Unrestrained data collection and selling doesn’t just harm citizens at home. It’s terrible foreign policy.

Original article posted on Wired.com https://www.wired.com/story/weak-us-privacy-law-hurts-americas-global-standing/

Justin Sherman 7/20/2021

 

Last month, President Joe Biden signed an executive order replacing former president Trump’s orders that attempted to “ban” TikTok and WeChat in the United States. Among several praiseworthy components, it called for far more evidence-driven risk assessment of foreign software than the Trump administration’s. But the order focused entirely on data risks posed by foreign governments.

Data risks posed by domestic firms, from widespread data collection to unrestricted data selling, also demand action from Washington. While numerous privacy bills purporting to address these problems circulate the halls of Congress, none have become law. Senator Richard Blumenthal recently said of American privacy regulation, “Europe’s way ahead of us. China is about to go ahead of us. The rest of the world is leaving us behind.”

Citizens and consumers desperately need strong privacy laws to protect them against the damage wreaked by firms with too much data. This is especially true because US government agencies and corporations have long targeted surveillance disproportionately, if not exclusively, against already marginalized communities—causing disparate harms across racial, class, gender, citizenship, and other lines.

This is far from just a domestic issue, however. The absence of a robust and widespread regime to constrain modern surveillance and data abuses is also increasingly a foreign policy problem.

The weakness of American privacy law hurts US national security by allowing sensitive citizen data to be widely sold and shared with third parties—with little or no transparency or safeguards. It further undermines trust in Silicon Valley throughout the world, hindering the competitiveness of American technology firms, as many countries advance data regulations driven, in part, by Silicon Valley’s unrestrained data practices. And lastly, amid talk of “digital authoritarianism,” the lack of strong privacy law only diminishes US soft power. American rhetoric on techno-democracy is less credible when corporate surveillance runs rampant at home.

Last summer, TikTok went from a viral dance-challenge app to, according to the Trump administration, a grave threat to US national security. Trump issued an executive order last August to ban the app, alongside a second executive order to ban the messaging platform WeChat. The TikTok order was badly written and has been struck down by multiple courts; it was also driven by politics more than any real notion of digital security. Trump himself suggested two months earlier that banning TikTok would be a great way to punish the Chinese government for its early handling of Covid-19.

One of the saga’s real takeaways should have been that forcing (or trying to force) a company to change ownership only cuts off a single potential vector of data sharing—because US privacy law doesn’t stop the company from openly selling the data anyway.

The Trump administration wanted to have a US firm buy TikTok from the Chinese-incorporated ByteDance, arguing that it was the only way to ensure Beijing couldn’t access TikTok’s data. Yet even if TikTok had gone to, say, Oracle (once the apparent front-runner, perhaps because Larry Ellison hosted a Trump fundraiser in his home), virtually nothing in US privacy law would stop TikTok from selling reams of user data to anyone who’s buying.

The TikTok saga pointed to a broader problem: When American citizens are scrolling through Facebook or Twitter, shopping on Amazon or Etsy, or swiping on Tinder or Bumble, there’s no telling how many third parties are receiving their information. Buying, licensing, and otherwise sharing user data is all part of the vast data-brokerage ecosystem that commodifies human information and underpins many of the apps with which citizens interact. Just because citizens are outside US borders—whether on vacation abroad or serving at US diplomatic outposts—doesn’t mean they aren’t tracked by American tech companies, either.

Big Tech firms deploy nationalistic arguments to suggest that American incorporation equates to a guarantee that their business models won’t undermine US national security or US foreign policy. Without a federal privacy law to constrain data collection and sharing, however, that is not true. This data-brokerage ecosystem allows US citizens’ data to end up in foreign government hands, threatening national security and potentially sabotaging US diplomacy and foreign policy activities. It also weakens American credibility on data issues; if the White House is taking action against individual Chinese tech firms while Congress passes no privacy law, for instance, seeking to eliminate a potential means through which Beijing can spy on US citizens, the US appears more focused on targeting companies than mitigating overall data-diffusion harms.

These Big Tech arguments, though, relate to a second concern of weak US privacy law: distrust of US tech firms overseas.

There are myriad legitimate reasons why US tech giants have reputation problems abroad, from sheer market power and extensive lobbying to enabling the spread of hate online and massive, exploitative data collection. Phrases like “data colonialism” and “digital colonialism” have been used to characterize this phenomenon, particularly when large tech firms enter lower-resourced countries (e.g., Venezuela, Uganda, India), surveil citizens, and extract all the value back to their headquarters while perpetuating other problems like unequal divisions of labor.

