So on the side of wanting easy access to American data -
- People in the gov who want to monitor the general populace for dissent
- Power hungry individuals and governments
- Governments wanting to learn about their foreign adversaries/allies
- People in the gov who want to monitor other gov agents for whatever reason
- Corporations wanting to learn about their adversaries
- Corporations wanting to maximize their profits
- Corporations wanting to learn about their users for whatever reasons
- And so on and on.
On the side of limiting access to user data -
- People wanting privacy
Don't want to sound too pessimistic but I can't help it.
Most - if not all - the people in your first group are also in the second group! That is, I think, what they (and everyone) really needs to realize and understand:
The all-powerful CEO who wants access to detailed customer data? He will be in The Database himself (if not his own, then in the one that a rival company offers). As will his favorite son with the drug habit, and the questionable thing he did on holiday that one time... Might not even be that bad or illegal. But would he want his workers to know those things about him?
The policitian whose party is in power right now? She is in The Database, too. As is her shady half-brother, all the info about the medical procedures she had done while in college, plus her husband's business dealings. Sure, they are legal but will it sound good to her constituency if it leaks? After all, her party might not be in the majority anymore after the next election...
Whenever your unbridled greed for tracking, profiling and surveillance becomes overwhelming, please attend your closest meeting of "Data Collectors Anonymous" and memorize the mantra: IYDTS - It's your data, too, stupid!
Your own daughter will be spied on by creeps. Your mother may be discriminated against when trying to get a mortgage. Whenever you collect people's data for profit or control, you WILL hurt yourself and the ones you love.
Even if you personally are the cleanest Mr. goodie two shoes to ever live, those around you surely aren't - and don't forget, in the end it's very easy for The Database to have some entries about you that might not even be true. Mistakes happen. Good luck proving or correcting them.
If you don't do whatever you can to protect privacy and minimize data collection, every day the chance increases that your own data will be collected and used against you or the ones you love. Then you might not be in a position to stop it anymore. And you may never be happy again...
> The Database to have some entries about you that might not even be true. Mistakes happen. Good luck proving or correcting them.
This actually happened to me. A clerical mistake by a teacher changed my name in databases which led me to change my name officially so that I can have my original name back.
Why wouldn't they just special-case themselves? Pass a national security law (or a de-facto informal agreement) against harvesting politicians' personal data?
You paint a defeatist picture of the situation, which should be obvious not to be helpful in any way.
You list many categories of small groups of people opposed to one encompassing the absolute majority of all. How is the former more powerful by necessity?
The key is people realizing they are part of a large group with a common cause. And powerful if they organize as such. Your comment appears designed to prevent that.
> You paint a defeatist picture of the situation, which should be obvious not to be helpful in any way.
Recognizing obstacles to your goals is hardly unhelpful. GP is clearly pessimistic (and admits as much), but that doesn't change anything. If we (presumably in the "people wanting privacy" camp) want to win, we need to go down that first list and either decide why each of those sorts of people don't matter, or figure out how to counteract their political power.
"How is the former more powerful by necessity?" is a good question that deserves an answer, but I think you seem to have already decided, without evidence, that those people are not powerful, which I think is mere wishful thinking.
You utilize power as a group via coordinated action targeting pressure points and leverage. Understanding how the system you want to influence actually works is a prerequisite surprisingly often omitted.
"Counteracting" individual groups as you propose is a nonsensical approach. It is reactive and at best a second order addendum.
How you read from my comment I was making any assumptions about these groups is your secret alone.
> You utilize power as a group via coordinated action targeting pressure points and leverage.
Ok, sure...
> "Counteracting" individual groups as you propose is a nonsensical approach. It is reactive and at best a second order addendum. Understanding how the system you want to influence actually works...
I don't think you really understand how "the system you want to influence" works? Knocking down "the other side"'s argument is often an integral part of getting things done in politics. Certainly there are other ways, including trading favors and agreeing to support someone else's pet project for their support on yours. But that's not everything, and often is not sufficient.
