Communications of the ACM

P H O T O B Y C H I P S O M O D E V I L L A / G E T T Y I M A G E S

curred over the past 23 years, the law is largely outdated and simply does not address how companies collect, share, monetize, and protect personal and service-usage data, nor does it address the issue of data security breaches. Regulatory activity advocates generally believe the collection of such a large amount of data, its huge commercial value, and the potentially negative repercussions of this data falling into the wrong hands portends the need for strong regulatory controls, along with stiff penalties for noncompliance.

Within the U.S., several government regulations have been enacted that address general cybersecurity issues, in-

IN THE SPRINGof2018,Facebook CEO Mark Zuckerberg was called to testify before Con- gress, largely in response to the news that British consulting firm Cambridge Analytica had captured and used the data of more than 87 million Facebook users to influence elections without the social media giant’s knowledge or consent, as well as the admission that Facebook itself had been used by Russians to spread fake news and propaganda. During his testimony, Zuckerberg laid out his views on both the need for, and inevitability of, regulation of technology companies and their products and services.

Zuckerberg has since published a call for governments to regulate the Internet by limiting harmful content, addressing long-standing privacy concerns, securing the integrity of elections, and ensuring data portability. However, as of the writing of this article, there has been little to no substantive action on the part of the U.S. federal government to address these and other IT-related concerns.

The lack of consistent and widespread regulation of Internet and computer technology, particularly around data privacy and security, within the U.S. points to a confluence of complicated factors that make the creation of new federal rules related to technology unlikely, despite the public’s growing desire to have some entity police how their personal data and information is tracked, collected, and used.

“We’re under the 20-some-year-old
framework that doesn’t really work
closely for the industry,” says Lee
McKnight, an associate professor in
the School of Information Studies at
Syracuse University, referring to the
Telecommunications Act of 1996, the
last major piece of federal regulation
that addresses the activities of com-
munication and IT companies. While
the Act deregulated the communica-
tions business, letting any company
offer local and long-distance telepho-
ny, cable TV programming, and other
video services, its only reference to
the issues of data privacy or security is
Section 725’s reference to prohibiting
local exchange carriers from record-
ing or using the “the occurrence or
contents of calls received by providers
of alarm monitoring services for the
purposes of marketing such services
on behalf of such local exchange car-
rier, or any other entity.”
Indeed, McKnight says that, giv-
en the vast technological and busi-
ness model changes that have oc-

Regulating Information
Technology

Why isn’t IT regulated, when it can have such substantial impacts on people’s lives?

Society | DOI: 10.1145/3365583 Keith Kirkpatrick

Facebook chairman Mark Zuckerberg was called to testify before U.S. Senate committees after it was reported U.K. consulting firm Cambridge Analytica had harvested the data of more than 87 million Facebook users without their consent to influence elections.