MorganCFirstPaper 4 - 03 May 2024 - Main.EbenMoglen
|
|
META TOPICPARENT | name="FirstPaper" |
Evasive Maneuvers --- How Privacy Regulations Can Cover Government Actors in the Future | |
< < | -- By MorganC - 05 Mar 2024 | > > | -- By MorganC - 01 May 2024 | | The Current Privacy Landscape | |
< < | The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent [https://termly.io/resources/articles/ccpa/] Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut [https://perma.cc/G7WL-8ADZ]. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers [https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us]. | > > | The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent. Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers. | | | |
< < | In the time that has passed since the passing of the CCPA (now California Privacy Rights Act (CPRA)), businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years [https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx]. But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of data collection, share, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742] ” The digital footprint that any American citizen has, “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id. | > > | In the time that has passed since the enactment of the CCPA (now California Privacy Rights Act (CPRA)), businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years. But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of data collection, share, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad.” | | | |
> > | The digital footprint that any American citizen has, “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id. | | How Government Evades Privacy Regulations | |
< < | There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742] ” See also [https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600]. We risk turning into an even bigger surveillance state than we already are with government purchasing consumer data, and many of those risks are even higher for minority populations[https://www.brookings.edu/articles/examining-the-intersection-of-data-privacy-and-civil-rights/].
While consumers may be protected from (some) of the predatory share and sale habits of for-profit businesses thanks to the existing privacy regulatory framework, the United States government has found a way to access this information while not being subject to the requirements of the data privacy regulations specifically designed to avoid such collection as this [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. This was likely accomplished through a few means. One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies “to any for-profit organization, which may do business in the State of California,” (emphasis omitted) and “applies to businesses that:
[1] Have a gross annual revenue of over $25 million in the preceding calendar year, or
[2] Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
[3] Derive 50% or more of their annual revenue from selling or sharing California residents' personal information[.][https://www.termsfeed.com/blog/cpra/]”
To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data. Some focus on social data. Some focus on movement data [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742] ”
The second way that government was able to get around the privacy regulations is merely by taking advantage of the functionality of the “opt-out” mechanism. These regulations offer “opt-out” provisions that require businesses that qualify under the legislation to offer consumers the option to either opt out of the sharing of their data, or to be able to see to whom their data is sold [https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/].
In the European Union, the General Data Protection Regulation (GDPR) uses an “opt-in” format that requires consumers to intentionally choose to allow their data to be collected and shared by the pages that they visit[https://secureprivacy.ai/blog/difference-beween-opt-in-and-opt-out]. In the United States, it is the exact opposite. As a result of this, more data is collected because opting into data collection is the default option [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/]. The companies that evade privacy regulations are able to exploit this default option and collect large swaths of consumer data, and profit off of selling it to third parties such as government and government contractors.
Closing the Gap
For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to move our nation to an opt-in system. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. Including for-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could be included and help to reduce the degree to which the government is able to quietly access this information.
Also, moving to an opt-out system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data share would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/]. | > > | There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity.” See also. We risk turning into an even bigger surveillance state than we already are with government purchasing consumer data, and many of those risks are even higher for minority populations.
The United States government has found a way to access this consumer information while not being subject to the requirements of the data privacy regulations specifically designed to avoid such collection as this. One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies to for-profit organizations that generate over $25 million annually, trade data of 100,000 or more consumers, and derive 50% or more of their annual revenue from trade of consumer data.
Why is this a link to a news story instead of the relevant statutory provision? Hearsay is not better than the law. You discuss CCPA rather a lot, but you never actually direct the reader to the statute. We have no reason to believe you've actually read it, as opposed to some news stories. What's going on?
To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data.”
Closing the Gap
A proposal to avoid this loophole would be a push for additional and more aggressive punishments from the FTC of violators of the privacy provisions. For instance, the FTC recently prohibited Rite Aid from using any and all facial recognition technology “for surveillance purposes for five years to settle Federal Trade Commission charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores.” Since the United States is unlikely to move to, say, an opt-in system like that of the European General Data Protection Regulation (GDPR), a stronger hand from the FTC would also work as incentive for businesses harvesting data to be zealous in their adherence to data privacy regulations, and hopefully could also deter more creative or gray area data dealings.
For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to increase repercussions for those who violate privacy regulations. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. Including for-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could be included and help to reduce the degree to which the government is able to quietly access this information.