Regarding coordinated action: I agree, but it turns out that's very hard to coordinate, especially when it comes to privacy issues, as most of the US electorate either doesn't care about privacy, or doesn't understand why they should care (seems they often fall victim to the whole "if I've done nothing wrong, I have nothing to hide" fallacy that the government always pushes). It's very hard to coordinate a group that at best thinks what you're talking about isn't important, and at worst has bought your opposition's propaganda efforts and thinks you're wrong.
> How you read from my comment I was making any assumptions about these groups is your secret alone.
Then what was the point of your post? OP was listing obstacles to getting this legislation passed. Some of them may not be relevant, but I don't think it's safe to blanket assume they all are. If you think they are indeed all irrelevant, then that's fair, but I'd disagree. If you think we don't need to care about those other groups, then I also disagree. If you don't hold either of those positions, then, again, what was the point of your post, and what did it have to do with what the OP was saying?
> Regarding coordinated action: I agree, but it turns out that's very hard to coordinate, especially when it comes to privacy issues, as most of the US electorate either doesn't care about privacy, or doesn't understand why they should care (seems they often fall victim to the whole "if I've done nothing wrong, I have nothing to hide" fallacy that the government always pushes). It's very hard to coordinate a group that at best thinks what you're talking about isn't important, and at worst has bought your opposition's propaganda efforts and thinks you're wrong.
I tend to agree, but rarely discussed: why are things this way, as opposed to being better?
Would investigating that not be top priority in a corporation? Isn't it strange that when it comes to the literal system that (theoretically) oversees and coordinates ~everything, we seem to never wonder such things, as if governance is an immutable constant?
>>The key is people realizing they are part of a large group with a common cause
COVID Shattered my belief that people "wanting privacy from government" is a "large group" as you seem to imply
People are more than willing to trade their privacy for the promise of the government provided safety blanket, even if that promise is false, can never been realized and will result in massive abuse.
I dont think there is a a large group to organize.
Part of the problem is it's hard to find people who want privacy due to that very privacy they crave, and their general mistrust of large organizations make it difficult to form them into a large organization for that reason.
Basically they find security in obscurity, and feel they have a better chance of surviving under the radar on their own.
Yeah! All we need is Congress to ignore all the corporate PAC's funding their campaigns, and do what anyone can see the average person plainly wants. There's no need for cynicism!
Patriotic people in government (they exist) who understand spying on innocent citizens can cause untold economic harm and damage America in the long run
> spying on innocent citizens can cause untold economic harm and damage America in the long run
I'm on the side of people who believe in privacy, but not on the side of people who believe this. I do not believe that privacy should be contingent on how it affects the US economy, and as such I do not believe that if I can engineer a wealthy totalitarian economy, there's no reason for privacy.
This feels like a correct summary of the situation. I wish it were not so, but that genie is so far out of the bottle, she’d need GPS to find her way back in.
It’s correct in the same way Joe Rogan talking about anything other than MMA or comedy feels correct to some people.
It’s great at feeling like you’ve said something clever but also makes it clear you haven’t actually thought about the topic for more than five minutes and you just said the first thing that came to mind and missed a bunch of important points in the process.
Since you seem to be an authority of some type on this topic, do you care to add any examples, for the sake of those who don't have as broad an understanding as you?
As it stands now, it seems like you posted this just to say something clever.
I understand the point, but it feels disingenuous to have it directed at someone who makes a living out of inviting guests and making interesting talk out of it.
I don't think he ever claimed to be an expert at the stuff he talks about and that we're free to talk about stuff we don't know everything about.
Gov'ts that want to monitor citizens for say a tendency to get an abortion have more power than a corp that wants to sell me diapers. One step at a time. Try to stop the worst offenses then work your way down.
Governments are monitoring citizens for the corporations. They don't care about abortions. They care about abortions turning out a base that will elect politicians who will pass laws written by the corp that wants to sell you diapers.
Is there a legal argument to be made to include the right to privacy in the current dispute regarding first amendment rights and the government talking to social media companies about removing information/accounts? Basically if the government can't undermine the 1st amendment through 'asking nicely' of companies then they also can't bypass the constitutional right to privacy? That would make it a broader constitutional rights coalition.
Everything that can be used for bad can be used for good.
Take memes for example and how they out educated press conferences during the pandemic.
