Privacy is a confusing and complicated issue for most internet users. Many of us still believe outdated privacy myths about our activities online. Most of us aren’t sure exactly how we should be protecting our personal information on the internet, and we might not know exactly what laws protect our privacy and our security online. If you’re like the average American, you probably want more laws in place to protect your privacy — you might even be shocked by the state of the legislation that currently governs your privacy, too.
The Pew Research Center found that “a majority of the U.S. public believes changes in law could make a difference in protecting privacy — especially when it comes to policies on retention of their data.” Americans, whom researchers found lack confidence in the security of everyday communication channels and the organizations who control them, generally favor additional legal protections against abuses of their data. Most internet users — 68% of them — believe that current laws aren’t good enough to protect people’s privacy online. Almost as many (64%) believe that the government should do more to regulate advertisers.
Most expect at least some limits on retention policies by data collections. And 64% support more regulation of advertisers and the way they handle consumers’ personal information. When asked about the data that the government collects as part of its anti-terrorism efforts, 65% of Americans say that there aren’t adequate limits on “what telephone and internet data the government can collect.” Ahead, check out the most shocking things about the current state of the legislation that protects your privacy online.
1. To begin with, realize that there are few internet privacy laws
This isn’t a law, per se, but it sure is shocking. Carl Herberger reports for TechCrunch that “somehow we missed privacy from the initial design of the Constitution and amendments thereafter.” The so-called right to privacy wasn’t afforded to us by the Founding Fathers of the United States,” he explains, “nor does it make up the conscience of our jurisprudence system of government today.” Legally, privacy is nothing more than a regulation or a state-level law focused on data protection, and this protection only extends to limited kinds of data.
When you think about it, privacy is about more than data. Most people want to keep their private thoughts, moments, and conversations to themselves, free from surveillance, confiscation, or monetization. However, we don’t have the legislation in place to afford that protection. And in the meantime, governments and corporations alike do all kinds of things that most reasonable people would consider a violation of their privacy. Herberger asks, “When one’s life no longer has the intimacy of sharing a sweet-nothing between lovers, or singing alone in the shower, or being able to just be ‘you’ without anyone knowing, recording or watching, is this really a safer and more humane world?”
As things stand now, your privacy is protected only by an inconsistent and often incoherent assortment of rules, regulations, and micro-laws. And because we have no national privacy laws — no legislation that covers our privacy across types of data — we’re beginning to see some very real consequences, like frequent data breaches. And the privacy threats are only growing with increasing surveillance, conducted not only via your phone and computer, but via the other connected devices that register your activities at home, on your commute, and at the office.
2. The Electronic Communications Privacy Act (ECPA) is what enables the government to ask Google or Facebook for your information
The Electronic Communications Privacy Act, or ECPA, was originally passed by Congress in 1986 to set standards for how the government can access the digital information of citizens, extending restrictions on wire taps on phone calls to include transmissions of electronic data. But Brandon Butler reports for NetworkWorld that those who advocate for ECPA reform say that the most egregious portion of the law involves the rights of the government to obtain electronic files without a warrant. Essentially, a paper letter that’s sitting on your kitchen counter or stashed in a drawer at your office has a much higher level of constitutional protection than an email.
ECPA enables the government to gain access to your emails, your Facebook messages, the information in your cloud storage provider’s databases, and other electronic files with only a subpoena and not a warrant once such items are 180 days old. Major tech companies routinely disclose how many requests for information they field from the government. Another part of the law dictates when the government can access GPS tracking via phones.
While Congress has considered a bill called the GPS Act, which would limit government surveillance using signals from phones and GPS devices, the legislation has not been passed. And though amendments to the ECPA have been introduced, groups like the American Civil Liberties Union are still very concerned that major changes are needed to bring the law up to date with modern technology.
3. The Cyber Intelligence Sharing and Protection Act (CISPA) hasn’t been passed yet, but would grant immunity for companies to share your private information
The Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed piece of legislation that’s supposed to protect consumers’ privacy. The bill would dictate how companies share information about cyberthreats with the federal government. But Butler notes that opponents of the bill, like the Electronic Frontier Foundation (EFF), are worried that the bill would actually create privacy loopholes and give companies legal immunity to share consumers’ information, thanks to the broad definition of “cyberthreat.”
The most recent action on the bill was its reintroduction in the House and its subsequent referral to the Subcommittee on the Constitution and Civil Justice. But the EFF argues that this so-called “cybersecurity” bill is dangerous “because it carves a loophole in all known privacy laws.” The bill claims that companies and the federal government are allowed to share information that they believe will prevent or defend against network and other internet attacks. In the process, it grants companies the power to identify and obtain “threat information” by looking at consumers’ private information.
In fact, the bill would allow companies to hand over large amounts of consumers’ personal information with no judicial oversight — unlike established laws like the Cable Communications Policy Act or the Wiretap Act, which provide judicial oversight to prevent companies from unnecessarily sharing your private information. Butler points out that the information turned over to the federal government goes straight to the National Security Administration (NSA), which is a military division of the government that engages in all kinds of activities that Americans don’t know much about. Thanks to the bill’s broad definition of terms like “cybersecurity” and “cyberthreat,” it’s difficult to know exactly how the bill would be used.
4. The Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) was passed in 1986 and is another great example of a privacy law that’s too outdated to accurately reflect the reality of modern technology. Butler reports that advocates seeking reform for the law, which was passed in the late 1980s and updated a decade later, is “too restrictive in banning information sharing.” The law makes it a federal crime to access and share protected information. But organizations like the EFF have called for CFAA reform to reduce penalties for CFAA violations and to create clearer definitions of what a breach of CFAA really entails.
The EFF reports that the CFAA, which it refers to as the federal “anti-hacking law,” is primarily a criminal law intended to reduce instances of malicious hacking. But a 1994 amendment to the bill allows for civil actions to be brought under the statue, and creative prosecutors “have taken advantage of this confusion to bring criminal charges that aren’t really about hacking a computer, but instead target other behavior prosecutors dislike.” For instance, the government has claimed that violating a private agreement or corporate policy amounts to a CFAA violation. The problem is made worse by what the EFF characterizes as a disproportionately harsh penalty scheme.
The EFF proposes reforming the law to prevent sentences of prison time for violating Terms of Service. They want to protect “tinkerers, security researchers, innovators, and privacy seekers” and want to ensure that “the punishment fits the crime.” In terms of keeping the law from punishing you for protecting your privacy, the EFF proposes that “it should not be a crime to take steps to change your IP address, MAC address and similar identifiers for the purpose of protecting privacy or maintaining anonymity, as long as you are not engaging in identity theft.”