POLITICS

The Last Time Congress Threatened To Enact Digital Privacy Laws, It Didn’t Go So Well

What can a past failure tell us about the current privacy push?

WASHINGTON ― Regulating big tech companies like Facebook is hot again. Members of Congress are talking about it. Advocacy groups are pushing for it. CEOs like Facebook’s Mark Zuckerberg are making vague promises that they’ll consider accepting it. And now the Trump administration is in talks with big players like Facebook and Google to press for new rules.

Don’t buy the hype. All of this has happened before. The last big blowup over privacy occurred less than a decade ago, when Washington policymakers zeroed in on the pervasive tracking of internet users by tech platforms, advertisers and data brokers. That time, the pro-regulation folks failed utterly. Here’s what happened.

The Proposal

America’s last big fight over internet privacy began in the final years of the 2000s, when concerns over consumer privacy violations had started to trouble lawmakers and the public. In 2007, pro-privacy technologists first proposed Do Not Track, developing a simple way to let online users send a signal from their browser ordering websites and trackers not to collect their data. The problem was getting stakeholders who make money off of tracking to agree to accept those signals.

Like every privacy policy battle before or since, the effort pitted outgunned consumer advocates against a coalition of big tech platforms and advertising trade groups. The coalition, which included companies like Facebook and Google as well as groups like the Interactive Advertising Bureau (IAB), the Direct Marketing Association and the Digital Advertising Alliance (DAA), responded to proposed regulations by claiming any privacy rule would hamper innovation.

The Federal Trade Commission, which has oversight authority for consumer protection and corporate competition, announced it would investigate online tracking in December 2009. The FTC enforces regulations on consumer privacy, but its authority to issue industrywide regulations is incredibly weak. Congress had gutted the agency’s rule-making authority during the deregulation craze of the 1970s. An amendment to restore that power was included in the version of the Dodd-Frank financial reform bill that passed the House of Representatives in 2010. A lobbying campaign led by the advertising tech industry, however, stripped that amendment from the final bill. Without agency regulations, the industry was left to its own, preferred devices of self-regulation. The IAB, which counts Google and Facebook (and Oath, which owns HuffPost) as members, labeled the removal of the provision their “number one legislative priority” and called it a “a major victory for industry” when it was dropped from the final bill text.

The Federal Trade Commission backed the Do Not Track policy in 2010.
The Federal Trade Commission backed the Do Not Track policy in 2010.

In 2010, the FTC held a series of roundtables with stakeholders to hear from both industry and privacy advocates about what regulatory approach would work best to protect online consumer privacy. The agency threw its weight behind Do Not Track in a report that included a detailed explanation of past privacy failures throughout the industry.

The Venue

In 2011, the FTC brought in the World Wide Web Consortium (W3C), an internet standards-setting body largely composed of the representatives of big technology companies, to help outline Do Not Track rules.

This was where the privacy push really got derailed, Jonathan Mayer, a technologist who was involved in the negotiations, told HuffPost.

“This was a recurring problem during the Obama administration,” Mayer, who would later work at the Federal Communications Commission under Obama and is currently a professor at Princeton University, said in an email. “The federal government had a habit of punting difficult technology policy issues to multi-stakeholder working groups. Unsurprisingly, these working groups didn’t make much progress.”

The consortium wasn’t exactly a fair venue. The group is mostly made up of industry players like tech companies and advertising trade groups who pay its annual membership fee. The playing field was tilted toward the very corporations that did not want to endanger their profit source, which involved tracking users, collecting their data and packaging it to target ads — the same companies that are now under the microscope for privacy violations.

A small band of consumer advocates from nonprofit groups like the Electronic Frontier Foundation, the Center for Digital Democracy and Consumer Watchdog were allowed by the W3C to participate, too, even though they were not consortium members when the negotiations started. The nonprofits were effectively “charity cases,” said Lee Tien, a senior staff attorney at EFF who participated in the negotiations. “We were heavily outnumbered in the room,” he said.

Tim Berners-Lee, founder of the World Wide Web and co-founder of the W3C, delivers a speech in 2011.
Tim Berners-Lee, founder of the World Wide Web and co-founder of the W3C, delivers a speech in 2011.

The Default Settings

In February 2012, the Obama administration released a consumer privacy bill of rights and announced that executives for the big tech firms and advertising trade groups had accepted the FTC’s Do Not Track principles. In the administration’s press release, companies operating web browsers agreed to provide a Do Not Track capability. The DAA, which was created by the big advertising trade groups, agreed to run a voluntary effort through its AdChoices platform where online users could opt out of tracking. (This is that blue triangle you see next to online ads.)

Browsers followed through on their promises soon after the presidential announcement, but not in the way advertisers wanted. Mozilla and Microsoft both launched new versions of their respective web browsers with the Do Not Track function automatically turned on for users. Antivirus company AVG similarly opted users in to Do Not Track through its default setting.

