Protecting data privacy and protecting children’s online safety are well-intentioned goals that lawmakers should hesitate to legislate.
Legislative solutions are often ill-thought-out, relying on external people to figure out how to solve an impossible problem: data privacy with no trade-offs. The very mechanism of providing data privacy or protection often involves aggregating and collecting that very same data in a thoroughly insecure manner. Proponents of government actions mandating data protection are left with solutions that are either so ineffectual they can be bypassed or methods so effective they violate the very privacy they’re meant to protect. A few examples can illustrate this principle.
The Tea is a women-only app meant to protect women who may be cautious of online strangers by providing a place to discuss men, without repercussions, who may have red flags. Its privacy method involves requiring verification of all users by collecting identification information upon registration; the promise of a safe space for women, guaranteed. Unfortunately, this service relied on a legacy data storage system, which was recently hacked, and very quickly, online communities have been able to spread the private details of these women, even creating geographic maps of where these individuals live.
This is a major tragedy for those who signed up for this service, and illustrates the inherent risks of verification via data aggregation. Now consider that most policy proposals rely on third-party data storage, and the downsides of laws that use this kind of verification become apparent.
The United Kingdom’s Online Safety Act, meant to protect children online, just took effect and suffers from the same problem. While protecting children from age-inappropriate material is a laudable goal, the means by which this is achieved requires U.K. citizens to store their identification data on foreign servers with varying degrees of security. Furthermore, the requirements are easy to bypass – children raised in the digital age are savvy. Depending on the content being accessed, users can provide fake or readily available online IDs to bypass the verification process, use grandfathered email accounts whose digital footprint predates the user, or simply use one of the many VPN options to spoof a foreign location for the user.
Ironically, using VPNs has been a market-oriented way for users to protect their data, but the Labour government is considering implementing a VPN ban that it previously supported. The U.K. is demonstrating in real time the paradox of a security law that puts citizens’ privacy at risk while also being so easy to bypass that it provides no real security.
The lack of consideration for these secondary effects is not limited to our friends across the pond, either. This last legislative session, Washington state lawmakers introduced Senate Bill 5708 to protect children from addictive social media feeds. Washington Policy Center highlighted an included provision that would have notified children who were being monitored online, including by their parents. This caused the provision to be removed, but it demonstrates the tradeoffs involved with privacy and data protection laws.
In many cases, lawmakers try to outsource the mechanisms of their goals to external actors, but this leaves the root problem unaddressed. Either data monitoring and privacy laws preserve a level of anonymity for citizens and can be skirted easily, or they work as intended but require the surrender of all privacy rights to the government.
Even totalitarian solutions like China’s internet firewall have cracks, and lawmakers should learn the lessons that well-intended policies don’t come without unintended consequences. By trying to regulate privacy, you may just as well be violating the very principle of privacy.
Donald Kimball is the communications manager and Tech Exchange editor for the Washington Policy Center.
