Starting at 10 a.m. Wednesday, the Senate Commerce Committee plans to quiz representatives of six big tech firms about privacy on their services and in their apps. And the answers that committee members get from Amazon, Apple (AAPL), AT&T (T), Charter (CHTR) Google (GOOG, GOOGL) and Twitter (TWTR) executives may give us a better sense of how these companies use our data and try not to lose it.
Or, as we saw earlier this month when a House interrogation of Twitter CEO Jack Dorsey turned into an airing of GOP grievances, the session could simply tell us how high each tech firm ranks on the enemies lists of individual senators.
Either way, the possible upside is that after years of inaction, we may see serious action by Congress on a comprehensive privacy bill.
What senators should ask
Currently, no CEOs are scheduled to testify. Instead, the following executives are scheduled to face questions from Senators:
Len Cali, Senior Vice President—Global Public Policy, AT&T
Andrew DeVore, Vice President and Associate General Counsel, Amazon
Keith Enright, Chief Privacy Officer, Google
Damien Kieran, Global Data Protection Officer and Associate Legal Director, Twitter
Guy (Bud) Tribble, Vice President for Software Technology, Apple
Rachel Welch, Senior Vice President, Policy & External Affairs, Charter Communications
After the easy and entertaining gotcha questions — “have you actually read your own terms and conditions?” comes to mind — it’s not hard to think of queries senators ought to pose to the various vice presidents and officers of these six firms.
“When did you last remove a feature to reduce the amount of data you collect?” would be a great question. Data minimization is the best way to reduce the damage inflicted by a hack or a data breach. But it’s also a thoroughly foreign concept in much of the tech world.
“How many of your users have changed their privacy preferences from the defaults?” is another revealing query, because these options often wind up deeply buried in a site or app’s interface.
Among firms that allow their users to see the profile data provided about them to advertisers, the committee would be smart to ask how many users have inspected or edited their information.
Most of these companies also let outside firms build apps on their platforms, and as the Cambridge Analytica data scandal showed, that represents an immense risk. Not even Apple is immune: An app called Adware Doctor stole browsing histories of Mac users fooled by its long tenure and high ranking in the Mac App Store. Marco Rubio (R.-FL) isn’t a Commerce member, but somebody in the hearing should read from his letter to Apple CEO Tim Cook last week: “Why were the claims involving Adware Doctor’s use of user data not immediately investigated?”
Finally, because the European Union’s General Data Protection Regulation (GDPR) has become such a frequent and unflattering point of comparison to America’s patchy privacy framework, somebody on this committee should ask these firms which provisions of the GDPR inflicted the lowest and highest compliance costs.
What we might hear instead
But recent U.S. political history offers no guarantee that we’ll see such focused, high-minded questioning. When something as minor as a search tool’s autocomplete function can become a political football, why not do the same with privacy and security?
“Attorney General Session’s upcoming meeting with state attorneys general could coax some senators into talking about how platforms might be ‘intentionally stifling the free exchange of ideas’,” said Will Rinehart, director of technology and innovation policy at the free-market-oriented think tank American Action Forum. “The focus of this hearing needs to be on data security and privacy issues.”
The European Union’s GDPR, which has wound up bringing new privacy protections for U.S. customers when companies decided to bring the same privacy features worldwide, has also become increasingly tempting to many lawmakers. A hearing that pivots to asking why we don’t just import GDPR rules into U.S. law will not be too informative either.
“No one really seems capable of looking at the issue of consumer privacy in a different and less innovation-antagonistic way, which is what an effective policy would require,” said Cathy Gellis, a lawyer who runs the Digital Age Defense project.
The tech representatives themselves, meanwhile, may fall back on the same old promises to do better. Expect to hear versions of what Deloitte CEO Cathy Engelbert told Yahoo Finance’s JP Mangalindan at Thursday’s Yahoo Finance All Markets Summit conference: “More regulation is not necessarily the answer. Companies need to self-regulate.”
Send us the bill, please
This hearing will mean little if it doesn’t lead to Congress doing anything about privacy. Historically, that has not been its strength. The Obama administration’s attempt to pass a “Consumer Privacy Bill of Rights” went nowhere, and Congress has since proven itself incapable of even fixing the grotesquely obsolete Electronic Communications Privacy Act of 1986.
But this year—or more realistically, next year—may be different. That’s not just because of all of Big Tech’s privacy screwups, but because California passed a sweeping, GDPR-inspired privacy law that will go into effect in 2020.
“The possibility of a federal privacy law is set to dramatically increase next year,” Rinehart said, noting that 2020 deadline for California’s Consumer Privacy Act. ”Congress has one year to act.”
Gellis concurred: “As long as states keep trying to pass their own GDPR-ish laws themselves, the appetite for federal pre-emption will continue to grow.”
Senate Commerce chair John Thune (R.-SD) told Politico Wednesday that he’s preparing his own privacy bill, although that may not drop until next year.
And maybe it will take another year after that.
“I expect we’ll see bills later this year after the election and early next year as the next Congress is gearing up,” said Cameron Kerry, a fellow at the Brookings Institution. “Something with as broad impact as this issue often takes more than one Congress, but there are lot of currents that converge on getting something done by 2020.”
More from Rob: