scorecardresearch Skip to main content
Hiawatha Bray | Tech Lab

Is it time to lay down the law on the Internet?

The next big thing on the Internet may be law and order.

For a quarter of a century, the US government has largely treated the Internet like the Oklahoma Territory in the 1890s, leaving network operators and Internet businesses free to do pretty much as they pleased. But attitudes are changing, due to outrage over online privacy lapses, political meddling, even sex trafficking.

Much of the credit — or blame, really — goes to the scandals at Facebook, the massive social media network. Already under attack for allowing Russian agents to plant political ads during the 2016 elections, Facebook is now reeling from the disclosure that a political consultant working for the Trump campaign improperly accessed data of millions of Facebook subscribers. In the resulting firestorm, even Facebook founder Mark Zuckerberg has acknowledged his company would benefit from federal regulation.


Justin Brookman, director of privacy and technology policy at Consumers Union, publisher of Consumer Reports magazine, said the Facebook controversy is boosting support for stronger controls among politicians on the left and right. “I think you’re seeing growing recognition on both sides that the Internet is more than fun and cat pictures,” said Brookman.

But even before the latest Facebook scandal, there had been some movement toward tougher online regulations. Their biggest success so far is the Fight Online Sex Trafficking Act, a recently passed bill that will punish online publishers and social networks that tolerate sex-trafficking ads. The bill was bitterly opposed by civil liberties groups, but was embraced by online titans like Google and Facebook and passed with overwhelming bipartisan support.

Last year, Republican and Democratic lawmakers in Congress put forward a bill to require Internet companies to identify the people and groups who purchase political ads on their sites, much as TV networks must already do. This is essentially the regulation backed this week by Facebook’s Zuckerberg.


Representative Marsha Blackburn, a Tennessee Republican, wants to ban Internet service providers and website operators from collecting personal information about users without their explicit permission. And last September, Senator Edward Markey , a Massachusetts Democrat, proposed tougher regulation of data brokers that collect and resell vast amounts of personal information. Markey’s bill was inspired by the theft of personal data of 143 million customers of credit reporting company Equifax.

And in Facebook’s home state of California, lawmakers are considering creating a state “data protection authority,” with oversight powers over any company that collects digital data about California residents. They would require Internet companies to inform users in clear, simple language what they do with customer data. Users would have the right at any time to demand the company delete their personal data.

But maybe the Europeans have done the job for us. In May, a new privacy law goes into effect in the European Union, the General Data Protection Regulation. Importantly, US firms that collect information on an EU citizen, regardless of their location, will be subject to the law. That means Google or Facebook must provide its European users with the same privacy protections as a company in Germany or France. This might give the American companies an incentive to apply European privacy standards worldwide, to avoid the complexity of meeting different standards in different countries.


Under the EU law, users must give explicit consent for use of their personal data, and can withdraw that consent at any time. Companies must provide copies of data on demand. And if that data is stolen, companies must notify victims within 72 hours. Violations can result in fines of as much as 4 percent of a company’s annual revenues, or 20 million euros — about $25 million.

Dozens of other countries have data and security laws of varying strictness. But despite the recent push here, there’s no guarantee any sort of privacy law would make it through the US Congress. Indeed, last March, Congress weakened Internet privacy protections by striking down regulations issued by the Federal Communications Commission during the Obama administration.

Daniel Weitzner helped draw up a privacy bill of rights as a member of the Obama administration in 2012. The effort went nowhere in Congress, Weitzner said, because lawmakers dreaded a two-front war against giant Internet companies who opposed any regulation and pro-privacy activists who said it didn’t go far enough.

Weitzner said that the passage of the anti-sex-trafficking law could represent a turning point, because “it kind of broke the taboo on regulating Internet companies.” But he acknowledged it’s unclear whether lawmakers will pass more comprehensive privacy rules for the entire industry.

“I hope that Congress will wake up and realize that there are big issues to address, but I think they’re a ways away,” said Weitzner, now director of the Internet Policy Research Initiative at the Massachusetts Institute of Technology.


But Wayne Crews, vice president for policy at the libertarian think tank Competitive Enterprise Institute, said Facebook customers know they’re sacrificing privacy every time they log on. “It’s never been a secret that when you go online you share information in exchange for certain services,” said Crews.

People who are worried about loss of privacy can simply stop using these services, he said, rather than have the government decide for them. If enough consumers want social networks that protect their privacy, Crews added, then some clever entrepreneur will eventually create them.

The hands-off approach to Internet regulation has helped US Internet companies Facebook, Google, and Amazon become global titans. But simmering anger over the abuse of Facebook data for political ends may shift the debate, and goad American lawmakers toward a European-style crackdown in defense of online privacy.

“If we’re going to see a move to do this kind of thing,” said Danny O’Brien, a privacy activist at the Electronic Frontier Foundation, “right now is that moment.”

Hiawatha Bray can be reached at Follow him on Twitter @GlobeTechLab.