It doesn’t have to be this way. Right now, American civil servants are renegotiating a transatlantic data-transfer agreement with European Union counterparts, following an EU court’s invalidation of the Privacy Shield framework in July 2020. Some might argue, with good reason, that the EU Court of Justice will find any reason to invalidate any EU-US data-transfer agreements. But Washington can buttress its position by putting new, real constraints on American companies’ data collection, sharing, and use. Even though Schrems II, the decision invalidating Privacy Shield, focused on national security access to data in the US, this absence of robust US privacy law almost always enters the same conversation about inadequacy.

Passing a strong federal privacy law in the US could also help American companies grapple with an increasingly complex and fractured regulatory landscape globally. For instance, India’s Personal Data Protection Bill, introduced in 2019 and still undergoing deliberation, was inspired by the EU’s GDPR (though it includes a dangerously broad set of exemptions for the state). Brazil’s General Data Protection Law also has similarities to GDPR. The more that other governments enact privacy laws, the greater the risk that US firms will face regulatory challenges and public distrust around the world.

For all that politicians talk about the importance of having competitive US technology firms, that shouldn’t come at the expense of democratic regulation to protect citizens from data-related abuses—nor should controls on data abuses be seen as an antithesis to a competitive tech sector. On the contrary, as more data regimes crop up globally, as Silicon Valley faces increased scrutiny in overseas markets, and with trust in artificial intelligence coming to depend partly on a country’s privacy regime, passing a robust federal privacy law could have many benefits for US tech competitiveness.

The recently announced US-EU Trade and Technology Council, through which the US and EU member states will engage in conversation on everything from internet policy to standards development, has a strong implicit focus on China. Coming out of the G7 Summit in June, Biden reiterated a focus on providing a “democratic alternative” to Chinese government influence.

Biden’s plan to unite democracies on tech faces many challenges, in part because it’s not clear if a democracy-versus-authoritarianism framing is the best way to combat digital repression. Depending on the plan’s execution, it might also wrongly overlook disagreements among democracies themselves on how to address technology challenges. EU member states, for instance, are hardly in lockstep with Washington on a range of internet policy issues. India is often assigned to the democratic bloc in these conversations, but the Modi government’s repression, attacks on democracy, and internet abuses call that into question.

One of the greatest foreign policy challenges posed by weak US privacy law, though, is that Washington loses credibility on democratic tech governance by purporting to fight digital repression globally while allowing data-enabled abuses at home.

Many authoritarian governments spin this reality right into what-about-ism, in which everything is hypocrisy and there is no difference between democratic and authoritarian countries. The Kremlin, for example, routinely uses problems in American internet policy to suggest that internet openness is nonsense and to justify the Russian state’s internet repression. So, to be clear, the weakness of US privacy law does not mean there’s no hope (there is), nor that criticisms of authoritarian technology abuses are baseless (quite the opposite). Government surveillance in the US is also not the same as that in Russia or China.

But among many other digital harms allowed in the US, the lack of data controls on US firms undermines American soft power. As much as the US government condemns data surveillance practices overseas, American citizens are still unprotected from rampant corporate data hoarding and selling at home. This undermines Washington’s credibility. Politicians vaguely speak of zero controls on corporate data collection in China (inaccurate), while not acknowledging that the US has virtually no corporate surveillance controls whatsoever; the US government campaigns against Indian data localization rules and continues labeling the GDPR a trade barrier while not presenting a positive, democratic alternative for a “better” privacy law. All the while, companies and government organizations keep teaming up to surveil American communities with poor or nonexistent oversight.

If the US is going to forge a realistic, attractive, democratic model of technology governance—one it can use to entice internet “swing states” and hold up against Beijing’s and Moscow’s digital abuses—it needs to be privacy-proactive. Otherwise, the US fails to live up to the democratic ideal by failing to protect its citizens, especially its most vulnerable, from unchecked corporate data collection and sale. It also risks feeding into a post-Snowden view in Europe and elsewhere that the US is merely repeating its 2010-era “internet freedom” agenda when it speaks in the language of techno-democracy.

Citizens’ ability to lead a safe and democratic life in the digital age matters in and of itself, but it also matters for American foreign policy. Congress needs to investigate and hold hearings on the ways that US tech firms might also undermine US national security through their data practices. The unregulated brokering of US citizen data on the open market is one place to start.

In a globally connected world, US foreign policy cannot succeed without safeguarding the data and the rights of American citizens at home.

Justin Sherman (@jshermcyber) is a contributor at WIRED, focused on technology and geopolitics. He has written for The Washington Post, The Atlantic, and many other outlets.