On Monday, Sens. Mark R. Warner (D-Va.) and Josh Hawley (R-Mo.) introduced the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, bipartisan legislation that would require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers and how it is being utilized by the platform for profit.
“When a big tech company says its product is free, consumers are the ones being sold. These ‘free’ products track everything we do so tech companies can sell our information to the highest bidder and use it to target us with creepy ads,” Hawley said in a statement. “Even worse, tech companies do their best to hide how much consumer data is worth and to whom it is sold. This legislation gives consumers control of their data and will show them how much these ‘free’ services actually cost.”
“For years, social media companies have told consumers that their products are free to the user. But that’s not true—you are paying with your data instead of your wallet,” Warner added.
The proposed legislation, Warner said, “will allow consumers to understand the true value of the data they are providing to the platforms, which will encourage competition and allow antitrust enforcers to identify potentially anticompetitive practices.”
The proposed DASHBOARD Act would:
- Require commercial data operators (services with over 100 million monthly active users) to disclose types of data collected as well as regularly provide their users with an assessment of the value of that data;
- Require commercial data operators to file an annual report on the aggregate value of user data they’ve collected, as well as contracts with third parties involving data collection; and
- Require commercial data operators to allow users to delete all, or individual fields, of data collected and disclose to users all the ways in which their data is being used, including any uses not directly related to the online service for which the data was originally collected.
The bill would also “empower” (it stops short of mandating) the Securities and Exchange Commission to develop methodologies for calculating data value while encouraging the agency to facilitate flexibility to enable businesses to adopt methodologies that reflect the different uses, sectors, and business models.
The DASHBOARD Act is the second tech-focused bill Hawley and Warner have partnered on. The first was Hawley’s Do Not Track Act, which would be modeled after the Federal Trade Commission’s (FTC) “Do Not Call” list and allow users to opt out of non-essential data collection.
Last week, Hawley also introduced legislation to amend longstanding “Section 230” immunity for big tech companies.
The Ending Support for Internet Censorship Act, he says, is “a major update to the way big tech companies are treated under Section 230 of the Communications Decency Act.” The legislation removes the immunity big tech companies receive under Section 230 unless they submit to an external audit that proves “by clear and convincing evidence” that their algorithms and content-removal practices are politically neutral.
The bill would apply only to companies with more than 30 million active monthly users in the U.S., more than 300 million active monthly users worldwide, or who have more than $500 million in global annual revenue. The bill would not apply to small- and medium-sized tech companies.
“With Section 230, tech companies get a sweetheart deal that no other industry enjoys: complete exemption from traditional publisher liability in exchange for providing a forum free of political censorship,” Hawley, a critic of alleged online censorship of conservative political viewpoints, said in a statement. “Unfortunately, and unsurprisingly, big tech has failed to hold up its end of the bargain.”
The Communications Decency Act, passed in the Internet’s early days of widespread adoption in 1996, protects companies from liability for illegal content posted by third parties. According to Hawley, however, “the Internet has long passed its infancy.”
“The largest and most powerful companies today are big tech companies. And they have enormous resources and advanced algorithms that they can use to help them moderate content. Those companies should not receive this government subsidy free of any responsibility,” he says. “It is time to shine light onto what big tech companies do and force them to provide transparency about their content moderation practices.”
The Ending Support for Internet Censorship Act would:
- Remove automatic immunity under Section 230 from big tech companies;
- Give big tech companies the ability to earn immunity through external audits;
- Force big tech companies to prove to the Federal Trade Commission, “by clear and convincing evidence” that their algorithms and content-removal practices are politically neutral;
- Establish that the FTC could not certify big tech companies for immunity except by a supermajority vote;
- Impose responsibility upon big tech companies for the cost of conducting audits;
- Mandate that companies reapply for immunity every two years; and
- Preserve existing immunity for small- and medium-sized companies.
Recently, the Senate Homeland Security and Governmental Affairs Committee advanced bipartisan legislation introduced by Sens. Warner and Cory Gardner (R-Colo.), cofounders of the Senate Cybersecurity Caucus. It seeks “to improve the cyber-security of Internet-connected devices.”
The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements. The bill awaits consideration in the full Senate. Previously, the House of Representatives Committee on Oversight and Reform advanced companion legislation sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas).
The Internet of Things (IoT) Cybersecurity Improvement Act of 2019, as passed out of Committee, would:
- Require NIST to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices;
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations;
- Task OMB with reviewing its IoT policies at least every five years;
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations; and
- Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
The bill would also require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies.