The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Why a privacy law like GDPR would be a tough sell in the U.S.

Analysis by
Assistant visual enterprise editor, reporter
May 25, 2018 at 8:14 a.m. EDT

with Bastien Inzaurralde

THE KEY

Today, the European Union cements its status as the global leader in data privacy.

The E.U.’s sweeping new data privacy law is taking effect, ushering in new restrictions on what companies can do with people’s personal data and setting tough penalties for those that break the rules.

In theory, there’s nothing preventing the United States from adopting a set of privacy standards that are just as broad and forceful. Indeed, many privacy advocates have called for it. But on this side of the Atlantic, it’s still kind of a data privacy free-for-all.

The European law, known as the General Data Protection Regulation, or GDPR, requires companies that collect data on E.U. citizens to use simple language to explain how they handle it. Companies must get explicit consent from consumers before doing anything with their information and allow them to request copies of their data or delete it entirely. The law also mandates that companies report data breaches on strict timelines. Fines for violations could cost them 4 percent of their global profits.

There’s no equivalent of the GDPR in the United States, nor is there likely to be one anytime soon. A mosaic of different state and federal rules, some of them varying widely, govern some of the same issues, but there’s no central authority that enforces them.

That’s not to say the GDPR won’t affect the United States. It will. American companies that operate in Europe (or otherwise serve E.U. citizens) have to comply. Facebook, Google, Apple and other tech giants have revamped their privacy policies internationally in preparation for the new rules and readied new tools for people to download and delete their data, as my colleague Elizabeth Dwoskin reports.

But the law isn’t legally binding in the United States, meaning that people living here don’t have the same recourse as an E.U. citizen if they believe a company runs afoul of the new law.

Does the United States need something similar? Depends on who you ask. But here are a few reasons a GDPR equivalent would be a hard sell here.

1. There’s no agency to carry it out.

E.U. member states have their own data privacy authorities to enforce the GDPR. That doesn’t exist in the United States.

The closest equivalent is the Federal Trade Commission, which is the main agency that enforces U.S. privacy policy. But its powers are thin compared to its European counterparts. It has little to no oversight over a range of businesses and industries, including airlines, universities, nonprofit organizations and banks, for example.

“Even if the FTC were to use its rulemaking authority to promulgate a set of commands, there’s no public institution in the U.S. that has that breadth of authority, and that’s a big gap,” William Kovacic, a former general counsel, member and chair of the FTC during the Barack Obama and George W. Bush administrations, told me.

Kovacic, a law professor at George Washington University, said other agencies such as the Education and Commerce Departments have data protection functions, and states have their own laws and regulations governing data privacy. But there’s no mechanism in the federal government to bring it under one roof.

“In many ways we have an antiquated policymaking infrastructure,” Kovacic said. “It’s a patchwork of controls that have no unifying principles and no unifying institutions to coordinate policy.”

2. Congress won’t go for it.

It’s challenging enough to pass simple legislation in a gridlocked Congress. Getting something as complex as the GDPR approved would be a huge undertaking.

Privacy legislation far less sweeping than the GDPR has stalled over and over in recent years. Legislation to create a federal standard for how companies and agencies report data breaches, for example, has repeatedly dead-ended — even after hackers stole the personal information of 22 million federal workers from the White House Office of Personnel Management in 2014.

Uproar over the misuse of millions of Facebook users' data by the political consultancy Cambridge Analytica has led lawmakers to introduce a flurry of new privacy-related legislation. There's one bill that would expand the FTC's authority and impose new restrictions on data collection, and another that would give people greater control over what companies can do with their information. Several similar bills are up for consideration.

But rallying support around those measures and others could be a struggle, said Joel Wallenstrom, chief executive of the secure communications company Wickr.

“Aside from the overall challenging legislative environment in the U.S., any proposal will face resistance from a very powerful tech lobby,” he said. “With GDPR primarily being focused on protecting European users from large U.S.-headquartered service providers like Google, Apple, Facebook, and Amazon, some policymakers may see it as E.U. enforcing a privacy tax on U.S. companies. And there is certainly less hunger in Congress to penalize or tax U.S. corporations, particularly given the 2016 electoral mandate to regulate and tax less.”

Other complications could arise as well, he said. “We have some policymakers calling for stronger data protection in response to the Cambridge Analytica scandal at the same time as others are calling to mandate back doors into encrypted communications systems designed to protect the very same users. These conflicting demands are destined to undermine each other.”

3. There’s not enough public demand for a data privacy overhaul...

The Cambridge Analytica scandal has spurred a fevered national debate about data privacy, elicited public apologies from Facebook chief executive Mark Zuckerberg and brought federal law enforcement investigations. But did it move the needle enough for the U.S. government to follow Europe’s lead? Probably not, Kovacic said.

Change such as that “often takes a kind of shock” akin to the 2008 financial collapse, he said. “We wait until there’s a grievous event and then do emergency-room surgery to fix it."

