Press Releases
WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Mazie Hirono (D-HI), Amy Klobuchar (D-MN), Tim Kaine (D-VA), and Richard Blumenthal (D-CT), along with U.S. Reps. Kathy Castor (D-FL-14) and Mike Levin (D-CA-49), reintroduced the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act to reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, online harassment, and discrimination on social media platforms.
“For too long, Section 230 has given cover to social media companies as they turn a blind eye to the harmful scams, harassment, and violent extremism that run rampant across their platforms,” said Sen. Warner, a former technology entrepreneur and the Chairman of the Senate Select Committee on Intelligence. “When Section 230 was enacted over 25 years ago, the internet we use today was not even fathomable. This legislation takes strides to update a law that was meant to encourage service providers to develop tools and policies to support effective moderation and allows them to finally be held accountable for the harmful, often criminal behavior that exists on their platforms.”
“Social media platforms allow people to connect all across the world—but they also cause great pain and suffering, being used as a tool for cyberbullying, stalking, spreading hate, and more. The way we communicate as a society has changed drastically over the last 25 years, it’s time for our laws to catch up,” said Sen. Hirono, a member of the Senate Judiciary Committee. “The SAFE TECH Act targets the worst abuses perpetrated on internet platforms to better protect our children and our communities from the very real harms of social media.”
“We need to be asking more from big tech companies, not less. How they operate has a real-life effect on the safety and civil rights of Americans and people around the world, as well as our democracy. Our legislation will hold these platforms accountable for ads and content that can lead to real-world harm,” said Sen. Klobuchar.
“Congress has acted in the past to ensure that social media companies don’t get blanket immunity after hosting information on their websites aimed at facilitating human or sex trafficking,” said Sen. Kaine. “I’m fully supportive of using that precedent as a roadmap to require social media companies to moderate dangerous content linked to other crimes—like cyber-stalking, discrimination, and harassment—in a responsible way. This is critical to keep our communities safe.”
“Section 230’s blanket immunity has prioritized Big Tech over Americans’ civil rights and safety. Platforms’ refusal to be held accountable for the dangerous and harmful content they host has real-life implications for users – leaving many vulnerable to threats like stalking, intimidation, and harassment, as well as discrimination,” said Sen. Blumenthal. “Our legislation is needed to safeguard consumers and ensure social media giants aren’t shielded from the legal consequences of failing to act. These common sense protections are essential in today’s online world.”
“For too long, big tech companies have treated the internet like the wild west while users on their platforms violate civil and human rights, defraud consumers and harass others. These companies have shown over and over again that they are unwilling to make their platforms safe for Americans. It is long past time for consumers to have legal recourse when big tech companies harm them or their families. Our bill will ensure they are held accountable,” said Rep. Castor.
“Social media companies continue to allow malicious users to go unchecked, harm other users, and violate laws. This cannot go on and it is clear federal reform is necessary,” said Rep. Levin. “Our bicameral legislation makes much needed updates to Section 230 to ensure Americans can safely use online platforms and have legal recourse when they are harmed. It’s long past time that these legislative fixes are made and I look forward to this bill moving through the Congress.”
Specifically, the SAFE TECH Act would force online service providers to address misuse on their platforms or face civil liability. The legislation would make clear that Section 230:
- Doesn’t apply to ads or other paid content – ensuring that platforms cannot continue to profit as their services are used to target vulnerable consumers with ads enabling frauds and scams;
- Doesn’t bar injunctive relief – allowing victims to seek court orders where misuse of a provider’s services is likely to cause irreparable harm;
- Doesn’t impair enforcement of civil rights laws – maintaining the vital and hard-fought protections from discrimination even when activities or services are mediated by internet platforms;
- Doesn’t interfere with laws that address stalking/cyber-stalking or harassment and intimidation on the basis of protected classes – ensuring that victims of abuse and targeted harassment can hold platforms accountable when they directly enable harmful activity;
- Doesn’t bar wrongful death actions – allowing the family of a decedent to bring suit against platforms where they may have directly contributed to a loss of life;
- Doesn’t bar suits under the Alien Tort Claims Act – potentially allowing victims of platform-enabled human rights violations abroad to seek redress in U.S. courts against U.S.-based platforms.
Sen. Warner first introduced the SAFE TECH Act in 2021 and is one of Congress’ leading voices in demanding accountability and user protections from social media companies. Last week, Sen. Warner pressed Meta on Facebook's role in inciting violence around the world. In addition to the SAFE TECH Act, Sen. Warner has introduced and written numerous bills aimed at improving transparency, privacy, and accountability on social media. These include the Deceptive Experiences to Online Users Reduction (DETOUR) Act, legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data; and the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, legislation that would encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings.
“The onslaught of misinformation and discriminatory attacks across social media platforms continues unabated. It is essential that the tech companies that run these platforms protect their users and end the rampant civil rights violations of Black users and other users of color. Social media remains a virtually unchecked home for hateful content discrimination, especially through the manipulation of algorithms that lead to both the targeting and limiting of which users see certain types of advertisements and opportunities. Congress can take a step in the right direction by strengthening Section 230 and ensuring that online communities are not safe harbors for discrimination and civil rights violations. LDF supports Senator Warner and Senator Hirono’s bill to address these critical concerns,” said Lisa Cylar Barrett, Director of Policy, Legal Defense Fund (LDF).
“There needs to be real clarity on Section 230. The hate that festers online: antisemitism, Islamophobia, racism, misogyny and disinformation – leads to real violence, real lives targeted, real people put at risk. ADL supports the ability for people affected by violence to hold perpetrators accountable – and that includes social media companies. ADL appreciates the efforts of Senators Warner, Hirono, Klobuchar, and Kaine to tackle this complex challenge. We look forward to working with them to refine this legislation to ensure a safer and less hate-filled internet for all users,” said Jonathan A. Greenblatt, CEO of ADL (Anti-Defamation League).
“Platforms should not profit from targeting employment ads toward White users, or from targeting voter suppression ads toward Black users. The SAFE TECH Act makes it clear that Section 230 does not give platforms a free pass to violate civil rights laws, while also preserving the power of platforms to remove harmful disinformation,” said Spencer Overton, President, Joint Center for Political and Economic Studies.
“I applaud the SAFE TECH Act introduced by Sens. Warner and Hirono which provides useful modifications to section 230 of the 1996 Communications Decency Act to limit the potential negative impacts of commercial advertising interests while continuing to protect anti-harassment and civil and human rights interests of those who may be wrongfully harmed through wrongful online activity,” Ramesh Srinivasan, Professor at the UCLA Department of Information Studies and Director of UC Digital Cultures Lab, said.
“It is glaringly apparent that we cannot rely on the tech companies to implement common sense policies that reflect common decency on their own. We thank and commend Senators Warner, Hirono, Klobuchar, and Kaine for their foresight and for showing their commitment to the safety of our citizens by putting forth the SAFE TECH Act. The SAFE TECH Act will continue to protect free speech and further protect our civil rights while sensibly amending section 230, an outdated law that the tech companies hide behind in their refusal to take responsibility for real-life consequences,” said Wendy Via, Cofounder, Global Project Against Hate and Extremism.
“The Cyber Civil Rights Initiative welcomes this effort to protect civil rights in the digital age and to hold online intermediaries accountable for their role in the silencing and exploitation of vulnerable communities. This bill addresses the urgent need to limit and correct the overzealous interpretation of Section 230 that has granted a multibillion dollar industry immunity and impunity for profiting from irreparable injury,” said Mary Anne Franks, President, Cyber Civil Rights Initiative and Danielle K. Citron, Vice President, Cyber Civil Rights Initiative.
“Social media companies have enabled hate, threats and even genocide against Muslims with virtual impunity. The SAFE TECH Act would bring needed and long-overdue accountability to these companies,” said Muslim Advocates Senior Policy Counsel Sumayyah Waheed. “We thank Sens. Warner, Hirono, Klobuchar, Kaine and Blumenthal for leading on this important bill. Every day, Muslims are profiled, discriminated against, attacked and worse just for engaging in public life. Passing this bill would bring us one step closer to ensuring that Muslims and other marginalized communities can hold social media companies accountable for the reckless way they violate people’s rights and threaten their safety on and offline.”
“The SAFE TECH Act is an important step forward for platform accountability and for the protection of privacy online. Providing an opportunity for victims of harassment, privacy invasions, and other violations to remove unlawful content is critical to stopping its spread and limiting harm,” said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC).
“The SAFE TECH Act is a Section 230 reform America needs now. Troubling readings of Section 230 have encouraged reckless and negligent shirking by platforms of basic duties toward their users. Few if any of the drafters of Section 230 could have imagined that it would be opportunistically used to, for example, allow dating sites to ignore campaigns of harassment and worse against their users. The SAFE TECH Act reins in the cyberlibertarian ethos of over-expansive interpretations of Section 230, permitting courts to carefully weigh and assess evidence in cases where impunity is now preemptively assumed,” said Frank Pasquale, Author of The Black Box Society and Professor at Brooklyn Law School.
“It is unacceptable that courts have interpreted Section 230 to provide Big Tech platforms with blanket immunity from wrongdoing. Congress never intended Section 230 to shield companies from all civil and criminal liability. Reforms proposed by Sens. Warner and Hirono are an important step in the right direction. It is time to hold Big Tech accountable for the harms they cause children and families and other vulnerable populations,” said James P. Steyer, Founder and CEO, Common Sense.
“The SAFE TECH Act aims to hold social media giants accountable for spreading harmful misinformation and hateful language that affects Black communities and limits our voting power,” said Brandon Tucker, Sr. Director of Policy & Government Affairs at Color Of Change. “Social media companies have used Section 230 as a shield against legal repercussions for their continued civil rights violations across their platforms. When we released our Black Tech Agenda and Scorecard last year, we made sure that the SAFE TECH Act was a key criteria in marking legislators’ progress toward advancing tech policy solutions with a racial justice framework. We call on members of Congress to support this critical legislation to protect Black people’s rights and safety online.”
“It has become abundantly clear that disinformation and hate on social media can create real-world harms – whether it's anti-vaxx misinformation, election-related lies or hate, it is now clear that there is a significant threat to human life, civil rights and national security. The problem is crazy incentives, where bad actors can freely spread hate and misinformation, platforms profit from traffic regardless of whether it is productive or damaging, but the costs are borne by the public and society at large. This timely bill forensically delineates the harms and ensures perpetrators and enablers pay a price for the harms they create. In doing so, it reflects our desire for better communication technologies, which enhance our right to speak and be heard, and that also respect our fundamental rights to life and safety,” said Imran Ahmed, CEO, Center for Countering Digital Hate.
“Senator Mark Warner is a leader in ensuring that technology supports democracy even as it advances innovation. This legislation removes obstacles to enforcement against online discrimination, cyber-stalking, and targeted harassment and incentivizes platforms to move past the current, ineffective whack-a-mole approach to harms,” said Karen Kornbluh, Former US Ambassador to the Organization for Economic Co-operation and Development.
Full text of legislation is available here.
###
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Banking Committee and a lead author of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which created the Consumer Financial Protection Bureau (CFPB), released the following statement after the Supreme Court announced it will hear arguments next term in a case with far-reaching implications for the constitutionality of the CFPB, CFPB v. Community Financial Services Association of America:
“Congress created the Consumer Financial Protection Bureau after the financial crisis to enforce consumer protection laws and make sure the banks, credit card companies and other financial institutions aren’t abusing their powers to take advantage of everyday Americans. If the Fifth Circuit’s decision, which could make every rule put forward by the CFPB unconstitutional, is permitted to stand, there will be financial chaos as all sorts of transactions governed by CFPB policies could grind to a halt, and consumers would be left without the protections they expect and deserve.”
Since its creation in 2010, the CFPB has recovered nearly $15 billion in financial relief for customers.
###
WASHINGTON – With the privacy debate receiving renewed attention in Congress, U.S. Sens. Mark R. Warner (D-VA), Deb Fischer (R-NE), Amy Klobuchar (D-MN), and John Thune (R-SD) and Reps. Lisa Blunt Rochester (D-DE-AL) and Anthony Gonzalez (R-OH-16) today announced that their bipartisan, bicameral DETOUR Act – legislation that would prevent large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data – has picked up several new endorsements.
“We are pleased to see growing momentum behind our bipartisan effort to ban these manipulative practices,” said the members of Congress today. “There’s an increasing consensus in Congress that Americans should be able to make informed choices about handing over their data to large platform companies.”
The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.
The DETOUR Act would also prohibit large platforms from deploying features that encourage compulsive usage by children and from conducting behavioral experiments without a consumer’s consent.
"The American Psychological Association supports the efforts of Senators Mark Warner, Deb Fischer, Amy Klobuchar and John Thune to reduce harmful practices and deceptive tactics by social media companies. These practices can be especially harmful to children, but adults are also susceptible,” said Mitch Prinstein, PhD, Chief Science Officer at the American Psychological Association. “Through my research and that of my colleagues in psychological science, we increasingly understand how these companies can mislead individuals. This is why we support the DETOUR Act and its aim to protect social media users.”
