NCL praises AG Barr for crackdown on COVID-19 scammers

March 25, 2020

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC–The National Consumers League (NCL) is applauding efforts by the Department of Justice and U.S. Attorney General William Barr to crack down on a wave of scammers and hackers trying to capitalize on the COVID-19 outbreak by ordering U.S. attorneys’ offices across the country to investigate and prosecute “all criminal conduct related to the current pandemic.” NCL greatly supports the move to make this a priority.

NCL operates a fraud prevention and education program, Fraud.org, working with law enforcement agencies in the U.S. and Canada to track trends in fraudulent activity. NCL also runs the Alliance Against Fraud, a coalition of nonprofits, government, and businesses dedicated to fraud awareness, prevention, and supporting criminal prosecution of fraudulent business practices. The League also works to advocate for science- and evidence-based claims about healthcare, foods, and dietary supplements.

As Barr noted earlier this week, “[i]n particular, there have been reports of individuals and businesses selling fake cures for COVID-19 online and engaging in other forms of fraud, reports of phishing emails from entities posing as the World Health Organization or the Centers for Disease Control and Prevention.”

“AG Barr is right; we’re seeing an upsurge in phishing emails purporting to be from public health organizations offering information on the coronavirus outbreak,” said NCL Executive Director Sally Greenberg. “During this time of vulnerability and uncertainty, consumers shouldn’t be left to fend for themselves in determining whether the claims they are seeing are true. We are pleased that the Trump Administration is taking the risks of scammers capitalizing on this global crisis seriously.”

In his letter, the Attorney General also pointed to recent reports about “malware being inserted onto mobile apps designed to track the spread of the virus.” Last week, an Android app called “COVID-19 Tracker App” surfaced. It’s actually a piece of ransomware designed to lock down access to a consumer’s phone.

“NCL continues to work to fight fraud, protect consumers, and collaborate with law enforcement to track and prosecute those who prey upon our citizens,” said NCL Vice President of Public Policy, Telecommunications and Fraud John Breyault. “Now more than ever, consumers need allies and watchdogs on their side to help protect them from predatory opportunists.”

—————–

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneering consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Imposter scams drive big increases in phishing and spoofing complaints in annual top ten scam report

February 27, 2020

At the start of National Consumer Protection Week 2020 (March 1-7), watchdog group issues warning about most common scams plaguing Americans 

Washington, DC—Consumers on the receiving end of scary calls and emails claiming that the government is coming after them drove a big increase in phishing and spoofing complaints to the National Consumers League’s Fraud.org campaign in 2019, according to the organization’s annual Top Ten Scams report issued today. With National Consumer Protection Week 2020 kicking off this weekend and being observed next week (March 1-7), the national consumer watchdog org is cautioning consumers against imposter frauds and the other most common scams that plagued Americans in 2019. 

In 2019, consumers submitted 5,647 complaints to Fraud.org. Fifty-three percent of complaints reported a monetary loss; the median loss reported was $749. 

In 2019, the percentage of complaints Fraud.org received about scams involving phishing or spoofing nearly tripled versus the previous year. NCL attributes the increase to the high number of imposter scam calls that consumers reported receiving. Scammers reportedly impersonated government agencies such as the IRS, FBI, and USCIS, and some of these criminals even claimed to be representatives of the National Consumers League.  

“Scammers know all too well that impersonating a government agency and threatening consumers is one of the best ways to get victims to pay up, and they depend on authentic-looking emails or spoofing Caller ID to get victims to pay attention to their threats,” said John Breyault, NCL Vice President of Public Policy, Telecommunications, and Fraud and the new report’s author. “The best advice for consumers is to remember that a government agency will never reach out to you via email or telephone to demand money, so hang up or delete. If you’re worried about back-taxes, your immigration status, or a debt you may owe, look up the phone number for the bank or government agency yourself and call to check. Don’t take the word of someone on the phone making threats.” 

