Congress, make privacy the rule — not the exception

Privacy scandals are running amok, millions of cybersecurity jobs remain unfilled, and almost every American adult's personal information is in the hands of criminal hackers. This isn't hyperbole, nor is it the work of dark science fiction — it’s reality. However, with an abundance of fresh eyes and minds, the 116th Congress has the potential to make significant headway to ensure our data is protected by prioritizing three key actions in 2019:

Developing comprehensive privacy legislation

The lack of a comprehensive federal privacy law is not just a threat to each one of us as individuals, it is a threat to our democracy.

Apps and social media networks collect intimate details about their users — far more than people realize — and they're sharing this data with third parties. This type of questionable data-sharing is not merely used for advertising or to select the news we see. It has been used by foreign actors to manipulate public opinion and influence the outcome of the past two elections.

Many companies argue that they secure user consent, but our research shows that hardly anybody reads the privacy policies they presumably agree to. And it's not the users' fault. We asked legal experts to comb through privacy policies, and even they had trouble deciphering what was being said. The reality is that most users who give "informed consent" do not know what they have agreed to. 

This data collection and sharing is in great part facilitated by the default “opt-out” approach to privacy. In other words, with a few exceptions in some specific areas (e.g., data about children), companies are allowed to collect our data and share it as they please unless users explicitly opt out of these practices. Our research further shows that many organizations fail to even offer “opt-out” choices to users — even when they do, “opt-outs” are hard to find, hard to understand and hard to use. In short: Right now, privacy is the exception rather than the rule.

Individual states are taking their own approach to protecting consumer data. For example, a new law introduced in California will give residents new rights over their data, such as the right to tell companies not to sell their data or to delete it completely. This is an important step in the right direction, but it still leaves most Americans unprotected and forces companies to deal with a patchwork of laws. It is time for the U.S. to pass a federal law that provides effective protection for all Americans, similar in nature to the General Data Protection Regulation (GDPR) implemented in the European Union last year. 

Enacting steeper penalties for companies with data breaches

Security is an arms race, and regulation needs to keep up.

Data breaches have been on the rise for decades — the 2018 breach at Marriott International, which was reported to potentially affect up to 500 million customers, is only the latest. At best, users whose data has been compromised are alerted by the company in a timely manner and are given suggestions on safeguards to protect themselves from identity fraud. At worst, users are alerted years later, or never at all. This is the status quo.

Companies are not economically incentivized to pay for security until it's too late. It's akin to putting locks on doors only after criminals have run away with the loot. There needs to be more meaningful accountability and incentives for companies to be more proactive in securing their customers’ data.

Increasing investment in security and privacy training and education

Security and privacy threats outpace our ability to foster new experts in the field. Estimates on currently unfilled jobs in this area — the so-called cybersecurity "talent gap" — are in the millions. 

For starters, general security and privacy skills need to be built into school curricula around the country. One reason we lack security and privacy talent is that most people do not know it's a viable career path until college, after most students have already chosen a major. Even when students reach the college level, options are lacking. A recent study found that only 40 percent of computer science programs offered a single computer security course.

However, some efforts are already in place, inside and outside the classroom. For example, the National Integrated Cyber Education Research Center provides K-12 cybersecurity curricula for teachers across the country at no cost, and many institutions offer free, online cybersecurity games that introduce middle and high school students to the field. Despite these existing resources, the talent gap hasn't shrunk and threats to our cybersecurity and privacy continue to expand. Federal investment in this area can help to reverse this trend.

Ultimately, the 116th Congress needs to do more to protect Americans from today’s very real cybersecurity threats. By developing privacy legislation, enacting steeper penalties for companies that put Americans’ information at risk, and investing in cybersecurity education for the next generation, this Congress can be the first to truly make Americans' data security and privacy a priority.

Lorrie Cranor is the director of CyLab Security and Privacy Institute at Carnegie Mellon University.

Norman Sadeh is co-director of the Privacy Engineering program at Carnegie Mellon University.