Creating content that is anchored to hell the everyday person learn and decide what’s important to them beyond conscience at the expense of security and privacy should be an informed decision.
On the other hand, if people went through this 20 years ago, chances are it will start to happen some more with a much larger group, only less technical.
Well, I'm not getting paid for all (any) of the data collected about me.
How about this: services/sites make it abundantly clear what data they collect (no full page of legalese designed to make people scroll to the bottom). Make it a list of bullet points, maybe. Explain how the data will be used, maybe collapsed by default so it's not overwhelming. Depending on the service, it may be appropriate to notify users about an updated privacy policy. Enforce antitrust and whatnot so Google and co. aren't just dominating the landscape and forcing their way. Also remove dark patterns. This isn't exhaustive, by the way.
Then set a price. And no "here's a constant subscription notice that you can't really block". Guess what happens in my ideal world if a service is found violating the privacy policy.
Your first sentence isn't exactly accurate. If you are not receiving a benefit from Facebook, why do you use it? If you don't benefit from your credit card or cellphone or bank, why do you use them? If you don't benefit from the relationship you have with your employer, why do you have that relationship?
All of those parties are collecting data about you. While there is some value to using that data internally, it is obviously valuable as a commodity to be sold to others. You might complain that your cellphone company benefited instead of you. But you gave up your data to somebody for some reason.
You can't complain about not getting invited to this weekend's party if you aren't willing to share your phone number with the organizers. If you weren't willing for them to sell that data later, you should have put them under contract. Of course, they may have responded by charging you admission to the party. If you don't like being charged admission AND getting your data sold, go to a different party or no party at all.
I know, I know. It isn't fair. Parties are a basic human right.
I'll assume that you're speaking in general, because that last line especially isn't like me.
Sure, I give data to my bank. I expect them to do bank things well, and if they expect action on my part then I'm liable for not doing it. I benefit and so does the bank, because it does investing or whatever. Does that mean the bank should have carte blanche to share my data now? As a pure matter of trust, I have no recourse because I trust(ed) the bank. That's the "scary cracker breaking into the database" kind of trust.
However, I feel I'm entitled to more than that as a citizen of the fine and upstanding US of A. Governments are worthless if they don't protect the people from (or at least try to resolve) getting robbed and whatnot. I view "not getting my data spread to arbitrary parties with possibly only direct consent or knowledge on the surface level" as another thing to be protected from. A cost-benefit analysis breaks down if my benefit is "I get to use these services" and my cost is "I'm literally, financially paying and I'm tracked everywhere and I have a social credit score" and I don't have a feasible alternative.
For parties, perhaps they shouldn't be regulated the same as companies, so I guess I should be prepared for my phone number to be sold if I go. I can still complain if their excuse is dubious.
>> as a citizen of the fine and upstanding US of A.
If you work as W-2 in USA, your employer, or their payroll company, may be sending your payroll data including itemized withholdings to theworknumber. Some employers don't even know the payroll provider is doing this nonsense.
>> I don't have a feasible alternative.
Most people have to work.
The Work Number is good for us, says this university.
That's deeply unfortunate. Still, I rest my case. There's a difference between using PII for the agreed-upon service and sharing/selling it to third parties for a profit. If a free service can't be sustainable by properly using the information, then it should either charge or be abundantly clear about how data is used, allowing for "right to forget" and whatnot. It's not like a service has the right to exist if the matter comes down to consumers. Given that snooping inside peoples' homes is generally unacceptable, I posit that having access to peoples' searches, browsing history, locations, etc. should also be strictly curtailed unless it is necessary. Naturally that falls on the government to enforce.
How about a cell phone service that would not sell any location data connected to you or your phone usage. Would you be willing to pay over $200/month or less? What would you pay?
I recognize some folks want privacy at no cost to them.
As far as I can tell, $200/month is ridiculous compared to competitors. If I knew how to enforce "don't be a jerk and clearly overcharge" in law, I'd lay it out right here. It would be fair to require a moderate premium for legitimate privacy-upholding reasons.
Depending on what premium you are willing to pay, there might be a sustainable business. But privacy and cheap probably won't be a sustainable business.
If you think you can force it by law, then choose a good jurisdiction for that strong-arming.