“Social media companies often trick users into giving up their personal data – everything from their thoughts and fears to their likes and dislikes – which they then sell to advertisers. These practices are designed to exploit people; not to serve them better. Senator Warner and Senator Fischer’s DETOUR Act would put a stop to the destructive and deceptive use of dark patterns,” said Imran Ahmed, CEO of the Center for Countering Digital Hate.
“The DETOUR Act is an important step towards curbing Big Tech's unfair design choices that manipulate users into acting against their own interests. We are particularly excited by the provision that prohibits designs that cultivate compulsive use in children,” said Josh Golin, Executive Director of Fairplay. “Over the past year, we've heard a lot of talk from members of Congress about the need to protect children and teens from social media harms. It's time to put those words into action - pass the DETOUR Act!”
“The DETOUR Act proposed by Sen. Warner and co-sponsors represents a positive and important step to protect American consumers. DETOUR provides a mechanism for independent oversight over large technology companies and curtailing the ability of these companies to use deceptive and manipulative design practices, such as ‘dark patterns,’ which have been shown to produce substantial harms to users,” said Colin M. Gray, PhD, Associate Professor at Purdue University. “This legislation provides a foothold for regulators to better guard against deceptive and exploitative practices that have become rampant in many large technology companies, and which have had outsized impacts on children and underserved communities.”
“The proposed legislation represents an important step towards reducing big tech companies’ use of dark patterns that prioritize user engagement over well-being,” said Katie Davis, EdD, Associate Professor at the University of Washington. “As a developmental scientist, I’m hopeful the DETOUR Act will encourage companies to adopt a child-centered approach to design that places children’s well-being front and center, reducing the burden on parents to look out for and avoid dark patterns in their children’s technology experiences.”
The legislation was also previously supported by Mozilla, Common Sense, and the Center for Digital Democracy. Full text of the DETOUR Act is available here.
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) led a bipartisan group of colleagues in reintroducing the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, legislation that will encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Sens. Richard Blumenthal (D-CT), Lindsey Graham (R-SC), Josh Hawley (R-MO), and Amy Klobuchar (D-MN) joined Sen. Warner in introducing the legislation.
“The tremendous dominance of a handful of large social media platforms has major downsides – including few options for consumers who face a marketplace with just a few major players and little in the way of real competition,” the senators said. “As we learned in the Microsoft antitrust case, interoperability and portability are powerful tools to restrain anti-competitive behaviors and promote innovative new companies. By making it easier for social media users to easily move their data or to continue to communicate with their friends after switching platforms, startups will be able to compete on equal terms with the biggest social media companies. Additionally, empowering trusted custodial companies to step in on behalf of users to better manage their accounts across different platforms will help balance the playing field between consumers and companies. In other words – by enabling portability, interoperability, and delegatability, this bill will create long-overdue requirements that will boost competition and give consumers the power to move their data from one service to another.”
Online communications platforms have become vital to the economic and social fabric of the nation, but network effects and consumer lock-in have entrenched a select number of companies’ dominance in the digital market and enhanced their control over consumer data.
The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act would increase market competition, encourage innovation, and increase consumer choice by requiring large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:
- Make their services interoperable with competing communications platforms.
- Permit users to easily port their personal data in a structured, commonly used and machine-readable format.
- Allow users to delegate trusted custodial services, which are required to act in a user’s best interests through a strong duty of care, with the task of managing their account settings, content, and online interactions.
“Markets work when consumers have a choice and know what's going on. The ACCESS Act is an important step toward reestablishing this dynamic in the market for tech services. We must get back to the conditions that make markets work: when consumers know what they give a firm and what they get in return; and if they don't like the deal, they can take their business elsewhere. By giving consumers the ability to delegate decisions to organizations working on their behalf, the ACCESS Act gives consumers some hope that they can understand what they are giving up and getting in the opaque world that the tech firms have created. By mandating portability, it also gives them a realistic option of switching to another provider,” Paul Romer, New York University Professor of Economics and Nobel Prize winner in Economics, said.
“Interoperability is a key tool for promoting competition on and against dominant digital platforms. For social networks in particular, interoperability is needed to make it easy for users to switch to a new social network. Until we have clear and effective interoperability requirements, it will be hard for users to leave a social network that fails to reflect their values, protect their privacy, or offer the best experience. Whatever our reasons for switching to a new social network, the ACCESS Act can make it easier by requiring the largest platforms to offer interoperability with competitors. We all stand to benefit from the greater competition that an interoperable world can create,” Charlotte Slaiman, Competition Policy Director at Public Knowledge, said.
"We now understand that the dominant tech platforms' exclusive control over the data we create as we interact with them is the source of extraordinary market power. That power distorts markets, reduces innovation and limits consumer choice. By requiring interoperability, the ACCESS Act empowers consumers, levels the playing field and opens the market to competition. Anyone who believes that markets work best when consumers are able to make informed choices should support this Act,” Brad Burnham, Partner and Co-Founder at Union Square Ventures, said.
“The reintroduction of the ACCESS Act in the Senate is a critically important step forward for empowering consumers with the freedom to control their own data and enable consumers to leave the various walled gardens of today’s social media platforms. The ACCESS Act literally does what it says—it would give consumers the option to choose better services without having to balance the unfair choice of abandoning their personal network of family and friends in order to seek better products in the market. The Senate needs to move forward as soon as possible to vote on the ACCESS Act,” Eric Migicovsky, Founder and CEO of Beeper, said.
Sen. Warner first introduced the ACCESS Act in 2019 and has been raising concerns about the implications of the lack of competition in social media for years.
Sen. Warner is one of Congress’ leading voices in demanding accountability and user protections from social media companies. In addition to the ACCESS Act, Sen. Warner has introduced and written numerous bills designed to improve transparency, privacy, and accountability on social media. These include the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act – legislation that would allow social media companies to be held accountable for enabling cyber-stalking, targeted harassment, and discrimination across platforms; the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, bipartisan legislation that would require data harvesting companies to tell consumers and financial regulators exactly what data they are collecting from consumers and how it is being leveraged by the platform for profit; and the Deceptive Experiences to Online Users Reduction (DETOUR) Act, bipartisan and bicameral legislation that would prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data and would prohibit these platforms from using features that result in compulsive usage by children.
Full text of the bill is available here. One-pager of the legislation is available here.
###
Lawmakers Reintroduce Bipartisan Bicameral Legislation to Ban Manipulative 'Dark Patterns'
Dec 08 2021
WASHINGTON – Ahead of Wednesday’s Senate hearing with the head of Instagram, U.S. Sens. Mark R. Warner (D-VA), Deb Fischer (R-NE), Amy Klobuchar (D-MN), and John Thune (R-SD) along with Reps. Lisa Blunt Rochester (D-DE-AL) and Anthony Gonzalez (R-OH-16) have re-introduced the Deceptive Experiences to Online Users Reduction (DETOUR) Act to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data. The DETOUR Act would also prohibit these platforms from using features that result in compulsive usage by children.
The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company.
“For years dark patterns have allowed social media companies to use deceptive tactics to convince users to hand over personal data without understanding what they are consenting to. The DETOUR Act will end this practice while working to instill some level of transparency and oversight that the tech world currently lacks,” said Sen. Warner, Chairman of the Senate Select Committee on Intelligence and former technology executive. “Consumers should be able to make their own informed choices on when to share personal information without having to navigate intentionally misleading interfaces and design features deployed by social media companies.”
“Manipulative user interfaces that confuse people and trick consumers into sharing access to their personal information have become all too common online. Our bipartisan legislation would rein in the use of these dishonest interfaces and boost consumer trust. It’s time we put an end to ‘dark patterns’ and other manipulative practices to protect children online and ensure the American people can better protect their personal data,” said Sen. Fischer, a member of the Senate Commerce Committee.
“Dark patterns are manipulative tactics used to trick consumers into sharing their personal data. These tactics undermine consumers’ autonomy and privacy, yet they are becoming pervasive on many online platforms. This legislation would help prevent the major online platforms from using such manipulative tactics to mislead consumers, and it would prohibit behavioral experiments on users without their informed consent,” said Sen. Klobuchar, a member of the Senate Commerce and Judiciary Committees.
“We live in an environment where large online operators often deploy manipulative practices or ‘dark patterns’ to obtain consent to collect user data,” said Sen. Thune, ranking member of the Senate Commerce Committee’s Subcommittee on Communications, Media, and Broadband. “This bipartisan legislation would create a path forward to strengthen consumer transparency by holding large online operators accountable when they subject their users to behavioral or psychological research for the purpose of promoting engagement on their platforms.”
“My colleagues and I are introducing the DETOUR Act because Congress and the American public are tired of tech companies evading scrutiny and avoiding accountability for their actions. Despite congressional hearings and public outcries, many of these tech companies continue to trick and manipulate people into making choices against their own self-interest,” said Rep. Lisa Blunt Rochester. “Our bill would address some common tactics these companies use, like intentionally deceptive user interfaces that trick people into handing over their personal information. Our children, seniors, veterans, people of color, even our very way of life is at stake. We must act. And today, we are.”
“Social media has connected our communities, but also had detrimental effects on our society. Big tech companies that control these platforms currently have unregulated access to a wealth of information about their users and have used nontransparent methods, such as dark patterns, to gather additional information and manipulate users,” said Rep. Anthony Gonzalez. “The DETOUR Act would make these platforms more transparent through prohibiting the use of dark patterns. We live in a transformative period of technology, and it is important that the tech which permeates our day to day lives is transparent.”
Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of these actions include: a deliberate obscuring of alternative choices or settings through design or other means; the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking.
The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company.
“Tech companies have clearly demonstrated that they cannot be trusted to self-regulate. So many companies choose to utilize manipulative design features that trick kids into giving up more personal information and compulsive usage of their platforms for the sake of increasing their profits and engagement without regard for the harm it inflicts on kids,” said Jim Steyer, CEO of Common Sense. “Common Sense supports Senators Warner and Fischer and Representatives Blunt Rochester and Gonzalez on this bill, which would rightfully hold companies accountable for these practices so kids can have a healthier and safer online experience.”
“'Dark patterns' and manipulative design techniques on the internet deceive consumers. We need solutions that protect people online and empower consumers to shape their own experience. We appreciate Senator Warner and Senator Fischer's work to address these misleading practices,” said Jenn Taylor Hodges, Head of U.S. Public Policy at Mozilla.
“Manipulative design, efforts to undermine users’ independent decision making, and secret psychological experiments conducted by corporations are everywhere online. The exploitative commercial surveillance model thrives on taking advantage of unsuspecting users. The DETOUR Act would put a stop to this: prohibiting online companies from designing their services to impair autonomy and to cultivate compulsive usage by children under 13. It would also prohibit companies from conducting online user experiments without consent. If enacted, the DETOUR Act will make an important contribution to living in a fairer and more civilized digital world,” said Katharina Kopp, Director of Policy at Center for Digital Democracy.
The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:
- Prohibits large online operators from designing, modifying, or manipulating a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data.
- Prohibits subdividing or segmenting consumers for the purposes of behavioral experiments without a consumer’s informed consent, which cannot be buried in a general contract or service agreement. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
- Prohibits user design intended to create compulsive usage among children under the age of 13 years old (as currently defined by the Children’s Online Privacy Protection Act).
- Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.
Sen. Warner first introduced the DETOUR Act in 2019 and has been raising concerns about the implications of social media companies’ reliance on dark patterns for years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds.
Sen. Warner is one of Congress’ leading voices in demanding accountability and user protections from social media companies. In addition to the DETOUR Act, Sen. Warner has introduced and written numerous bills designed to improve transparency, privacy, and accountability on social media. These include the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act – legislation that would allow social media companies to be held accountable for enabling cyber-stalking, targeted harassment, and discrimination across platforms; the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, bipartisan legislation that would require data harvesting companies to tell consumers and financial regulators exactly what data they are collecting from consumers and how it is being leveraged by the platform for profit; and the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, legislation that would encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.
Full text of the bill is available here.
###
WASHINGTON – As Labor Day weekend approaches, U.S. Sens. Mark Warner and Tim Kaine (both D-VA) along with Sens. Bob Menendez and Cory Booker (both D-NJ) are pressing product safety regulators to include beach umbrellas in their testing protocols as they work to develop new safety standards for umbrellas sold to consumers. It’s the latest push in the senators’ continued effort to protect beachgoers following multiple accidents involving wind-swept beach umbrellas, including in 2016, when Lottie Michelle Belk of Chester, Va. was struck in the torso and killed while vacationing in Virginia Beach with her family.
Sens. Warner and Kaine have previously pushed for increased safety measures in a 2019 letter to the U.S. Consumer Product Safety Commission (CPSC). In addition, the senators have called for a public safety campaign to educate the public about the dangers of beach umbrellas.
