Growing attention to individuals’ online privacy has prompted Congress and federal agencies to begin proposing and reviewing laws that would change how consumers interact with the online world. With the advent of free cloud-based email and applications, any change in law should strengthen individuals’ right against government monitoring of online activity while allowing consumers options to protect their privacy without a one-size-fits-all government regulation.

Empowering Data Agency: A Market-Based, User-Controlled Approach to Data Privacy


“That is the problem with government these days. They want to do things all the time; they are always busy thinking of what things they can do next. This is not what people want. People want to be left alone to look after their cattle.”

Obed Ramotswe, father of Precious Ramotswe,
Head of The No. 1 Ladies’ Detective Agency

The market for user data is a relatively new marketplace where individuals are affected by a company’s practices, but those individuals are not the company’s customers. Because the user is not the customer, companies may not be entirely responsive to the requests or needs of their users in the same way that they are responsive to their customers. The following ideas could offer a targeted mechanism to promote privacy principles in the marketplace.

There is a distinction between companies that sell products to users and companies that sell user data or advertising to users.

Within this context, guidance for another category of personal data – user-controlled data or data agency – could be helpful.

There are many ways to explore the concept of user-controlled data. Activities that could fall into this category include, but are not limited to, search, browsing, and viewing/listening habits. The user-controlled category falls in between non-sensitive and sensitive user data. It is data that is not about the user, but about the user’s aggregated habits. This type of data likely does not fall into the category of requiring breach notification, but the user should have a level of decision-making power over its collection, hence “user-controlled.”

For example, activities that fall into the user-controlled category should not be tracked across websites or platforms without the user’s consent, and no functionality should be lost if a user determines they do not wish to be tracked.

However, there is a difference between using live-time consumer data for the functionality of a service or device, versus tracking or storing data for other purposes outside the functioning of the device or particular product experience.

By using a website, App, or platform a user is sharing their data and habits with that company, and that company should be able to use data obtained within their own universe to enhance products and services, but once a user leaves that platform they should be able to do so without being tracked.

To further illustrate, while using an Online Marketplace or Streaming Service, the Marketplace and/or Streaming Service has data on a user’s shopping, viewing, and/or listening habits that are shared by virtue of using the service. The Marketplace or Streaming Service should be able to use that data to enhance user experience on the platform, for example product recommendations; however, when a user leaves the website, tracking should not continue without user consent.

To take the example a step further, if the user visited a Marketplace or Streaming Service through a Search Engine or Browser, the Search Engine or Browser should not be following all that the user is doing on other websites unless the user consented to such exchanges. This should also apply to the infrastructure these services operate through.

By using a service, operating system, software, or device a user is sharing their data and habits with that company, but the company should not be able to track the user within other services, operating systems, software, or devices that the initial implement allowed the user to access.

This concept is illustrated through the relationship between mobile devices and Apps. The act of using the device and operating system of the phone should not equate to the relinquishment of all control over a user’s data. When entering an App the data should be confined to that App and not communicated with the operating system and used without consent.

While there is a difference between companies that sell products to users and companies that sell user data, the concept of user-controlled data does not need to be sector specific. These ideas on user-controlled data translate to certain interactions taking place around the traditional business-customer relationship when there is a data exchange. Examples include data gathered via customer loyalty cards and apps, or through interaction with a device such as a motor vehicle or other machine that also collects/analyzes data.

The user-controlled category should still allow for business models that would offer users reduced monetary expenses, received payments, or like kind exchanges for their valuable personal data.

GDPR Graveyard


How has Europe fared approximately one year after it enacted the General Data Protection Regulation? Let’s take a look.

Many American companies have had to stop offering or shut down their services and operations in the European Union. This is troubling, considering that two-thirds of America’s exports of digital media, goods, and services go to Europe.

The GDPR has limited European Union residents’ and the international community’s access to information, including American newspapers and community statistics.

  • AEI scholar Roslyn Layton testified that the GDPR “would likely violate the First Amendment, as the requirements for data processing are so onerous that they would be found to limit expression.”
  • In Sweden and Denmark, churches are traditionally the official registers of baptism, wedding, and funeral information. Now, some churches aren’t printing that information in their programs unless they obtain consent first.
  • Europe claims that the GDPR covers all data that concerns Europeans. This means felons can use right to be forgotten provisions to force search engines to remove articles about their crimes. In Finland, a convicted murderer used this provision to require Google to delete all information on his case. French regulators are now demanding that this right apply globally, since the GDPR covers all data in the world that involves Europe.
  • In order to comply with the GDPR, ICANN announced that it will allow registries and registrars to obscure WHOIS information. This could lead to more illegal activity online, such as intellectual property theft, fraud, human trafficking, and cyberattacks.