Top Ten Scams of 2019

  1. Internet: Gen Merchandise
  2. Fake Check Scams
  3. Advance Fee Loans, Credit Arrangers
  4. Phishing/Spoofing
  5. Friendship & Sweetheart Swindles
  6. Prizes/Sweepstakes/Free Gifts
  7. Investment Related
  8. Computers: Equipment/Software
  9. Employ Agency/Job Counsel/Overseas Work
  10. Internet: Info/Adult Services

Other topline findings from the report include: 

Romance scams and friendship swindles on the rise in 2019. 

The percentage of complaints involving romance scams increased by nearly 50 percent versus 2018. This is especially worrisome considering that romance scams tend to be among the most expensive type of fraud for victims. 

Web remains most common place scammers are finding victims. 

While the telephone was the method of first contact used by scammers in nearly a third of complaints to Fraud.org in 2019, the Internet remains the most likely place for complainants to have encountered a scammer. Almost 45 percent of complaints to Fraud.org in 2019 said that they first encountered a scammer on the Web. 

Wire transfer no longer scammers’ top choice of payment method. 

After many years of wire transfer being the payment method of choice by scammers, credit cards bumped wire transfers as the most frequently-reported method of payment in 2019. More than 44 percent of complainants to Fraud.org reported that their loss occurred because a scammer charged their credit card. 

Read the full 2019 Top Scams report from NCL.

###


New National Consumers League podcast We Can Do This! explores current, historic socioeconomic reform in America

January 16, 2020

Washington, DC—The National Consumers League (NCL), the nation’s pioneering worker and consumer advocacy organization, has launched a podcast called We Can Do This!, produced by District Productive and hosted by NCL Executive Director Sally Greenberg and other members of NCL policy staff. 

In We Can Do This!, NCL and justice-minded, expert guests explore current socioeconomic issues at the heart of American political and cultural battles before a backdrop of the historic and ongoing advocacy and activism that help pave the way for meaningful policy reform. 

We Can Do This! episodes span the breadth of NCL’s wide mission and issues, including healthcare, data and privacy, food and nutrition, labor, finance, and other topics.

A first batch of episodes featuring individuals who are helping to shape the nation’s social and economic reforms has been released:

E1-2: Crashing through the glass ceiling with two dynamos of women’s rights law—parts 1-2 

With Judith Lichtman, president emeritus and senior advisor of the National Partnership for Women and Families and Marcia Greenberger, founder and co-president of the National Women’s Law Center 

E3: Ending the scourge of child labor 

With Kailash Satyarthi, anti-child labor crusader and Nobel Laureate 

E4: Measles, it ain’t over until it’s over 

With Dr. Linda Fu, general pediatrician at Children’s National Health System 

E5: Sorry, fair pay and a safe workplace aren’t on the menu 

With Diana Ramirez, federal senior policy advocate at Restaurant Opportunities Center (ROC United) 

These five episodes are available now on Apple Podcasts and Google Podcasts, and the remainder of the 11-episode series will be released in early 2020. 

###

NCL applauds House passage of safety bills

December 17, 2019

Washington, DC–The National Consumers League applauds the passage by the House of Representatives of three bills to protect consumers, all of which came from the Energy and Commerce Committee.

“We are grateful for the leadership of Chairman Pallone and Subcommittee Chair Schakowsky in getting these bills through the Committee and to the House floor for passage,” said NCL Executive Director Sally Greenberg. “The House is taking an important in protecting Americans—especially our children—from dangerous products and protecting consumers from overseas scams.  Children are the most vulnerable consumers, and they need our advocacy. Products that prove dangerous to their health and wellbeing – like inclined sleepers and crib bumpers – should no longer be on the market, and we hope the Senate takes up these bills immediately. Thanks once again to the bipartisan efforts through the Commerce Committee and full House leadership for these important consumer protection measures.”

The House passed the following bills:

H.R. 4779, a bill to extend the Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers Beyond Borders Act of 2006, reauthorizes the U.S. SAFE WEB Act, which improved the Federal Trade Commission’s (FTC) ability to combat unfair or deceptive acts or practices that are international in scope, through Fiscal Year 2027 and requires the FTC to issue a report to Congress describing the Commission’s use of and experience with the authority granted by the Act. 

H.R. 2647, the “Safer Occupancy Furniture Flammability Act” or “SOFFA,” adopts the California upholstered furniture flammability standard as a national flammability standard for upholstered furniture to limit exposure to toxic flame retardant chemicals. 

H.R. 3172, the “Safe Sleep for Babies Act of 2019,” designates inclined sleepers for infants as banned hazardous products under the Consumer Product Safety Act. The bill was amended to include the text of H.R. 3170, the “Safe Cribs Act of 2019,” which also designates crib bumpers as banned hazardous products.

###

NCL announces new action center to help patients steer clear of deadly counterfeit drug websites

December 5, 2019

Washington, DC—The National Consumers League (NCL), America’s pioneering consumer advocacy organization, today launched Fraud.org/FakeRx, a new digital consumer education campaign to address the growing global crisis of harmful counterfeit medications. The World Health Organization estimates that one in every 10 medical products circulating in developed countries is either substandard or fake, and nearly $83 billion in counterfeit drugs are sold annually. Counterfeit drugs can be, at best, a waste of money and, at worst, fatal.  The Partnership for Safe Medicines has found counterfeit pills made with fentanyl in 48 states, with deaths attributed in 33.

“Counterfeit drugs are everywhere, and they are dangerous. Going to the Internet to buy medicines is a bad idea if you don’t know how to protect yourself from illegal pharmacies selling counterfeit drugs. Consumers do not realize how common counterfeits are; our campaign aims to provide the tools and resources to help consumers steer clear of illegal products and protect themselves and their families,” said NCL Executive Director Sally Greenberg. “NCL is launching Fraud.org/FakeRx to serve as a hub for reliable information for consumers and law enforcement.  Our action center helps consumers learn how to spot the red flags of counterfeit drugs and report issues to law enforcement.”

With the growth of Internet sales of medications, the problem of illegal pharmacies hawking counterfeit drugs is a growing risk to consumers. Visitors to Fraud.org/FakeRx can arm themselves with information to:

  • Reduce the chances they’ll encounter counterfeit drugs and shop safely for medications online;
  • Learn to spot harmful counterfeit drugs if they do; and
  • Report counterfeit drugs and the websites offering them to the authorities fighting the problem.

“Criminals posing as legitimate online pharmacies are a serious threat to our nation’s drug supply and to unsuspecting consumers who purchase contaminated or potentially deadly counterfeit medications,” said George Karavetsos, former director of the U.S. Food and Drug Administration’s Office of Criminal Investigations. “Policymakers, regulators, and manufacturers have clear roles for doing their part to protect our drug supply, but having informed consumers is essential to shutting down this illegal online market. This campaign gives consumers the tools they need to stay safe and keep criminals from lining their pockets with consumers’ money.”

NCL has worked with victims of suspected and confirmed counterfeit drugs to capture their experiences and report them to authorities. Two mothers who each lost their adult children to tainted counterfeit medications have lent their stories to the new campaign in hopes of helping others avoid the same fate.

“I lost my son, Jerome, himself a loving big brother and father of three beautiful children, to a counterfeit drug laced with fentanyl. It took one single pill to take Jerome away from us,” said Natasha Butler, whose son was one of a wave of victims of counterfeit drug deaths in Sacramento in 2016. “We had no idea that these dangerous drugs, manufactured to look exactly like the real thing, are out there and could be the last drug someone ever takes. Anyone who takes medication or fills prescriptions needs to be aware of the risks of counterfeits, and that where you get drugs is so crucial for your safety and health. Everyone should visit Fraud.org/FakeRx to learn about the risks and how to avoid being the next victim.”

 “On June 11, 2018 my phone rang at 7:24 am. The voice on the other line told me that my beautiful daughter, Ashley, was dead. Ashley had been given a counterfeit pill laced with fentanyl. I was told by the coroner that she probably died instantly,” said Andrea Thomas, a Colorado mother who, since her daughter’s death from a counterfeit drug, co-founded Voices for Awareness Foundation. “The deadly pill Ashley took looked just like her normal medication. This is an epidemic in our country that I previously knew nothing about. It is time to take action. The National Consumers League’s new resources for consumers will help spread awareness and will make a difference to many.”

To hear from additional victims who know the issue firsthand, visit the new Fraud.org/FakeRx. The site also includes tips for consumers about ways to save on prescription drugs without increasing their risks of purchasing counterfeits. 

NCL thanks its partners for providing support for the new campaign: Allergan, Celgene, Eli Lilly, Gilead Sciences, Pfizer, and PhRMA.

###

How consumers must respond to the security threat inside nearly every computer

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990s. The flaws—primarily found in Intel’s chips—create a vulnerability that can be exploited to give hackers unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past November. While software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reports. In addition, since the flaw is hardware-based, the “fix” is only good until the next exploit is discovered.

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity community. Since that time, public attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businesses, the impact on consumers has been somewhat overlooked.

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs—with scary names like Meltdown, Spectre, and Zombieload—pose to consumers, their data, and the performance of their computers.

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed.

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied. 

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in a heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data and the performance of their computers.

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

Consumer group urges District of Columbia to pass critical data security legislation

November 12, 2019

Washington, DC—Today, the National Consumers League, the Nation’s pioneering consumer and worker advocacy organization, testified before the Council of the District of Columbia in support of the Security Breach Protection Amendment Act of 2019.

The following is attributable to NCL’s Public Policy Manager Brian Young:

“This consumer protection bill will help stop breaches before they happen by requiring holders of personal data to take reasonable steps to secure and safeguard the data they have been entrusted with. When breaches happen, it is often because the business did not utilize current best practices to secure data, and yet, it is the consumer that bears the price for the business’ misstep. Consumers cannot and should not be expected to carry the load when it comes to protecting the data they share with businesses and other organizations. NCL believes that each councilmember has a unique opportunity to safeguard District residents’ data through this bill. NCL urges the Council of the District of Columbia to quickly pass and implement this critical consumer protection bill.”

Brian Young’s full testimony can be found here (PDF).

Video footage of Brian Young’s testimony is available here.

###

Computer chip defects force consumers to choose between speed and security

October is National Cybersecurity Awareness Month! Since the first observation of this month 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period of time, there has been an extensive amount of time and energy dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.

Protecting information privacy: challenges and opportunities in federal legislation

By NCL Google Public Policy Fellow Pollyanna Turner-Ward

On September 11, 2019, policymakers, industry stakeholders, and consumer advocates gathered at The Brookings Institution to discuss the pressing question of how to protect information privacy through federal legislation. Representing the National Consumers League was Executive Director Sally Greenberg.

How did we get here?

To set the scene, panelists first discussed why there is consensus on the need for federal legislation to address privacy and data security. The Snowden revelations showed consumers how much of their data is out there, and they began to question whether companies could be trusted to keep their data safe from the government. More recently, in light of the Cambridge Analytica scandal and increasing instances of identity theft and fraud resulting from data breaches, consumers have begun to question whether companies themselves can be trusted with their data.

Businesses are worried about lack of consumer trust interfering with their adoption of digital products and services. For instance, parental refusal to provide consent to the collection and use of data regarding their children’s academic performance prevents the personalization of their children’s learning experience. By providing individuals with greater privacy protections, businesses hope that individual participation in the digital economy will increase.

In response to consumer privacy concerns, a patchwork of state bills on privacy and data security is also popping up. Businesses claim to be overwhelmed by the idea of complying with these differing regulatory schemes, especially in light of the EU’s General Data Protection Regulation (GDPR), which has already moved many organizations to comply with privacy and data security rules. To support businesses and to regain U.S. privacy leadership, greater international operability is necessary.

What should federal legislation look like?

Each panelist set forth their idea of what federal legislation should aim to achieve. Intel drafted a privacy bill which includes various protections but which lacks a private right of action – that is, the ability to take wrongdoers to court if they violate privacy laws. If companies promise not to use your information in certain ways and then do it anyway, in violation of law, you should have the right to take them to court. NCL’s Sally Greenberg directed audience members towards the Public Interest Privacy Principles signed by thirty-four consumer advocacy and civil rights organizations. Advocating in favor of strong protections, strong enforcement, and preemption, and highlighting the importance of “baking data privacy into products and services”, she offered NCL’s vision of a strong, agile and adaptive national standard.