“Given the grave danger posed by beach umbrellas we feel it is imperative that ASTM include beach umbrellas in any new test methods,” the senators wrote to ASTM International Subcommittee Chair Ben Favret. “Summer is in full swing, and as millions of newly vaccinated Americans emerge from their homes to spend time at the shore, we must do all we can to ensure the safety of beach umbrellas.”
ASTM International—a nonprofit that often partners with the U.S. Consumer Product Safety Commission (CPSC) to develop technical standards for a wide range of materials, products, systems, and services—last year began testing the safety and durability of market umbrellas in various wind conditions. Unfortunately it has continued to exclude beach umbrellas from this testing regimen, instead limiting it to patio and weighted-base umbrellas.
Assessing the risks associated with using certain products under specific conditions is a critical step towards developing new product safety standards, recommendations, and best practices to mitigate the risk.
According to the U.S. Consumer Product Safety Commission, an estimated 2,800 people sought treatment at emergency rooms for beach umbrella-related injuries from 2010-2018.
Full text of the letter is below and can be downloaded here:
Ben Favret
Subcommittee Chair, ASTM F15.79
ASTM International
100 Barr Harbor Drive
West Conshohocken, PA 19428
Dear Mr. Favret:
We write to urge ASTM International to update its testing method standard to account for wind speed as it relates to beach umbrellas.
As you note on your website, “[t]he deleterious effects of a Market Umbrellas [sic] being blow[n] over or broken by wind forces can range from acute injury, such as cuts or bruises to blunt force trauma, such as concussions or broken bones and in some cases death.” Further, you state that “[t]he lack of any voluntary standard for the safe performance of Market Umbrellas puts millions of consumers and employees around the world at risk unnecessarily.” Indeed, as the Consumer Product Safety Commission (CPSC) stated in a June 2019 letter to the Senate, over the nine-year period from 2010-2018, an estimated 2,800 people sought treatment in emergency rooms for injuries related to beach umbrellas. A majority of those injuries were caused by a wind-blown beach umbrella.
In March 2021, the CPSC wrote to ASTM requesting that it “expand the standard to address fully the hazards of injuries and death due to beach umbrellas implanted in the sand.” In addition, the agency suggested “mentioning the known fatality in the introduction of the standard, along with the injury data already there”. We could not agree more. Given the grave danger posed by beach umbrellas we feel it is imperative that ASTM include beach umbrellas in any new test methods.
Summer is in full swing, and as millions of newly vaccinated Americans emerge from their homes to spend time at the shore, we must do all we can to ensure the safety of beach umbrellas. We appreciate ASTM’s willingness to consider this issue. Should you have further questions please contact Shelby Boxenbaum in Senator Menendez’s office at 202-224-4744.
Sincerely,
###
Warner, Colleagues Press Facebook on Decision to Remove Independent Researchers from Platform
Aug 09 2021
WASHINGTON – U.S. Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence; Senator Amy Klobuchar (D-MN), Chairwoman of the Senate Subcommittee on Competition Policy, Antitrust, and Consumer Rights; and Senator Chris Coons (D-DE), Chairman of the Subcommittee on Privacy, Technology, and the Law, sent a letter to Facebook CEO Mark Zuckerberg asking about Facebook’s decision to terminate the ability of researchers at New York University’s Ad Observatory Project to access its platform.
The independent researchers were studying political advertising on Facebook. Their research has produced several key discoveries including highlighting a lack of transparency in how advertisers target political ads online on Facebook.
“We were surprised to learn that Facebook has terminated access to its platform for researchers connected with the NYU Ad Observatory project. The opaque and unregulated online advertising platforms that social media companies maintain have allowed a hotbed of disinformation and consumer scams to proliferate, and we need to find solutions to those problems,” the senators wrote.
The senators continued later in the letter: “...independent researchers are a critical part of the solution. While we agree that Facebook must safeguard user privacy, it is similarly imperative that Facebook allow credible academic researchers and journalists like those involved in the Ad Observatory project to conduct independent research that will help illuminate how the company can better tackle misinformation, disinformation, and other harmful activity that is proliferating on its platforms.”
The full text of the letter can be found below and HERE.
Dear Mr. Zuckerberg,
As you know, we are committed to protecting privacy for all Americans while eliminating the scourge that is disinformation and misinformation, particularly with regard to elections and the COVID-19 pandemic.
We were surprised to learn that Facebook has terminated access to its platform for researchers connected with the NYU Ad Observatory project. The opaque and unregulated online advertising platforms that social media companies maintain have allowed a hotbed of disinformation and consumer scams to proliferate, and we need to find solutions to those problems. The Ad Observatory project describes itself as “nonpartisan [and] independent…focused on improving the transparency of online political advertising.” Research efforts studying online advertising have helped inform consumers and policymakers about the extent to which your ad platform has been a vector for consumer scams and frauds, enabled hiring discrimination and discriminatory ads for financial services, and circumvented accessibility laws. Such work to improve the integrity of online advertising is critical to strengthening American democracy.
We appreciate Facebook’s ongoing efforts to address misinformation and disinformation on its platforms. But there is much more to do, and independent researchers are a critical part of the solution. While we agree that Facebook must safeguard user privacy, it is similarly imperative that Facebook allow credible academic researchers and journalists like those involved in the Ad Observatory project to conduct independent research that will help illuminate how the company can better tackle misinformation, disinformation, and other harmful activity that is proliferating on its platforms.
We therefore ask that you provide written answers to the following questions by August 20, 2021:
1. How many accounts of researchers and journalists were terminated or otherwise disabled during 2021, including but not limited to researchers from the NYU Ad Observatory?
2. Please explain why you terminated those accounts referenced in question 1. If you believe that the researchers violated Facebook’s terms of service, please describe how, in detail.
3. If the researchers’ access violated Facebook’s terms of service, what steps are you taking to revise these terms to better accommodate research that improves the security and integrity of your platform?
4. Facebook’s public statement about its decision to terminate the Ad Observatory researchers’ access said that research should not “compromis[e] people’s privacy.” Please explain how the researchers’ work compromised privacy of end-users.
5. The Ad Observatory project asked Facebook users to voluntarily install a browser extension that would provide information available to that user about the ads that the user was shown. Facebook’s public statement says that the extension “collected data about Facebook users who did not install it or consent to the collection.” Were these non-consenting “users” advertisers whose advertising information was being collected and analyzed, other individual Facebook users, or both?
6. Facebook has suggested that the NYU researchers potentially violated user privacy because the browser extension could have exposed the identity of users who liked or commented on an advertisement. However, both researchers at NYU and other independent researchers have confirmed that the extension did not collect information beyond the frame of the ad, and that the program could not collect personal posts. Given these technical constraints, what evidence does Facebook have to suggest that this research exposed personal information of non-consenting individuals?
7. Facebook’s public statement explaining its decision to revoke access for the NYU researchers states that Facebook made this decision “in line with our privacy program under the FTC Order.” FTC Acting Bureau Director Samuel Levine sent you a letter dated August 5, 2021 in which he noted that “Had you honored your commitment to contact us in advance, we would have pointed out that the consent decree does not bar Facebook from creating exceptions for good-faith research in the public interest. Indeed, the FTC supports efforts to shed light on opaque business practices.”
a. Why didn’t Facebook contact the FTC about its plans to disable researchers’ accounts?
b. Does Facebook maintain that the FTC consent decree or other orders required it to disable access for the Ad Observatory researchers? If so, please explain with specificity which sections of which decree(s) compel that response.
c. Are there measures Facebook could take to authorize the Ad Observatory research while remaining in compliance with FTC requirements?
d. In light of Mr. Levine’s statement that the FTC Order does not require Facebook to disable the access of the Ad Observatory researchers, does Facebook intend to restore the Ad Observatory researchers’ access?
8. In its public statement, Facebook highlighted tools that it offers to the academic community, including its Facebook Open Research and Transparency (FORT) initiative. However, public reporting suggests that tool only includes data from the three month period before the November 2020 election, and further that it does not include ads seen by fewer than 100 people.
a. Why does Facebook limit this data set to the three months prior to the November 2020 election?
b. Why does Facebook limit this data set to ads seen by more than 100 people?
c. What percentage of unique ads on Facebook are seen by more than 100 people?
We look forward to your prompt responses.
###
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the statement below, following a report that Facebook disabled the accounts of researchers studying political ads on the social network:
“This latest action by Facebook to cut off an outside group’s transparency efforts – efforts that have repeatedly facilitated revelations of ads violating Facebook’s Terms of Service, ads for frauds and predatory financial schemes, and political ads that were improperly omitted from Facebook’s lackluster Ad Library – is deeply concerning. For several years now, I have called on social media platforms like Facebook to work with, and better empower, independent researchers, whose efforts consistently improve the integrity and safety of social media platforms by exposing harmful and exploitative activity. Instead, Facebook has seemingly done the opposite. It’s past time for Congress to act to bring greater transparency to the shadowy world of online advertising, which continues to be a major vector for fraud and misconduct.”
###
WASHINGTON – U.S. Senators Mark Warner (D-Va.), Bob Menendez (D-N.J.), and Mazie Hirono (D-Hawaii) today slammed Facebook for failing to remove vaccine misinformation from its platforms. The rapid spread of dangerous misinformation across social media could hamper the efforts of public health officials as they work to vaccinate hard-to-reach communities and hesitant individuals, representing a serious concern for public safety. Studies show that roughly 275,000 Facebook users belong to anti-vaccine groups on the platform.
“As public health experts struggle to reach individuals who are vaccine hesitant, epidemiologists warn that low rates of vaccine rates coupled with the relaxing of mask mandates could result in new COVID-19 outbreaks,” the senators wrote in a letter to Facebook CEO Mark Zuckerberg. “Moreover, most public health officials agree that because herd immunity in the U.S. is now unlikely, ‘continued immunizations, especially for people at highest risk because of age, exposure or health status, will be crucial to limiting the severity of outbreaks, if not their frequency’. In short, ‘vaccinations remain the key to transforming the virus into a controllable threat’.”
A recent report from Markup.org’s “Citizen Browser project” found that there are 117 active anti-vaccine groups on Facebook. Combined, the groups had roughly 275,000 members. The study also found that Facebook was recommending health groups to its users, including anti-vaccine groups and pages that spread COVID-19 misinformation and propaganda.
The lawmakers asked Zuckerberg a series of questions, including why users were recommended vaccine misinformation; how long anti-vaccine groups and pages remained on the platform before being taken down; and what specific steps the company is taking to ensure its platforms do not recommend vaccine misinformation to its users.
A copy of the letter can be found here and below:
Dear Mr. Zuckerberg,
We write to express our concern over recent reporting alleging that Facebook failed to remove vaccine misinformation from its platforms. As the U.S. struggles to reach vaccine hesitant individuals and the world grapples with new variants, it is more important than ever that social media companies such as Facebook ensure that its platforms are free from disinformation.
In a February 2021 blog post, Facebook promised to expand “the list of false claims [it] will remove to include additional debunked claims about the coronavirus and vaccines. This includes claims such as: COVID-19 is man-made or manufactured; Vaccines are not effective at preventing the disease they are meant to protect against; It’s safer to get the disease than to get the vaccine; [and] Vaccines are toxic, dangerous or cause autism.” According to data from the Markup.org’s “Citizen Browser project,” misinformation regarding COVID-19 and vaccines are readily available on Facebook. According to Madelyn Webb, a senior researcher at Media Matters, as late as April 2021, she found 117 active anti-vaccine groups on Facebook. Combined, those groups had roughly 275,000 members. Even more troubling is the finding that Facebook “continued to recommend health groups to its users, including blatantly anti-vaccine groups and pages explicitly founded to propagate lies about the pandemic.” As public health experts struggle to reach individuals who are vaccine hesitant, epidemiologists warn that low rates of vaccine rates coupled with the relaxing of mask mandates could result in new COVID-19 outbreaks. Moreover, most public health officials agree that because herd immunity in the U.S. is now unlikely, “[c]ontinued immunizations, especially for people at highest risk because of age, exposure or health status, will be crucial to limiting the severity of outbreaks, if not their frequency.” In short, “vaccinations remain the key to transforming the virus into a controllable threat.”
In March 2021, Senator Warner wrote to you expressing these same concerns. Your April 2021 response failed to directly answer the questions posed in his letter. Specifically, you failed to respond to a question as to why posts with content warnings about health misinformation were promoted into Instagram feeds. Given Facebook’s continued failure to remove vaccine misinformation from its platforms, we seek answers to the following questions no later than July 5, 2021.
1. In calendar year 2021, how many users viewed vaccine-related misinformation?
2. In calendar year 2021, how many users were recommended anti-vaccine information or vaccine-related misinformation?
a. Why were these users recommended such information?
3. In calendar year 2021, how many vaccine-related posts has Facebook removed due to violations of its vaccine misinformation policy? How many pages were removed? How many accounts were removed? How many groups were removed?
a. On average, how long did these pages or posts remain on the platform before Facebook removed them?
4. What steps is Facebook taking to ensure that its platforms do not recommend vaccine-related misinformation to its users? Please be specific.
