Senator Wyden Releases Draft Of Privacy Rules That Silicon Valley Probably Won't Like Very Much

from the but-will-it-help? dept

As I’ve pointed out repeatedly, we’re really really bad at regulating “privacy” in large part because most people don’t understand privacy — and it means different things to different people. And, so far, most attempts at regulating privacy have created massive negative consequences, while doing very little to actually protect privacy. The ones most making the news are the GDPR in the EU (though reaching well outside of the EU), which is a total mess and California’s unmitigated disaster of a privacy bill that was passed in an insane rush to stop an even worse privacy law from being on the ballot. And, of course, all of this comes against the backdrop of various companies doing a horrifically bad job of protecting the public’s private information.

Given all of that, it is inevitable that Congress will, at some point, attempt to pass some sort of privacy bill. And, it seems likely that it will be a disaster. In the last year or so, Senator Ron Wyden, who historically has been seen (unfairly and inaccurately) as an “ally” of Silicon Valley companies, is now the first to throw his hat into the ring, releasing a discussion draft of the bill (you can also see a one pager about the bill and a section by section breakdown — all also embedded below).

Above, I mentioned that it’s been unfair to argue that Wyden was a booster of Silicon Valley companies. If you look at his history, he has always been focused mainly on being an ally of the users of the internet. Many times, those two things align, but when they do not, Wyden has repeatedly taken the side of the users, not the companies. And that is the case here, for the most part. Over the last year, Wyden has been on a bit of a rampage in basically telling the companies that they’ve had decades to do the right thing in regards to protecting their own users, and they have failed to do so.

Reading the new bill in that context puts things into perspective. The key parts of the bill, as described in the one-pager are as follows:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

A lot of the bill is really in giving the FTC more resources and power to go after companies for failing to protect the privacy of users. And, I think putting some level of pressure on companies to take these issues more seriously could really help.

I think there’s a lot in the bill that is carefully thought out and worthwhile, but I still have a number of significant concerns. The headlines around this bill have focused on the fact that it includes potential jail time of 10 to 20 years for senior execs who sign off on annual “data protection reports” to the FTC, in which those reports “knowingly” misrepresent information (it also includes GDPR-esque fines of 4% of gross revenue, even for first time offenders). I do think there’s value in creating real punishment for company execs that knowingly misrepresent information concerning the privacy of their users, but I do worry how much this might impact the willingness of good people — especially potential chief privacy and chief information security officers — to agree to take these jobs with large companies. While the “knowingly” part of the requirement is important, I can envision quite intense legal battles over the level of knowledge such execs had in signing off on these documents. Yes, this would get them to take those issues seriously and go over such documents carefully. But, I do worry that this could scare off many good people from taking these jobs.

Similarly, the fact that these massive fines apply to the very first offense could be seen as problematic as well. It’s great to say that even one mistake is one too many, but is that realistic? It is not easy to seal off every possible vector of attack. There are always new attacks. And, as it stands right now, there are only a few companies who have the resources and ability to really harden their systems to this level — and this bill could lock in those providers and leave out the ability of smaller companies to challenge them in the market (there is a limited safe harbor for smaller companies, but as soon as a company reaches a reasonable size, the rules apply to them).

I also do wonder about the “minimum privacy and cybersecurity standards” that the FTC will be authorized to detail. Again, on its face, this sounds like an okay idea, but there are a lot of devils in those details. Too often “standards” like this, if not properly constructed, could limit potential innovations or business models that wouldn’t actually negatively impact people’s privacy, but won’t be allowed out of a fear for violating these standards.

While I am supportive of bringing back the concept of a Do Not Track system, I find the requirement for companies to “offer a paid version of their product or service, for which they can charge no more than they would have made by sharing the user’s data” potentially a complete mess (the bill has a lot of conditions on this that might limit the problems, but it’s not clear why this is necessary in the bill). Again, that’s something that sounds nice in theory, but would require a pretty big shift for many companies — which would mean a lot of new costs that it’s unclear they can even attempt to recoup. It also has the potential of cutting off a number of new business models, as there are potential businesses where such a setup wouldn’t even make any sense. Again, conceptually, this idea could make sense for companies, but requiring it could have significant consequences.

