Data, Social Media, and Users: Can We All Get Along?

CRS INSIGHT
[name redacted], Analyst in Cybersecurity Policy
April 4, 2018

Introduction

In March 2018, media reported that voter-profiling company Cambridge Analytica had exceeded Facebook's data use policies by collecting data on millions of Facebook users. Cambridge Analytica did this by working with a researcher who obtained access to the data, so the company itself was not the entity that requested access to the information. This allowed Cambridge Analytica to scrape or download data from users who had granted the researcher's app access to their profiles, as well as from those users' Facebook friends (whose profiles the first user could see, but who had not themselves authorized access).

At this time, it is publicly unknown what data were accessed. Facebook hired a digital forensics firm to audit the event. Based on media reporting and the behavior of older Facebook applications, user profile data such as interests, relationships, photos, likes, and political affiliation may have been accessible, but not all data held by Facebook appear to have been accessed by an outside party. Additionally, because initial access to a user's profile was granted via an app, other information about the user, such as other apps installed on the device and Internet Protocol addresses, may have been accessed. With this information, Cambridge Analytica built profiles of potential voters to test messaging and target advertisements. In addition to ads on Facebook, search engine optimization may have been used to drive users toward ads and other web content (e.g., blogs) outside Facebook.

This event could be characterized as a data breach, even though Facebook's systems were not breached (i.e., hacked), because a third party was able to access data that neither users nor Facebook intended to share. Rather than exploiting a vulnerability in Facebook's information technology (IT), Cambridge Analytica took advantage of weak security controls and violated Facebook's data policies. This breach is akin to an insider exceeding authorized access to retrieve information, or to an outsider using information they were authorized to access for purposes prohibited by contractual agreement.

CRS INSIGHT Prepared for Members and Committees of Congress Congressional Research Service 7-... www.crs.gov IN10879

In response to this incident, some Members of Congress have questioned Facebook and have invited Facebook CEO Mark Zuckerberg to testify before House and Senate committees. This Insight examines policy issues surrounding this incident and provides options for Congress to consider. While this event has started discussions on election security and on requirements for social media companies to report advertising, this Insight addresses data security concerns without discussing the impacts or consequences of data use.

Issues

This is not Facebook's first major privacy and data security incident. In 2011, the Federal Trade Commission (FTC) entered into a consent order with Facebook following an investigation into the company's privacy practices at the time. The FTC went further and released guidance so other companies could avoid enforcement actions. In an unusual step, the FTC has publicly confirmed opening an investigation into Facebook's data security and privacy practices in light of the media reports about Cambridge Analytica. As Facebook's, the FTC's, Congress's, and other investigations continue, the public will learn more about this event and its implications. In the meantime, the event has ignited a public debate on data ownership, usage, security, and privacy.

Data Ownership, Rights, and Usage

Consumers' expectations and the reality of who owns data and how data may be used are commonly misaligned. In Europe and Canada, data about individuals are generally considered to remain those individuals' data: they have a right to the data, a right to expect the data to be secured, a right to know exactly how the data are used, and a right to remove the data from the service hosting them. In the United States, however, no general data regulation exists. Individual regulations exist, but they target specific types of entities (e.g., the Safeguards Rule for financial firms and the HIPAA health information standards for payers and providers of health care). Once data are submitted to another entity, they are generally considered to be under that entity's ownership, and any data that entity derives from the submitted data belong to that entity, barring a separate agreement between the parties dictating data ownership and usage.

Data Security and Privacy

Data security is not generally prescribed by law for the information technology sector. Instead, companies make IT security investments as part of managing corporate risk. Mitigating this risk may be material to their investors or beneficial to their users. In the U.S. system, privacy rules are in place to ensure the privacy of an individual from the government. Privacy of individuals from other entities (e.g., other individuals or corporations), however, is a matter of state law and private agreements (e.g., contracts). This places a higher burden on individuals to understand the risk of generating and sharing data, and to review and understand their individual agreements with each service they use.

Options for Congress

Oversight

Congress has provided oversight of data security practices at private companies in the past. Following the Equifax data breach last year, Congress held hearings on the incident and encouraged the industry to adopt stronger security postures and provide consumers relief. Hearings can inform legislation, advance debate, and drive private action in hopes of avoiding governmental action.