To create a new business that aims for respecting user privacy, it is indeed a daunting task. However, it is just as well if the likes of Google are made to respect privacy; they won't be worse off in the long run anyways. There could be evaluations after a year or two to see how much really changes. There should be strict measures that enforce privacy-conscious business models and prevent companies from unreasonably retaliating.
On a more general note, it's ridiculous that the status quo is so entrenched to the point where discussions about privacy often feature doomerism and cynicism ad nauseum, as this thread shows. For all the hubbub (in the US, at least) about human rights, about justice, about democracy (however misguided some of these pleas may be), there is a sickening lack of attention when it comes to privacy. When you realize you live in a backwards (literally? figuratively?) world, do you point it out? Will the others merely laugh at you? Is your vision of something different just a worthless hope? I, for one, fervently wish that more people become antagonistic to the idea that privacy is meaningless or not worth fighting for.
I am already paying the TSP for it's service and providing the data for it's functioning. So what right does it have to share it or use it without my permission for some different business purpose? Just like the other comment that if I share my data with bank, it is for providing banking service. The bank cannot turn around and use it for some different business purposes.
We are not talking about the free service providers like google or meta, right?
>What is uplifting is that law is on the side of the people who want privacy as its in the constitution.
Is it? Are you referring the the Fourth Amendment?
The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no warrants shall issue, but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.
While that's a nice fantasy, it's not the reality.
Firstly, while the fourth amendment does preclude the government from rifling through your physical belongings without a warrant, the Third-Party Doctrine[0] allows the government to get pretty much any of your information and private data if you provide it to a third party.
What's more, corporations are not subject to the fourth amendment and can do pretty much whatever they want and you have no recourse.
I wish you were right, as I value my privacy. Sadly, you're not.
>I mean it is the supreme law of the land. So I am confident it is not fantasy. That the people only need to assert their rights, that is the fantasy.
I take your point and, as an American, I agree that's how it should be. What's more, upon further reflection, "fantasy" was probably too strong a term.
That said, there are serious issues around privacy in the US, given the legal jurisprudence around data you provide to others, especially since so many folks have their whole lives "in the cloud" (i.e., someone else's servers).
As such, I urge you to learn about and understand the Third-Party Doctrine[0].
It has a long legal history and is well established law in the US.
And it allows the government to obtain, without a warrant, any and all information you provide to a third party. That could be your cellular/email providers, your ISP, whoever stores your smart watch data, the company that hosts your menstrual period data, anyone to whom you willingly give information.
Granted, that third party could refuse and force the government to get a warrant/court order, but it's not required.
For many people that pretty much obviates most privacy protections of the Fourth Amendment.
That we have a right to "be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures," isn't at issue.
The issue is that so much of what you consider "private" data isn't private if you give it to a third party. And these days, we do that a lot by sharing our most private information with whoever hosts the app which tracks that information.
Presumably non-US spies are also spying on US people using US companies. (Not necessarily the same companies.)
As harmful as the OPM hack presumably was for US national security, countless US companies have been collectively assembling comparable-and-more intimate profiles of everyone, and an ongoing basis.
Want to map out social networks (in the original sense of the term)? Know who to focus on and target? Know what an individual's weaknesses are, for neutralizing, compromising, or more subtly manipulating? Automate personalized mass influence operations?
Good news to adversaries: half of the national technology infrastructure is built upon trying to construct that existential vulnerability, and sell it.
(Just trying to frame a pervasive industry/societal problem in a different way, in case that helps to understand it better.)
I think US intelligence should have access to any data that is already out there for purchase. If you have an issue with that, then regulate the sale of data.
Otherwise, this is all just PR, due to agreements such as Five Eyes where for example British intelligence buys American data and shares with CIA, etc.
3) Three letter agency can buy commercial information
With your logic the government will have access to everything because these laws are written to be circumvented, by the right people, just like tax laws. Stop Give eyes instead, simple, but impossible.
I understand this technicality; it doesn’t seem to answer my question, though I may have presented it poorly. If it’s ostensibly “wrong” (as some proxy) to collect something, it doesn’t matter how it was acquired given there’s still some intact collection.
