The Location Privacy Protection Act should have been an easy bill to pass.
First introduced by Senator Al Franken in 2011, the bill prohibited companies from collecting or disclosing location information from a device without a user’s consent. It sought to undermine so-called “stalking apps” such as SPYERA and FlexiSpy, which allowed users to install software on someone’s phone without their knowledge and track their location. In testimony, Sen. Franken shared an example of how this software had been used against victims of domestic abuse:
“This victim had decided to get help, and so she went to a domestic violence program located in a county building. She got to the building, and within five minutes, she got a text from her abuser asking her why she was in the county building. The woman was terrified, and so an advocate took her to the courthouse to get a restraining order. As soon as she filed for the order, she got a second text from her abuser asking her why she was at the courthouse and whether she was getting a restraining order against him. They later figured out that she was being tracked through a stalking app installed in her phone.”
The tech industry saw the bill in a different light. Industry groups expressed concerns about the impact on the development of location-based services, given the bill also required companies to get customer consent before sharing location information with third parties. They advocated for self-regulation. 54 organizations lobbied on the bill, including Google, Facebook, Microsoft, eBay and wireless communications industry group CTIA.
The Location Privacy Protection Act isn’t unique when it comes to opposition from the tech industry. The United States has taken a light-touch approach to regulating data privacy, largely due to the concern of stifling innovation. That hesitation seems to have only grown as the tech industry in the US became one of the country’s biggest economic exports: Five of the most valuable companies in the world include Apple, Alphabet, Microsoft, Amazon and Facebook.
In the meantime, over 90 consumer privacy bills have been introduced to Congress over the past decade, but there hasn’t been a major data privacy law passed at the federal level since 2009.
When Cambridge Analytica came to light, the conversation around privacy and data protection changed dramatically. Public trust in Facebook plummeted, while lawmakers and even CEO Mark Zuckerberg publicly recognized the growing need for regulation. At the same time, the European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25, and its regulatory repercussions will soon hit US shores. The omnibus bill governs the use of all EU citizens’ data, even if the company using the data is outside the EU. Some have speculated that Facebook would have been heavily fined for Cambridge Analytica’s misuse of data under GDPR’s comprehensive rules.
As the fallout from Cambridge Analytica continues and Europe makes a major legislative step forward with the GDPR, there is the need for deeper conversation around data privacy in the US. Why has the US stagnated on data privacy laws since 2009?
There are a number of reasons, ranging from the US value of private enterprise and its historical approach to data privacy laws to the meteoric growth of the tech sector. But there’s one factor that could stall legislation beyond the current crisis: The tech industry’s massive lobbying power.
Tech industry lobbying has ballooned over the last decade. Apple, Amazon, Google and Facebook spent nearly $50 million on lobbying efforts combined in 2017, according to data from the nonpartisan nonprofit MapLight Foundation. It’s the most that any of those companies have spent on lobbying in a single year, and over six times what they spent combined in 2009. The increase comes at a time when promising new technologies, including artificial intelligence, automated cars and machine learning, are developing faster than ever. Slowing down that innovation could have serious consequences for their bottom line.
“All those companies, their livelihood and future depend tremendously on what the US government and other governments do in terms of tax policy, trade policy, labor policy, consumer rights policy and privacy,” said Robert McChesney, professor of communication at University of Illinois at Urbana-Champaign and author of the book Digital Disconnect: How Capitalism is Turning the Internet Against Democracy. “These are all government laws and policies that will determine whether a company is exceptionally profitable or whether it doesn’t exist.”
Many industries spend significantly to fight for friendly policy. But the tech industry’s appeal to both sides of the aisle and its financial ability to fund a defense against any bill of its choosing paint an uncertain picture of data privacy laws in the US moving forward.