He continued: “As the magnitude of the Facebook lapse becomes apparent, maybe that would be enough to galvanize some effort. But I’m not sure that’s a severe enough shock to do it.”

What’s more, the GDPR’s ripple effects in the United States may have gone far enough, said Jonathan Zittrain, director of the Berkman Klein Center for Internet and Society at Harvard.

“In some ways Europe may be doing the job for us,” he said, “since companies above a certain size will be adopting GDPR-friendly practices for all users, not just Europeans.”

... Or is there?

Amie Stepanovich, U.S. policy manager at Access Now, argued the public appetite for data privacy regulation was strong.

“Cambridge Analytica and Facebook really raised the profile of this issue in the United States,” she told me. “It showed people who really weren’t sure just where they could be harmed from a privacy perspective.”

Stepanovich said the spate of privacy bills pending in Congress was evidence that lawmakers had taken note of rising privacy concerns. “They’re hearing from their constituents that they need to do something,” she said. “If members of Congress are listening to what people want and what people seem to be talking about right now, this should be a top priority.”

Wallenstrom, of Wickr, agreed that the public focus is growing.

“Businesses and end users want to know they own their data and no one else can access it. And while the consumer demand for privacy tech is growing in response to the lack of security guarantees by traditional tech providers, there is still far more growth in products that de-emphasize data protection,” he said. “It is fair to say that GDPR aims to regulate the protection of personal data largely because the tech industry has repeatedly shown that securing personal data privacy is not a priority.”

CHAT ROOM

— As GDPR takes effect, you may be getting a flood of privacy policy updates in your inbox. Twitter had some fun with it:

PINGED, PATCHED, PWNED

PINGED: A woman in Portland, Ore., said the virtual assistant Alexa on an Amazon.com Echo device quietly recorded a conversation in her home and sent it to one of her husband's employees without their knowledge, The Washington Post's Hamza Shaban reports

Two weeks ago, Danielle, who would only give her first name, received a phone call from the employee: “Unplug your Alexa devices right now,” the person said. “You're being hacked.” Danielle told KIRO 7's Gary Horcher they did not believe the employee actually heard them talking: “At first, my husband was, like, ‘no you didn't!’ And the [employee] said, ‘You sat there talking about hardwood floors.’ And we said, ‘oh gosh, you really did hear us.’”

Amazon said in a statement to The Post that the Echo device activated itself when it picked up a word sounding like “Alexa,” Shaban writes. “The subsequent conversation was heard as a 'send message' request,” Amazon's statement said. “At which point, Alexa said out loud 'To whom?' At which point, the background conversation was interpreted as a name in the customer's contact list.”

"As unlikely as this string of events is, we are evaluating options to make this case even less likely," Amazon added. (Amazon founder and chief executive Jeffrey P. Bezos is the owner of The Post.)

PATCHED: Facebook and Twitter are making changes to boost transparency about the political ads that appear on their platforms as the midterm elections near and two years after Russia's online disinformation campaign. "Starting Thursday on Facebook, political ads will include a marker at the top indicating who has paid for it," The Post's Tony Romm reports. "Clicking on the label will bring users to a new repository of all political ads that have run on the site, along with information about the people who saw it, like their age and location."

The changes on Facebook and Instagram cover advertisements about candidates as well as political issues such as immigration and guns, Romm writes. “Our intent is trying to help people understand who is trying to influence them on political and social issues, and why,” said Katie Harbath, global politics and government outreach director at Facebook.

Also on Thursday, Twitter said in a blog post that it will require those who want to run ads for federal elections to identify themselves and certify that they are based in the United States. The company reiterated its intention to label political ads "in the near future" and also said that it is working on a policy about “issue ads,” Romm writes.

From Sen. Mark R. Warner (D-Va.):

From ProPublica's Derek Willis:

PWNED: The Anti-Phishing Working Group, a coalition of institutions combating cybercrime, said on Thursday that criminals have stolen about $1.2 billion in cryptocurrencies since the beginning of last year, Reuters's Gertrude Chavez-Dreyfuss reports: “One problem that we’re seeing in addition to the criminal activity like drug trafficking and money laundering using cryptocurrencies is the theft of these tokens by bad guys,” Dave Jevans, the group's chairman and chief executive of the cryptocurrency security company CipherTrace, told him. The group's estimates include theft that's been reported as well as unreported theft.

Jevans also said the E.U.'s new online privacy regulations may make it harder to fight online crime. "GDPR will negatively impact the overall security of the internet and will also inadvertently aid cybercriminals,” he told Chavez-Dreyfuss. “By restricting access to critical information, the new law will significantly hinder investigations into cybercrime, cryptocurrency theft, phishing, ransomware, malware, fraud and crypto-jacking.”

