JURIST Guest Columnist Maxwell Slackman, George Mason University School of Law Class of 2014 discusses US Internet privacy standards, the economic ramifications of national security leaks and why the US should compete for foreign Internet consumers...
dward Snowden's recent leaks
exposing the National Security Agency's (NSA) PRISM program have prompted a national civil rights debate over the Fourth Amendment
and its modern application. The American Civil Liberties Union (ACLU), Electronic Privacy Information Center (EPIC), and Senator Rand Paul (R-KY) attempt to sue
the government while President Barack Obama and Speaker of the House John Boehner (R-OH) advance the constitutional theory that security must be balanced with privacy. Though the constitutional debate takes center stage, there are also important economic ramifications that could stifle the US Internet economy. Lax privacy protections and mistrust of the US government's surveillance programs incentivize foreign Internet consumers, who make up the majority of demand, to abandon US Internet companies. The government can implement privacy legislation, private self-regulation, and minor changes to its surveillance programs in order to restore trust without damaging national security.
US Internet companies have long competed for consumer trust. Google's official motto, Don't Be Evil, helped convince consumers that the search engine's ranking system was accurate and unbiased. Mozilla and Google have already begun privacy-centered campaigns to distance themselves from the surveillance programs and their corresponding Foreign Intelligence Surveillance Court (FISC) orders. However, trust campaigns that are not enforceable through national privacy laws may not curb mistrust created by the NSA leaks.
EU-based Internet companies may capture the consumers of US companies due to heavier privacy statutes and isolation from FISC authority. On June 21, 2013, Massachusetts Institute of Technology's Alan Davidson stated that consumers prefer services that they trust. He believed that the current lack of FISC transparency and oversight may embolden foreign companies to compete for US consumers. Foreign consumers comprise the majority of demand for US Internet company services, with Google serving more than 1.1 billion unique, foreign visitors per year. Foreign consumer may shift to companies and countries capable of protecting their privacy, fundamentally changing the global Internet economy at the expense of US companies. Cloud computing firms are already facing financial fallout due to the recent rise in foreign mistrust. Additionally, consumers are switching from large US search engines to smaller, privacy-oriented companies.
EU Law Encourages Consumer Trust
Why do European-based companies pose a threat to a traditionally US-dominated industry? European law views privacy as a fundamental right of its citizens. The EU's Data Protection Directive (Directive), updated in 2009 with the ePrivacy Directive, sets out a series of mandates designed to protect European Internet consumers from data mining and profiling.
Companies that store or analyze personal data in an EU member state may only collect the data if, among other criteria, the data is collected for a pre-defined, specific purpose and if it is kept only as long as necessary. Data may only be processed if the company secures consumer consent or if it meets a pre-defined exception.
The regulation also prohibits the processing or storage of sensitive personal information, including data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade-union membership, health and sexual orientation. With some exceptions, data collectors must notify consumers of the specific information being collected, its intended use, and the identity of the collecting entity.
Under EU law, Internet consumers have the right to access collected data, object to its uses, and even erase or block data collection. The Directive does allow Member States to restrict these rights for national security purposes. However, limits on data storage periods and the Member States' perceived self-restraint [PDF] placate consumer fears.
Current US Privacy Laws are Inadequate
The US has no such privacy law, nor does it incentivize the creation of corporate best practices that would limit collection and profiling of consumer data. The US instead relies on a "patchwork" of statutes that do not fully protect Internet users.
The Stored Communications Act (SCA) protects stored files and subscriber information held by service providers from immediate access by the government. The SCA originally mandated that law enforcement secure subpoenas, special court orders, and warrants depending on the sensitivity of the data it sought. However, the PATRIOT Act [PDF] and Foreign Intelligence Surveillance Act (FISA) amendments eased restrictions on law enforcement access to stored communications, thus allowing for the NSA's current surveillance programs.
The US' second best-known act, the Children's Online Privacy Protection Act (COPPA), requires that websites that knowingly collect personal information from children under thirteen years old obtain verifiable parental consent and allow parents to view and delete to collected information. While COPPA is enforceable by states and several federal agencies, the Federal Trade Commission (FTC) generally enforces COPPA though Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices. However, the FTC's case history focuses on security breaches rather than privacy breaches. The FTC may be wary of enforcing numerous COPPA breaches due to the high resource costs and low marginal benefits of COPPA cases and a corresponding chilling effect on child-focused website entrepreneurship. This has resulted in heavy criticism of COPPA as an ineffective privacy protection.
