A big part of the appeal of the World Wide Web has always been the first two words — “world” and “wide.” The internet represents an almost utopian ideal of a place where people around the globe can come together to share new ideas, create new products and even argue.
But as a privacy advocate, I fear we are rapidly hurtling toward the worst of all future states for the internet: one in which your present location dictates how much online privacy or free speech you enjoy. The current trend of carving up the country, and the globe, into an inconsistent patchwork of privacy and online speech laws benefits few and leaves too many exposed.
I’m a frequent traveler to California, and Assemblymember Ed Chau’s bill to mandate baseline privacy protections for consumers’ data got me thinking about the sorry state of privacy rights and the mistaken direction we are headed. If you are lucky enough to live in a state like California that favors privacy rights, you know that the region also favors policies that support innovation and places few limits on speech online.
But, since most of the world doesn’t live in such a digital utopia as California, many are likely to live, work and spend most of their time in a place that provides, at best, only moderate protections, while limiting what people can see, read or say online.
In the U.S., my fellow privacy advocates are seeking local regulations in reaction to failures at the federal level to enact wise data privacy and online speech policies. But Asm. Chau’s well-intentioned pro-privacy proposal is, unfortunately, only a bandage. It saps energy for the enactment of strong, nationwide policies to protect the privacy of consumers’ data — something we should all favor.
If the bill is enacted, when I visit California the ISPs I’ll encounter will protect my data more rigidly than those I use when I visit family in Wisconsin or am at my home in Washington, D.C. That leaves me less protected everywhere else and gives Californians an inflated sense of security while potentially leaving them exposed when they leave the state. That makes little sense. While I applaud California’s tradition of progressive privacy leadership, I deplore the fact that we don’t have basic privacy nationwide. For example, last year New Mexico became the 48th state to enact basic consumer protections for data breaches that leak consumers’ private data. But what about the residents of Alabama and South Dakota, or all of us when we visit those states for business or pleasure?
The danger of well-intentioned efforts that impose policy restrictions on the structure and content of the internet is real. While these proposals are laudable, personal privacy rights shouldn’t change from state to state. When Californians move around the country for work, to visit family or for vacation, they shouldn’t limit their travel based on states where they can privately and safely transmit medical or financial information, for example.
The same principle should hold true for Californians’ ability to access content or speak online as they travel the world. Restrictions in places like Turkey, Saudi Arabia, China and even across the European Union mangle the internet and make a mockery of the phrase “World Wide Web.”
Don’t mistake my message — I’m not saying we should get rid of all regulations. Instead, wise policies for the internet age — the kind that made California a beacon of innovation — should favor national and global norms that protect data while encouraging free speech. Consumers shouldn’t be left to fend for themselves under the lowest common denominator of protections. Instead, meaningful privacy protections need to be baked into national law.
If anything, the legislation should include more rigorous, broader privacy protections. The legislation should apply to offline businesses as well, instead of singling out ISPs, as retailers routinely obtain similarly sensitive information. The legislation should mandate that an ISP continue protections for Californian customers no matter where they travel to when using the same ISP, so that privacy protections would follow Californians across state lines at least some of the time. It should explicitly prohibit ISPs from obtaining roughly equivalent information about their customers by buying it from other companies that have it.
Most importantly, we need to give the Federal Trade Commission and the Office of the Attorney General of California the resources they need to protect consumer privacy both off- and online. We need robust enforcement of existing privacy laws coupled with a push for strong, nationwide protections.
The real danger in the internet age is states and countries erecting barriers that turn the web into a series of fiefdoms with different rules.
California can lead by example by promoting regulations that are robust and nationwide or global. But by enacting well-intentioned limitations on privacy, it gives encouragement to other well-intentioned rules. It prevents U.S. companies from arguing that rules on the web should be universal. After all, the rules in China to limit Chinese people’s access to the internet in the name of promoting security are also well-intentioned. The same is true for calls from French and Belgian national security agencies to force back doors in encrypted software and to limit speech in the name of potentially preventing radicalization. These types of regulations are always justifiable, but they turn the World Wide Web into a broken map full of unknown consequences.
That’s a destination that none of us wants to visit.