Panelists drew comparisons between this approach and that of the EU’s GDPR, but criticized the time-consuming and resource intensive nature of that legislation. They agreed that U.S. legislation should avoid being too prescriptive in the details. Rather than requiring documentation of policies, practices, and data flow maps, legislation should focus on high-level issues.

Breaking down these issues according to consensus and complexity, Cameron F. Kelly listed covered information, de-identification, data security, state enforcement, accountability, and FTC authority as solvable issues. Implementation issues, he said, include notice and transparency and individual rights (access, portability, right to object to processing, deletion, nondiscrimination). However, Mr. Kelly noted that disagreement clouds a number of complex issues. These relate to algorithmic transparency, algorithmic fairness, and data processing limitations (use restrictions). Until consensus is reached in these areas, disagreements about preemption and private right of action are unlikely to be resolvable.

Notice and Transparency 

While notice and transparency are important aspects of a comprehensive approach towards privacy and data security, it is difficult for consumers to process the volume of information contained in privacy policies. Consumers also often have little choice but to “agree” to services that are essential to everyday life. As such, legislators may wish to explore the extent to which a company may force an individual to waive their privacy rights as a condition of service. Consent should only have a limited role in relation to sensitive data uses, and companies should focus on designing user interfaces to enable meaningful consumer consent. Panelists criticized the California Consumer Protection Act (CCPA) for its lack of detail and for putting the burden on individuals to protect themselves. It was agreed that federal standards should move beyond notice-and-consent and put the burden back on businesses.

De-identification 

One panelist called de-identification the “secret sauce” to privacy. Preserving the utility of data while removing identification puts the focus on data processing harms. It is important to get de-identification right for valuable research purposes. However, de-identification is often not done well and confusion lurks around pseudonymization. This technique involves replacing personally identifiable information fields within a data record with artificial identifiers. As data remains identifiable using that technique, data security and privacy risks remain. Companies must be incentivized to effectively de-identify data, to not re-identify, and to contractually restrict downstream users from doing the same. To avoid conflating data security levels with pseudonymization levels, a universal and adaptable de-identification standard must be developed.

Data security 

Because data security is critical to privacy, panelists agreed that it is the foundation upon which privacy legislation should be built. Panelists warned against an overly prescriptive approach towards data security but suggested that the Federal Trade Commission (FTC) should offer more guidance. “Reasonable” data security depends upon the nature and scope of data collection and use. This affords organizations flexibility when adopting measures that make sense in terms of information sensitivity, context, and risk of harm.

However, determining data security standards according to the risk of privacy harm is difficult because “risk of privacy harm” is an unsettled and controversial concept. It was also debated whether “information sensitivity” should be used to determine the reasonableness of data security standards. Public Knowledge argued that all data should be protected in the same way because the distinction between sensitive and non-sensitive data is increasingly questionable. When data is aggregated and sophisticated technologies such as machine learning are applied, each and every data point can lead back to an identifiable person.

While use of off-the-shelf software should generally be considered reasonable, higher standards should apply to companies that are more aggressive in their data collection and use. Extending to third party processors and service providers, organizations must continually develop physical, technical, and legal safeguards. To ensure robust infrastructure to secure their data, they should run tests, conduct impact assessments, and put resources towards data mapping.

Data processing limitations

In sectors ranging from education to healthcare, the use of data undoubtedly has the potential to help us solve many societal problems. However, data use is pervasive, and new and unpredictably bad outcomes are also possible. Consumers want data to be used in ways that benefit them, for data not to be used in ways that harm them, and for their data to be protected. However, information collection and sharing is largely unbounded. If Congress wishes to move beyond a notice-and-consent model and put the burden back on organizations that handle data, then the boundaries of how data should be collected, retained, used, and shared must be confronted. Without limitations, the high value of data will continue to incentivize organizations to collect and retain data for the sake of it. These practices increase cybersecurity and privacy risks on unforeseen levels.

