2017 Year in Review: Privacy & Security

This post is one in a series of reports on significant issues for startups in 2017. In the past year, the startup community's voice helped drive notable debates in tech and entrepreneurship policy, but many of the startup world's policy goals in 2017, such as immigration reform and an open internet, remain unfulfilled. Check back here for more year-end updates and continue to watch this space in 2018 as we follow policy issues affecting the startup community.

2017 YIR.png

Privacy and security debates continued to unfold in 2017. While we saw the extension of fights from previous years—including efforts to require a warrant to access user data on the Hill and an administration pushing for backdoors into encrypted products and services—policymakers and the courts were forced to grapple with questions raised by new events, court developments, and deadlines.

 

Privacy

Congress again took up the debate over government access to user data, an issue that often forces tech companies to choose between ignoring government orders or turning over user data. The House approved the Email Privacy Act, a bill that would reform the 1986 Electronic Communications Privacy Act to require law enforcement to obtain a warrant before accessing stored emails. Sens. Mike Lee and Patrick Leahy renewed their push to pass similar legislation through the upper chamber, but the bill has yet to move. In the executive branch, the Justice Department announced that it changed its long-standing practice of serving requests for users’ data with gag orders, a move that has kept tech companies from letting their users know that their data has been surrendered to the government.

Government access to user data was a big issue in the courts this year, with the Supreme Court taking on two of the biggest questions in privacy law during its 2017-2018 term. The court agreed to hear arguments in a 2014 case centered on whether the U.S. government could force Microsoft to turn over user data that was stored abroad. The court also heard oral arguments in the case Carpenter v. U.S., a case about whether the government violated the Fourth Amendment by getting an armed robbery suspect’s location information from his cellphone company.
 

Cybersecurity

Policymakers turned their attention to data breach policy after credit reporting agency Equifax announced that it had suffered a massive data breach, making vulnerable the data of tens of millions of Americans. The FTC said it would investigate the breach, and the company faced scrutiny from House Energy and Commerce Republicans and Democrats, the bipartisan leaders of the Senate Finance Committee, Sen. Brian Schatz (D-Hawaii) and a group of Senate Democrats. In the wake of the high-profile breach lawmakers proposed a national standard for data breach notification.

There was also a public debate about vulnerabilities in 2017, especially after an NSA-held vulnerability was used in the WannaCry ransomware attack that affected hospitals, telecommunications companies, and more around the world. Later in the year, the White House released some much-anticipated information about its Vulnerabilities Equities Process, the interagency process that the federal government uses to determine whether it should tell companies about their products’ vulnerabilities it finds and uses.

 

Encryption

The administration may have changed, but the fight over encryption hasn’t. This year saw a new Justice Department put some familiar pressure on tech companies to break their encrypted products and services—or practice “responsible encryption”—to help the government gain access to data.

New U.S. Attorney General Jeff Sessions continued his record of supporting encryption backdoor requirements, issuing overblown warnings about encrypted technologies and criticizing tech companies that don’t give law enforcement access to encrypted data. Deputy Attorney General Rod Rosenstein touched on cybersecurity issues in a speech in November, again criticizing encrypted technologies that don’t allow for law enforcement access and specifically citing the FBI’s inability to access encrypted data on a device belonging to the shooter in that month’s tragic shooting in Texas. And during a December oversight hearing, FBI Director Christopher Wray warned lawmakers in written testimony that his agency is increasingly struggling to access encrypted data.


Government Surveillance

Congress spent 2017 with a looming deadline on online surveillance: the end-of-year sunset of Section 702 of the Foreign Intelligence Surveillance Act, the law that mandates controversial online spying programs including PRISM and Upstream. While those programs are ostensibly aimed at foreigners located abroad, they regularly allow U.S. intelligence agencies to collect and search Americans’ communications, and the invasive spying poses major impacts on companies with users abroad.

Despite the deadline, Congress didn’t begin seriously considering the issue until relatively late in the year. In the House, the Judiciary Committee moved a bill that made pro-privacy reforms to the law, and the Intelligence Committee passed a bill that would extend and expand spying under Section 702. The Senate Intelligence Committee also passed a bill that could expand Section 702 programs, and two other pro-privacy bills in the Senate failed to advance. After a series of start-and-stops, Congress failed to find a passable solution before it adjourned at the end of the year and instead included a short-term straight reauthorization that will expire with the current government funding measure on January 18, 2018. The last minute punt sets Congress up for a debate in early 2018.