Consumers who have clamored for data privacy reform since Equifax’s ransacking and, more recently, Facebook’s Cambridge Analytica debacle have cause to celebrate.
On Thursday, Senator Ron Wyden (D-Ore.), a prominent privacy hawk, unveiled a draft bill that seeks to slap harsher penalties on companies—and chief executive officers—who run afoul of new rules that expand government oversight of the tech industry. The Consumer Data Privacy Act, as the bill is tentatively named, takes its cue from Europe’s General Data Privacy Regulation, or GDPR, which can fine companies up to 4% of their global, annual revenues for infractions. But Wyden’s bill goes even further; in addition to that penalty, the proposed law would jail chief execs up to 20 years with individual fines reaching as high as $5 million for CEOs who knowingly mislead regulators.
If GDPR has teeth, Wyden’s proposal has fangs—set on the jugulars of corporate heads. The proposed law would require big firms—ones with revenues exceeding $1 billion or ones that store data on more than 50 million consumers or their devices—to submit “annual data protection reports” to the government that lay out their data-securing practices. It would force companies to comply with “do not track” policies while offering alternative payment options to consumers, such as subscription fees instead of ad-supported “free” models. And it would boost the power of the Federal Trade Commission, adding a tech-focused division with a broader mandate alongside an arsenal of stronger enforcement actions.
Lindsey Barrett, an attorney and teaching fellow at Georgetown Law’s Communications & Technology Clinic within the school’s Institute for Public Representation, commented on Twitter that the proposed legislation “injects sorely needed accountability into our equif*cked information ecosystem.” Wyden’s own statement was a little more sanitized: “It’s time for some sunshine on this shadowy network of information sharing,” he said.
But the proposed reform isn’t all sunshine and rainbows. Jake Williams, an alumnus of the National Security Agency who has since cofounded Rendition InfoSec, a cybersecurity consulting shop, said he doubts the bill will pass. “Even if it does, it won’t mean what you might think. It won’t create a SOX style environment around cyber. Sorry,” he wrote on Twitter, referring to Sarbanes-Oxley, a 2002 financial reform enacted in the wake of the Enron scandal to prevent similar accounting blowups.
The main thrust of Williams’ criticism is that the proposed law will box in cybersecurity practitioners and will subjugate and constrain an industry that is still finding its feet. The bill effectively grants corporate governance, risk, and compliance departments the right to “rule infosec,” Williams warned. If it passes into law, it will likely lead to licensing requirements within the cybersecurity industry, akin to the hoops people must jump through to become certified public accountants, he said. “Professional licensure is not good for a profession this young,” he said.
Data privacy reform is long overdue, but this bill presents questions. Is Big Tech—and its CEOs—ready to face the formalized wrath of guillotine-thirsting regulators? Does the bill unfairly target CEOs, leaving other C-Suite executives and board members off the hook? Could companies end up shoving the blame onto scapegoat CEOs of subsidiary businesses? And finally, as Williams noted, is the cybersecurity industry really ready to grow up and professionalize, accepting all the responsibility and regulatory constrictions that entails?
Be careful what you wish for, and have a great weekend.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Apple drops the mic. Apple patched a number of critical flaws in its software, such as iCloud, macOS, and iOS. The company also revealed that its new MacBook security chip, called T2, includes a feature that cuts off microphone access when the lid of a laptop is closed, making it more difficult for spies to turn these computers into eavesdropping devices.
Google's bot blocker. Google is now requiring anyone attempting to log in to its online services to run javascript, a measure designed to weed out potentially malicious imposter bots. The search giant also improved its security checkup feature, added alerts related to data sharing with third parties, and instituted automatic account recovery triggers.
Facebook f***ups. Facebook's advertising platform remains a garbage fire. It approved ads that undercover journalists pretended were paid for by the Islamic State and it allowed marketers to target people interested in "white genocide."
Lips (un)sealed. The Department of Justice unsealed charges on Tuesday against two Chinese intelligence officers and eight supposed accomplices for allegedly conspiring to steal aircraft engine designs from U.S. aviation companies. Two days later, the department unsealed charges against Fujian Jinhua, a Chinese state-owned chip maker; United Microelectronics Corp., a Taiwanese partner; and three Taiwanese nationals for allegedly stealing trade secrets from Micron Technology, the U.S.'s largest memory-chip maker.
Huawei infiltrated? The Weekend Australian published a report alleging that Australian officials have received intelligence reports alleging that Chinese spies recruited staffers within Chinese telecom giant Huawei. The Chinese spies allegedly obtained secret access codes from these recruits, thereby enabling them to infiltrate an unidentified foreign network.
Share today's Cyber Saturday with a friend:
http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here
ACCESS GRANTED
Meet the bounty hunters. Mashable's latest installment in its ongoing series "the women fixing STEM"—an abbreviation for "science, technology, engineering, and mathematics"—profiles three hackers who get paid to keep the Internet safe. Katie Moussouris helped create the vulnerability disclosure program at Microsoft. Jesse Kinser used her bug bounty winnings to put a down payment on a Tesla. And Alyssa Herrera, another bug bounty hunter, describes her work as "quite euphoric...it's like solving a hard riddle or a puzzle."
It had taken a month of work, but Jesse Kinser had finally hit the jackpot. The security researcher had managed to pull off quite a feat — stealing the source code for more than 10,000 different websites, including a big four consulting company — and the ramifications of her find were staggering.
But contrary to many people's perceptions of shadowy hackers, her next move wasn't trading the data on the dark web, or crafting exploits to sell to the highest bidder. Rather, she was faced with a different sort of daunting task: developing a responsible disclosure process to notify the thousands of vulnerable companies she'd just pwned. That's right, after accessing all that code, her next job was to let the victims know exactly how she'd done it — and how they could stop someone with a different set of moral guideposts from doing the same.
FORTUNE RECON
Hackers Extracted and Published Facebook Private Messages Grabbed Through Bad Browser Plug-Ins by Glenn Fleishman
Americans Deserve to Know Who’s Behind Online Political Ads by Dipayan Ghosh and Robert C. Pozen
Cryptocurrency Scams Are Now Among the SEC's Top Enforcement Priorities by Jeff John Roberts
Yes, Chinese Piracy Has Lost Microsoft a Lot of Windows Revenue. But the Story Isn't So Simple by David Meyer
Google and the Rest of the Tech Industry Are Grappling With These 3 Data Problems by Jonathan Vanian
In China, Facial Recognition Tech Is Watching You by Eamon Barrett
ONE MORE THING
Pocket Shakespeare. Forget Twitter's 280 character limit. You can fit the entire works of Shakespeare into the metadata field of an image posted to the site, a security researcher discovered. The steganographic technique has applications beyond distributing literature, as Vice Motherboard writes: "Files could potentially act as parts of infrastructure for controlling malware while sitting out in the open."
The technique could disguise bot-net operations; after all, an infected computer pinging Twitter is far less suspicious than one contacting some random server.
