“If you suspect – report”: Western IT businesses may be required to report on customer actions
Technology companies are waiting to see how the situation develops around the latest round of measures from Western regulators and intelligence-agency lobbyists. This time, a bill is being discussed that could contribute to mass leaks of the personal data of IT service users.
Giving up immunity
The bill, called the “See Something, Say Something Online Act”, is proposed to apply to “providers of interactive services.” This definition includes social networks, media outlets with reader profiles and comments, app stores, podcast directories, fintech sites, mailing lists, and almost any other IT product you can find. Companies operating such services may be required to report suspicious activity by their audience and registered users.
If a company's management does not arrange for such reporting, it faces the loss of immunity from prosecution for the actions of third parties. That immunity is provided by Section 230 of the Communications Decency Act. It relieves the top management of online service providers of responsibility for user-generated content. That is why the directors of a hypothetical social network are not held liable for the publications and comments its members exchange, even if a US court finds them criminal or in violation of some legal requirement.
Silence under the hood
Suspicious activity will presumably include private messages, posts, tags, transactions, comments and other user-generated content (UGC), as well as information that government agencies and the courts may associate with especially grave consequences, or that is considered incitement to violence, prohibited activities or drug-trafficking crimes.
These regulations will take into account potential violations both within the United States and abroad. Companies are asked to set aside up to thirty days to analyze possible risks and to prepare and submit a report on questionable actions of customers and users. In emergencies, or where one is threatened, the time taken to submit “Suspicious Transmission Activity Reports” will need to be minimized, and all information available to the company should be shared immediately.
Interestingly, once a report has been submitted, the business will not be able to tell its audience when that happened, or to disclose the fact that it informed the state authorities at all. Companies are therefore likely to stop publishing so-called “transparency reports” and posting “warrant canaries”. In addition, individuals and organizations will not be able to obtain such reports under the Freedom of Information Act, even if they prepare a special request that meets its standards.
Demand for “security guards”
One can only guess what kind of burden such a “redistribution of responsibilities” will place on the IT business, and how technology companies of different sizes and revenue levels will cope with it. It is highly likely that the internal security departments of the largest corporations will easily surpass the intelligence services of a number of small countries in their capabilities and become influential players in the field of national security. And given that the intensity of information exchange and the number of verbal conflicts online are only increasing, such departments, and their counterparts on the side of the state, will have work for many years to come.
The mechanism of interaction will likely be borrowed from the financial crimes agency [FinCEN], and the flow of reports will be processed through a centralized resource. Beyond the potential risks of such an approach, experts point out that this law is directed against new IT platforms and the competitive environment in this niche. If the requirements are adopted and come into force, the number of startups may decrease significantly, since not all of them will be ready to bear the additional bureaucratic burden.