Complying with GDPR has proved to be a massive burden for most companies.

  • According to a survey by the International Association of Privacy Professionals, the average firm says that it will spend a total of $3 million to comply with the regulation. That can be prohibitive for a lot of small- and medium-sized companies.
  • The association reports that 19 percent of privacy professionals do not believe that their companies will ever be fully in line with the GDPR’s rules.
  • The European Union even reported that approximately half of small businesses are not compliant with GDPR.
  • As of February 2019, there have been over 59,000 reported data breaches and 91 fines – potentially devastating for small businesses.

Small- and medium-sized firms are finding it harder to compete and innovate.

  • Small- and medium-sized advertising tech companies have lost up to one-third of their market position. Meanwhile, large companies that have the tools and resources to comply with the GDPR are maintaining or growing their market share.
  • Europe claimed businesses would benefit from a “level playing field,” but SMEs are struggling digitally. While large companies have been able to maintain their websites’ interactive functionalities, fewer SMEs have been able to, according to the European Commission’s Digital Scoreboard report.

Despite the onerous rules to “protect” consumers, the GDPR will likely not boost Europeans’ trust in and usage of digital services.

  • An Information Technology and Innovation Foundation study found that strong data protections do not necessarily lead to increased trust.
  • The study also examined usage rates for different technologies before and after Europe implemented a privacy law. The United States showed higher increases in usage of the Internet, social media, and online shopping than the European Union did.

For more information on why GDPR-style regulation would be bad for American businesses and consumers, contact Katie McAuliffe at [email protected].

GDPR & Security


The GDPR enables bad actors to hide in the shadows. To comply with the new regulation, ICANN announced that it will allow registries and registrars to obscure WHOIS information, making it harder to identify the culprits behind harmful domains.

  • The WHOIS database holds information on who runs domains, making it a useful tool for law enforcement to track crime. Since its system has become more anonymized through a Temporary Specification following the GDPR, security professionals worry that it’ll be harder to hold criminals accountable.
  • Since ICANN’s Temporary Specification was enacted, billions of users have been exposed to online scams for significantly longer periods than in a pre-GDPR world.
  • One security company found that following the change to the WHOIS system, its success rate for obtaining registrant information is only 49%.
  • As of July 2019, the company found “full, un-redacted” registrant information for only 6% of violating domains.
  • IBM X-Force reported a 91% decrease in researchers being able to successfully block bad actors. In October 2017, researchers were able to block about 1.8 million newly registered harmful domains. By February 2019, that number dropped to less than 160,000.

Under the GDPR, users can request all of their data from a company. However, the law’s lack of user authentication provisions and tight deadlines and regulations on organizations leave this process vulnerable to hackers, identity thieves, and even just human error.

  • After hackers break into a user’s account, they can now easily access all of that user’s personal information. Jean Yang, a computer science professor at Carnegie Mellon University, discovered that hackers were able to request and download her music streaming history, date of birth and payment information after breaking into her Spotify account.
  • Oxford University student James Pavur demonstrated how easy it is to steal user data through the GDPR. He sent a simple email that included the name, email and phone number of his fiancée and paper co-author to 150 organizations.
    • 24% of the organizations gave him the information right away.
    • 16% provided the information after requesting weak forms of authentication, which he was able to complete.
    • 3% automatically deleted his fiancée’s account to avoid dealing with the data request.
    • Just through sending a basic email, he was able to collect her personal information — including her stays at a popular hotel chain and even her social security number.
  • After one German man requested his data from Amazon, he received over 1,700 Alexa voice recordings of another user. The original requester turned the files over to a German magazine after he was unable to get in touch with Amazon. There, reporters were able to piece together the identities of the other recorded man and his female companion. Though Amazon claims this was human error, it demonstrates how GDPR’s provisions enable potentially sensitive information to get in the wrong hands.

For more information on why GDPR-style regulation would be bad for American businesses and consumers, contact Katie McAuliffe at [email protected].

The CCPA Catastrophe


After being hurried through the legislative process with little input from stakeholders, the California Consumer Privacy Act will go into effect on January 1, 2020. Let’s take a look at how this rushed job will impact American businesses and consumers.