5. What steps is Facebook taking to ensure that individuals who search out anti-vaccine content are not subsequently shown additional misinformation?
6. In March 2019, Facebook said it would stop recommending groups that contained vaccine-related misinformation content. It wasn’t until February 2021 that the company announced it would remove such content across the platform. Why did it take Facebook nearly a year to make this decision?
Thank you in advance for your prompt response to the above questions.
Sincerely,
###
WASHINGTON – Today U.S. Sens. Mark R. Warner (D-VA), Mazie Hirono (D-HI) and Amy Klobuchar (D-MN) announced the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act to reform Section 230 and allow social media companies to be held accountable for enabling cyber-stalking, targeted harassment, and discrimination on their platforms.
“When Section 230 was enacted in 1996, the Internet looked very different than it does today. A law meant to encourage service providers to develop tools and policies to support effective moderation has instead conferred sweeping immunity on online providers even when they do nothing to address foreseeable, obvious and repeated misuse of their products and services to cause harm,” said Sen. Warner, a former technology entrepreneur and the Chairman of the Senate Select Committee on Intelligence. “Section 230 has provided a ‘Get Out of Jail Free’ card to the largest platform companies even as their sites are used by scam artists, harassers and violent extremists to cause damage and injury. This bill doesn’t interfere with free speech – it’s about allowing these platforms to finally be held accountable for harmful, often criminal behavior enabled by their platforms to which they have turned a blind eye for too long.”
“Section 230 was passed in 1996 to incentivize then-nascent internet companies to voluntarily police illegal and harmful content posted by their users. Now, twenty-five years later, the law allows some of the biggest companies in the world to turn a blind eye while their platforms are used to violate civil and human rights, stalk and harass people, and defraud consumers—all without accountability,” Sen. Hirono said. “The SAFE TECH Act brings Section 230 into the modern age by creating targeted exceptions to the law’s broad immunity. Internet platforms must either address the serious harms they impose on society or face potential civil liability.”
“We need to be asking more from big tech companies, not less. How they operate has a real-life effect on the safety and civil rights of Americans and people around the world, as well as our democracy. Holding these platforms accountable for ads and content that can lead to real-world harm is critical, and this legislation will do just that,” said Sen. Klobuchar.
The SAFE TECH Act would make clear that Section 230:
- Doesn’t apply to ads or other paid content – ensuring that platforms cannot continue to profit as their services are used to target vulnerable consumers with ads enabling frauds and scams;
- Doesn’t bar injunctive relief – allowing victims to seek court orders where misuse of a provider’s services is likely to cause irreparable harm;
- Doesn’t impair enforcement of civil rights laws – maintaining the vital and hard-fought protections from discrimination even when activities or services are mediated by internet platforms;
- Doesn’t interfere with laws that address stalking/cyber-stalking or harassment and intimidation on the basis of protected classes – ensuring that victims of abuse and targeted harassment can hold platforms accountable when they directly enable harmful activity;
- Doesn’t bar wrongful death actions – allowing the family of a decedent to bring suit against platforms where they may have directly contributed to a loss of life;
- Doesn’t bar suits under the Alien Tort Claims Act – potentially allowing victims of platform-enabled human rights violations abroad (like the survivors of the Rohingya genocide) to seek redress in U.S. courts against U.S.-based platforms.
These changes to Section 230 do not guarantee that platforms will be held liable in all, or even most, cases. Proposed changes do not subject platforms to strict liability; and the current legal standards for plaintiffs still present steep obstacles. Rather, these reforms ensure that victims have an opportunity to raise claims without Section 230 serving as a categorical bar to their efforts to seek legal redress for harms they suffer – even when directly enabled by a platform’s actions or design.
Bill text is available here. A three-page summary is available here. Frequently asked questions about the bill are available here. A redline of Section 230 is available here.
“Social media platforms and the tech companies that run them must protect their users from the growing and dangerous combination of misinformation and discrimination. As we have repeatedly seen, these platforms are being used to violate the civil rights of Black users and other users of color by serving as virtually-unchecked homes for hateful content and in areas such as housing and employment discrimination through the targeting and limiting of who can see certain advertisements. Section 230 must be strengthened to ensure that these online communities are not safe harbors for the violations of civil rights laws. LDF supports Senator Warner and Senator Hirono’s bill as it addresses these critical concerns,” said Lisa Cylar Barrett, Director of Policy, NAACP Legal Defense and Educational Fund, Inc. (LDF)
“Tech companies must be held accountable for their roles in facilitating genocide, extremist violence and egregious civil rights abuses. We applaud Senators Hirono and Warner for their leadership in introducing a robust bill that focuses on supporting targets of civil and human rights abuses on social media while also addressing cyber-harassment and other crimes stemming from the spread of hate and disinformation. The sweeping legal protections enjoyed by tech platforms cannot continue,” said Jonathan A. Greenblatt, CEO of ADL (Anti-Defamation League).
“Platforms should not profit from targeting employment ads toward White users, or from targeting voter suppression ads toward Black users. Senator Warner and Senator Hirono’s comprehensive bill makes it clear that Section 230 does not give platforms a free pass to violate civil rights laws, while also preserving the power of platforms to remove harmful disinformation,” said Spencer Overton, President, Joint Center for Political and Economic Studies.
“I applaud the SAFE TECH Act introduced by Sens. Warner and Hirono which provides useful modifications to section 230 of the 1996 Communications Decency Act to limit the potential negative impacts of commercial advertising interests while continuing to protect anti-harassment and civil and human rights interests of those who may be wrongfully harmed through wrongful online activity,” Ramesh Srinivasan, Professor at the UCLA Department of Information Studies and Director of UC Digital Cultures Lab, said.
“Congress enacted 47 USC 230 in the mid-1990s to support online innovation and free speech but the way in which courts have very generously read Section 230 have meant there is no legal mechanism that has done more to insulate intermediaries from legal accountability for distributing, amplifying, and carefully delivering unlawful content and facilitating dangerous antisocial connections. Racist, misogynist, and violent antidemocratic forces coalesce online because intermediaries rarely have to account for their social impacts. Senator Warner and Senator Hirono’s proposed changes create a new and necessary incentive for such companies to be far more mindful of the social impacts of their services in areas of law that are of vital importance to the health of the networked information environment. It does this while not abandoning the protection for intermediaries' distribution of otherwise lawful content,” said Olivier Sylvain, Professor at Fordham Law School and Director of the McGannon Center for Communications Research.
“We applaud Senator Warner and Senator Hirono’s important effort to reform Section 230 and thus bring greater accountability to the tech sector. Warner’s proposed reforms are crucial to protecting civil rights and making the web safer for those who have been negatively impacted by much that happens there, both online and off. We thank Senator Warner and Senator Hirono for tackling this critically important issue,” Wendy Via, Cofounder, Global Project Against Hate and Extremism, said.
“The Cyber Civil Rights Initiative welcomes this effort to protect civil rights in the digital age and to hold online intermediaries accountable for their role in the silencing and exploitation of vulnerable communities. This bill offers urgently needed provisions to limit and correct the overzealous interpretation of Section 230 that has granted a multibillion dollar industry immunity and impunity for profiting from irreparable injury,” said Mary Anne Franks, President, Cyber Civil Rights Initiative and Danielle K. Citron, Vice President, Cyber Civil Rights Initiative.
“For too long, companies like Facebook and YouTube have undermined the rights and safety of Muslims and communities of color in the U.S. and around the world. We have urged them to take responsibility for the targeted hate and violence, including genocide, facilitated by their platforms but these companies have refused to act,” said Madihha Ahussain, Muslim Advocates Special Counsel for Anti-Muslim Bigotry. “We appreciate Senators Warner and Hirono for introducing the SAFE TECH Act, which includes essential adjustments to Section 230 and will finally hold these companies accountable for violating people’s rights.”
“The SAFE TECH Act is an important step forward for platform accountability and for the protection of privacy online. Providing an opportunity for victims of harassment, privacy invasions, and other violations to remove unlawful content is critical to stopping its spread and limiting harm,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director, Electronic Privacy Information Center (EPIC).
“The SAFE TECH Act is the Section 230 reform America needs now. Over-expansive readings of Section 230 have encouraged reckless and negligent shirking by platforms of basic duties toward their users. Few if any of the drafters of Section 230 could have imagined that it would be opportunistically seized on to deregulate online arms sales, protect sellers of defective merchandise, permit genocidaires to organize online with impunity, or allow dating sites to ignore campaigns of harassment and worse against their users. The SAFE TECH Act reins in the cyberlibertarian ethos of Section 230 imperialism, permitting courts to carefully weigh and assess evidence in cases where impunity is now preemptively assumed,” Frank Pasquale, Author of The Black Box Society and Professor at Brooklyn Law School, said.
“For far too long online platforms have placed profit over accountability and decency, and allowed misinformation, algorithmic discrimination, and online hate to be weaponized. When the Communications Decency Act was passed in 1996, no one imagined it would be used to shield the most valuable companies in the world from basic civil rights compliance,” said David Brody, Counsel and Senior Fellow for Privacy and Technology, Lawyers’ Committee for Civil Rights Under Law. “This bill would make irresponsible big tech companies accountable for the digital pollution they knowingly and willfully produce, while continuing to protect free speech online. Black Americans and other communities of color are frequent targets of online hate, threats and discrimination, and many of these online behaviors would not be tolerated if they occurred in a brick-and-mortar business. It is time that big tech stop treating our communities of color like second-class citizens, and give them the protection they deserve.”
“It is unacceptable that Big Tech enjoys near total legal immunity from the harm that their platforms expose to children and families. Tech companies should not be able to hide behind Section 230 to avoid abiding by civil rights laws, court injunctions, and other protections for families and the most vulnerable in society. Reforms proposed by Sens. Warner and Hirono begin to change that. It is time to hold these companies accountable for the harms their platforms have unleashed on society,” said James P. Steyer, CEO and Founder, Common Sense.
“The deadly insurrection at the Capitol made clear that lawmakers must take immediate action to ensure multi-billion-dollar social media companies, whose business models incentivize the unchecked spread of hate-fueled misinformation and violent clickbait conspiracies, can no longer abuse Section 230’s broad protections to evade civil rights laws,” said Arisha Hatch, Color Of Change Vice President and Chief of Campaigns. “The SAFE TECH Act from Sen. Warner and Sen. Hirono is critical. The proposed reform would not only prevent power-hungry social media companies from leveraging Section 230 to turn a blind eye to civil rights violations on their platforms, but it would also incentivize them to take down dangerous paid and organic content — and establish better protections against real world harms like cyberstalking, which disproportionately impacts Black women. We strongly encourage members of Congress to support this legislation, which represents a significant step towards finally holding Big Tech accountable for their years-long role in enabling civil rights violations against Black communities.”
“After 2020 no-one is asking if online misinformation creates real-world harms - whether it's COVID and anti-vaxx misinformation, election-related lies or hate, it is now clear that action is needed to deal with unregulated digital platforms. Whereas users can freely spread hate and misinformation, platforms profit from traffic regardless of whether it is productive or damaging, the costs are borne by the public and society at large. This timely bill forensically delineates the harms and ensures perpetrators and enablers pay a price for the harms they create. In doing so, it reflects our desire for richer communication technologies, which enhance our right to speak and be heard, and that also respect our fundamental rights to life and safety,” said Imran Ahmed, CEO, Center for Countering Digital Hate.
“Our lives are at stake because hate and white supremacy is flourishing online. On January 6th we saw the results of what continuous disinformation and hate online can do with the insurrection and domestic terrorist attack on the U.S. Capitol, where five lives were lost,” said Brenda Victoria Castillo, President & CEO, National Hispanic Media Coalition. “It is time to hold online platforms accountable for their role in the radicalization and spread of extremist ideologies in our country. NHMC is proud to support Senator Warner's limited reform of Section 230, and applauds his efforts to safeguard our democracy and the Latinx community.”
“Senator Mark Warner is a leader in ensuring that technology supports democracy even as it advances innovation. His and Senator Hirono’s new Section 230 reform bill now removes obstacles to enforcement against discrimination, cyber-stalking, and targeted harassment in the online world. The events of Jan 6 demonstrated that what happens online isn’t just a game. Online conspiracy theories, discrimination, and harassment are a public danger. The Warner-Hirono bill would go a long way toward addressing these dangers, and incentivizing platforms to move past the current, ineffective whack-a-mole approach to these important online harms,” said Karen Kornbluh, Director of the Digital Innovation and Democracy Initiative at the German Marshall Fund of the US and Former US Ambassador to the Organization for Economic Co-operation and Development.
###
Warner, Blumenthal, Eshoo, Schakowsky & DelBene Introduce the Public Health Emergency Privacy Act
Jan 28 2021
WASHINGTON - As tech companies and public health agencies deploy new tools to fight the spread of COVID-19 – including contact tracing apps, digital monitoring, home tests, and vaccine appointment booking – U.S. Sens. Mark R. Warner (D-VA), Richard Blumenthal (D-CT) and U.S. Representatives Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.