A final major concern: it does not appear that this bill would pre-empt state efforts, like California’s giant mess of a privacy bill (and any other attempts by other states). That also seems like something any federal bill should include to avoid a patchwork of impossible to follow laws in every single state.

That’s not to say there aren’t parts of the bill that are worthwhile — and the intent behind it is well meaning. Companies do need to clean up their act and recognize what a mess they’ve caused. I do like the idea of standardizing APIs to allow users to use other apps to access and process the information and data that companies hold on them. That could be tremendously useful in moving to a world where individuals can take back more control over their data. I also appreciate the specific point that the rules do not apply to media organizations, as we’ve already been dealing with the fallout from the GDPR where people are claiming the data protection rules there can prevent media organizations from even reporting on certain people.

But, in the end, I’d prefer that be done more by the companies themselves in recognizing that they’re better off pushing control of the data out to the end users, rather than feeling the need to hoard it all themselves. I recognize that Wyden’s view on this is basically “they had their chance, and they failed” and perhaps that’s true. But I still worry about the unintended consequences from locking in some of these ideas.

At this point, the bill is still a “discussion draft” and it’s not at all clear if it has any chance of moving forward. Hopefully, if it does, there can be significant changes made to the bill so that it is still designed to punish truly bad behavior (and incentivize good behavior), but without making it difficult to impossible for good people to hold key positions, and without cutting off potentially useful innovations for end users. At this point, I’m not sure this bill does so, even if it’s well-intentioned.


Comments on “Senator Wyden Releases Draft Of Privacy Rules That Silicon Valley Probably Won't Like Very Much”

47 Comments
Anonymous Coward says:

Its Wyden again!

“Establish minimum privacy and cybersecurity standards.”

Ha ha ha… good idea… now “whose standards get adopted”?

Agree with #2 for a chance… since there is possible jail time but let’s be honest people… what are the chances people go to jail?

“Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized. “

Fucking Wyden getting it wrong ‘Again’, after all he is just another politician just not as bad as the others. Opt-In must be the case, otherwise it’s not going to work.

Agree with #4.

“Hire 175 more staff to police the largely unregulated market for private data. “

Bullshit and a total fucking waste of money. #4 would take care of that if enforced.

“Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security. “

ha ha ha… don’t worry… they already are… he just wants to wrangle them for his own political purposes.

Either way, I think this would be better in than out!

Anonymous Coward says:

Re: Re: Re:

You need a citation for that?

It is not a secret that “algorithms” are not there to be “fair”… they are definitely there to be “biased”, because that is their entire reason for existence. An algorithm choosing to advertise a Graphics card to a person that has a search history for CPUs and Motherboards is a clear act of bias. You tell me what “other” purpose he could have for making these “unbiased” if not for “political” purposes?

In fact I WANT them to fucking be biased. If someone is going to advertise to me I want ads that I actually might give a shit about. I don’t want ads about “purple toilet” paper being sent to me because they can fucking be biased.

That is CLEAR political YAP YAP if I ever saw it! In fact even though I would still be okay with this legislation, let’s not be coy here… there is NOTHING that goes through congress without an agenda attached and that is why many of these suck. You have to take two spoonfuls of shit to get 1 spoonful of decency.

James Burkhardt (profile) says:

Re: Re: Re: Re:

None of what you are saying has anything to do with the point being made by Stephen T Stone – His citation needed is in reference, explicitly, to the claim that Wyden’s demand they assess their algorithms was so Wyden could force those algorithms to produce results he wants, not about the claim of bias.