The CCPA casts a wide net and will impact over a million American — not just Californian — businesses, regardless of whether they are major corporations or individually-run blogs.

  • The International Association of Privacy Professionals found that this law will apply to more than 500,000 U.S. companies.
  • The criteria to qualify are remarkably broad. Any business that serves California and meets just one of the following conditions must comply with the CCPA:
    • Gross revenue exceeds $25 million, within and outside of California
    • Possesses the personal data of 50,000 or more California “consumers, households, or devices”
    • Derives at least 50% of its annual revenues from selling Californians’ personal information
  • The CCPA defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That includes a lot of data, including IP addresses.
  • This would impact large companies with sizeable legal teams, but it’d also impact smaller enterprises like Professor Eric Goldman’s blog.
    • Professor Goldman wrote: “For example, my blog gets 50,000-plus visitors per year and makes about $400 per year in ad revenue, yet the law treats my blog like Google and Facebook. If the law doesn’t change, I’ll likely shut down ads and forego the associated revenue to avoid compliance costs that would vastly exceed my revenues.”

The CCPA’s compliance costs will be astronomical, potentially forcing businesses across the country to shut down service to California.

  • An economic impact assessment found that initial compliance with the CCPA would cost approximately $55 billion.
  • This will not only be borne by the biggest of the big companies. Below are initial costs businesses are estimated to face:
    • Smaller firms (fewer than 20 employees): $50,000
    • Medium-sized firms (20-100 employees): $100,000
    • Medium/larger firms (100-500 employees): $450,000
    • Firms with more than 500 employees: $2 million on average
  • A TrustArc and Dimensional Research survey found that 71% of companies expect to spend more than six figures to comply with the law. One in five anticipates spending over $1 million in compliance costs.
  • Most companies are unprepared for this new law.
    • A survey from IT security company ESET found that as of July 2019, 44.2% of the 625 business owners and executives polled had never even heard of the CCPA.
    • 88% of companies will need external help to comply with the CCPA, according to the TrustArc and Dimensional Research survey.

Despite the onerous rules to “protect” consumers, the CCPA likely will not boost Californians’ trust in and usage of digital services.

  • An Information Technology and Innovation Foundation study found that strong data protections do not necessarily lead to increased trust.
  • The study also examined usage rates for different technologies before and after Europe implemented a privacy law. The United States showed higher increases in usage of the Internet, social media and online shopping than the European Union did.

In spite of the CCPA’s numerous problems, it will become the de facto law of the land.

  • The internet is an interstate service, essentially boundaryless within the United States, which makes it difficult for companies to comply with states’ conflicting laws.
  • Because California is creating the most stringent regulations, most companies will adhere to its rules, regardless of who they are serving.
  • Microsoft has recently announced that it will apply the CCPA’s rules across all of its U.S. operations. More companies will follow suit.

We can’t allow California to dictate how the rest of the country lives. Congress must stand up for American businesses and consumers by passing federal privacy legislation.

For more information on why CCPA-style regulation is bad for America, contact Katie McAuliffe at [email protected].

Privacy in Cloud Computing

Today, millions of individuals communicate using email and other Internet and cloud-based applications, yet the law that protects them from government monitoring of data transmitted over the Internet is woefully out of date. The Electronic Communications Privacy Act (ECPA), last amended in 1986, permits government to access data without a warrant or after a certain number of days have passed. Recent court cases have found this to be a violation of individuals’ right against unreasonable search and seizure, and that access to online data like emails and cell phone geo-location should be protected the same as letters and phone calls.

Congress should update ECPA to protect Fourth Amendment online rights and to reflect dramatic changes in technology and the way consumers utilize the Internet today. At the same time, any revision of ECPA should ensure that law enforcement has the necessary tools to continue counteracting illegal online activity.

Targeted Advertising

The advent of cloud-based email and application services has been funded almost entirely by advertisements tailored and targeted to consumers. The collection of data about Internet users that generates such ads has come under attack by some in Congress and government agencies who have called for a “Do Not Track” list or other regulations. Aside from the practical and technical difficulties of enacting such a policy, a one-size-fits-all government standard could impede the ability of companies to provide cloud services like email and word processing.

Instead of entrusting the government – arguably the largest violator of privacy rights – to set privacy regulations, individuals should be educated and empowered to protect their data and privacy with the myriad of tools already available in the free market. This includes adjusting third-party cookie tracking in web browsers, installing specialized software, and adjusting privacy settings on frequently trafficked websites, amongst other options.