Operational Security // Compliance

2/22/2019 07:00 AM
Larry Loeb

Here it Comes: Internet Privacy Regulation

A new report by the US Government Accountability Office could be the catalyst for meaningful change on the Internet privacy front.

The US Government Accountability Office (GAO), which provides auditing, evaluation and investigative services for Congress, has issued a report on Internet data privacy. Two years in the making, the report suggests that "Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy." It also said that, "Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation."

No, they didn't come out and say Facebook there, but it's between the lines.

The report looks at the ad hoc responses to privacy that the current (non)system encourages. The Federal Trade Commission (FTC) has been addressing Internet privacy through its "unfair and deceptive practices" authority, among other statutes, and other agencies have been addressing privacy using industry-specific statutes. The report writers found that some stakeholders believe that FTC's reliance on its unfair and deceptive practices authority to address Internet privacy issues has limitations. Some of the tools it uses are not legal requirements and so the FTC cannot rely on them to define what constitutes unfair and deceptive practices related to privacy and data security.

Also, a former Federal Communications Commission (FCC) commissioner told the investigators that a new privacy statute could enhance Internet privacy oversight by creating uniform standards for all players in the Internet ecosystem that are focused on the consumer rather than the regulatory legacy of the companies involved. He was referring to regulations that apply to specific types of companies based on what they are or used to be, such as telecommunications carriers, cable companies, broadcasters or mobile wireless providers.

In a 2013 report, the GAO found "the current U.S. privacy framework is not always aligned with the Fair Information Practice Principles and that these principles provide a framework for balancing the need for privacy with other interests."

In particular, the GAO noted "there are limited privacy protections under federal law for consumer data used for marketing purposes. We said that although the Fair Information Practice Principles call for restraint in the collection and use of personal information, the scope of protections provided under current law has been narrow in relation to: (1) individuals' ability to access, control, and correct their personal data; (2) collection methods and sources and types of consumer information collected; and (3) new technologies, such as tracking of web activity and the use of mobile devices … Companies are not always following the Fair Information Practice Principles, such as that companies' data practices should be transparent, allow consumers the right to access and edit their data, and limit the collection of data to the extent feasible."

Google and Facebook must be sweating now, eh?

The House Energy and Commerce Committee has scheduled a hearing for February 26 in which it will discuss the GAO's recent report as well as the possibility of drafting a federal-level Internet privacy law. Things might actually get real this time around.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
