It is shameful that top technology innovation companies, who prosper and have a thirst for vast amounts of private user-data, are fighting to water-down protective regulations. California and a handful of other states are leading the way to protect its citizens. The California’s Consumer Privacy Act (CCPA), which goes into effect in January 2020, will require businesses to disclose, at the consumers request, what personal data and sources has been collected. Privacy continues to garner concerns with people across the country due to a greater awareness of the vast potential impacts. It has reached the point that legislators are wanting to act, to protect their constituents.
Many tech companies unsuccessfully lobbied against the bill (ex. Facebook, AT&T, Verizon and Cox Communications) and other tech giants (ex. Google, Amazon, Facebook, Microsoft, Uber, and Lyft) are now working to push through amendments to limit the scope and open loopholes. This maneuvering is an attempt to reduce the transparency to users, greatly diminish the likelihood of penalties, and avoid business disruption when violations occur. The reason is simple: they profit from the use of people’s private data. Regulations that institute limitations, accountability, and risk of enforcement or penalties represents a danger to their business and profitability.
U.S. Protections Far Behind the World
For many years, the global community has recognized the importance of privacy and has been aggressive in establishing protections for citizens. The United States lags. We lack any cohesive federal regulations. States have had to take the initiative to create their own laws and face powerful lobbying from tech firms to de-fang the needed protections. The result is a patchwork of different rules that has holes and opens challengers to legal debates from data companies.
Many years ago, the European Union instituted privacy requirements as part of the General Data Protection Regulation (GDPR) and just recently updated them to include severe penalties. This included fines as a percentage of global revenue and even jail time for executives. As a large collective of modern digital countries, the EU is leading the way.
More evidence is showing how violations in privacy can have detrimental effects on individuals, families, and groups. Harvesting, selling, or losing data is fueling digital criminals in their victimization of society. Data loss and its manipulation to facilitate misconduct is a key aspect to cybercrime, which will reach an estimated $6 trillion annually by 2021.
We are only seeing the beginning of what is possible. Right now, vast amounts of data are being collected about everyone online. It is estimated that only 10% of data being collected is currently being used. The rest is being stored for a time in the not-too-distant-future where Artificial Intelligent algorithms can tease out more information about people. Vast profiles are being created about you, me, your neighbors, everyone.
What can be done today is scary, but with tomorrow’s technology it is an absolute horror show. Imagine aggregation of data from government systems, healthcare, shopping, web surfing, personal healthcare devices, security cameras, entertainment viewership, finances, social media posts, etc. all pulled together to create a powerful profile of every person. It is no longer just your email, social security number, address, and name that are at risk. It is about what you like, who you listen to, how your opinion can be swayed, what factors create your trust, and what buttons spark your rage, compassion, fears, and desires. It allows the holders of such information to classify, manipulate, and even assign a value to you based upon their bias scales.
Complex profiles can be used for benign or malicious purposes. It can help people connect with the right information, products, services, and people, but it can also be wielded to sway political opinions, filter what information you can get access to, limit financial opportunities based upon others prejudice, steal assets, and destroy reputations. In some cases, it can result in far worse. Such profiles in the past have been used to target and persecute people based upon their race, religion, political views, sexual orientation, or personal opinions.
Access to private data leads to the ability to manipulate people and foster systems of inequality. This is inherently why we naturally keep some information about our lives private, so it is not used against us. Our digital footprint provides more data about us than anyone ever could. Knowing which organizations possess what data about us is a crucial first step for the masses to protect themselves.
A Moment of Revelation
This should be a moment when ethical tech companies make a stand and openly recognize that their collective industry has grown accustomed to excessively harvesting personal data, and such actions represent an unnecessary risk of harm to society in the long run. Much of the data being collected is unnecessary and in many cases the users of products are unaware. Did you know the new car you bought has been collecting data on where every one of its vehicles go? Your grocer knows exactly what you buy, therefore your consumption habits. Your web search engine has tracked every one of your searches, so it knows what you are interested in and what concerns you. Your favorite social media app knows what topics you like and the people you listen to. Your internet provider knows every website you visit and for how long. Did you think about that the last time you searched about a medical condition or navigated to a site that you would not want others to know about? The list goes on.