Also, moving to a system where enforcement is more extreme and the repercussions are more serious for companies that violate would serve as a deterrent for businesses and entities seeking means to get around the privacy regulations. Even if the companies are using existing loopholes that are not strictly impermissible, “preventing the misuse of biometric information is a high priority for the FTC” and knowledge that the agency is “closely monitoring this sector” would certainly deter bad actors. If prohibition of the use of customer data proves ineffective, additional and severe fines would serve the same purpose and protect the consumer data. This could, at the very least, reduce the number of people whose consumer data and private information is caught up in the share and sale data market. | | The government has been taking advantage of the data privacy regulatory framework as it is today, but there is still time to change it to avoid an even stronger surveillance state.
| |
< < | You need to get the next draft under 1,000 words. You don't need all the bot-like background information. Your idea is that state privacy regulation doesn't effectively prevent federal government acquisition of available consumer data, This idea is largely correct, but beyond reiteration of the danger to "privacy" from "surveillance," there's not much more for the reader to gain by close reading. | > > | This is not a second paper, this is a revision of the first paper, which should have been put over the prior version, which I have done for you. There is no second paper, so you either need to complete the tech projects or write and revise a second essay to complete the course. | | | |
< < | Let's try a draft that uses links rather than scattering URLs in the text, that provides higher-value references for the reader (to actual statutes, for example, rather than to"web content" about law), and that offers specific technical and social phenomena that the reader can learn about while also learning what, from your point of view, they mean. Perhaps we can gain insight into how a regulatory system comprehensive enough to effect the environmental harms you describe could work, and how the politics of enacting it might be arranged. Any one of those would probably be a route to significant improvement over the current draft.
| > > | This revision addresses the procedural comments I made, but it doesn't deal at all with the substantive issues I raised. The problem your first draft took up was federal government purchasing of commercially available consumer information. The original draft said that posed "surveillance issues." You here discuss CCPA, but you never actually link to it, and there's no evidence you've read it. You call for "extreme" enforcement of privacy policies by FTC (which have no effect on collection or sale of data, but only on whether the privacy policies published by businesses disclose that they collect and publish, including whatever broad language they may wish to use). Once again, you refer to no documents beyond news stories and press releases. Doing so doesn't get us any closer to real technical or legal analysis. An FTC order prohibiting a retailer from using facial recognition it has not disclosed to its customers does not actually reduce the amount of video surveillance, or what happens to the surveillance feeds, but only determines who runs the software that analyzes it, for example. (Perhaps the actual order rather than the FTC press release would have been more informative.) | | | |
> > | Making this work better still involves the same steps: better-quality sources used to illustrate and substantiate a coherent idea about the relationship between government surveillance and private markets in personal information.
| | | |
< < |
| | \ No newline at end of file |
|
MorganCFirstPaper 3 - 25 Apr 2024 - Main.EbenMoglen
|
|
META TOPICPARENT | name="FirstPaper" |
Evasive Maneuvers --- How Privacy Regulations Can Cover Government Actors in the Future | | Also, moving to an opt-out system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data share would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/].
The government has been taking advantage of the data privacy regulatory framework as it is today, but there is still time to change it to avoid an even stronger surveillance state. | |
> > |
You need to get the next draft under 1,000 words. You don't need all the bot-like background information. Your idea is that state privacy regulation doesn't effectively prevent federal government acquisition of available consumer data, This idea is largely correct, but beyond reiteration of the danger to "privacy" from "surveillance," there's not much more for the reader to gain by close reading.
Let's try a draft that uses links rather than scattering URLs in the text, that provides higher-value references for the reader (to actual statutes, for example, rather than to"web content" about law), and that offers specific technical and social phenomena that the reader can learn about while also learning what, from your point of view, they mean. Perhaps we can gain insight into how a regulatory system comprehensive enough to effect the environmental harms you describe could work, and how the politics of enacting it might be arranged. Any one of those would probably be a route to significant improvement over the current draft.
| |
\ No newline at end of file |
|
MorganCFirstPaper 2 - 05 Mar 2024 - Main.MorganC
|
|
META TOPICPARENT | name="FirstPaper" |
| |
< < | | | Evasive Maneuvers --- How Privacy Regulations Can Cover Government Actors in the Future
-- By MorganC - 05 Mar 2024 | | -- By MorganC - 05 Mar 2024
The Current Privacy Landscape | |
< < | The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent. Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers. | > > | The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent [https://termly.io/resources/articles/ccpa/] Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut [https://perma.cc/G7WL-8ADZ]. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers [https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us]. | | | |
< < | In the time that has passed since the passing of the CCPA (now California Privacy Rights Act (CPRA)), businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years. But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of data collection, share, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad.” The digital footprint that any American citizen has, “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id. | > > | In the time that has passed since the passing of the CCPA (now California Privacy Rights Act (CPRA)), businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years [https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx]. But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of data collection, share, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742] ” The digital footprint that any American citizen has, “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id. | |
How Government Evades Privacy Regulations | |
< < | There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity.” See also. We risk turning into an even bigger surveillance state than we already are with government purchasing consumer data, and many of those risks are even higher for minority populations. [see also Carter, forthcoming Columbia Law Review, March 2024].