But the ad industry would only accept Do Not Track if it believed the tool would not be widely adopted. That’s why the industry cared deeply about the default settings for Do Not Track, and would only agree to honor it if users had to affirmatively select the option. When it became clear that browsers or other software would opt users in to Do Not Track automatically, the ad industry saw a direct threat. The DAA, which was the running the voluntary Do Not Track effort for the advertising industry, said it would not honor Do Not Track signals from browsers that set the default to opt-in.

The Failure

Meanwhile, the consortium negotiations between industry leaders and privacy advocates had reached an impasse. The actions by the browsers and other companies to default users into Do Not Track increased the acrimony.

The ad industry became publicly hostile to the Do Not Track talks and doubled down on its own self-regulatory solution that promised not to automatically opt in users to privacy. Mark Zaneis, the general counsel for the ad industry lobbying group IAB, told The New York Times, “We have self-regulation. It’s working very well.”

That’s when Washington lawmakers jumped into the debate. In a 2012 letter to the FTC, then-Sen. Jay Rockefeller (D-W.Va.), chairman of the commerce committee and a supporter of digital privacy legislation, promised that a failure by the W3C would “only highlight the need for Congress to act.” During an April 2013 oversight hearing on Do Not Track, he pointed a finger at the advertising industry. The industry was “dragging its feet” in the negotiations, “and I believe they are doing it purposely,” he said.

Rockefeller moved to reintroduce legislation to enact and enforce privacy controls, including Do Not Track. It was just one of many bills introduced during the Obama administration with the intent of addressing digital privacy. Not one passed out of committee.

As lawmakers grew increasingly frustrated with the slow pace of the Do Not Track process, major players dropped out of the consortium negotiations. The advertising industry quit, blaming “ideological” privacy advocates whom they likened to Bolsheviks. The industry declared it would stick to its self-regulatory approach. Outnumbered and overburdened, the consumer advocates, including Mayer, left. While the consortium released two Do Not Track standards in 2015, both opposed by privacy advocates, its negotiations still continue.

Back in Washington, nothing happened. The FTC had no rules to enforce. Congress, which would soon be under unified Republican control, did not follow through on threats to enact privacy legislation if the regulators or the consortium negotiations failed. Users began to turn to ad-blocking plugins.

Industry efforts to block regulation by claiming it would impede innovation had worked yet again.

Then-Sen. Jay Rockefeller (center) talks to FTC chairman Jon Leibowitz, left, and FCC chairman Julius Genachowski (right
Then-Sen. Jay Rockefeller (center) talks to FTC chairman Jon Leibowitz, left, and FCC chairman Julius Genachowski (right) before a hearing on online consumer privacy in 2010.

Will It All Happen Again?

Today, the same industry players are back to play the same roles. Zuckerberg might have accepted responsibility for abusing user privacy, again, and endorsed vague privacy measures, but the trade associations for the tech and advertising industries strongly oppose any new regulation or legislation.

The Internet Association, a major tech trade group, is running a campaign against a privacy ballot initiative in California. The ad trade groups, including the IAB, oppose any new legislative effort to enact privacy rules and current legislation to mandate transparency for online political advertising.

Privacy advocates appear to be on the sidelines at the moment. But those who spoke to HuffPost said they think the current moment holds more promise than previous failures like Do Not Track, even as the industry takes the same stance against government regulation.

They point to the tough questions Zuckerberg received from members of both parties. They consider the bipartisan privacy bill introduced by Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) as a sign of progress. They note that 41 state attorneys general are pushing for answers from Facebook about its business practices and that the FTC is investigating Facebook for violating a consent order on privacy from 2011. The passage of new privacy rules in states like California. And, most importantly, the implementation of the European General Data Protection Regulation has forced companies to adjust their business practices to stringent privacy rules in one of the world’s largest markets.

None of this should mean that privacy proponents should expect victory any time soon. One big lesson Tien, the privacy expert at EFF, said he learned from the Do Not Track effort is to not expect corporations to assent to rules that would make it harder for them to make money.

“If someone says, ‘We’re willing to do something that cuts into the amount of money we make,’ be very suspicious about whether they are actually going to do that,” he said.

The other lesson Tien suggested Americans learn from the Do Not Track failure is that legislators and regulators often don’t focus and follow through on promises. American politics, he said, tend “towards episodic hyperbole.”

“If you’re not grappling with enforcement and investigation as part of this and you’re just sort of beating companies over the head saying, ‘bad, bad, bad,’ You know, they’ll take it. And then once everybody forgets about them or goes on to the next scandal or the elections or children’s health care or whatever, they are working away at monetizing data all that time,” he warned. “You need constant vigilance.”

CONVERSATIONS