April 13, 2011, 2:25 PM — Senators John Kerry and John McCain have co-authored a bill designed to protect consumer rights in the age of the InterWebs. Called the Commercial Privacy Bill of Rights Act of 2011, it’s supposed to restrict the kinds of information data brokers can collect about you, and what they can do with it.
First: Kudos to Congress for even addressing the issue of privacy. In the past, consumer privacy has been a topic those inside the Beltway have either a) religiously avoided, b) dealt with by passing extremely narrow legislation protecting one particular practice (like video rentals) while allowing all manner of worse things to continue, or c) addressed via wishy-washy laws that make it look like they’ve finally stopped ducking the issue while doing nothing to solve the problem (CAN-SPAM Act, please pick up a white courtesy telephone).
Unfortunately, this piece of legislation -- which has received a thumbs up from Microsoft, Intel, HP, and eBay, and a “meh” from most privacy advocates -- contains more Wrongs than Rights.
What’s the matter with this bill? From a privacy standpoint, plenty.
* It’s extremely vague. The bill would allow data miners to “collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time.”
Who determines what information is “necessary” and what a “reasonable” amount of time is? The answer: the data miners themselves. For Facebook, all of your information is necessary to deliver some kind of service; for years, Google claimed 24 months is a “reasonable” amount of time to retain search data. (After a lot of pressure they shrank that down to 9 months.)
The bill also calls upon data brokers to “implement security measures” to protect the data they collect. That could mean practically anything. Can you find a company that doesn’t claim to implement security measures? Only after a breach has occurred do we find out just how lame those measures really were. (RockYou, I’m talking to you.)