
Surprise! The Latest ‘Comprehensive’ US Privacy Bill Is Doomed

Gutted of civil rights protections by Democrats to woo pro-business Republicans, the American Privacy Rights Act was pulled from a key congressional hearing—and appears unlikely to receive a full vote.

Wired

Dozens of civil rights organizations had been urging Democrats (some of whom had puzzlingly signed off on those changes) to sink the bill, arguing that the changes were both “immensely significant and unacceptable.”

The new text, engineered to appease conservative lobbyists representing the interests of big business, omitted, for instance, a key section referencing “civil rights.” The deleted section aimed to prevent businesses from trafficking in people’s data “in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.” For reasons that at this stage are beyond obvious, GOP lawmakers are firmly opposed to such language.

Deleting sections of a bill holding companies accountable for making data-driven decisions that could lead to discrimination in housing, employment, health care, and the like spurred a strong response from civil society organizations including the NAACP, the Japanese American Citizens League, the Autistic Self Advocacy Network, and Asian Americans Advancing Justice, among dozens of others.

In a letter this week to E&C Democrats, obtained by WIRED, the groups wrote: “Privacy rights and civil rights are no longer separate concepts—they are inextricably bound together and must be protected. Abuse of our data is no longer limited to targeted advertising or data breaches. Instead, our data are used in decisions about who gets a mortgage, who gets into which schools, and who gets hired—and who does not.”

But the cuts did not end there. The most recent version of the APRA noticeably excluded language designed to grant users the power to opt out before companies could use algorithms to “facilitate a consequential decision” using an individual’s personal data. At the same time, language that would have imposed a duty on companies to examine, or audit, the impacts of their own algorithms on users was likewise erased.

Both of these provisions contained generous “pro-business” caveats. For instance, users would be able to opt out of algorithmic decisionmaking only if doing so wasn’t “prohibitively costly” or “demonstrably impracticable due to technological limitations.” Similarly, companies could have limited the public’s knowledge about the results of any audits by simply hiring an independent assessor to complete the task rather than doing so internally.

“Prior versions of APRA required companies that developed or used AI for making automated decisions about people in certain important areas like employment, housing, and credit to be transparent about those systems and to allow people to opt out of that automated decisionmaking,” says Eric Null, codirector of the privacy and data project at the Center for Democracy & Technology, a digital rights nonprofit. “Without those provisions, people can and will be subject to AI that makes or contributes to important, life-changing decisions about them, and they will have little to no way to protect themselves.”

Digital rights groups such as Access Now, Demand Progress, and Free Press Action joined in to pressure Democrats not to accept these changes in stride, arguing that “a privacy bill that does not include civil rights protections will not meaningfully protect us from the most serious abuses of our data,” and that the changes were imposed “without prior stakeholder consultation and without studying the impact to the bill’s ability to address data-driven discrimination.”

WIRED had reached out on Wednesday to 23 Democrats currently serving on the E&C to get a response to the demands of these groups. A single lawmaker responded:

“I already had concerns with the American Privacy Rights Act,” US representative Nanette Barragán said, pointing to language in the bill that could arguably undermine stronger data privacy protections already implemented by her home state of California. “The latest draft only deepens my concerns about the bill because critical civil rights provisions have been removed from the proposal.”

In a statement after Thursday’s cancellation, the E&C’s ranking Democrat, Frank Pallone, Jr., blasted GOP leaders for interfering with the committee’s process while at the same time extending his gratitude to the committee’s Republican chair, Cathy McMorris Rodgers, lauding her dedication to “giving Americans back control of their data.”

“We’re not giving up,” adds Pallone, declaring he and his colleagues are the only ones in Congress with the guts to “take on Big Tech on behalf of the American people.”