While consumers may be protected from (some) of the predatory share and sale habits of for-profit businesses thanks to the existing privacy regulatory framework, the United States government has found a way to access this information while not being subject to the requirements of the data privacy regulations specifically designed to avoid such collection as this. This was likely accomplished through a few means. One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies “to any for-profit organization, which may do business in the State of California,” (emphasis omitted) and “applies to businesses that: | > > | There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742] ” See also [https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600]. We risk turning into an even bigger surveillance state than we already are with government purchasing consumer data, and many of those risks are even higher for minority populations[https://www.brookings.edu/articles/examining-the-intersection-of-data-privacy-and-civil-rights/].
While consumers may be protected from (some) of the predatory share and sale habits of for-profit businesses thanks to the existing privacy regulatory framework, the United States government has found a way to access this information while not being subject to the requirements of the data privacy regulations specifically designed to avoid such collection as this [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. This was likely accomplished through a few means. One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies “to any for-profit organization, which may do business in the State of California,” (emphasis omitted) and “applies to businesses that: | | [1] Have a gross annual revenue of over $25 million in the preceding calendar year, or
[2] Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or | |
< < | [3] Derive 50% or more of their annual revenue from selling or sharing California residents' personal information[.]”
To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data. Some focus on social data. Some focus on movement data.”
The second way that government was able to get around the privacy regulations is merely by taking advantage of the functionality of the “opt-out” mechanism. These regulations offer “opt-out” provisions that require businesses that qualify under the legislation to offer consumers the option to either opt out of the sharing of their data, or to be able to see to whom their data is sold.
In the European Union, the General Data Protection Regulation (GDPR) uses an “opt-in” format that requires consumers to intentionally choose to allow their data to be collected and shared by the pages that they visit. In the United States, it is the exact opposite. As a result of this, more data is collected because opting into data collection is the default option. The companies that evade privacy regulations are able to exploit this default option and collect large swaths of consumer data, and profit off of selling it to third parties such as government and government contractors. | > > | [3] Derive 50% or more of their annual revenue from selling or sharing California residents' personal information[.][https://www.termsfeed.com/blog/cpra/]”
To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data. Some focus on social data. Some focus on movement data [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742] ”
The second way that government was able to get around the privacy regulations is merely by taking advantage of the functionality of the “opt-out” mechanism. These regulations offer “opt-out” provisions that require businesses that qualify under the legislation to offer consumers the option to either opt out of the sharing of their data, or to be able to see to whom their data is sold [https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/].
In the European Union, the General Data Protection Regulation (GDPR) uses an “opt-in” format that requires consumers to intentionally choose to allow their data to be collected and shared by the pages that they visit[https://secureprivacy.ai/blog/difference-beween-opt-in-and-opt-out]. In the United States, it is the exact opposite. As a result of this, more data is collected because opting into data collection is the default option [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/]. The companies that evade privacy regulations are able to exploit this default option and collect large swaths of consumer data, and profit off of selling it to third parties such as government and government contractors. | | Closing the Gap | |
< < | For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to move our nation to an opt-in system. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. Including for-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could be included and help to reduce the degree to which the government is able to quietly access this information.
Also, moving to an opt-out system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data share would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers. | > > | For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to move our nation to an opt-in system. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties [https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742]. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. Including for-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could be included and help to reduce the degree to which the government is able to quietly access this information.
Also, moving to an opt-out system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data share would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers [https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/]. | | The government has been taking advantage of the data privacy regulatory framework as it is today, but there is still time to change it to avoid an even stronger surveillance state. | |
< < | (citations available in MSWord format) | > > | | |
\ No newline at end of file |
|
MorganCFirstPaper 1 - 05 Mar 2024 - Main.MorganC
|
|
> > |
META TOPICPARENT | name="FirstPaper" |
Evasive Maneuvers --- How Privacy Regulations Can Cover Government Actors in the Future
-- By MorganC - 05 Mar 2024
The Current Privacy Landscape
The California Consumer Privacy Act (CCPA) and other data privacy regulations across the nation were passed with a goal in mind: to protect consumers from the extensive sharing and selling of their data by companies profiting from that personal, and often private, information without consumer knowledge or consent. Similar legislation passed in the years following the CCPA in states like Virginia, Colorado, Utah, and Connecticut. While there are variances across the different consumer data regulations, a consistency across the board is that they are considered progressive steps forward, intended to allow transparency and provide protection for their consumers.