We have noted that we do not claim Google’s algorithms lack bias. As you note, a bias towards finding search results/ads relevant to the user is what we want. Though, I’m not sure you can call that ‘bias’. Bias is generally seen as an unfair prejudice for or against something. Serving ads for graphics cards to a person looking for CPUs and motherboards is not an unfair prejudice – it’s a valid and relevant connection. The ‘Unbiased’ section is likely designed to attract bi-partisan support given the rabble rousing around politically motivated bias against conservatives in Google search. That’s a ‘political’ purpose, but that doesn’t mean it’s an effort to introduce a pro-Wyden bias.

I agree with Stephen Stone. [Citation Needed]

Anonymous Coward says:

Re: Re: Re:2 Re:

The proposed law itself is the citation. How much does this need to be spelled out to you?

I don’t care if these assholes are politically motivated against any group, they have that fucking right! It is not discrimination to advertise something to someone based on criteria in their data.

Stephen T. Stone (profile) says:

Re: Re: Re:3

“The proposed law itself is the citation. How much does this need to be spelled out to you?”

To the point where you can reasonably prove that the purpose of the law is to help Wyden “wrangle [algorithms] for his own political purposes”. If you can prove it, go right ahead. If you cannot, stop making accusations that have no basis in fact.

Anonymous Coward says:

Re: Re: Re: Re:

“It is not a secret that “algorithms” are not there to be “fair”… they are definitely there to be “biased”, because that is their entire reason for existence.”

entire reason for existence … not
You do not know what an algorithm is do you? Have you ever written code of any type?

I can write an algorithm that is not biased, you believe me?

How/why is an unbiased algorithm necessarily political?

Apparently you misunderstand what an unbiased algorithm might look like and/or do.

Anonymous Coward says:

Re: Re: Re:2 Re:

“Have you ever written code of any type?”

Yep!

“I can write an algorithm that is not biased, you believe me?”

Nope, prove it! But before you get started you should look up the definition of bias and the definition of algorithm.

“How/why is an unbiased algorithm necessarily political?”

First ask a valid question. Since there is no such thing as an unbiased algorithm.

The words “unbiased algorithm” is called a fucking oxymoron for a mutha fucking reason you simpletons!


“Apparently you misunderstand what an unbiased algorithm might look like and/or do.”

Apparently you are a fucking moron!

Anonymous Coward says:

Re: Re: Re: Re:

“In fact I WANT them to fucking be biased. If someone is going to advertise to me I want ads that I actually might give a shit about. I don’t want ads about "purple toilet" paper being sent to me because they can fucking be biased.”

Good for you. Me? I’d rather see ads about purple toilet paper than have my browsing data collected, tracked, and used to identify me. Better yet, I’d rather see no ads at all (yay for adblockers). But hey, if you’re fine with all your private data being out in the public space, you do you.

Anonymous Coward says:

Re: Re: Re:2 Its Wyden again!

I have no reason to change your mind.

If you are too stupid to figure out that gravity is going to pull your ass down to the ground really fast if you walk off a cliff I am just going to call you a moron instead of saying… you might not want to do that.

I have a lot of fun watching those what could go wrong videos on reddit. In fact, other than the fact that you morons vote, I rather enjoy a world full of idiots… it does make the place interesting.

Anonymous Coward says:

Re: Re: Re:3 Its Wyden again!

“I rather enjoy a world full of idiots… it does make the place interesting.”

Then your whining and complaining on here is a complete waste of time. You should instead let us continue to be a bunch of "morons and idiots" for your amusement.

“gravity is going to pull your ass down to the ground really fast”

Gravity has nothing to do with the subject at hand of privacy regulations. Unless for some reason gravity and privacy are quantum entangled in a way that only you know and the rest of us are indeed ignorant about. If so, please do enlighten us.

Anonymous Coward says:

Re: Re: Re: Its Wyden again!

And I can’t help it if you say that #4 needs to be enforced but then turn around and say that we shouldn’t hire anyone to enforce it. So which is it, do you want to enforce it or not, and if so, how do you propose to enforce it without anyone around to enforce it? It’s not going to enforce itself.

