New Data Privacy Regulations

When Mark Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place on the Internet.

Right now, the only way we can force these companies to take our privacy more seriously is through the market. But the market is broken. First, none of us do business directly with these data brokers. Equifax might have lost my personal data in 2017, but I can't fire them because I'm not their customer or even their user. I could complain to the companies I do business with who sell my data to Equifax, but I don't know who they are. Markets require voluntary exchange to work properly. If consumers don't even know where these data brokers are getting their data from and what they're doing with it, they can't make intelligent buying choices.

This is starting to change, thanks to a new law in Vermont and another in Europe. And more legislation is coming.

Vermont first. At the moment, we don't know how many data brokers collect data on Americans. Credible estimates range from 2,500 to 4,000 different companies. Last week, Vermont passed a law that will change that.

The law does several things to improve the security of Vermonters' data, but several provisions matter to all of us. First, the law requires data brokers that trade in Vermonters' data to register annually. And while there are many small local data brokers, the larger companies collect data nationally and even internationally. This will help us get a more accurate look at who's in this business. The companies also have to disclose what opt-out options they offer, and how people can request to opt out. Again, this information is useful to all of us, regardless of the state we live in. And finally, the companies have to disclose the number of security breaches they've suffered each year, and how many individuals were affected.

Admittedly, the regulations imposed by the Vermont law are modest. Earlier drafts of the law included provisions requiring data brokers to disclose how many individuals' data they have in their databases, what sorts of data they collect and where the data came from, but those were removed as the bill negotiated its way into law. A more comprehensive law would allow individuals to demand to know exactly what information data brokers have about them -- and maybe allow individuals to correct and even delete data. But it's a start, and the first statewide law of its kind to be passed in the face of strong industry opposition.

Vermont isn't the first to attempt this, though. On the other side of the country, Representative Norma Smith of Washington introduced a similar bill in both 2017 and 2018. It goes further, requiring disclosure of what kinds of data the broker collects. So far, the bill has stalled in the state's legislature, but she believes it will have a much better chance of passing when she introduces it again in 2019. I am optimistic that this is a trend, and that many states will start passing bills forcing data brokers to be increasingly transparent in their activities. And while their laws will be tailored to residents of those states, all of us will benefit from the information.

A 2018 California ballot initiative could help. Among its provisions, it gives consumers the right to demand exactly what information a data broker has about them. If it passes in November, once it takes effect, lots of Californians will take the list of data brokers from Vermont's registration law and demand this information based on their own law. And again, all of us -- regardless of the state we live in -- will benefit from the information.

We will also benefit from another, much more comprehensive, data privacy and security law from the European Union. The General Data Protection Regulation (GDPR) was passed in 2016 and took effect on 25 May. The details of the law are far too complex to explain here, but among other things, it mandates that personal data can only be collected and saved for specific purposes and only with the explicit consent of the user. We'll learn who is collecting what and why, because companies that collect data are going to have to ask European users and customers for permission. And while this law only applies to EU citizens and people living in EU countries, the disclosure requirements will show all of us how these companies profit off our personal data.

It has already reaped benefits. Over the past couple of weeks, you've received many e-mails from companies that have you on their mailing lists. In the coming weeks and months, you're going to see other companies disclose what they're doing with your data. One early example is PayPal: in preparation for GDPR, it published a list of the over 600 companies it shares your personal data with. Expect a lot more like this.

Surveillance is the business model of the Internet. It's not just the big companies like Facebook and Google watching everything we do online and selling advertising based on our behaviors; there's also a large and largely unregulated industry of data brokers that collect, correlate and then sell intimate personal data about our behaviors. If we make the reasonable assumption that Congress is not going to regulate these companies, then we're left with the market and consumer choice. The first step in that process is transparency. These new laws, and the ones that will follow, are slowly shining a light on this secretive industry.

This essay originally appeared in the Guardian.

Posted on June 8, 2018 at 6:48 AM • 34 Comments

Comments

Bavo De Ridder • June 8, 2018 8:10 AM

I would like to add some clarifications on the GDPR.

The GDPR does not mandate that for all processing the consent of the user is required. Only for processing for which no other legal ground can be found (e.g. contractual obligations, legal obligations ...) is consent required. A considerable amount of processing of personal information happens because of contractual obligations or other legal grounds and does not require consent.

The GDPR also does not only apply to EU Citizens. It applies to all processing of personal information done inside the EU or by EU companies:

-) services offered in the EU, regardless of whether the company is from the EU or not, fall under the GDPR. E.g. Facebook or Amazon offering services to people in the EU. This regardless of whether those people are EU citizens or not.
-) services offered by an EU company to anyone, even outside of the EU, fall under the GDPR. E.g. an EU company offering services to US Citizens who consume the service while in the USA (they never have .

A more important aspect of the GDPR is the requirement for transparency. That is one of the cornerstones of the GDPR.

If you gather personal information, you have to inform the persons involved, regardless of whether you gather the information directly or indirectly. There are some provisions that make it easier for data brokers to be exempt from that (they can claim that it would have an unreasonable cost to do so). But in the latter it would still be required to inform the persons that their information has been passed on and to whom.

I am not a lawyer or legal expert so some of the above may require a more nuanced view but I still wanted to share this small clarification.

George H.H. Mitchell • June 8, 2018 8:37 AM

I know I'm oversimplifying, but it would be nice if some entity enacted a basic regulation that data about me belongs to me. Even if I disclose information about myself to a business, the business should not be able to pass it on to anyone else without my express permission.