As someone else already answered I'll just add another point in case you didn't know the full picture:
4) when neither three letter agency nor big business can collect data, contract with three letter agency in another country that can legally collect and get it from them.
That's how Five Eyes share data, basically removing the need to follow the law against data harvesting on Americans by NSA etc. (as shown by Edward Snowden).
Maybe this is what I’m missing: if US intelligence goes to UK intelligence for information about a US citizen, is US intelligence allowed to retain a copy? For how long? At what point are they “collecting” data in an overreaching manner?
Perhaps this relies too much on the phrasing in your initial comment but it was a (seeming) contradiction that stuck out to me.
"So the data isnt owned by the host company, its owned by the support company which is a child of the parent company. We are selling that child company to Amazon/FB/Google."
Google didn't buy nest because they were IOT fans.
1. Data about me should be owned by me, not the entity that collects it.
2. Disseminating false info about a person should trigger a statutory defamation liability akin to statutory copy right infringement, where the person does not have to prove damages then expand the Credit Reporting laws to include all Information and force them to tell you who all they have sold or given that info to.
#2 would do the most, if we reform defamation to make it where if a credit reporting agency, or Google gets something wrong and tells someone else that wrong thing they are liable you would see a massive curbing of private information collection, and even more of it being up for sale.
GDPR solves these problems. As a startup it was annoying implementing all the subprocessor paperwork, but as a consumer / citizen I want those rights.
In your case above, I’m not actually sure how data ownership works on sale of a company, but you can always have the company delete all your data if you don’t want it changing hands.
In other words, you should always own your data, and companies should never be able to do something with it that you do t consent to.
There are actually a bunch of really compelling strategic level national security style reasons to come to the same conclusion, it’s not purely just a consumer rights issue.
Firstly, it'd be nice if those national security reasons were clearly stated without the other bullshit. Secondly, as far as I've heard, there's no real success story for all the dragnet surveillance. If there's a legitimate application that is too broad that a warrant for targeted surveilance doesn't cover it, I'd like to hear it.
And until those other interest ^Hbribe their congress people, or said congress peoples data leaks to the world in a way they are effected on re-election they will be ignored by said people that make our laws.
Think tanks: "Congresspeople, here's some compelling word salad designed by the best. You can memorize and repeat this while pocketing 100,000 donated reasons from one of our funders."
Governments using it is wrong. But in the context of"democrcies" it is private corporations that is terrifying.
"Credit checks" are bad enough, and cause many problems in that if your credit record is unorthodox- say you use cash as much as possible- you can get excluded from many financial services when you need them. With all this extra data available there is more chance to discriminate against anybody "other".
Forcing everybody to be the same is the hallmark of fascism.
Another generation defeated state fascism, at a huge cost. We owe it to them, and even more to our children , to fight creeping corporate fascism.
I propose a system of statutory damages for offering to sell personal information, similar to those imposed for sharing copyrighted music recordings. This might create an industry of bounty hunters who track down violators, for a percentage of the damages.
This is still missing the 800,000 pound gorilla in the room. There's little point to preventing the de jure government from using commercial surveillance data, when corporations are all too happy to create an unregulated de facto government to stand in its place - eg credit bureaus, retail equation, unilateral account closures, etc.
The US desperately needs a port of the EU's GDPR, critically including its exact definitions of consent, personal information, and the right to deletion.
No sale of personal (even unidentifiable) data without consent coupled with no punishment for not consenting and a requirement of explicit affirmative consent.
Deletion of data upon request.
As a bonus third, retrieval of data on request.
I want those in that priority. I'd be pretty happy with just the first one.
I don't see your reason for downplaying the GDPR. That plus saying you're willing to forgo your second/third ask (deletion is paramount!) just feels like trying to bargain with the surveillance-industrial complex for something it'll accept. But most anything in that direction is just creating loopholes for the surveillance industry to nullify the intent of such law.
Your simple regulations sound great for the cases they address, but there are a lot of corner cases that the GDPR addressed that your "simple" requirements do not. For example, what happens when a surveillance company uses a third party data processor outside the jurisdiction? That is not a sale, and yet the processor can proceed to do whatever they want. Or when a company insists that it has obtained indefinite "consent" by some claimed assent to a contract of adhesion, or as part of a contract with a third party?