After all, what if the companies refuse to put such a system for consumers in place? Or if they do, refuse to take action on customer requests?

Anonymous Coward says:

Re: Re: Re:2 Its Wyden again!

You do understand that the DOJ exists right? You do know that there are other enforcement agencies that can take on these rules.

If a customer sees #4 not being followed they can just report it. You don’t need a fucking agency full of 175 people to do that. Just give them to one that exists and let them work it in. If they are overstaffed then we can see what kind of impact that has on the budget but hell no to it right off the bat.

Or do you think the police needs one new head count for every new fucking law that gets created? All you fucks want to do is spend like a bunch of fucking morons.

Stephen T. Stone (profile) says:

Re: Re: Re:3

“If a customer sees #4 not being followed they can just report it. You don’t need a fucking agency full of 175 people to do that. Just give them to one that exists and let them work it in.”

And if that agency is already working on other cases and “projects” and such, that agency will likely assign a bare minimum number of people to cover this issue and any complaints arising from it. Understaffing is worse than overstaffing because the gears of bureaucracy will grind slower thanks to not enough people being available for work on the issue at hand. Which would you prefer: five people in the DOJ working on this issue as a “side job” to more important work, or 175 people specifically tasked to work on this issue?

Anonymous Coward says:

Re: Re: Re:3 Its Wyden again!

And you do understand that it isn’t the DOJ’s job to enforce laws right? The DOJ exists to prosecute the offenders of said laws, which is not the same thing. If we’re talking local here, the FTC is the police and the DOJ is the district attorney.

“You do know that there are other enforcement agencies that can take on these rules.”

And which ones of those have the legal authority to do so? Hm? Oh right, it’s the FTC. They are the corporate world cops.

“You don’t need a fucking agency full of 175 people to do that.”

Well actually you do. More or less at least.

“Just give them to one that exists and let them work it in.”

You do realize that the more work you give someone to do, the less they actually get done right? That’s why one person in a department is usually never enough to run the entire department. The more workload you have, the more people you need. So even if you gave the responsibility to a different agency, you would still have to let them hire more people to take on the extra workload.

“If they are overstaffed”

Pretty sure you mean understaffed.

“Or do you think the police needs one new head count for every new fucking law that gets created?”

Not for every single new law but for some absolutely. And the more cumulative laws we create for them to enforce, the more bodies they are going to need to enforce them.

“All you fucks want to do is spend like a bunch of fucking morons.”

No, all we want is for people to come join us in the real world.

James Burkhardt (profile) says:

Re: Re: Re:5 Its Wyden again!

You responded to a comment noting that the DOJ is not in the job of law enforcement, by saying its in the job of law enforcement…

While this might get complicated, you are somewhat right, by a broad dictionary definition. But in America ‘law enforcement’ refers to the investigatory and intervention forces like local police, Sheriff, Highway patrol, State Troopers, FBI etc. Not the DAs or AGs that prosecute criminal activity. The DOJ functions primarily as the prosecution arm, with other agencies operating in the investigatory role even at the federal level (like the FBI before they decided to be a useless Anti-terror outfit).

We actually are seeing the results of years of cutbacks and budget hawks working against the creation of task forces to investigate crimes in the number of long-running financial crimes uncovered by the Mueller investigation. To say the investigatory arms of the DOJ can just whip up task forces of individuals highly educated in AI and programming to investigate and enforce privacy law violations is ridiculous.

Then again, you are the psychic who intuits the corrupt motives of the one anti-surveillance Senator on the Intelligence committee based on a line that is clear signalling to his political opponents that he is willing to address their boogeyman in exchange for their support.

Thad (profile) says:

“But, in the end, I’d prefer that be done more by the companies themselves in recognizing that they’re better off pushing control of the data out to the end users, rather than feeling the need to hoard it all themselves. I recognize that Wyden’s view on this is basically "they had their chance, and they failed" and perhaps that’s true. But I still worry about the unintended consequences from locking in some of these ideas.”

