Congress Doesn't Understand Online Privacy

By David B. McGarry
June 02, 2022

Story Stream

recent articles

Congress has been on quite the internet regulation kick. And although most legislators haven’t the foggiest idea of how the internet actually works, there is a bipartisan consensus that ignorance shouldn’t preclude action. Bills like the American Innovation and Choice Online Act would stifle innovation and choice online and, along with the Open App Markets Act, jeopardize user security.

Two less-publicized — yet deeply problematic — pieces of proposed legislation are the SHOP SAFE Act and the INFORM Act. While the two bills have different foci, both compel internet platforms to collect incredibly sensitive user data. True to Congressional form, these proposals are thoughtlessly written and would threaten our privacy and data security.

So why do it?

SHOP SAFE is designed to crack down on online trademark infringement, but it ends up placing unreasonable legal liability and compliance costs on online marketplaces. Privacy concerns arise due to the bill’s provision that “electronic commerce platforms” must demand disclosure of third party sellers’ identity (preferably verified with a government ID), principal place of business, and contact information. All must be “displayed conspicuously” to customers. (There is a cutout in the display requirement for individuals who use their residential address and personal contact information for their business.)

Most concerning, however, are SHOP SAFE’s incredibly broad definitions. “Electronic commerce platform” is defined to include any platforms that “allow for arranging the sale or purchase of goods, or that enables a person other than an operator of the platform to sell or offer to sell physical goods to consumers located in the United States.” The key word is “arranging.” Sure, this bill is supposed to regulate third party sellers on online marketplaces, but anyone can arrange an informal sale on any service or app which allows for communication between users. So, if you are messaging a friend in an online poker game’s chatbox to sell, say, a used bicycle, the host platform risks a lawsuit if it has not gathered your data in compliance with SHOP SAFE. This absurdly wide net will likely prompt a wide variety of internet services to require that users scan an ID at signup. And given that SHOP SAFE creates an aggressive, plaintiff-friendly right of private action with no real protections for platforms against bogus lawsuits, tech companies will over-comply to avoid a barrage of litigation from trademark holders and other self-interested parties.

The INFORM Act is exclusively focused on data disclosure. And while it covers a narrower slice of the population, it requires the turnover of more information. Unlike SHOP SAFE, it only affects sellers who close at least 200 sales and gross more $5000 per year on a single online marketplace. INFORM requires such sellers to provide that marketplace with their identity, banking information, tax information, and a working phone number and email address. As required by SHOP SAFE, this information must be confirmed by the marketplace, preferably by government-issued documentation.

Forcing citizens to scatter their sensitive data across the internet is a bad idea because cyber security is really, really difficult. Governments, never mind private companies, are often unable to keep important data from hackers. Seriously, Google it — the ubiquity of data breaches is astounding. And small platforms with low overhead and little excess capital are especially unequal to the task. By exponentially increasing the number of entities with treasure troves of IDs and other sensitive data, SHOP SAFE and INFORM will provide hackers near-limitless opportunities to find and exploit inevitable cybersecurity weaknesses.

Besides the ever-present threat of civilian hackers, hostile foreign governments are becoming increasingly aggressive. Chinese spies and corporations (often a distinction without a difference) regularly attack our governmental networks, steal our corporations’ intellectual property, and mine our citizens for information. Moscow’s cyberspies are also on the move, and countries including America, Germany, France, and Italy are preparing for various Russian cyber threats.

To make matters worse, neither bill contains meaningful legal protections for disclosed data, and neither bill outright prohibits platforms from simply selling it off. INFORM goes through the motions of addressing both concerns, but its language is too vague to be effective. Furthermore, there is no sunset on data storage: platforms may keep collected data in perpetuity.

In addition to private hackers, rogue states, and a dearth of data protections, there are plenty of personal reasons to want privacy, security, and even anonymity in the digital space. Congress should be more mindful of those interests as it forays into internet regulation. As for SHOP SAFE, individuals shouldn’t need to dole out their IDs all over the internet to access basic internet services. And as for INFORM, sellers shouldn’t have to choose between preserving their privacy and personal safety and making a living. Legislators are clearly out of their depth, and they should stop recklessly endangering the folks who vote them in.

David B. McGarry is a contributor with Young Voices from sunny Los Angeles. He’s a staunch defender of liberty and American institutions, and writes extensively on privacy and tech policy. Follow him on Twitter @davidbmcgarry.

Comment

Show comments

You must be logged in to comment.

RCP Account: Login Register