After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19.
“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”
“Our health privacy laws have not kept pace with what Americans have come to expect for their sensitive health data,” Warner said. “Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services. Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.”
“I’m exceedingly proud of the American innovators, many of whom are in my congressional district, who have built technologies to combat the coronavirus. As these technologies are used, they must be coupled with policies to protect the civil liberties that define who we are as a nation,” said Eshoo. “The Public Health Emergency Privacy Act is a critical bill that will prohibit privacy invasions by preventing misuse of pandemic-related data for unrelated purposes like marketing, prohibiting the data from being used in discriminatory ways, and requiring data security and integrity measures. The legislation will give the American people confidence to use technologies and systems that can aid our efforts to combat the pandemic.”
“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to re-introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo and Congresswoman DelBene, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that the Trump Administration missed an opportunity when it failed to advocate for swift passage of this legislation. Based on how poorly the Trump Administration’s contact tracing scheme went, we all know this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to the Biden Administration’s plan for widespread testing and manual contact tracing.”
“Technology has become one of our greatest tools in responding to the COVID-19 pandemic but we need to build trust with the broader public if we are going to reach its full potential. Americans need to be certain their sensitive personal information will be protected when using tracing apps and other COVID-19 response technology and this pandemic-specific privacy legislation will help build that trust,” said DelBene. “Data privacy should not end with the pandemic. We need comprehensive privacy reform to protect Americans at all times, including state preemption to create a strong, uniform national standard. I hope that this crisis has shed light on the lack of adequate digital privacy policies in our country and look forward to working with these lawmakers and others to create the necessary standards moving forward.”
The bill is co-sponsored in the Senate by U.S. Senators Michael Bennet (D-CO), Amy Klobuchar (D-MN), Edward J. Markey (D-MA), Tammy Baldwin (D-WI), Mazie K. Hirono (D-HI), Cory Booker (D-NJ), Robert Menendez (D-NJ), Angus King (I-ME), Elizabeth Warren (D-MA) and Dick Durbin (D-IL).
The bill is co-sponsored in the House of Representatives by Don Beyer (D-VA), Jerry McNerney (D-CA), Nanette Diaz Barragán (D-CA), Mark Pocan (D-WI), Bobby Rush (D-IL), Peter Welch (D-VT), Mary Gay Scanlon (D-PA), Doris Matsui (D-CA), Ted Lieu (D-CA), Mark DeSaulnier (D-CA), Jahana Hayes (D-CT), Ro Khanna (D-CA), Jesús “Chuy” García (D-IL), Stephen Lynch (D-MA), Raúl Grijalva (D-AZ), Barbara Lee (D-CA), Debbie Dingell (D-MI), and Peter DeFazio (D-OR).
The Public Health Emergency Privacy Act would:
· Ensure that data collected for public health is strictly limited for use in public health;
· Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;
· Prevent the potential misuse of health data by government agencies with no role in public health;
· Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
· Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
· Require regular reports on the impact of digital collection tools on civil rights;
· Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and
· Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.
The Public Health Emergency Privacy Act is endorsed by Access Now, Electronic Privacy and Information Center (EPIC), the Center for Digital Democracy, Color of Change, Common Sense Media, New America’s Open Technology Institute, and Public Knowledge.
“A public health crisis is not the time to give up on our privacy rights, and this bill would go a long way toward protecting those rights. COVID-19 response apps are already out there, and this bill will help ensure that the apps are distributed and used in a responsible manner that will limit the new and expansive surveillance systems companies are building. Allowing these apps to proceed unchecked would create serious privacy violations that will never be undone,” said Eric Null, U.S. Policy Manager at Access Now.
“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC).
“Public health measures to contain the deadly spread of COVID-19 must be effective and protect those most at risk. Where data are collected or used, they should not be misused to undermine privacy, fairness and equity, or place our civil rights in peril. The Public Health Emergency Privacy Act ensures that efforts to limit the spread of the virus truly protect all our interests,” said Katharina Kopp, Director of Policy for the Center for Digital Democracy.
“Color Of Change strongly supports the Public Health Emergency Privacy Act, as it would prevent corporate profiteering and government misuse of health data to help ensure Black people — who are disproportionately exposed to the dangers of surveillance — can operate online without fear. Profit-incentivized corporations should not be allowed to exploit loopholes to gather and sell sensitive health and location data without any regard to the safety of our communities. As the COVID-19 pandemic rages on, we need stringent and enforceable safeguards in place to protect private health information of Black people and other marginalized communities, who are most at risk of both COVID-19 and surveillance. We thank Senators Blumenthal and Warner for their leadership on this legislation, and we will continue to advocate for the highest standard of protection against the abuse of personal data,” said Color Of Change President Rashad Robinson.
“Common Sense calls on Congress to pass meaningful privacy safeguards for families. More than ever, the pandemic has highlighted how important it is that families can trust how their information is being collected, used, and shared. PHEPA is an important proposal to ensure technologies and data being used to combat COVID are used in privacy-protective ways, and it also can serve as a model for how Congress can comprehensively protect privacy in the near future,” said Ariel Fox Johnson, Senior Counsel for Global Policy with Common Sense Media.
“OTI welcomes the re-introduction of this legislation that would establish strong safeguards to prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner. The ongoing privacy threats and urgency of the pandemic make these protections more important than ever,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.
“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge.
###
Washington, D.C. – Today, U.S. Sen. Mark R. Warner (D-Va.) joined Sens. Catherine Cortez Masto (D-Nev.) and Sherrod Brown (D-Ohio) and 13 of their Senate colleagues in sending a letter to Consumer Financial Protection Bureau (CFPB) Director Kathleen Kraninger regarding the Bureau’s recent public enforcement actions against mortgage originators offering Veterans Administration (VA)-guaranteed loans. Between July 2020 and September 2020, the CFPB announced consent orders against eight different mortgage lenders for deceptive and misleading advertising of VA mortgages. In each case, the CFPB found that the originators’ advertisements contained false, misleading, or inaccurate statements that violated the Consumer Financial Protection Act’s prohibition against deceptive acts and practices, the Mortgage Acts and Practices Advertising Rule, and Regulation Z. The CFPB collected approximately $2.8 million in civil penalties from these eight violators, but did not require any of these companies to provide restitution to harmed consumers.
The lawmakers wrote, “We write to you regarding the Consumer Financial Protection Bureau (Bureau)’s recent public enforcement actions against mortgage originators offering Veterans Administration (VA)-guaranteed loans. We are deeply concerned by the Bureau’s failure to obtain restitution for consumers who were targeted by these companies’ deceptive marketing practices.”
“Unfortunately, because of extended travel and multiple relocations, often related to their service, servicemembers and veterans are particularly vulnerable to scams. The VA and the Bureau have long been aware of one such scam: direct-mail advertisements that contained inadequate disclosures or misleading and deceptive statements pertaining to VA home loans,” the lawmakers continued. “For instance, in 2016, the Bureau released a snapshot of servicemember complaints and highlighted that veterans had reported receiving misleading advertisements. And in November 2017, the VA and the Bureau issued a “Warning Order” alerting servicemembers and veterans to offers of mortgage refinancing that contained deceptive or false advertising.”
“As servicemembers, veterans, and their families make sacrifices for our country, they expose themselves to a number of financial risks and challenges; the Bureau must be clear that it is looking out for them in return. We are concerned that there has been no effort to ensure that thousands of servicemembers and veterans are made whole or at least compensated for damages caused by unscrupulous lenders seeking to profit by misleading homeowners,” wrote the lawmakers.
The full text of the letter can be found here.
BACKGROUND:
Since the beginning of the coronavirus pandemic, complaints to the CFPB have increased 50 percent over the 2019 levels, including thousands of complaints about credit reporting, debt collection, credit cards and prepaid cards, and mortgages.
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), former technology entrepreneur and Vice Chairman of the Senate Select Committee on Intelligence, applauded the House passage of the Internet of Things (IoT) Cybersecurity Improvement Act – legislation to require minimum security requirements for Internet of Things (IoT) devices purchased by the U.S. government. Sen. Warner authored and introduced this legislation in the Senate back in August 2017. He reintroduced the bill in the 116th Congress with a House companion led by U.S. Reps. Robin Kelly and Will Hurd. That legislation passed through the Senate Homeland Security and Governmental Affairs Committee in June 2019 and now awaits consideration in the Senate.
“The House passage of this legislation is a major accomplishment in combatting the threats that insecure IoT devices pose to our individual and national security. Frankly, manufacturers today just don’t have the appropriate market incentives to properly secure the devices they make and sell – that’s why this legislation is so important,” said U.S. Sen. Mark R. Warner. “I commend Congresswoman Kelly and Congressman Hurd for their efforts to push this legislation forward over the past two years. I look forward to continuing to work to get this bipartisan, bicameral bill across the finish line in the Senate.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act introduced by Sen. Warner would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.
Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet of Things.
###
WASHINGTON, DC – As communities across the country grapple with how to reopen as safely as possible, U.S. Sen. Mark R. Warner joined Sens. Tom Carper (D-Del.), Bill Cassidy, M.D. (R-La.) and a bipartisan group of senators in calling on the Department of Health and Human Services (HHS) and the Centers for Disease Control and Prevention (CDC) to improve, automate and modernize COVID-19 data collection and management. In a letter sent to Secretary Azar and Dr. Redfield, the lawmakers specifically called on the agencies to harness technologically advanced systems and build on existing data sources in order to provide public health officials and community leaders with more accurate, real-time information as they make critical decisions about reopening.
Unfortunately, recent reports have shown that case reporting and contact tracing across the country are being hampered by a fragmented health system and antiquated technology, including manual entry of patients’ data and results and sharing of such results through paper and pencil or fax. In Texas, some patients were having to wait 10 days to find out if they had been infected with coronavirus because their results were being faxed to public health officials and then entered into a database by hand.
In their letter, the lawmakers wrote, “During an emergency such as the current pandemic, scaling up and using existing systems to the greatest extent possible can improve data collection and contact tracing efforts. We therefore ask that you and your colleagues utilize and build on existing data sources, such as electronic health record (EHR) and laboratory information management systems (LIMS), claims databases, and other automated systems to provide government leaders, public health officials, community leaders, and others with actionable, easy-to-interpret data from a wide-ranging set of sources. Data generated by contact tracing, syndromic surveillance, and large-scale testing can help inform decisions on how to safely reopen communities and bring economies back online. Modernizing and automating data collection should augment detection, testing, and contact tracing plans, while also helping to prevent and improve the management of new outbreaks.”
The bipartisan group highlighted the fact that some of these tools are already being successfully utilized in communities across the country. They noted, “Fortunately, software-based systems providing data management for state public health entities and major testing laboratories already exist, and they are more efficient and accurate while reducing the burden of excess paperwork. For example, North Carolina and Florida have taken steps to modernize and improve patients’ Covid-19 test results and other infectious disease symptoms. In Florida, nurses can register patients for Covid testing in the field using tablet computers that are connected to a HIPAA compliant cloud. By managing the patient and order requisition information electronically, lab processing time is reduced and transcription errors are eliminated.”
Joining Sens. Warner, Carper and Cassidy in sending this letter are Sens. Michael Bennet (D-Colo.), Richard Blumenthal (D-Conn.), Bob Casey (D-Penn.), Susan Collins (R-Maine), Chris Coons (D-Del.), Tina Smith (D-Minn.), and Thom Tillis (R-N.C.).
The letter is available here.
###
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) joined Sen. Amy Klobuchar (D-MN), a senior member of the Senate Commerce Committee and Ranking Member of the Senate Judiciary Subcommittee on Antitrust, Competition Policy and Consumer Rights, and Sen. Jerry Moran (R-KS), Chairman of the Senate Commerce Subcommittee on Manufacturing, Trade, and Consumer Protection, in sending a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging the FTC to take action to address the troubling data collection and sharing practices of the mobile application (“app”) Premom.
Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant, relying on personal and private health information. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the Apple App and Google Play stores.
In addition to Sen. Warner, Sens. Klobuchar and Moran were joined by Ranking Member of the Senate Commerce Committee, Maria Cantwell (D-WA), Richard Blumenthal (D-CT), Shelley Moore Capito (R-WV), and Elizabeth Warren (D-MA).
“A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent,” Klobuchar and her colleagues wrote.
The full text of the letter can be found HERE and below:
Dear Chairman Simons:
We write to express our serious concerns regarding recent reports about the data collection and sharing practices of the mobile application (“app”) Premom and to request information on the steps that the Federal Trade Commission (FTC) plans to take to address this issue.
Premom is a mobile app that helps users track their fertility cycles to determine the best time to get pregnant. As of November 2019, the app has been downloaded over half a million times, and it is one of the top search results among fertility apps in the leading app stores. To use Premom, users provide the app extensive personal and private health information.
A recent investigation from the International Digital Accountability Council (IDAC) indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data-sharing practices. Most troubling, the investigation found that Premom shared its users’ data without their consent. IDAC sent a letter to the FTC on August 6, 2020, to describe these undisclosed data transmissions along with other concerning allegations including conflicting privacy policies and questionable representations related to their collection of installed apps for functionality purposes.