Legislation

Options for Congress to legislate in response to the Facebook incident include (but are not limited to) defining national expectations for data ownership and privacy; establishing expectations for liability when unauthorized parties access data; and creating data breach notification rules. Examples of such rules are the European Union's General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

These options would alter companies' relationship with data. Currently, data are cheaply collected, analyzed, and used for profit, enabling free access to large portions of the Internet and other IT services. Placing restrictions on data would alter the business models of these Internet-enabled companies and services. The question then becomes one of tradeoffs: does the free use of data create a national harm, or is it a necessity for America remaining a leader in innovation, and what are the consequences of each?

In considering legislative options, Congress could also consider granting regulatory authority to a federal agency or agencies, or it could create a new federal entity to regulate companies. It appears that agencies do not currently have authority to regulate data security at social media companies. Instead, data security may be enforced at a company pursuant to a consent order with the FTC after an unfair or deceptive practice investigation.

Regulation

The IT sector (including social media companies) currently faces little federal regulation. This stems from a desire to promote innovation. However, absent from that argument is the enormous social and economic impact of some IT companies. For instance, the reported number of Facebook users affected by this event is greater than the estimated populations of New York and Texas combined, and Facebook has a larger market capitalization (over $400 billion) than JPMorgan Chase (over $300 billion).

Congress could consider several models for regulation, including:

Government Regulation: a government agency directly regulates an industry through an exercise of statutory authority, with accountability to the President and Congress (e.g., the Nuclear Regulatory Commission's relationship with nuclear facilities).

Quasi-Governmental Regulation: an organization with public and private sector characteristics, like a government corporation, regulates under a statutory authority and has accountability to the President and Congress (e.g., the Federal Deposit Insurance Corporation).

Regulation by Nongovernmental Elements: a nongovernmental entity exercises regulatory authority in cooperation with, or under the oversight of, a governmental agency (e.g., the North American Electric Reliability Corporation writes standards which are accepted and enforced by the Federal Energy Regulatory Commission).

Self-Regulatory Organizations (SROs): organizations that act under a federal statute or authority and that can be overseen by a government agency (e.g., the Financial Industry Regulatory Authority), and federally chartered organizations that have exclusive jurisdiction over a specific subject (e.g., the U.S. Olympic Committee governing U.S. participation in the Olympic games).

If Congress were to grant regulatory authority to a federal agency or agencies, agency action would probably fit into a three-step framework. First, an authorized entity creates the regulation that industry must follow; this is also called rulemaking. Next, an agency could examine or supervise for compliance with the regulation. Finally, if a company is found not to be in compliance with the regulation, the agency could enforce the regulation (e.g., by suing the company or issuing a fine). Congress may grant authority to different agencies for each step in this framework. Should Congress legislate and/or grant regulatory authority to a new or existing entity, Congress would likely have an interest in conducting oversight of how that authority is executed.

Another option, which does not require congressional action, is for industry-based SROs to prescribe standards (e.g., the Payment Card Industry Data Security Standard). In such instances, the government does not compel participation in the scheme, though industry-specific factors might make nonparticipation difficult.

EveryCRSReport.com The Congressional Research Service (CRS) is a federal legislative branch agency, housed inside the Library of Congress, charged with providing the United States Congress non-partisan advice on issues that may come before Congress. EveryCRSReport.com republishes CRS reports that are available to all Congressional staff. The reports are not classified, and Members of Congress routinely make individual reports available to the public. Prior to our republication, we redacted names, phone numbers and email addresses of analysts who produced the reports. We also added this page to the report. We have not intentionally made any other changes to any report published on EveryCRSReport.com. CRS reports, as a work of the United States government, are not subject to copyright protection in the United States. Any CRS report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS report may include copyrighted images or material from a third party, you may need to obtain permission of the copyright holder if you wish to copy or otherwise use copyrighted material. Information in a CRS report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to members of Congress in connection with CRS' institutional role. EveryCRSReport.com is not a government website and is not affiliated with CRS. We do not claim copyright on any CRS report we have republished.