When the US and Europe diverged
The US hasn’t always lagged on privacy regulation. The US actually created the framework that underpins privacy regulations around the world today. In the early 1970s, a Senate advisory committee created a code for automated personal data systems called the Fair Information Practices (FIPs), a set of principles for business and government entities that collect, use and disclose personal information. This laid the groundwork for the US’ first comprehensive data privacy law, the 1974 Privacy Act, which governs the use of personal data stored on federal government databases. The FIPs also inspired the OECD’s data privacy protection guidelines established in 1980 as well as the European Data Protection Directive in 1995, the precursor to GDPR.
However, given the FIPs were a set of principles and not legislation, the way data privacy laws developed was largely dependent on the values of different societies. In Europe, where data privacy and protection is considered a fundamental right in part due to the chilling way the Nazis used databases to track and target Jews and other minority groups during World War II, more comprehensive and consumer-oriented legislation was successful. In the US, by contrast, where a high value is placed on free enterprise and individual freedoms, a sectoral approach that attempted to balance the benefits of commercial activity against the protection of individual privacy developed instead.
“The United States is a very free-market pro-capitalist society, that has really impacted how we think about privacy,” said Joe Jerome, policy counsel for data and privacy at the Center for Democracy and Technology.
The sectoral model governs through a combination of legislation, regulation and self-regulation, only passing laws for specific industries: Health data is protected by HIPAA, for example, while data of children under 13 is protected under COPPA. This has resulted in a patchwork quilt of laws at the federal and state level, without baseline legislation that applies to all data. This approach allows for finely tailored laws with different levels of protection depending on the sensitivity of data, said Ellen Goodman, a professor of law at Rutgers University and cofounder of the Rutgers Institute for Information Policy and Law. But as big data increasingly blurs the lines between sectors, this approach is getting pushback.
“Inconsistent regimes create a lot of loopholes between laws,” Goodman said. “Another con is that there are large swaths of data that aren’t covered by anything.”
Corporate lobbying booms—and tech companies take notice
While data privacy laws were developing around the world, the power of corporate lobbying in the US was beginning to take hold. Businesses first began expanding their lobbying efforts in the 1970s in response to heavy regulation in the 1960s. The culture continued to flourish and build upon itself even when the political environment favored small government, as corporations became more confident in their ability to affect outcomes, according to research by Lee Drutman, senior fellow in the political reform program at New America. This culture continues today: $3.37 billion was spent on lobbying in 2017.
At first, tech companies weren’t a part of this growing movement. The early days of the internet were driven by a “technolibertarian” philosophy that eschewed government interference and trumpeted the innovations of private business. However, in the early 2000s Microsoft was sued by the Justice Department over antitrust issues, leading to a lengthy legal battle that eventually resulted in the company having to make Windows interoperable with competitors. Tech companies began to acknowledge that the law may pose a challenge to their ambition.
Since then, the lobbying spend of tech companies has grown dramatically. Companies spread their money across think tanks to influence the policy debate and campaign funds to curry favor. Several Silicon Valley executives and high-level officials in President Barack Obama’s administration bounced back and forth between positions at tech companies and the government.
“I think the tech sector, particularly Google, had an outsized influence on policy in that administration,” said Gigi Sohn, a distinguished fellow at the Georgetown Law Institute for Technology Law and Policy and former counselor to FCC Chairman Tom Wheeler.
Tech companies’ rapid economic growth and unique politics—that are strongly anti-regulation and socially liberal—had bipartisan appeal. “Both [parties] have been falling over each other to identify as the party of this burgeoning digital economy,” McChesney said.
A lack of expertise cracks the door open to lobbying
However, few lawmakers have a background in technology, and the Office of Technology Assessment, which provided bipartisan expertise on issues in science and technology, was cut in 1995 and never re-established.
“[Lawmakers] rely on industry to give them their ‘facts,’” said Sohn. “When you don't give government the resources they need to educate themselves on these issues, they have no one to rely on but industry and underfunded public interest advocates.”