While Premom claimed to only share “nonidentifiable” information in its privacy policy, the IDAC report found that Premom collected and shared—with three third-party advertising companies based in China including Jiguang, UMSNS, and Umeng—non-resettable unique user device identifiers that can be used to build profiles of consumer behavior. Additionally, users of the Premom app were not given the option to opt out of sharing their personal data with these advertising companies, and reports also allege that one of the companies that received user data from Premom concealed the data being transferred—which privacy experts say is an uncommon practice for apps that is used primarily to conceal their data collection practices.
While we understand that Premom has taken steps to update its app to halt the sharing of its users’ information with these companies, it is concerning that Premom may have engaged in these deceptive practices and shared users’ personal data without their consent. Additionally, there may still be users who have not yet updated the Premom app, which could still be sharing their personal data—without their knowledge or consent.
In light of these concerning reports, and given the critical role that the FTC plays in enforcing federal laws that protect consumer privacy and data under Section 5 of the Federal Trade Commission Act and other sector specific laws, we respectfully ask that you respond to the following questions:
1. Does the FTC treat persistent identifiers, such as the non-resettable device hardware identifiers discussed in the IDAC report, as personally identifiable information in relation to its general consumer data security and privacy enforcement authorities under Section 5 of the FTC Act?
2. Is the FTC currently investigating or does it plan to investigate Premom’s consumer data collection, transmission, and processing conduct described in the IDAC report to determine if the company has engaged in deceptive practices?
3. Does the FTC plan to take any steps to educate users of the Premom app that the app may still be sharing their personal data without their permission if they have not updated the app? If not, does the FTC plan to require Premom to conduct such outreach?
4. Please describe any unique or practically uncommon uses of encryption by the involved third-party companies receiving information from Premom that could be functionally interpreted to obfuscate oversight of the involved data transmissions.
5. How can the FTC use its Section 5 authority to ensure that mobile apps are not deceiving consumers about their data collection and sharing practices and to preempt future potentially deceptive practices like those Premom may have engaged in?
Thank you for your time and attention to this important matter. We look forward to working with you to improve American consumers’ data privacy protections.
Sincerely,
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) and Sen. Richard Blumenthal (D-CT), along with Sens. Michael Bennet (D-CO), Mazie Hirono (D-HI), Angus King (I-ME), Bob Menendez (D-NJ), Kamala Harris (D-CA), Ed Markey (D-MA), Cory Booker (D-NJ), Tammy Baldwin (D-WI), Elizabeth Warren (D-MA), Amy Klobuchar (D-MN), and Dick Durbin (D-IL), sent a letter to Senate leaders urging them to include the Public Health Emergency Privacy Act in the next coronavirus relief package as negotiations between Senate Republicans and Democrats are underway. Inclusion of the legislation will help strengthen the public’s trust to participate in critical screening and contact tracing efforts to aid in the fight against COVID-19.
“As you begin negotiations on another coronavirus stimulus package, we write to urge inclusion of commonsense privacy protections for COVID health data. Building public trust in COVID screening tools will be essential to ensuring meaningful participation in such efforts. With research consistently showing that Americans are reluctant to adopt COVID screening and tracing apps due to privacy concerns, the lack of health privacy protections could significantly undermine efforts to contain this virus and begin to safely re-open – particularly with many screening tools requiring a critical mass in order to provide meaningful benefits,” the Senators wrote in a letter to Senate Majority Leader Mitch McConnell, Senate Minority Leader Chuck Schumer, and the Chairman and Ranking Member of the Senate Committee on Health, Education, and Labor.
According to a recent survey, 84 percent of Americans feel uneasy about sharing their personal health information for COVID-19 related mitigation efforts. Public reluctance can be attributed to a myriad of investigative reports and congressional hearings that have exposed widespread secondary use of Americans’ data over the years. The Senators noted that with the inclusion of their bill, Congress can establish commonsense targeted rules to ensure the collection, retention, and use of data by COVID screening tools are focused on combatting COVID and not for extraneous, invasive, or discriminatory purposes.
“Our urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy. If not appropriately addressed, these issues could lead to a breakdown in public trust that could ultimately thwart successful public health surveillance initiatives. Privacy experts, patient advocates, civil rights leaders, and public interest organizations have resoundingly called for strong privacy protections to govern technological measures offered in response to the COVID-19 crisis. In the absence of a federal privacy framework, experts and enforcers – including the Director of the Bureau of Consumer Protection of Federal Trade Commission – have encouraged targeted rules on this sensitive health data. The Public Health Emergency Privacy Act meets the needs raised by privacy and public health communities, and has been resoundingly endorsed by experts and civil society groups,” the Senators continued.
A copy of the letter can be found here and below.
Dear Leader McConnell, Leader Schumer, Chairman Alexander, and Ranking Member Murray,
As you begin negotiations on another coronavirus stimulus package, we write to urge inclusion of commonsense privacy protections for COVID health data. Building public trust in COVID screening tools will be essential to ensuring meaningful participation in such efforts. With research consistently showing that Americans are reluctant to adopt COVID screening and tracing apps due to privacy concerns, the lack of health privacy protections could significantly undermine efforts to contain this virus and begin to safely re-open – particularly with many screening tools requiring a critical mass in order to provide meaningful benefits. According to one survey, 84% of Americans “fear that data collection efforts aimed at helping to contain the coronavirus cost too much in the way of privacy.”
Public health experts have consistently pointed to health screening and contact tracing as essential elements of a comprehensive strategy to contain and eradicate COVID. Since the onset of the pandemic, employers, public venue operators, and consumer service providers have introduced a range of tools and resources to engage in symptom monitoring, contact tracing, exposure notification, temperature checks, and location tracking. Increasingly, we have seen higher education institutions mandate the use of these applications for incoming students and employers mandate participation in these programs among employees.
Health data is among the most sensitive data imaginable and even before this public health emergency, there has been increasing bipartisan concern with gaps in our nation’s health privacy laws. While a comprehensive update of health privacy protections is unrealistic at this time, targeted reforms to protect health data – particularly with clear evidence that a lack of privacy protections has inhibited public participation in screening activities – are both appropriate and necessary.
Our legislation does not prohibit or otherwise prevent employers, service providers, or any other entity from introducing COVID screening tools. Rather, it provides commonsense and widely understood rules related to the collection, retention, and usage of that information – most notably, stipulating that sensitive data collected under the auspices of efforts to contain COVID should not be used for unrelated purposes. As a litany of investigative reports, Congressional hearings, and studies have increasingly demonstrated, the widespread secondary use of Americans’ data – including sensitive health and geolocation data – has become a significant public concern. The legislation also ensures that Americans cannot be discriminated against on the basis of COVID health data – something particularly important given the disproportionate impact of this pandemic on communities of color.
Efforts by public health agencies to combat COVID-19, such as manual contact tracing, health screenings, interviews, and case investigations, are not restricted by our bill. And the legislation would allow for the collection, use, and sharing of data for public health research purposes and makes clear that it does not restrict use of health information for public health or other scientific research associated with a public health emergency.
Our urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy. If not appropriately addressed, these issues could lead to a breakdown in public trust that could ultimately thwart successful public health surveillance initiatives. Privacy experts, patient advocates, civil rights leaders, and public interest organizations have resoundingly called for strong privacy protections to govern technological measures offered in response to the COVID-19 crisis. In the absence of a federal privacy framework, experts and enforcers – including the Director of the Bureau of Consumer Protection of Federal Trade Commission – have encouraged targeted rules on this sensitive health data. The Public Health Emergency Privacy Act meets the needs raised by privacy and public health communities, and has been resoundingly endorsed by experts and civil society groups.
Providing Americans with assurance that their sensitive health data will not be misused will give Americans more confidence to participate in COVID screening efforts, strengthening our common mission in containing and eradicating COVID-19. For this reason, we urge you to include the privacy protections contained in the Public Health Emergency Privacy Act in any forthcoming stimulus package.
Thank you for your attention to this important matter.
Sincerely,
###
“It is critical that the CFPB and FHFA act quickly to ensure homeowners across the country can access the relief they need during this national emergency. Any delay could result in unnecessary delinquencies and foreclosures that will set consumers back, rather than helping them recover,” wrote the lawmakers.
In addition to Sens. Warner and Brown, the letter was signed by Sens. Jack Reed (D-RI), Elizabeth Warren (D-MA), Brian Schatz (D-HI), Chris Van Hollen (D-MD), Catherine Cortez Masto (D-NV), and Tina Smith (D-MN).
A copy of the letter appears here and below:
We are writing regarding the Consumer Financial Protection Bureau (CFPB) and the Federal Housing Finance Agency’s (FHFA) joint announcement of the Borrower Protection Program. The announcement states that the CFPB will share consumer complaint data and analytics with FHFA, and FHFA will provide the CFPB with its internal data on mortgage forbearances, modifications, and other loss mitigation.
Sharing information between your agencies is an important first step to ensure that homeowners are getting the help they need. The CFPB’s supervisory, research, and market monitoring tools and consumer-oriented perspective coupled with FHFA’s loan-level data could provide unique insights into borrowers’ experiences.
But information sharing alone will not protect borrowers. Once information is shared, the CFPB and FHFA must also have plans to use their respective tools and authorities to immediately address trends that indicate borrowers are receiving inaccurate information or unequal treatment, or that servicers are not complying with the law. Timeliness of the CFPB and FHFA’s oversight is critical to avoid unnecessary borrower defaults and foreclosures. Just a few weeks of delay could have disastrous outcomes for consumers who may lose the ability to access an affordable modification after just two months or face foreclosure after four months.
To help us better understand what steps your agencies will take to protect homeowners through the Borrower Protection Program, please respond to the following questions:
1. It has been more than nine weeks since the COVID-19 national emergency declaration, and borrowers may already have experienced weeks of financial hardship.
a. When will the CFPB and FHFA first share data under the Borrower Protection Program?
b. What specific actions will the CFPB and FHFA take, respectively, if either agency identifies noncompliance or consumer harm both to get consumers accurate information and to address noncompliance? Please list all tools that could be used by each agency.
2. Consumer complaint data is an important source of information, but it is not the CFPB’s only tool to monitor consumer harm. In addition to consumer complaint data, what other information will the FHFA receive from the CFPB?
3. The CFPB has regulatory and supervisory authority over many of the largest mortgage servicers, including depositories with more than $10 billion in assets and nonbank mortgage servicers.
a. Will the information examined under the Borrower Protection Program show data by loan servicer? If so, how will the CFPB use any servicer-specific data to inform its supervisory activities?
b. Will any servicer-specific data distinguish between loans in forbearance and delinquent loans? If so, how will the CFPB or FHFA monitor and address disparities in delinquency rates amongst servicers to ensure that those borrowers who are facing a financial hardship and eligible for forbearance can receive it?
c. To the extent that the CFPB or FHFA receives information or identifies trends among mortgage servicers that do not fall within the CFPB’s supervisory authority, will the CFPB or FHFA communicate those findings to the appropriate regulator to ensure compliance with servicing laws and policies? If not, why not?
4. Will information provided to the CFPB include borrower demographic information when available, including race, ethnicity, English proficiency, age, or other protected classes under the Fair Housing Act to facilitate fair lending oversight?
a. How will the CFPB use any available information to ensure that mortgage servicing policies and practices result in equal treatment for all borrowers? Will the CFPB monitor forbearance rates, delinquency rates, loan modifications, non-retention loss mitigation options, and foreclosures by protected class?
b. What tools will the CFPB and FHFA use to address any disparate outcomes?
5. Will any information provided to either agency include a borrower’s servicemember status, when available, to monitor compliance with the Servicemembers Civil Relief Act (SCRA)? If possible violations of the SCRA are identified, which agency will address those violations?
6. Many mortgage servicers service not just Fannie Mae and Freddie Mac loans, but also FHA, VA, USDA, and HUD Section 184 loans, as well as loans in private-label securities.
a. Will the CFPB enter into agreements with the other federal agencies, which collectively insure or guarantee more than 25 percent of loans, to share data and inform those agencies’ supervision of their servicers? If not, why not?
b. Borrowers whose loans are not guaranteed by Fannie Mae or Freddie Mac or insured or guaranteed through a federal program are not assured to receive forbearance or other relief if they face a hardship, and information about outcomes for these borrowers will be limited. How will the Borrower Protection Program protect borrowers whose loans are not guaranteed by Fannie Mae or Freddie Mac or insured or guaranteed through a federal program?
7. Will the CFPB and FHFA publish regular, public updates on the Borrower Protection Program to share findings and actions? If not, why not?
It is critical that the CFPB and FHFA act quickly to ensure homeowners across the country can access the relief they need during this national emergency. Any delay could result in unnecessary delinquencies and foreclosures that will set consumers back, rather than helping them recover. Thank you for your prompt attention to this request.