The surveillance industry would love nothing more than to pass fig-leaf regulation that purports to create rights but actually just enshrines their regime into law while giving them further protections. That's precisely what they managed to do with the "Fair" Credit Reporting Act, which is why that segment of the surveillance industry has continued to spiral out of control, pushing nonsense like "identity theft" onto us.
The problem is that you can't just write those three things down on a single sheet of paper and call it a day. There -- unfortunately -- needs to be a lot of legalese that addresses various loopholes and edge cases, some of which will also increase the scope of the law/regulation. And so you either end up with something simple that's so riddled with holes that it doesn't work, or you end up with something like the GDPR.
The problem is that we'll have to consent to allowing the sale of our data just to use a service. From what I've seen a statement to that effect is already in the click through license fine print.
Forget about whether spies are buying it for a second. This data is out there.
The real problem I see is that:
- The data exists
- The people involved may not have consented, or they consented when they agreed to a a EULA without really understanding it.
In general, it's not illegal to record in public. The only thing that's changed is that it's feasible to use facial recognition, license plate readers, etc. Whereas before, it would have technically possible but practically infeasible.
Apparently this isn't the first go-around for this; Davidson and Jacobs proposed something much weaker last year[0], though I can't tell if it made it to the final bill. Their amendment last year merely required law enforcement to disclose when they purchase user data from a third party, and only applied to the feds, not to state and local law enforcement.
It's a little hard to believe that Congress is in a better position to pass privacy-related legislation (regardless of what bill it's attached to) this year than it was last year.
But I'd love to be proven wrong! It seems even Breitbart is reporting on this year's proposed amendment in a more-or-less positive way. That's... something.
Congress could require that certain personally identifiable data could not be kept in computers. Congress has done this for gun registrations. BATF's out of business records repository for gun registrations is all paper and microfilm. When they receive data in digital form, they print it and microfilm it, to increase lookup time. Really.[1]
My approach is to acknowledge that all of my data is compromised. Sometimes I obfuscate it with nonsense to throw off a trail, but even that I consider is probably worthless.
Maybe you could legislate this, but you wonder how a trillion dollar industry is going to lay down and take it. Most likely they will lobby, find loopholes, or do it anyway, accepting the fine as the cost of doing business.
I know this is defeatist, but I just don't see bandaids working.
I mean, most of the mobile carriers and a number of ISPs straight up monitor your web traffic and sell it to advertisers, just as bad. Some will even inject headers that you can use to track and associate mobile devices with desktops.
Yeah. I’m a lot more upset that the data is for sale in the first place. I want our government to have any helpful data that is public because I assume bad actors have it also. I just don’t want a lot of data to the public.
In a separate but related news item, how many "former" CIA, FBI & NSA operatives are now employed at Twitter, Google & Facebook? Check it out, it's /nuts/.
How many before you start to get uncomfortable? Nominate your number. Then look.
edit for obvious explanation:
The military links would be of more concern if these co.s were involved in military ops. They're involved in surveillance of users and data gathering. Spies and law enforcement are of particular interest. "Former cia" is widely regarded as not a thing, you can believe that or not but that very wide belief cannot be ignored when looking that just how many have found a love of silicone valley.
There are lots of former LE and intel people in any company that deals with analysis of massive amounts of data, because that is specifically what some of these skillsets are trained for. Leaving the IC absolutely is a thing and I can tell you without a doubt that giving up your FAANG job which pays 5-10x what an equivalent government job to break company policy is not something that most of those folks are willing to do.
Ironically I find those ex-LE folks to be more protective of the data, because if they ever went back into government or needed a clearance, those questions are not only asked, but if someone has violated the trust of their employer, it's very frowned upon.
This story is adjacent to some topics I follow fairly closely for various reasons.
I had seen a lot of not super well informed commentary on it when it was talked about here previously and so in that spirit I wanted to offer a short 20 minute chat that was aimed at policy makers between a well respected infosec journalist and someone who previously spent a long time working at the Australian equivalent of NSA about this particular topic.
I’d like to think it helps provide the outlines of how professionals in and around that field tend to think about it while not getting so caught up in a strictly US perspective.