Calling out data brokers, Intel’s David Hoffman stated that databases containing lists of rape victims are simply “unacceptable.” However, transfer restrictions are likely to be one of the hardest areas to reach consensus on. Use restrictions, which relate to what organizations can and cannot do with data at a granular level, may be approached by creating presumptively allowed and presumptively prohibited lists. Use and sharing could be presumptively allowed for responsible advertising, legal process and compliance, data security and safety, authentication, product recalls, research purposes, and the fulfillment of product and service requests. Meanwhile, use of data for eligibility determinations, committing fraud or stalking, or for unreasonable practices could be presumptively prohibited.

However, it is difficult to determine the standards by which a particular data use should be “green-lighted” or “red-lighted.” To determine if a data use is for a purpose related to that for which a user originally shared data, factors may be considered such as whether the use is primary or secondary, how far down the chain of vendors processing occurs, and whether the processor has a direct or indirect relationship with the data subject. The FTC has done work to articulate “unreasonable” data processing and sharing, and the Center for Democracy and Technology’s Consumer Bill of Rights emphasizes respect for context (user expectations) by laying out applicable factors such as consumer privacy risk and information sensitivity.

However, “context” is difficult to operationalize. One option may be to grant the FTC rulemaking authority to determine issues such as which data uses are per se unfair, or which information is sensitive. The deception and unfairness standard has guided the FTC for decades. However, panelists were concerned about giving the FTC a blank check to use the abusiveness standard to deal with data abuses. Instead, the FTC could be given a clear set of instructions in the form of FTC guidance, legislative preamble, or written in detail in the legislation. If this approach is taken, it would be necessary to confront the difficult question of what harm legislation should seek to address. Because privacy injury is not clear or quantifiable, it is difficult to agree on the appropriate harm standard. A specific list of the types of injury – not an exhaustive list – resulting from data processing would give the harm standard substance, and algorithmic data processing ought to be directly confronted.

Because the purpose of data analysis is to draw differences and to make distinctions, the privacy debate cannot be separated from the discrimination debate. Intent to engage in prohibited discrimination is difficult to prove, especially with use of proxies. For instance, rather than directly using a protected characteristic such as racial heritage to offer payday loans, an algorithm could use zip code or music taste as a proxy for race in order to decide who to advertise payday loans to. To provide clarity and to promote algorithmic fairness, existing discrimination laws could be augmented with privacy legislation by defining unfair discrimination according to disparate impact on protected classes (disadvantaged groups). Privacy legislation should ensure that data use does not contribute to prohibited discrimination by requiring risk assessments and outcome monitoring.

To increase consumer trust and to provide them with recourse when they suspect that they are the victims of unfair discrimination, legislation should directly confront algorithmic transparency and burden of proof. Consumers cannot be expected to understand the mechanisms that determine what advertisements they are presented with or how automatic decisions are made about them. However, organizations should not be able to escape liability by claiming that they do not have access to the data or algorithm necessary to prove discrimination claims.

Enforcement

Panelists agreed that State Attorneys General need to be able to enforce the law and that the FTC requires increased resources and enforcement powers. As Congress cannot anticipate every possible scenario, it is appropriate to give the FTC narrow rulemaking authority, the authority to fine for first offences, the ability to approve codes of conduct, and the ability to clarify guidance on how to comply with the law on issues such as de-identification. The FTC needs vastly more resources to be able to accomplish this oversight and enforcement role. The jury is out as to whether Congress will pony up.

Sally Greenberg described the importance of also including an option for private parties to bring class-action suits. However, there was disagreement between panelists about whether individuals should be able to privately enforce their rights where the government lacks the resources or will to act. David Hoffman highlighted evidentiary problems associated with the difficulty in proving privacy harms. To better serve the public, he argued in favor of the creation of a uniform standard with strong protections.

Preemption of state laws 

The objective of creating a consistent federal standard was emphasized as a key driving factor for industry for the creation of a federal bill. Not including preemption of state law is a kind of “deal-breaker” for industry. They claim that complying with a patchwork of fifty different data breach notification standards is hard today. It was suggested that states could be given a window of five years with no preemption to allow them to adapt and innovate, after which time the situation could be reviewed. Or the reverse – preempt for five years and sunset the federal law. These suggestions both have merit, but in the end, the answers to the questions of preemption and private right of action remain to be seen.

