Sen. Al Franken (D-Minn.) presides over hearing while Ranking Member Sen. Coburn (R-Okla.) looks on.
On Tuesday, CDT’s Justin Brookman told a congressional panel that U.S. data protection laws are in serious of need of an overhaul. Brookman’s comments came during the first hearing of the Senate Subcommittee on Privacy, Technology and the Law, which is chaired by Sen. Al Franken (D-Minn.). Senator Franken called the hearing to examine broader issues of mobile privacy.
More specifically, Franken wanted to look at how various mobile platforms and applications collect location data and the weak protections in law for preventing potential abuse of that data by both government and commercial entities.
Brookman and fellow witness Ashkan Soltani described how phone operating systems and apps can collect enough highly detailed location information to know who you are, where you are going (be it a hospital or a political rally), and where you have been, but explained that the law offers essentially no protections for such information. Indeed, once an app has access to a user’s data, there are usually no rules governing its disclosure and no controls available to consumers to regain control of it. Once the data leaves the phone it is “in the wild.” App developers, advertisers, ad networks and platforms, analytics companies, and any number of other downstream players can share, sell, or unpredictably use this data far into the future.
As Brookman’s testimony explains, technology has simply outpaced the existing legal framework. CDT has long advocated for comprehensive privacy legislation that would provide a baseline of protection for all consumer data – including location data – and provide for enforcement against those commercial entities who inappropriately collect or use such information.
One particularly concerning trope that emerged during the hearing involved recommendations that Congress protect consumers by creating laws that implicate Internet intermediaries, rather than the malefactors themselves, and turn these intermediaries into Internet gatekeepers. It’s a DOA suggestion that we have heard many times before. In the U.S., Internet intermediaries generally have strong protections from liability for content created by others. If this weren’t the case, services like YouTube would not exist; no company would want to take on the risk of being liable for every piece of content, for everything buried in every app. Innovation would freeze up.
In another odd turn, Jason Weinstein, Justice Department deputy assistant attorney general of the criminal division, played skunk at the garden party, arguing that rather than reduce the amount of data they store, platforms – and others – should increase the amount of data stored so that data is more readily available for law enforcement. CDT rebutted a similar claim he made at a congressional hearing back in February, noting that a law requiring the retention of large amounts of consumer data for future – potential – access by law enforcement would create a panoply of problem while being of questionable efficacy.
The hearing underscored the complex issues implicated by any discussion of location privacy specifically and data privacy more generally. Striking the right balance – between privacy, innovation, and law enforcement’s legitimate need for information – is anything but a simple task.
As Senator Franken noted in his closing comment: “I still have serious doubts that [consumer privacy] rights are being respected in law or in practice. We need to think seriously about how to address these problems and we need to address them now.”