Sincerely,
###
WASHINGTON - As tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19, U.S. Sens. Mark R. Warner and Richard Blumenthal (D-CT) and U.S. Reps. Anna G. Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA) introduced the Public Health Emergency Privacy Act to set strong and enforceable privacy and data security rights for health information.
After decades of data misuse, breaches, and privacy intrusions, Americans are reluctant to trust tech firms to protect their sensitive health information – according to a recent poll, more than half of Americans would not use a contact tracing app and similar tools from Google and Apple over privacy concerns. The bicameral Public Health Emergency Privacy Act would protect Americans who use this kind of technology during the pandemic and safeguard civil liberties. Strengthened public trust will empower health authorities and medical experts to leverage new health data and apps to fight COVID-19.
“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” Blumenthal said. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19. Americans are rightly skeptical that their sensitive health data will be kept safe and secure, and as a result, they’re reluctant to participate in contact tracing programs essential to halt the spread of this disease. The Public Health Emergency Privacy Act’s commitment to civil liberties is an investment in our public health.”
“Communications technology has obviously played an enormously important role for Americans in coping with and navigating the new reality of COVID-19 and new technology will certainly play an important role in helping to track and combat the spread of this virus. Unfortunately, our health privacy laws have not kept pace with the privacy expectations Americans have come to expect for their sensitive health data,” Warner said. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations could become the new status quo in health care and public health. The credibility – and indeed efficacy – of these technologies depends on public trust.”
“I’m thankful that our country is blessed with the world’s best innovators and technologists, many of whom I represent in the House, and that they have joined the effort to combat the coronavirus by using technology to control the spread of the virus,” said Eshoo. “As we consider new technologies that collect vast amounts of sensitive personal data, we must not lose sight of the civil liberties that define who we are as a nation. I’m proud to join my colleagues to introduce the Public Health Emergency Privacy Act, strong and necessary legislation that protects the privacy of every American while ensuring that innovation can aid important public health efforts.”
“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights. I am proud to introduce this bill with my friend and fellow Energy & Commerce Subcommittee Chairwoman Eshoo, along with Senators Blumenthal and Warner,” said Schakowsky. “It’s our shared belief that swift passage of this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact tracing to be a worthwhile auxiliary to widespread testing and manual contact tracing.”
“We must use every tool available to us to respond to the COVID-19 pandemic. Contact tracing, along with testing, are the cornerstones of a science-based approach to addressing this historic crisis. We can protect our public health response and personal data privacy,” said DelBene. “I have been calling on the Trump administration and the private sector to adopt data privacy principles since the start of this outbreak. It is time for Congress to lead the way in assuring we have a strong national contact tracing system and that Americans’ personal data is protected. This bill will achieve this mutual goal.”
Eshoo, Schakowsky, and DelBene introduced House legislation with original co-sponsors House Energy and Commerce Committee Vice Chair Yvette Clarke (D-NY), Health Subcommittee Vice Chair G. K. Butterfield (D-NY), and Consumer Protection & Commerce Subcommittee Vice Chair Tony Cárdenas (D-CA).
The Public Health Emergency Privacy Act would:
· Ensure that data collected for public health is strictly limited for use in public health;
· Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;
· Prevent the potential misuse of health data by government agencies with no role in public health;
· Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
· Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
· Require regular reports on the impact of digital collection tools on civil rights;
· Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent; and
· Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.
The Public Health Emergency Privacy Act is endorsed by Lawyers’ Committee for Civil Rights Under Law, Public Knowledge, New America’s Open Technology Institute, Consumer Reports, Free Press, Electronic Privacy and Information Center (EPIC), Public Citizen, health privacy scholar Frank Pasquale, and privacy scholar Ryan Calo.
“African Americans and other marginalized communities are suffering disproportionately from coronavirus and its economic effects. They do not need further harm from snake oil surveillance tech. This bill protects the most vulnerable—it ensures that any technology used to track the virus is not used to unfairly discriminate in employment, voting, housing, education, and everyday commerce,” said David Brody, Counsel and Senior Fellow for Privacy & Technology at the Lawyers’ Committee for Civil Rights Under Law.
“As contact tracing apps and other types of COVID-19 surveillance become commonplace in the United States, this legislation will protect the privacy of Americans regardless of the type of technology used or who created it. It is critical that Congress continue to work to prevent this type of corporate or government surveillance from becoming ubiquitous and compulsory,” said Sara Collins, Policy Counsel at Public Knowledge.
“OTI welcomes this effort to protect privacy as lawmakers consider pandemic response plans that gather vast quantities of data. The bill would establish strong safeguards that would prevent personal data from being used for non-public health purposes and prevent the data from being used in a discriminatory manner,” said Christine Bannan, Policy Counsel at New America’s Open Technology Institute.
“When it comes to tracking and collecting people’s data, we want to make sure there are basic protections for people’s privacy, and this bill is a positive step to establish the trust and balance that’s needed. The bill smartly requires that data collected to fight coronavirus can only be used for public health purposes – and nothing else. Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements. These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road,” said Justin Brookman, Director of Consumer Privacy and Technology Policy for Consumer Reports.
“Digital contact tracing and exposure notification systems may be important tools in combating the spread of coronavirus. But they must be deployed responsibly and with adequate safeguards that protect the privacy and civil rights of the people that use them. The Public Health Emergency Privacy Act is a serious effort at ensuring our rights are protected while giving public health officials the tools they need to track and notify those exposed to COVID-19. These rules must apply to everyone using these systems, whether that’s state or local governments, employers, or other tech companies. This bill protects the civil rights of the most vulnerable essential workers, the disproportionately Black and Latinx people most exposed to the virus, and will help ensure they’re not also subject to invasive and unnecessary surveillance that will linger long after this crisis passes,” said Gaurav Laroia, Senior Policy Counsel with Free Press.
“The Public Health Emergency Privacy Act shows that privacy and public health are complementary goals. The bill requires companies to limit the collection of health data to only what is necessary for public health purposes, and crucially, holds companies accountable if they fail to do so,” said Caitriona Fitzgerald, Interim Associate Director and Policy Director with Electronic Privacy Information Center (EPIC).
“What we need more than anything during this global emergency is to feel less vulnerable, to be sure not just that our health is protected, but that our rights are protected as well. This bill will ensure that whatever technological innovation emerges during the pandemic, we will feel safer knowing that our rights to privacy, to our day in court and to access to the ballot box won’t be threatened,” said Robert Weissman, President of Public Citizen.
“This bill establishes critical protections for patients whose health data is released in the context of the public health emergency. To build a trusted data infrastructure, the US needs to ensure that any entity which accesses such data is held accountable and does not abuse the public trust. The Public Health Emergency Privacy Act is a big step in the right direction,” said Frank Pasquale, Piper & Marbury Professor of Law at University of Maryland Carey School of Law.
“This draft legislation addresses two of my biggest privacy concerns about the use of technology and information to respond to COVID-19. As the Act makes clear, the emergency health data of Americans should only be used to fight the pandemic and should never be used to discriminate or deny opportunity,” said Ryan Calo, Lane Powell & D. Wayne Gittinger Endowed Professor at University of Washington School of Law.
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) urged Vice President Mike Pence to take steps to both combat online misinformation related to the coronavirus outbreak and to correct false and misleading statements by the President and other members of the Administration, in the interest of public health. This letter follows reports of widespread misinformation on social media about the novel coronavirus (COVID-19) – from conspiracies about the virus’ inception, to false claims about products that were said to provide immunity or cures.
“I am deeply concerned that despite the seriousness of the novel coronavirus (COVID-19) outbreak, your coronavirus taskforce and members of the Administration have failed to consistently counter the significant amount of misinformation conveyed to the American public. In many instances, we have seen misinformation spread by those seeking to profit from untested and potentially dangerous products misrepresented as effective treatments for the virus,” wrote Sen. Warner. “Of even greater concern, false or misleading information has also come directly from prominent members of the Administration, up to and including the President.”
“The President’s injudicious and false statements could gravely undermine ongoing public health efforts to contain the outbreak. His statements directly conflict with the advice and recommendations of your own coordinated federal response and leading public health experts and will likely exacerbate economic uncertainty and discourage individuals from seeking needed care. To date, I am not aware of any steps your Administration has taken to publicly correct this false narrative,” he continued. “Simply put – this conflicting messaging and misinformation will weaken our ability to respond to COVID-19 and significantly undermine ongoing public health efforts. I strongly encourage you to publicly withdraw and correct President Trump’s statements and other false statements made by members of the Administration. In addition I ask that, moving forward, the coronavirus taskforce proactively monitor and develop a comprehensive strategy to counter widespread misinformation, including campaigns by foreign actors or parties seeking to profit from fraudulent health treatments. Information conveyed to the public must accurately reflect the latest guidance from public health experts and other authorities.”
Around the world, the novel coronavirus has sickened more than 113,000 people and killed more than 4,000 people to date. In the Commonwealth of Virginia alone, there have been nine identified cases of the virus.
In his letter, Sen. Warner noted that the President’s false statements “stoke and legitimize already widespread online misinformation concerning the virus.” He also highlighted indications “that at least some of the misinformation is derived from, or at least amplified by, malicious foreign actors.”
A copy of the letter is available here and below. A list of Sen. Warner’s work on coronavirus is available here.
The Honorable Michael R. Pence
Vice President of the United States of America
The White House
1600 Pennsylvania Avenue, NW
Washington, D.C. 20500
Dear Vice President Pence:
I am deeply concerned that despite the seriousness of the novel coronavirus (COVID-19) outbreak, your coronavirus taskforce and members of the Administration have failed to consistently counter the significant amount of misinformation conveyed to the American public. In many instances, we have seen misinformation spread by those seeking to profit from untested and potentially dangerous products misrepresented as effective treatments for the virus.[1] Of even greater concern, false or misleading information has also come directly from prominent members of the Administration, up to and including the President. I believe that, left unaddressed, this misinformation and conflicting messaging will undermine our ability to respond to COVID-19 by reducing public confidence in ongoing public health efforts, creating economic uncertainty and causing the public to respond in counterproductive ways.
As you know, the novel coronavirus (COVID-19) has sickened more than 118,000 people around the world, and killed more than 4,200 people to date.[2] While this situation is rapidly evolving in the United States, the Centers for Disease Control and Prevention (CDC) has said the potential public health threat posed by COVID-19 is very high.[3] It is essential that the Administration communicate timely and accurate information to the American public. This should include a coordinated effort to address potentially harmful misinformation spread through social media and other sources.
On March 4, 2020, during a phone call televised to millions of viewers, President Donald J. Trump indicated that Americans who fear they may have COVID-19 should continue going to work and not seek medical care, and told viewers that the World Health Organization’s (WHO) estimates of the virus’ deadliness were false.[4] In addition, on February 26, 2020 the President carelessly downplayed the seriousness of this outbreak by telling the American public that COVID-19 cases in the U.S. were “going very substantially down, not up” and that the existing 15 cases in the U.S. “is going to be down to close to zero” in two days.[5] As you know, cases have increased exponentially since that time.
The President’s injudicious and false statements could gravely undermine ongoing public health efforts to contain the outbreak. His statements directly conflict with the advice and recommendations of your own coordinated federal response and leading public health experts and will likely exacerbate economic uncertainty and discourage individuals from seeking needed care. To date, I am not aware of any steps your Administration has taken to publicly correct this false narrative.
In addition, such remarks stoke and legitimize already widespread online misinformation concerning the virus. There are indications that at least some of the misinformation is derived from, or at least amplified by, malicious foreign actors.[6] Additional misleading statements from members of the Administration, combined with intentional falsehoods pushed by these malicious actors, will only make matters worse.
Successfully combatting COVID-19 will require that public officials, health care providers and the American public act in a coordinated and responsible manner and, should the need arise, follow recommendations of public health experts to social distance, self-quarantine and take additional safety measures. This will not be possible if the Administration does not take proactive steps to counter false information and consistently relay trusted, accurate and timely information to the American public.
Simply put – this conflicting messaging and misinformation will weaken our ability to respond to COVID-19 and significantly undermine ongoing public health efforts. I strongly encourage you to publicly withdraw and correct President Trump’s statements and other false statements made by members of the Administration. In addition I ask that, moving forward, the coronavirus taskforce proactively monitor and develop a comprehensive strategy to counter widespread misinformation, including campaigns by foreign actors or parties seeking to profit from fraudulent health treatments. Information conveyed to the public must accurately reflect the latest guidance from public health experts and other authorities. Thank you for your attention to this request and I look forward to your response.
