Sens. John Kerry and John McCain have introduced a bill to put limits on what companies can do with customers' personal information, but it's just one front in the ongoing debate.
During the explosion in recent years of online services, geolocation apps, social media and mobile connectivity, loss of privacy has often been collateral damage.
Now efforts to restore at least a measure of privacy for Internet users are bubbling up on several fronts, although the cast of characters sometimes seems interchangeable. In some cases, governments are proposing legislation to restrict what the private sector can collect from users, while in another case, companies are trying to prevent one government from getting access to that information.
Sens. John Kerry (D-Mass.) and John McCain (R-Ariz.) have introduced the Commercial Privacy Bill of Rights Act of 2011, which looks to put limits on what companies can do with customers’ personal information.
The bill would require companies to give users a way to opt out of the collection of their personal data, to implement security measures to protect the data they collect, and to explain how and why they gather personal information. In addition to the opt-out rules, companies would have to get consent from users before collecting sensitive data, such as financial or health information.
Still, the bipartisan effort, which would seem likely to get support in Congress, does not satisfy privacy advocates, who argue that it doesn’t provide enough protection.
Some have complained about the lack of a “do not track” requirement in the bill. Kerry said the opt-out requirement would make a do-not-track provision unnecessary, according to a report in The Hill.
But some advocates say the opt-out requirement, which in some cases would require users to actively seek out the option, would be too difficult, Wired reported.
Meanwhile, privacy protection efforts are being carried out by some companies and at least one state.
Browser-makers such as Microsoft, Mozilla and Google are adding do-not-track features to their browsers, Wired pointed out, and California is considering a strong do-not-track bill in its state senate, according to the Los Angeles Times.
The law, similar to the federal Do Not Call law targeted at telemarketers, would forbid websites from tracking visitors and would apply to PCs (including tablets), smart phones and any other device used to access the Internet.
While these efforts aim to limit businesses’ use of personal information and habits, alarms are being raised over governments’ use of personal information, whether here or abroad.
More than 20 Internet companies, including Google, Facebook and eBay, are suing the French government over its plans to keep Web users’ personal data for a year.
The suit was brought by The French Association of Internet Community Services (ASIC) and will be heard by France's highest judicial body, the State Council, according to the BBC.
The law requires Internet businesses, including e-commerce sites, video and music services, and e-mail providers, to keep information on users’ names, addresses, telephone numbers and passwords. Companies will be required to turn over the personal data to government entities, including the police, fraud office, customs, tax and social security agencies, if asked.
ASIC wants the law overturned.
In the United States, a recent research paper calls attention to the lack of accountability for police who are increasingly requesting information from Internet service providers and social media operators.
In the paper, “The Law Enforcement Surveillance Reporting Gap,” Christopher Soghoian, a doctoral candidate at Indiana University’s School of Informatics and Computing, writes that there are “likely hundreds of thousands of such requests per year.” However, there are no hard statistics on how many because police aren’t required to report them, as they are for old-school surveillance techniques, such as wiretaps.
Police are required to report requests to intercept e-mail or instant messages in real time, but not requests for records, according to Soghoian’s paper, which was reported in Computerworld. Companies such as AOL and Facebook frequently get records requests from police.
All this is happening against a backdrop of recent cases in which Internet companies were punished for collecting personal information.
The French Data Protection Authority, CNIL, fined Google $141,941, one of its largest fines ever, for accidentally collecting personal data while setting up its Street View service.
In the United States, Google agreed to bi-annual privacy audits for 20 years in its settlement with the Federal Trade Commission for violating consumer privacy with its Buzz social network.
Kathleen Hickey contributed to this report.