-unfolding Cambridge Analytica
privacy debacle.

Senator Ron Wyden’s on the case, though, and has now put on the table a
bill that would throw execs into jail for up to 20 years if they play
loosey-goosey with consumer privacy.

Under his proposed bill, introduced on Thursday and called the Consumer
Data Protection Act, execs who knowingly mislead the Federal Trade
Commission (FTC) about how their companies protect consumer data could face
up to 20 years in prison and $5 million fines.

He’s proposing sunshine. He’s proposing “radical transparency.” He’s
proposing legislation with “real teeth” when it comes to punishing
companies that vacuum up our data without telling us “how it’s collected,
how it’s used and how it’s shared,” Wyden said in a statement.

This is a way to arm consumers against the massive data monetization
industry that’s flourished over the past decade, dragging privacy scandals
along with it, Wyden said:

Today’s economy is a giant vacuum for your personal information –
Everything you read, everywhere you go, everything you buy and everyone you
talk to is sucked up in a corporation’s database. But individual Americans
know far too little about how their data is collected, how it’s used and
how it’s shared.

Besides fines and jail time, Wyden’s proposal would also dramatically beef
up resources to go after data miscreants. The cops in this case would be
the FTC: to give the Commission the muscle it would need, the senator is
proposing jacking up its authority, funding and staffing to crack down on
privacy violations. The bill would also mandate easy opt-out for consumers
to shrug off hidden tracking of their sensitive personal data.

This is what the bill would enable the FTC to do:


   1. Establish minimum privacy and cybersecurity standards.
   2. Issue steep fines (up to 4% of annual revenue), on the first offense
   for companies and 10-20 year criminal penalties for senior executives.
   3. Create a national Do Not Track system that lets consumers stop
   third-party companies from tracking them on the web by sharing data,
   selling data, or targeting advertisements based on their personal
   information. It permits companies to charge consumers who want to use their
   products and services, but don’t want their information monetized.
   4. Give consumers a way to review what personal information a company
   has about them, learn with whom it has been shared or sold, and to
   challenge inaccuracies in it.
   5. Hire 175 more staff to police the largely unregulated market for
   private data.
   6. Require companies to assess the algorithms that process consumer data
   to examine their impact on accuracy, fairness, bias, discrimination,
   privacy, and security.


Thumbs-up

Senator Wyden got a thumbs-up from the Consumers Union, search engine
DuckDuckGo, and four former FTC chief technologists. This would be awesome
for us, said CEO Gabriel Weinberg of DuckDuckGo, the privacy-oriented
browser that eschews profiteering off our data:

Senator Wyden’s proposed consumer privacy bill creates needed privacy
protections for consumers, mandating easy opt-outs from hidden tracking. By
forcing companies that sell and monetize user data to be more transparent
about their data practices, the bill will also empower consumers to make
better-informed privacy decisions online, enabling companies like ours to
compete on a more level playing field.

The bill proposes that companies with annual revenues in excess of $1
billion, or those whose warehouses contain data on more than 50 million
consumers or their devices, submit “annual data protection reports” to the
government that detail all the steps they’ve taken to protect the security
and privacy of consumers’ personal information.

Execs who sign off on reports that are less than truthful could be looking
at the stiff fines, the jail time, or both.

The Do Not Track list would bar companies from sharing with third parties
the data of those who sign up, or from using their data to target ads to
them. The bill addresses the “Well, how do we make money, then?” aspect of
the pay-or-get-marketed-at dilemma of paying for websites by giving
companies permission to charge customers on the list a fee to use their
products and services.

But even those consumers who don’t sign on to the Do Not Track list would
be granted the ability to review information collected about them, see who
it’s been shared with or sold to, and challenge any inaccuracies.

What are the bill’s chances of passing?

“Activists and consumer groups claim the industry’s more interested in
undermining tougher privacy rules with their own, weaker proposals – than
actually crafting meaningful ones”, says Motherboard.

For example, Facebook, Google, and Verizon collectively lobbied the GOP to
kill modest but meaningful FCC privacy rules last year. They also worked in
unison to scuttle state-level privacy rules in California, falsely
claiming that such efforts would only “embolden extremists,” harm children,
and somehow increase internet popups, according to an analysis by the
Electronic Frontier Foundation.