Although Section 5 grants the FTC broad authority over online data protection, the FTC encourages self-regulation [PDF] in lieu of formal rulemaking. Further, the FTC's general authority only extends [PDF] to companies that make assertions of privacy protection. The FTC did publish a new privacy framework [PDF] in 2010, focusing on [PDF] privacy by design, transparency, and consumer choice. However, this framework is only enforceable when a company voluntarily adopts it. This framework does not protect Internet consumers from US surveillance.
Potential US Legislation
While the government does not have broad reaching privacy statutes on the book, multiple bills have been introduced in response to the NSA leaks.
Senator Mark Udall (D-CO) and Senator Ron Wyden (D-OR) have proposed a bill that would require a demonstrated link to terrorism or espionage before allowing collection of American data. While the legislation has growing bipartisan support, it does not contemplate foreign data and would thus do little to reassure foreign Internet consumers.
Senator Jeff Merkley (D-OR) and Senator Mike Lee (R-UT) proposed a bill that would declassify FISC opinions and also enjoys bipartisan support. This would allow "Americans to know how broad of a legal authority the government is claiming to spy on Americans under the PATRIOT Act and Foreign Intelligence Surveillance Act."
Senator Bernie Sanders (D-VT) proposed the Restore Our Privacy Act. According to Senator Sanders' statements, the bill would require reasonable suspicion to justify searches, "to put an end to open-ended court orders." The bill would expand oversight by requiring the US Attorney General to report to all members of congress.
Senator Patrick Leahy's (D-VT) FISA Accountability and Privacy Protection Act of 2013 would require that the government show relevance to an authorized investigation and link the targeted individual to a foreign power. The act would also accelerate the FISA Amendment Act's sunset date from 2017 to 2015, "to ensure timely re-examination of how these authorities are being utilized." Finally, the Act would broaden oversight by mandating the review of privacy and civil rights concerns created by the FISA Amendments Act.
While all of these bills would create safeguards to protect US Internet users, only Leahy's bill proposes to review the PATRIOT and FISA Acts in a manner that could ease foreign Internet consumers' fears. The administration should consider supporting any of these bills if their enactment would increase consumer trust while not overly hindering constitutional surveillance.
Other Government Actions that may Satisfy Foreign Consumers
The Obama Administration can also reassure foreign consumers by broadening FISC oversight without legislation. The ACLU criticizes FISC's limited oversight of the orders it grants and demands that FISC opinions Fourth Amendment protections be declassified.
While the Obama administration could declassify these opinions, the opinions' interweaving of sensitive facts and constitutional analysis makes this difficult. Instead, the administration should consider adding adversarial mechanisms within the FISC process, expanding the congressional oversight committee, create white papers describing the constitutional analyses of past FISC orders, and mandating that future FISC opinions be written with declassification in mind. At a recent hearing, Judge James Robertson, a former FISC judge, also suggested [video] that the Privacy and Civil Liberties Oversight Board take a more direct position overseeing the FISC process.
Outside of direct changes to the NSA programs, the Obama Administration may be able to assuage consumer fears by creating a joint stakeholder process aimed at strengthening US company data and privacy practices. A self-regulatory framework, enforced by the FTC, can mimic the protections created by the EU's Directive by designating best practices and rules for collection, use, storage, and sharing of personal information.
The National Telecommunications and Information Agency (NTIA), an executive agency that informs the White House on Internet policy issues, has experience promoting privacy-related self-regulation through its joint stakeholder initiatives. Unlike legislation, self-regulation is designed by the companies themselves and should be accompanied by federal enforcement in order to ensure consumers that the framework is followed. Such a framework could be adopted by companies and enforced by the FTC via its Section 5 enforcement powers, in exchange for safe harbors from potential data breaches and suits.
Due to the recent NSA leaks, foreign Internet consumers, a large user base with little allegiance to US companies, may move to companies whose countries implement competitive privacy regulations. The US may lose its dominant position in one of the largest world markets if it is unwilling to meet the privacy statutes and standards of its competitors. But the US need not hobble national security through its efforts to regain trust. The expansion of FISC oversight, institution of privacy laws, and self regulation of private entities can meet the government's critics half-way, ensuring that the NSA programs continue without losing our market dominance.
Maxwell Slackman is a senior notes editor for the Journal of Law, Economics & Policy at George Mason University School of Law. His experience includes positions at the National Telecommunications and Information Administration, the Federal Communications Commission, and Telecommunications and Media Law Association.
Suggested citation: Maxwell Slackman, Regaining Trust: How and Why American Should Compete for Foreign Internet Consumers , JURIST - Dateline, July 18, 2013, http://jurist.org/dateline/2013/07/maxwell-slackman-internet-consumers.php.
This article was prepared for publication by Endia Vereen, an assistant editor for JURIST's student commentary service. Please direct any questions or comments to her at firstname.lastname@example.org