The Washington Post

The Cybersecurity 202: Senate Democrats launch new privacy effort to protect consumer data

with Bastien Inzaurralde

THE KEY

A bill introduced last week by Senate Democrats would require any company that collects users’ digital data to treat that information with the same care that’s required from doctors, lawyers and bankers.

The Data Care Act, which signals Democrats’ thinking as they prepare for the next Congress, would represent a drastic shift from the present state of affairs under which customers’ personal information is often a tech company’s most valuable commodity. But the bill may struggle to win the support of more Democrats, including some prominent backers of stricter privacy regulation who would like to see tech companies face harsher penalties than the vague ones described in the new effort.

If passed, the bill would essentially make tech companies responsible for treating user data with the user’s best interests in mind rather than their own — similar to the way a doctor must advocate for a client’s best interests even if it results in a lower fee.

The effort, which has a long way to go before it has a chance of passage, would bar companies from doing anything that benefits the company over the customer and from selling or sharing customers’ data with companies that don’t put the customer’s best interests first. It would also require Internet companies to “reasonably secure” users’ personal information from hackers and “promptly inform” users when their data is breached.

The bill comes after myriad data scandals, including Facebook acknowledging it allowed third-party apps, including one from the Trump campaign-linked consultancy Cambridge Analytica, to collect reams of information about users and their friend networks. It also comes after data breaches, including at Facebook and the Google Plus social network, that compromised tens of millions of users.  

Facebook and Google have both reined in their data practices since the scandals, even as tech companies are embattled on a host of other fronts by investigators examining how Russian trolls used their platforms to influence the 2016 election campaign and beyond.

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” Sen. Brian Schatz (D-Hawaii), the bill’s lead sponsor, said in a statement. “Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

Tech companies including Google, Apple and Twitter at a Senate Commerce Committee hearing in September signaled support for some sort of federal legislation to protect user privacy. The movement is seen as a growing sign that major tech players need to be at the forefront of some kind of privacy push as Washington lawmakers increasingly scrutinize their practices.

It was also a rear-guard action after California passed a major privacy bill requiring companies to disclose what data they’re collecting from users and to allow users to opt out of that information being shared with third parties.

The new privacy bill won quick praise from civil society groups including the Electronic Frontier Foundation and the Center for Democracy and Technology.

Michelle Richardson, director of CDT’s Privacy and Data Project, said the bill “signals an important shift in how Congress views consumer privacy issues and foreshadows a serious privacy debate in 2019.”

The Internet Association, which represents tech giants including Google and Microsoft, stopped short of endorsing the bill, but said it “looks forward to continuing its work with … stakeholders on both sides of the aisle on our shared goal of passing an economy-wide law that protects consumer privacy and allows companies to innovate.”

There are some reasons, however, to doubt the bill’s future in the next Congress.

First off, the bill was sponsored by 15 Democrats and zero Republicans, which means it will obviously face a rough road in a Senate where Republicans will still control a majority of seats.

“There is no consensus among Democrats and Republicans on how to manage data security,” Betsy Cooper, director of the Aspen Institute’s Cybersecurity and Technology Program, told me.

“Without Republican support for these ideas, I think they will remain abstract principles to be discussed in committee hearings and at conferences,” Cooper added.

The bill also focuses on vaguely described "duties" that tech companies owe their users — such as a "duty of loyalty" and a "duty of confidentiality" — rather than tangible requirements. That could be a major sticking point for some Democrats who want tech companies to face much harsher penalties for misusing customer data.

Sen. Ron Wyden (D-Ore.), for example, released a discussion draft of his Consumer Data Protection Act in November calling for fines of up to 4 percent of companies’ annual revenue and jail time for executives for mishandling customer data.  

The bill does envision some of those vague terms being clarified by the Federal Trade Commission, which is granted new regulatory authorities. Those new authorities, however, are sure to give heartburn to regulation-averse Republicans.

The vague language also leaves room for tech companies to lobby for the broadest possible interpretation of their responsibilities under the bill, Steven Weber, faculty director at the University of California at Berkeley Center for Long Term Cybersecurity, told me.

“I would like to see some more specifics even if they’re inadequate,” Weber said. “That way at least you could ratchet up the provisions over time.”

PINGED, PATCHED, PWNED

PINGED: Russian trolls found a particularly efficient tool in Instagram as they worked to spread online disinformation and divide the American electorate. While experts and policymakers have examined Russian influence efforts on Facebook, Twitter and Google, two new reports prepared for the Senate Intelligence Committee highlighted the prominence of Instagram in those disinformation operations, according to The Washington Post's Craig Timberg, Tony Romm and Elizabeth Dwoskin.

Russian operatives posted 116,000 times on Instagram — almost twice the number of times they posted on Facebook, researchers found. “The most popular posts praised African American culture and achievement, but the Russians also targeted this community for voter suppression messages on multiple platforms, urging boycotts of the election or spreading false information on how to vote,” Craig, Tony and Elizabeth reported.

Also, “over the years of the disinformation campaign, Instagram generated responses on a scale beyond any of the others — with 187 million comments, likes and other user reactions, more than Twitter and Facebook combined,” my colleagues wrote. One report was prepared by the Computational Propaganda Project at Oxford University and the network analysis firm Graphika. The other report was from the cybersecurity company New Knowledge, Columbia University and Canfield Research.