— More cybersecurity news from The Post and elsewhere:

Prominent Republican expands lawsuit against Qatar (Ellen Nakashima)

Hey Alexa, come clean about how much you’re really recording us (Geoffrey A. Fowler)

Is Florida’s elections system safe from a cyber-attack? (Tampa Bay Times)

PUBLIC KEY

— The Senate Armed Services Committee on Thursday approved a bill that would require companies doing business with the U.S. military to disclose whether the source code of the software that they're selling was reviewed by U.S. adversaries such as China or Russia, Reuters's Joel Schectman reports. The bill passed the committee in a 25-to-2 vote. Security experts say letting Russia examine the source code of software could allow it to discover weaknesses that it could take advantage of, according to Schectman.

“If the Pentagon deems a source code review a risk, military officials and the software company would need to agree on how to contain the threat,” Schectman writes. “It could, for example, involve limiting the software’s use to non-classified settings.” The legislation was passed as part of the Senate's version of the National Defense Authorization Act, staffers for Sen. Jeanne Shaheen (D-N.H.) told Schectman.

— Sen. Thomas R. Carper (D-Del.) has some questions about President Trump's cellphone. In a letter to Defense Secretary Jim Mattis on Thursday, Carper reiterated a request he made last year with Sen. Claire McCaskill (D-Mo.) for information about what measures — if any — the Pentagon and the White House have taken to ensure that Trump uses a secure device.

Trump's cellphone lacks sufficient security features to protect his communications, Politico reported this week. “This security lapse is all the more concerning in light of reports that President Trump has urged world leaders to contact him directly through his smartphone and that White House Chief of Staff John Kelly's personal smartphone was compromised for months,” Carper wrote. Carper requested an answer from Mattis by June 7.

— More cybersecurity news from the public sector:

D.C. government data breach exposed nurses’ Social Security numbers (Fenit Nirappil)

Downtown Orlando has 3 Amazon facial-recognition cameras, police chief says – contrary to earlier claim (Orlando Sentinel)

PRIVATE KEY

— A lawsuit in California alleges that Facebook gathered extensive personal data through its apps from users and also collected information from some people who didn't have an account on the social network, the Guardian's Carole Cadwalladr and Emma Graham-Harrison report.

“The claims of what would amount to mass surveillance are part of a lawsuit brought against the company by the former startup Six4Three, listed in legal documents filed at the superior court in San Mateo as part of a court case that has been ongoing for more than two years,” Cadwalladr and Graham-Harrison write. A Facebook representative said the “claims have no merit, and we will continue to defend ourselves vigorously.” 

Facebook "also collected information sent by non-subscribers to friends or contacts who had Facebook apps installed on their phones, the court documents claim," according to Cadwalladr and Graham-Harrison. "Because these people would not have been Facebook users, it would have been impossible for them to have consented to Facebook’s collection of their data."

— Fraudulent transactions via mobile apps have increased by more than 600 percent in three years, according to a report by cybersecurity firm RSA released on Wednesday. “While part of this increase is likely attributed to greater digitalization of banking and other consumer services, it is clear the mobile channel is still more vulnerable to fraud and requires better protection,” RSA's Heidi Bleau wrote in a blog post.

Here are some other takeaways from the report:

  • “Phishing accounted for 48 percent of all cyber attacks observed by RSA. Canada, the United States, India and Brazil were the countries most targeted by phishing."
  • “Financial malware accounted for one out of every four fraud attacks.”
  • “More than 80 percent of observed fraudulent e-commerce transactions originated from a new device.”

— More cybersecurity news from the private sector:

How JPMorgan Chase Learned to Love the Blockchain (Fortune)

SECURITY FAILS

T-Mobile security lapse let anyone see customer account details (ZDNet)

More Than Half of Users Reuse Passwords (Dark Reading)

A Basic Z-Wave Hack Exposes Up To 100 Million Smart Home Devices (Forbes)

THE NEW WILD WEST

Ireland’s Abortion Vote Becomes a Test for Facebook and Google (The New York Times)

Macron to Silicon Valley: Embrace Europe’s Regulations (The Wall Street Journal)

ZERO DAYBOOK

Today

  • The European Union's General Data Protection Regulation goes into effect.
  • LayerOne conference in Los Angeles today through May 27.

Coming soon

EASTER EGGS

Why the North Korea summit was doomed to fail:

The Post's Adam Taylor explains what led up to President Trump's May 24 letter to North Korea leader Kim Jong Un and what to expect going forward. (Video: Joyce Lee, Adam Taylor/The Washington Post)

What Trump has said about the NFL protests:

The NFL enacted a new policy May 23 that requires players to stand for the national anthem or wait in the locker room. (Video: Victoria Walker/The Washington Post)

Listen to Elon Musk's frustrated outbursts during Tesla's earnings call:

Tesla’s CEO lashed out at analysts and the media during a wide-ranging earnings call. (Video: Tesla via Earningscast)