I’m sympathetic to the concerns about unintended consequences, but I think it’s frankly naive to think the free market will fix this. We simply haven’t seen the current market produce an incentive for Google, Facebook, Twitter, et al to change their data collection policies in the way that you describe, and I see no reason to expect that to change.

On the other hand, this is all likely a moot point:

“At this point, the bill is still a "discussion draft" and it’s not at all clear if it has any chance of moving forward.”

That’s putting it mildly. As always I respect Wyden for trying to do something, but I don’t expect this will even make it out of committee. Unfortunately this has become a partisan issue, and even in the unlikely event that Wyden’s party takes the Senate in next week’s election, they still won’t have a filibuster-proof majority.

(I suppose they might be able to get Trump on their side if they convinced him it was a way to stick it to Bezos.)

Anonymous Coward says:

Re: Re: Re:

Surprise surprise – an aggressive commenter with an over-inflated sense of their own capabilities who thinks that an effective argument consists entirely of calling someone else a moron and claiming they don’t know how things work, without ever actually pointing out what is wrong with the statement in question, explaining why it is wrong, and going through how to correct it.

You have nothing useful to contribute here. I welcome you to change my mind.

Mike Masnick (profile) says:

Re: Re:

“I’m sympathetic to the concerns about unintended consequences, but I think it’s frankly naive to think the free market will fix this. We simply haven’t seen the current market produce an incentive for Google, Facebook, Twitter, et al to change their data collection policies in the way that you describe, and I see no reason to expect that to change.”

Perhaps this is so. I am more optimistic. I think that, especially as these companies are getting beaten up on all sides, that they may soon realize two key things: (1) the value they get out of all the data they collect really isn’t as big as they expected it to be and (2) the costs, including political and reputational costs, of holding onto all that data are much higher than they expected it to be. And, it is at that point that better solutions seem a lot more possible.

Seegras (profile) says:

Re: Re: Re:

Well, the free market won’t fix this. It had decades, it didn’t.

The questions are simple: Can I offload costs (like for security) onto somebody else? Or can I make a profit where somebody else has to pay the cost (like selling data). And if the answer is yes, it will be done, no matter whether it’s amoral or not.

Actually, fraud and identity theft in the US is a massively bigger problem than in Europe, where harder privacy laws existed for decades, not just since the GDPR. So that’s actually proof these laws are needed, and also, they work.

Ninja (profile) says:

Re: Re: Re:

I’m not as optimistic and I honestly think Wyden is on the right path even if the bill needs some adjustments. There has to be real consequences or they’ll keep doing it again and again. I’m not sure if it was Sanders but I’ll credit it to him: “when a company is too big to fail then the system itself has failed” or something like.

The US lost a big chance to jail people and let companies crash flamboyantly when the mortgage market exploded back in 2008. We are losing the opportunity in the digital world as well regarding privacy.

sumgai (profile) says:

Yes there is a solution....

“It is not easy to seal off every possible vector of attack. There are always new attacks.”

It is possible to seal off all but one vector of attack – simply isolate the data into a non-web-facing storage area. i.e. it can be accessed only from a local console. Keep that console in a locked room, and your exposure is quite limited indeed. Put a card reader on the doorlock, and a camera in the hallway, and you’ll know who’s been selling user data to nefarious parties, without permission.

Yes, it’s possible that a MITM attack can take place during the initial yielding of data by the user, but that would take considerable resources in both time and processing power, each of which are more easily detected than the usual back-door skullduggery about which we hear so much.

sumgai

Graham Cobb (profile) says:

Not time to consider pre-emption

It would certainly be a disaster if the bill was to add pre-emption of states’ laws at this time. The time to consider pre-emption is when there has been experience (good and bad) of various attempts. That should be after a few years of experience with GDPR plus some insights into the effects of different states’ approaches. Then Congress can consider pre-empting states in a bill built on experience.