From Camille François, research and analysis director at Graphika and one of the authors of the report by Oxford University and Graphika:

From Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee:

PATCHED: The federal government is set to launch the Federal Cyber Reskilling Academy to help remedy its shortage of cybersecurity workers by training employees who do not currently occupy an IT position, The Post's Eric Yoder reported. The program will initially include 25 employees to receive free training from March through June, according to my colleague. The application process opened on Nov. 30 and will close on Jan. 11. “This is one of the areas in technology where we have higher vacancies and shorter tenures. We’re in the same situation as many private-sector industries where we’re fighting tooth and nail for cyber professionals,” Federal Chief Information Officer Suzette Kent told Eric.

“The curriculum will consist of three training courses, parts of which will be virtual and parts held on-site at Education Department headquarters,” Eric reported. “Those who complete the training successfully are not guaranteed a cybersecurity job with the government, but they should emerge with the skills needed for entry-level jobs, and they will be given further help to break into the field, according to the federal CIO Council, which is running the program.”

PWNED: Google has all but put on hold its project to set up a search engine that would comply with China's online censorship rules following complaints from staffers on the company's privacy team, according to the Intercept's Ryan Gallagher. The initiative ground to a halt after Google directed engineers to stop using a data analysis system meant to help develop the censored search engine Dragonfly. “Significantly, several groups of engineers have now been moved off of Dragonfly completely, and told to shift their attention away from China to instead work on projects related to India, Indonesia, Russia, the Middle East and Brazil,” Gallagher reported.

Engineers had been relying on data from Chinese users' search queries on 265.com, a Chinese-language website that Google owns. Google privacy employees, who are tasked with upholding users' rights, were not informed of the data gathering and “confronted the executives responsible for managing Dragonfly” once they found out about it in an earlier report, according to Gallagher. “Following a series of discussions, two sources said, Google engineers were told that they were no longer permitted to continue using the 265.com data to help develop Dragonfly, which has since had severe consequences for the project.”

PUBLIC KEY

— A new report paints a dire picture of cybersecurity practices in the U.S. missile defense system, according to Defense One's Patrick Tucker. “Critical cyber vulnerabilities could allow adversaries to undermine the system of interceptors and sensors that protect U.S. territory from enemy missiles, the Pentagon’s inspector general said in a new report,” Tucker reported. “Much of the Dec. 10 report is redacted to hide the names of the five facilities and components that were under scrutiny. But the readable portions paint a picture of failures to take even the sort of basic cyber security precautions that are standard in business, such as enabling two-factor authentication, encrypting files that are removable, physically locking up server racks, and using cybersecurity software to detect intrusions.”

— More cybersecurity news from the public sector:

Equifax, others must secure apps as part of New York settlement (CyberScoop)

PRIVATE KEY

— Cybersecurity firm Trend Micro said it found malicious memes on Twitter containing instructions for malware installed on an infected computer, TechCrunch's Zack Whittaker reported. “The researchers found two tweets that used steganography to hide ‘/print’ commands in the meme images, which told the malware to take a screenshot of an infected computer,” Whittaker wrote. The malware then separately obtained information about the computer's command and control server, Whittaker reported. Twitter suspended the account that posted the malicious memes after the researchers reported it. However, as TechCrunch noted, questions remain about the malware itself as it's unclear how it infects victims and where it originated.

— Separately, Reuters reported that Twitter said it solved an issue that could have revealed the country code of phone numbers associated with users' accounts. TechCrunch's Josh Constine noted that the glitch, which stemmed from one of Twitter's support forms, could also have made it possible to find out whether an account had been locked by Twitter. “The concern here is that malicious actors could have used the security flaw to figure out in which countries accounts were based, which could have ramifications for whistleblowers or political dissidents,” Constine wrote.

— More cybersecurity news from the private sector:

53 Bugs in 50 Days: Researchers Fuzz Adobe Reader (Dark Reading)

SECURITY FAILS

Your High-Tech Car Is a Magnet for Hacking (Bloomberg News)

Hacker Talks to Arizona Man Directly Through His IoT Security Camera (Motherboard)

PewDiePie fans hack the Wall Street Journal (The Verge)

THE NEW WILD WEST

Czech cyber watchdog calls Huawei, ZTE products a security threat (Reuters)

Denmark Hires Hackers to Test If Bank Systems Are Sitting Ducks (Bloomberg News)

ZERO DAYBOOK

Coming soon

EASTER EGGS

How Democrats plan to get Trump’s tax returns in 2019:

Democrats tried 17 different times to obtain President Trump’s tax returns over the past two years. Now they may finally get them. (Video: JM Rieger/The Washington Post)

Will Trump supporters turn out in key states in 2020?

The Post's Seung Min Kim explains what President Trump's strategy in the 2018 midterms tells us about his 2020 campaign strategy. (Video: Monica Akhtar/The Washington Post)

Massive waves pummel California coast:

The San Francisco Bay Area was hit with giant waves on Dec. 17, after storm systems churned waters to dangerous levels along the West Coast. (Video: The Washington Post)