This lack of expertise made it easy for tech companies to use their lobbying power to change the conversation as pro-privacy bills gathered momentum. After President Donald Trump in 2017 repealed broadband privacy rules enacted under President Obama, lawmakers introduced similar legislation at the state level around the country. One of the most closely watched was California’s Assembly Bill 375, which required Internet Service Providers (ISPs) such as Comcast and AT&T to ask for California residents’ consent before sharing their information with a third party, among other data protection demands.
Ernesto Falcon, a legislative counsel with the Electronic Frontier Foundation who supported the bill, was optimistic about its passage when it was first introduced due to public support of the issue. It was voted through three committees and introduced on the Senate floor. Then Google and Facebook joined the opposition fight.
Suddenly lawmakers were flooded with suggestions that the bill had unclear definitions, would result in constant consent pop-ups and could prevent ISPs from sharing information about potential violent threats, arguments that Falcon calls “illegitimate.” He said he reached out to the tech companies asking what they specifically wanted to see changed but received no response.
“Because it was Silicon Valley making these arguments along with telecom companies, it started to sound more confusing,” he said. “Many of these folks weren’t sure what this bill did by the time it actually came to the vote.”
The majority of lawmakers chose not to vote on the bill and it died in the last session, which Falcon believes was the tech companies’ goal. “They know their position against privacy is unpopular,” Falcon said. “They’d rather never have opportunities to be brought to light where politicians have to make the choice: Are you for or against privacy?”
Tech’s lobbying power could still shape politics post-Cambridge Analytica
The tech industry has met its limits elsewhere. Despite strong lobbying efforts in Brussels, the tech industry wasn’t able to deter the passage of GDPR.
“The European Commission and legislators have probably been immune toward the lobbying of those big tech companies because if they had really impacted the legislation, then [GDPR] wouldn’t have been so strict,” said Maja Brkan, an assistant professor in EU law at Maastricht University, who focuses on data protection and privacy.
The GDPR will set a new standard for data protection, and many countries, including Japan, Argentina, New Zealand and Israel, are pushing similar legislation so as not to lose out on the cross-border free flow of data. This could put further pressure on the US to break the data privacy law drought.
The road ahead for US privacy law isn’t clear cut.
Some believe the lobbying power of tech companies in the US would derail an attempt at an omnibus bill. Alvaro Bedoya, founder of Georgetown Law’s Center on Privacy and Technology, pointed out in a New York Times op-ed that President Obama’s attempt at a cross-sectoral bill was gutted after the tech industry weighed in. “If the United States tries to pass broad rules for personal data, that effort may well be co-opted by Silicon Valley, and we’ll miss our best shot at meaningful privacy protections,” he wrote.
Not to mention, research has shown that privacy regulations could actually increase the power of incumbents, because they could be more easily absorbed by a larger company. This is both in terms of the cost of cookie management software and the customer’s comfort level in explicitly consenting to share data with multiple companies.
But public outcry over the issue is prompting lawmakers to act. In April, Senators Amy Klobuchar and John Kennedy introduced the Social Media Privacy Protection and Consumer Rights Act of 2018. The Act covers a host of privacy updates, such as requiring websites to inform users of their data collection practices, provide users control over privacy settings and alert users within 72 hours if their data has been compromised.
In the meantime, tech companies’ lobbying efforts haven’t abated. While Zuckerberg publicly conceded the need for regulation, Facebook was spending money to undermine a California privacy ballot measure and an Illinois biometric privacy bill (though the company later pulled out of lobbying efforts after media coverage).
As for the stalking apps?
The Location Privacy Protection Act was re-introduced in 2014, but met similar industry concerns. The legislation never left the Senate floor, and Sen. Franken resigned over sexual misconduct allegations in 2017.
Stalkerware, in the meantime, continues to thrive: A recent study found that apps used and marketed for intimate partner surveillance are still rampant. FlexiSpy’s iPhone monitoring package starts at just $68 per month, and a year of smartphone, tablet and laptop monitoring from SPYERA costs just $489.