Developing an approach towards consumer privacy and data security

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Sanderson

This blog post is the first of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

For more than 20 years, Congressional inaction on privacy and data security has coincided with increased data breaches impacting millions of consumers. In the absence of Congressional action, states and the executive branch have increasingly stepped in. A key part of the White House’s response is the National Telecommunications and Information Administration (NTIA) September Request for Comment (RFC).

While a “Request for Comment” sounds incredibly wonky, it is a key part of the process that informs the government’s approach to consumer privacy. The NTIA’s process gathers input from interested stakeholders on ways to advance consumer privacy while protecting prosperity and innovation. Stakeholder responses provide a glimpse into where consensus and disagreements lie among consumer and industry players on key issues. We have read through the comments and in this series of blogs are pleased to offer a consumer perspective.

This first blog focuses on a fundamental aspect of any proposed approach to privacy and data security: the scope. Reflecting risks of big data classification and predictive analytics, one suggestion by the Center for Digital Democracy (CDD) was to frame the issues according to data processing outputs. This would cover inferences, decisions, and other data uses that undermine individual control and privacy. However, focusing on data inputs, there was consensus among many interested stakeholders that privacy legislation must cover “personal information.”

The Center for Democracy and Technology noted that personal information is an evolving concept, the scope of which is “unsettled…as a matter of law, policy, and technology.” Various legal definitions exist at the state, federal, and international level. The Federal Trade Commission’s (FTC) 2012 definition defines it as information capable of being associated with or reasonably linked or linkable to a consumer, household, or device. Subject to certain conditions, de-identified information is excluded from this definition. To help address privacy concerns while enabling collection and use, many stakeholders agree that regulatory relief should be provided for effective de-identification techniques. This would incentivize the development and implementation of privacy-enhancing techniques and de-identification technologies such as differential privacy and encryption. Federal law should avoid classifying covered data in a binary way as personal or non-personal. An all-or-nothing approach requiring irreversible de-identification is a difficult or impossible standard.

In an attempt to recognize that identifiability rests on a spectrum, the EU’s General Data Protection Regulation (GDPR) excludes anonymized information and introduces the concept of pseudonymized data. These concepts demand federal consideration, having been introduced to United States law via the California Consumer Protection Act (CCPA). The law should clarify how it applies to aggregated, de-identified, pseudonymous, identifiable, and identified information. To be considered de-identified data subject to lower standards, data must not be linkable to an individual, risk of re-identification must be minimal, the entity must publicly commit not to attempt to re-identify the data, and effective legal, administrative, technical, and/or contractual controls must be applied to safeguard that commitment.

While de-identified and other anonymized data may be subject to lower privacy standards, they should not be removed from protection altogether. In their NTIA comment, the CDD highlights that third-party personal data, anonymized data, and other forms of non-personal data may be used to make sensitive inferences and to develop profiles. These could be used for purposes ranging from persuading voters to targeting advertisements. However, individual privacy rights may only be exercised after inferences or profiles have been applied at the individual level. Because profiles and inferences can be made without identifiability, this aspect of corporate data practice would therefore largely escape accountability if de-identified and other anonymized data were not subject to standards of some kind.

This loophole must be closed. Personal information should be broadly defined to address risks of re-identification and to capture evolving business practices that undermine privacy. While the GDPR does not include inferred information in its definition of personal information, inspiration could be taken from the definition of personal information given by the CCPA, which includes inferred information drawn from personal information and used to create consumer profiles.

Our next blog will explore “developing an approach for handling privacy risks and harms.” In its request for comment, the NTIA established a risk and outcome-based approach towards consumer privacy as a high-level goal for federal action. However, within industry and society, there is a lack of consensus about what constitutes a privacy risk. Stay tuned for a deep dive into the key issues that arise.

The author completed her undergraduate degree in law at Queen Mary University of London and her Master of Laws at William & Mary. She has focused her career on privacy and data security.