
2/22/2019
07:00 AM
Larry Loeb

Here it Comes – Internet Privacy Regulation

A new report by the US Government Accountability Office could be the catalyst for meaningful change on the Internet privacy front.

The US Government Accountability Office (GAO), which provides auditing, evaluation and investigative services for Congress, has issued a report on Internet data privacy. Two years in the making, the report suggests that "Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy." It also said that, "Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation."

No, they didn't come out and say Facebook there, but it's between the lines.

The report looks at the ad hoc responses to privacy that the current (non)system encourages. The Federal Trade Commission (FTC) has been addressing Internet privacy through its "unfair and deceptive practices" authority, among other statutes, and other agencies have been addressing privacy using industry-specific statutes. The report writers found that some stakeholders believe that FTC's reliance on its unfair and deceptive practices authority to address Internet privacy issues has limitations. Some of the tools it uses are not legal requirements and so the FTC cannot rely on them to define what constitutes unfair and deceptive practices related to privacy and data security.

Also, a former Federal Communications Commission (FCC) commissioner told the investigators that a new privacy statute could enhance Internet privacy oversight by creating uniform standards for all players in the Internet ecosystem that are focused on the consumer rather than the regulatory legacy of the companies involved. He was referring to regulations that apply to specific types of companies based on what they are or used to be, such as telecommunications carriers, cable companies, broadcasters or mobile wireless providers.

In a 2013 report, the GAO found "the current U.S. privacy framework is not always aligned with the Fair Information Practice Principles and that these principles provide a framework for balancing the need for privacy with other interests."

In particular, the GAO noted "there are limited privacy protections under federal law for consumer data used for marketing purposes. We said that although the Fair Information Practice Principles call for restraint in the collection and use of personal information, the scope of protections provided under current law has been narrow in relation to: (1) individuals' ability to access, control, and correct their personal data; (2) collection methods and sources and types of consumer information collected; and (3) new technologies, such as tracking of web activity and the use of mobile devices … Companies are not always following the Fair Information Practice Principles, such as that companies' data practices should be transparent, allow consumers the right to access and edit their data, and limit the collection of data to the extent feasible."

Google and Facebook must be sweating now, eh?

The House Energy and Commerce Committee has scheduled a hearing for February 26 in which it will discuss the GAO's recent report as well as the possibility of drafting a federal-level Internet privacy law. Things might actually get real this time around.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