If we want to avoid future problems for ourselves and our children, we must act now. Privacy is akin to the global climate or pollution debates. Every day more damage is done unless we all recognize the problem and work together for future generations. The data that is collected today will be stored, aggregated, and extrapolated in the future and used in ways we cannot imagine.
Not Far Enough
Personally, I don't think the CPPA bill does enough. It is a fair start, but nowhere near what is needed.
Here is what I recommend to build the necessary foundation for transparency and ultimately support trust in our preferred technology providers:
- Data collectors/holders (companies) should be required to send out an Annual Privacy Statement to users including a summary of what specific data they possess of them (data they gathered, purchased, derived via analysis, etc.), what data they shared and with whom, and all data breaches that did or could have included that person's data.
- Failure to comply with accurate and complete information will be subject to a civil penalty for violations of each user. Citizens as well as state and federal agencies can prosecute. Funds will be split between a Consumer Privacy Fund to pay for government oversight and to the victims. A minimum of $5000 penalty, per user for each offense.
- Users should have the right to request data not be shared with specific entities (other than is required by law). These selections and limitations must be provided in the annual privacy statement. Companies should not be able to change these directives without the specific consent of the user. Instructions must be easy for users to understand, the service available without distraction or delay, and their wishes implemented in a timely manner.
First, it is about transparency. Users must be explicitly informed of what private information is out there, who has it, and if it has been mishandled. This must be a responsibility of those who hold and benefit from the data of others. It should never be a burden of users. Users should never have to ask. It should be provided by mandate at a regular cadence. This represents a cost to any organization that possesses private data and therefore becomes a natural forcing function to only gather, create, or sell data when it is absolutely necessary and legitimate to do so.
Second, there must be a realistic threat of enforcement. Let there be incentives for society to find offenders and be rewarded, at the offender’s expense, to punish those that are abusing citizens private data. Proceeds are split between victims and a national fund that pays for the governmental branch resources to investigate broad offenses, including criminal acts. Far too often regulations require an attorney general or some other understaffed oversight body to prosecute. Businesses know the likelihood is minuscule that such government bodies would ever come after them. But put it in the hands of individuals and hungry lawyers, then there is a formidable force to recon with. Even small abuses could be pursued. That will drive compliance.
Third, users must have the right to limit the distribution of their data, unless required by law. Armed with what data an organization has and with whom they are sharing, every person should be able to say no if they don’t want their data shared with a 3rd party. Data is valuable and users are the ones who become victims if their data is misused. Every person should have the right to control their data and withdraw it from services. This provides control over our data, for its lifespan.
Deliver Us Our Privacy Rights!
This is doable. Many industries require companies to send out monthly/quarterly/annual statements to customers describing their assets and the organization's health/responsibility for managing it. This is no different. Personal data is an asset.
Currently, people get victimized in various ways but don't have the means to understand the origins of who misused or exposed their data. Because so many companies have bits of our digital lives, it is unclear who is responsible or where the data trail goes. A data trail must exist to understand which companies are properly storing and sharing data versus those who are secretly sharing, exposing, or using data in unsanctioned ways. Transparency is key to track down offenders.
Armed with the right information, people can take specific actions to protect their privacy and hold accountable those organizations who are selling private data for profit, lax in their security, or provide data to unethical partners.
Every person should know who has their data, how it is being used, with whom it is being shared, and if it has been unlawfully exposed. Being informed and empowered is the first step to defend our privacy in the digital world and promoting trust in technology.
Interested in more insights, rants, industry news and experiences? Follow me on your favorite social sites for cybersecurity insights: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy blog, Medium, and Steemit