In the time that has passed since the passing of the CCPA (now California Privacy Rights Act (CPRA)), businesses have worked to comply with the obligations imposed, and it seems that more and more legislation aiming to protect consumer data will emerge in the coming years. But the successful implementation of these state privacy regulations has enabled a far more dangerous and pervasive form of data collection, share, and sale of consumer data. It was recently revealed that the United States government has been “buying up reams of consumer data — information scraped from cellphones, social media profiles, internet ad exchanges and other open sources — and deploying it for often-clandestine purposes like law enforcement and national security in the U.S. and abroad.” The digital footprint that any American citizen has, “[t]he places you go, the websites you visit, the opinions you post — all collected and legally sold to federal agencies.” Id.
How Government Evades Privacy Regulations
There is considerable danger and justified discomfort in the knowledge that the United States government is quietly purchasing and collecting consumer data from companies. This data can be, and is, “used for everything from rounding up undocumented immigrants or detecting border tunnels. We’ve also seen data used for man hunting or identifying specific people in the vicinity of crimes or known criminal activity.” See also. We risk turning into an even bigger surveillance state than we already are with government purchasing consumer data, and many of those risks are even higher for minority populations. [see also Carter, forthcoming Columbia Law Review, March 2024].
While consumers may be protected from (some) of the predatory share and sale habits of for-profit businesses thanks to the existing privacy regulatory framework, the United States government has found a way to access this information while not being subject to the requirements of the data privacy regulations specifically designed to avoid such collection as this. This was likely accomplished through a few means. One, the privacy regulations apply to companies that meet certain criteria, and the government and government contractors were probably conducting business with companies that fell outside of these criteria. See id. For example, the CPRA applies “to any for-profit organization, which may do business in the State of California,” (emphasis omitted) and “applies to businesses that:
[1] Have a gross annual revenue of over $25 million in the preceding calendar year, or
[2] Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
[3] Derive 50% or more of their annual revenue from selling or sharing California residents' personal information[.]”
To avoid the companies who would be subject to regulations like the CPRA, these government organizations and associates need only coordinate with the businesses just outside of these parameters. For instance, the government gleans consumer data from “tiny, obscure data brokers,” with “very little public-facing presence and almost no direct consumer relationship. Some of these companies focus on consumer data. Some focus on social data. Some focus on movement data.”
The second way that government was able to get around the privacy regulations is merely by taking advantage of the functionality of the “opt-out” mechanism. These regulations offer “opt-out” provisions that require businesses that qualify under the legislation to offer consumers the option to either opt out of the sharing of their data, or to be able to see to whom their data is sold.
In the European Union, the General Data Protection Regulation (GDPR) uses an “opt-in” format that requires consumers to intentionally choose to allow their data to be collected and shared by the pages that they visit. In the United States, it is the exact opposite. As a result of this, more data is collected because opting into data collection is the default option. The companies that evade privacy regulations are able to exploit this default option and collect large swaths of consumer data, and profit off of selling it to third parties such as government and government contractors.
Closing the Gap
For current and upcoming consumer data privacy regulations to improve upon their goal of protecting consumer data and increasing transparency about where consumer data is going, future amendments and regulations should adjust the criteria for qualification under the privacy regulations and should make efforts to move our nation to an opt-in system. On the former point, the current revenue requirement should be lowered to include more businesses than it does at present. Considering the government is currently buying data from “tiny” data brokers, a smaller revenue requirement could help to include some of these parties. Alternatively, the number of residents whose data is bought, received, or sold could be reduced for the same purpose. Including for-profit businesses that receive even 10,000 residents’ personal information, instead of the current 100,000, could be included and help to reduce the degree to which the government is able to quietly access this information.
Also, moving to an opt-out system would at the very least reduce the number of people whose consumer data and private information is caught up in the share and sale data market. The conscious choice to opt into data share would reduce the number of people who do it, and agency could be successfully returned to large swaths of consumers.
The government has been taking advantage of the data privacy regulatory framework as it is today, but there is still time to change it to avoid an even stronger surveillance state.
(citations available in MSWord format)
|
|
Revision 4 | r4 - 03 May 2024 - 14:50:20 - EbenMoglen |
Revision 3 | r3 - 25 Apr 2024 - 18:43:25 - EbenMoglen |
Revision 2 | r2 - 05 Mar 2024 - 19:14:11 - MorganC |
Revision 1 | r1 - 05 Mar 2024 - 16:08:03 - MorganC |
|