Sincerely,
###
WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and John Kennedy (R-LA), members of the Senate Banking Committee, released a statement today, ahead of Supreme Court arguments in Liu v. SEC, a case challenging the Securities and Exchange Commission’s (SEC) enforcement powers to seek disgorgement on behalf of defrauded investors:
“Today’s argument in Liu v. SEC highlights the critical importance of affirming the SEC’s ability to protect investors through its disgorgement authority. Disgorgement authority is an essential enforcement tool that deters violations of our securities laws, protects Main Street investors, and helps compensate hard-working Americans who are victims of financial scams. Since the Court’s 2017 decision in Kokesh v. SEC, the SEC has forgone an estimated $1.1 billion in proceeds on behalf of harmed investors – a number that will only grow if the Supreme Court sides with the petitioners in this case – putting more money in the pockets of scammers and fraudsters while leaving ripped-off investors holding the bag. While we strongly believe that the SEC has the legal authority to seek disgorgement in civil actions, uncertainty from this case underscores the importance of congressional action to better protect harmed investors. In the Senate, we have introduced bipartisan legislation that would affirm the SEC’s disgorgement authority and expand its toolkit to increase financial recovery for harmed investors. The House passed similar legislation last year. We urge our colleagues in the Senate to act now by taking up this bipartisan effort,” said the two Senators.
Sens. Warner and Kennedy last year introduced the Securities Fraud Enforcement and Investor Compensation Act, bipartisan legislation that would give the SEC power to seek restitution for Main Street investors harmed by securities fraud. The bill would give the SEC a broader range of tools to seek compensation for investors who’ve lost money to Ponzi schemes and other investment scams.
###
Statement of Senate Intel Vice Chair Mark R. Warner on Charges Against Chinese Spies for Hacking Equifax
Feb 10 2020
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, issued the following statement after federal prosecutors today charged four Chinese intelligence officers with hacking Equifax in one of the largest data breaches in history:
“I’m glad the DOJ has moved to formally indict the Chinese intelligence officers associated with the hack of Equifax. For years, the Chinese government has targeted western commercial firms. It is disappointing that despite a lot of rhetoric President Trump’s recent agreement with China does nothing to address this specific issue.
“That said, the indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack. A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure. The legislation I have with Senator Warren would subject data brokers to a higher standard of care and is an important first step in data protection.”
Sen. Warner has been outspoken about the importance of protecting consumers from data theft by employing adequate cybersecurity practices. He has previously introduced legislation to hold large credit reporting agencies – including Equifax – accountable for data breaches involving sensitive consumer data.
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), co-chair of the bipartisan Senate Cybersecurity Caucus, urged the Defense Health Agency to remove sensitive medical data belonging to servicemembers exposed online, where it remains vulnerable due to insecure data practices at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center.
“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” wrote Sen. Warner. “The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others.”
He continued, “We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices.”
In September 2019, Sen. Warner sought answers from TridentUSA Health Services regarding reports that many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. Following that letter, the images were removed but millions of records were left online. Nearly two months later, Sen. Warner called out the U.S. Department of Health and Human Services (HHS) for its failure to act following the exposure.
Since the letter to HHS, 16 systems, 31 million images and 1.5 million exam records have been removed from the internet. However, a significant amount of personally identifiable and sensitive medical information belonging to servicemembers remains online, due to unsecured Army PACS.
In his letter to the Assistant Secretary, Sen. Warner asked the agency to remediate the situation immediately and posed the following questions for Assistant Secretary Thomas McCaffery:
- Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
- Do you audit and monitor logs?
- Do you require full-disk encryption and authentication for PACS?
- Do you require the hospitals to have a Chief Information Security Officer?
- Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.
A copy of the letter can be found here and below.
Mr. Thomas McCaffery
Assistant Secretary of Defense for Health Affairs
Defense Health Agency
7700 Arlington Boulevard
Falls Church, VA 22042
Dear Mr. McCaffery,
As the healthcare sector becomes increasingly reliant on technology to deliver essential services to patients, it also faces rising threats from malicious actors that seek to compromise the personally identifiable and other sensitive information of Americans. As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans. It is with great alarm that I recently learned that unsecured Picture and Archiving Servers (PACS) at Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center have left personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find.
Following a report in September of 2019 highlighting the exposure of sensitive medical images belonging to millions of Americans through unsecured PACS, I wrote letters to two healthcare entities that controlled the PACS, and those images were removed. However, millions of records remained online. The following month, I wrote to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) regarding the remaining exposure of the personally identifiable information belonging to 6 million American patients. Since that letter, 16 systems, 31 million images and 1.5 million exam records were removed from the internet. However, I recently learned that a significant number of medical records belonging to servicemembers remain online. This information was discovered by the German researchers at Greenbone Networks, who accessed the information using German IP addresses; this itself should have triggered alarms by the hospital information security systems.
The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others. We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent. Whenever data moves from one entity to another it should be protected by encryption, proper hashing, segmentation, identity and access controls, and vulnerability management capabilities that include diligent monitoring, auditing, and logging practices. To better understand how this happened, I would like information about your organization’s oversight of the information security practices at military hospitals, particularly at Ft. Belvoir Medical Center and Womack Army Medical Center.
I ask that you immediately remediate this situation, and remove the vulnerable PACS from open access to the internet. To understand how these records have been exposed and accessed repeatedly by a German IP address, please also answer the following questions:
- Please describe the information security management practices at military medical hospitals. Do you require organizations to operate on a segmented network? To implement micro-segmentation? To implement access controls? If so, what kind? Do you require the hospitals to implement multifactor authentication, logging, and monitoring?
- Do you audit and monitor logs?
- Do you require full-disk encryption and authentication for PACS?
- Do you require the hospitals to have a Chief Information Security Officer?
- Please describe what steps you took to address this issue, and when you were able to remove these systems from the internet.
Given the gravity of this issue, I would appreciate a response within two weeks.
Sincerely,
###
Warner, Fischer Announce Growing Support for Protecting Consumers Against Dark Patterns Online
Jan 07 2020
WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Deb Fischer (R-NE) announced two new bipartisan co-sponsors for their legislation to protect consumers from being tricked into giving away their personal data online. Sens. Amy Klobuchar (D-MN) and John Thune (R-SD), two senior members of the Senate Commerce Committee, have co-sponsored the Warner-Fischer legislation to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data.
“Whether you bought Christmas gifts online, downloaded a new messaging app, or tried to navigate a major browser’s byzantine privacy settings, chances are you were a victim of a dark pattern. In fact, if you wanted to score that extra discount at checkout, these design tactics most likely manipulated you into handing over more than just your email address to get that deal,” said Sen. Warner. “I’m grateful to have the support of Sen. Klobuchar and Sen. Thune on this important bill to make sure Americans have more transparency about, and control over, their interactions online.”
“Nearly every time Americans use a new app on our smart phones or browse social media from our laptops, we run into dark patterns. These unethical tricks online platforms use as they battle to capture attention and manipulate users must be stopped. I am pleased to have expanded bipartisan support for this legislation that combats risks to consumer choice and privacy online,” said Sen. Fischer.
“Dark patterns are manipulative tactics used to trick consumers into sharing their personal data. These tactics undermine consumers’ autonomy and privacy, yet they are becoming pervasive on many online platforms,” said Sen. Klobuchar. “This legislation would help prevent the major online platforms from using such manipulative tactics to mislead consumers, and it would prohibit behavioral experiments on users without their informed consent.”
“We live in an environment where large online operators often deploy manipulative practices or ‘dark patterns’ to obtain consent to collect user data, so I’m glad this bill takes meaningful steps to advance consumer transparency,” said Sen. Thune. “I particularly applaud the provisions of this bill that require large online operators to be more transparent about when users are subject to behavioral or psychological research for the purpose of promoting engagement on their platforms. I want to thank Sens. Warner and Fischer for leading this effort, and I’m glad to join them and Sen. Klobuchar in cosponsoring this important legislation.”
The bipartisan Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative dark pattern behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. Specifically, the legislation:
- Enables the creation of a professional standards body, which can register with the Federal Trade Commission (FTC), to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body, providing updated guidance to platforms on design practices that impair user autonomy, decision-making, or choice, positioning the FTC to act as a regulatory backstop.
- Prohibits segmenting consumers for the purposes of behavioral experiments, unless with a consumer’s informed consent. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
- Prohibits user design intended to create compulsive usage among children under the age of 13 years old.
- Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.
Sen. Warner has been raising concerns about the implications of social media companies’ reliance on dark patterns for several years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on News Feeds.
Sen. Warner is also recognized as one of Congress’ leading voices in an ongoing public debate around social media and user privacy. He has written and introduced a series of bipartisan bills designed to protect consumers and promote competition in social media. The Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act will require data harvesting companies such as social media platforms to tell consumers and financial regulators exactly what data they are collecting from consumers, and how it is being leveraged by the platform for profit. The Honest Ads Act will help prevent foreign interference in future elections and improve the transparency of online political advertisements. The Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act is a bipartisan bill to encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) released the following statement after President Trump signed into law a bill sponsored by Sen. Warner to crack down on illegal robocall scams:
“The truth is, folks in Virginia and across the nation are sick and tired of receiving unsolicited robocalls at all hours of the day,” said Sen. Warner. “These calls are intrusive and often set up by scammers looking to prey on vulnerable individuals. I’m proud to have sponsored this legislation and am very excited to see it signed into law so that it can start giving individuals some peace of mind. Personally, I know I won’t miss these annoying robocalls, and I have a feeling other Virginians won’t either.”
The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act gives regulators more time to find scammers, increases civil forfeiture penalties for those who are caught, requires service providers to adopt call authentication and blocking, and brings relevant federal agencies and state attorneys general together to address impediments to criminal prosecution of robocallers who intentionally break laws. Sen. Warner sponsored the Senate version of the bill, which passed the Senate in a 97-1 vote in May 2019. After the House passed an amended version of the bill earlier this month, the Senate unanimously voted to send the bill to the President’s desk for signature on December 18.
The TRACED Act:
- Broadens the authority of the Federal Communications Commission (FCC) to levy civil penalties of up to $10,000 per call on people who intentionally flout telemarketing restrictions.
- Extends the window for the FCC to catch and take civil enforcement action against intentional violations to four years after a robocall is placed. Under current law, the FCC has only one year to do so, and the FCC has told the committee that “even a one-year longer statute of limitations for enforcement” would improve enforcement against violators.
- Brings together the Department of Justice, FCC, Federal Trade Commission, Department of Commerce, Department of State, Department of Homeland Security, the Consumer Financial Protection Bureau, and other relevant federal agencies, as well as state attorneys general and other non-federal entities to identify and report to Congress on improving deterrence and criminal prosecution at the federal and state level of robocall scams.
- Requires voice service providers to adopt call authentication technologies, enabling a telephone carrier to verify that incoming calls are legitimate before they reach consumers’ phones.
- Directs the FCC to initiate a rulemaking to help protect subscribers from receiving unwanted calls or texts from callers.
- Directs the FCC to initiate a rulemaking process to protect consumers from “one-ring” scams.
- Requires the FCC to establish a working group to issue best practices to prevent hospitals from receiving illegal robocalls.
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the Department of Health and Human Services (HHS) regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications. In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.
“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that there are proper safeguards in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”
“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”
Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programming interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.
In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:
- Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
- Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
- Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data.
- Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties.
Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HHS’ failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.
The letter text can be found below and a PDF is available here.
The Honorable Alex M. Azar II
Department of Health and Human Services
Office of the Secretary
200 Independence Avenue, S.W.
Washington, D.C. 20201
Dear Secretary Azar:
I am writing regarding the proposed rule from the Center for Medicare and Medicaid Services (CMS) on Interoperability and Patient Access that would enable third party consumer applications to access sensitive patient and health plan data through application programming interfaces (APIs) [1]. I share the goals of advancing interoperability in patient health information and believe that – implemented appropriately – this proposal could represent a significant step in that direction. However, I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information.
Congress passed the 21st Century Cures Act (P.L. 114-255) with a key objective of improving the protected exchange of electronic health records across the care continuum. Notably, Section 4003 and 4004 included specific provisions to establish a trusted health information exchange framework and reduce information blocking; it stated that there should be regulation over unreasonable practices to interfere with, prevent, or materially discourage access, exchange, or use of a patient’s electronic health records. While your agency has taken substantial steps to implement fundamental aspects of this legislation, it is critical that there are proper safeguards in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.
In your proposed rule CMS would specifically require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through an open application programming interface (API). Data should be made available through an API so that third party software applications can connect to, process, and make the data available to patients.
I agree that patients should have an ability to easily acquire their health information. The rule is in many ways consistent with bipartisan legislation I have introduced in Congress – the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, which requires our nation’s largest social media companies to make user data portable, and make their services interoperable with other platforms.
Common to both my bill and the proposed rule is a recognition that consumers should have a right to possess their data – and share it with authorized third parties that will protect it. Both proposals also seek to address the control over consumer data that incumbents wield, often to the detriment of new, innovative providers. Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users.
As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used. Such standards in a final rule should include at a minimum:
- Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it is alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
- Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
- Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data.
- Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties.
Thank you for your consideration and your commitment to advancing interoperability to improve patient care. I believe the outline I have shared would strengthen and ensure the rule achieves its intended purpose. It is my hope and belief that we can achieve both a higher level of interoperability and patient access to their data, as well as strong protections for that information. I look forward to continued work with you on this important issue and our shared goals.
Sincerely,
###