And yes, I still hope Santa Claus will visit my house the night before Christmas. (Might as well hope for as many impossible things as I can.)

echo • June 8, 2018 8:46 AM

The European courts ruled that blanket bans were unlawful which placed a limit on authoritarian abuses of power and the GDPR essentially makes secretive information silos unlawful too.

I'm fairly convinced that on balance that most states aren't that interested in war but keeping the great unwashed in their place, and they forget that state cruelty and violence begets cruelty and violence in an ever increasing and expanding demand for yet more power and more surveillance. I have collected a few links this week including one new US study directly relating to this which I am saving for the squid topic.

@Bavo De Ridder

With regard to "unreasonable cost" and "undue burden" and so forth when Convention rights are being considered then the issue tilts the other way. There are legal requirements for extreme due diligence, adequate resources to the task, equity and a range of systemic and personal and other legal issues which must be considered. In this respect while a "data broker" may claim an exemption in reality they have obligations and as far as a "data broker" is concerned due to the higher degree of sensitivity and risk inherent to data brokerage any evasion or watering down of Convention rights will be actionable. In some cases this may be pursued at the very highest level both within the EU and within national governments.

I am not aware of a war or act of war being threatened because of a breach of Convention rights but I get the impression words have been had in some quarters which have provoked a few face saving u-turns.

jill • June 8, 2018 8:58 AM

> The companies also have to disclose what opt-out options they offer, and how people can request to opt out.

Is there any requirement for them to offer opt-out options? Do companies generally do that?

Given the sensitivity of this data, it should really be opt-in. They could easily start with government agencies: ban states and municipalities (including their power/water companies) from giving personal information to data brokers, without explicit and optional permission. Many can skip credit checks if given a deposit, or if you're a homeowner, but they don't always publicize that. Ban them from collecting unnecessary data like SSNs too.

Karl Lembke • June 8, 2018 9:31 AM

Yes, the market is indeed broken. Generally, when a market is "broken", it means the incentives that apply to private goods don't apply to the particular good under examination. Either the incentives that produce a stable equilibrium price don't exist, or they have been perturbed by people determined to fix some problem.

Information is what economists call a "club good" -- non rivalrous but excludible. People can be excluded from using information, by keeping it private and divulging it only to those who are authorized to have it. But it's not rivalrous in that giving it to person A does not restrict the ability to give it to person B. Cable TV is another example of a "club good", and the problem of piracy is a good analog to the issue of identity theft.

It seems to me that cable TV and satellite TV companies have been working on the problem of ending piracy for quite a long time. These might be models to consider for data privacy.

Clive Robinson • June 8, 2018 9:40 AM

@ Bruce,

> If we make the reasonable assumption that Congress is not going to regulate these companies...

Without belaboring the point,

    It is difficult to persuade a man his position is wrong, when his livelihood and position in society relies on him taking the wrong position

The US is not nor ever has been a Democracy, nor even a real "Representational Democracy", those in power --who are not those you elect but pay them-- do not want their investment wasted by the public good or self interest of society.

Thus Congress is going to look any which way it can except in the direction the correctly informed public would wish, as it's contrary to their "sponsors" interests.

As such "sponsors" also tend to "control the market" neither existing politics nor the market will solve this problem.

After all the biggest and most useless industry in the world is "Marketing" which has between a 90-98% failure rate[1].

Thus you have to ask the question just how much of that largest industry in the world has been grabbed by the big Internet Companies, and what they would be prepared to do to ensure that cash keeps flowing one way or another?

We know they cheerfully hand over any and all data to the US Gov when requested with in most cases not even a token resistance.

[1] It depends on what metric you use, over 90% of new products in existing markets fail within a year, there is actually a museum to such failures. If you look at "flyers" and "direct mail" less than one in a thousand produces results just expensive land fill, so is a 99.9% failure.

me • June 8, 2018 10:11 AM

to all the readers: do you think that "whois" domain data hidden because of gdpr is a problem or a good thing?
Brian Krebs keeps saying that it is a big problem because it's an important tool for security researchers to catch bad people.
but i saw also scams because of it: people who got amazon or twitter account hacked because of data visible in whois database.
i don't see a big problem having it hidden, after all there has always been an option to hide data, some offered it for free, others paid, but it was possible also before.

Jordan • June 8, 2018 10:17 AM

@George H.H. Mitchell
> data about me belongs to me

So if you lend me money, and I fail to pay you back, you can't tell anybody else about that failure?

me • June 8, 2018 10:22 AM

I hope it was not too much off topic, if yes, moderator feel free to delete it.
I'm not american so i don't know very well your laws.

TRX • June 8, 2018 10:54 AM

The most intrusive of the data brokers are the credit reporting agencies. I've been battling them since the late 1980s now, as they keep conflating my credit record with various ne'er-do-wells. After weeks or months of jerking around I can get my record cleaned up, and then six months or a year later it's all back, as they merge databases with someone else again.

Back then it was just an annoyance. Now your credit rating affects things like your auto and homeowner's insurance rates, your rent, whether a new doctor will take you as a patient, and in a few jurisdictions, it's factored by software that determines your bail or sentence terms.

That's a lot of clout for data that's not only unverified, but is often incorrect, if not outright fraudulent.

vas pup • June 8, 2018 11:58 AM

@Clive. If and only if legislators were victims of unauthorized disclosure of their personal data, they will do something. They act on public interest when they got negative personal experience, i.e. issue should become personal. Example: many years ago Choice Point was a culprit and got severe fine from feds. It is like mob can't bribe cop who got his loved family member killed by mob.

TheInformedOne • June 8, 2018 1:44 PM

Technology takes 2 things away from humanity without its consent. 1) Your Anonymity or Inherent Privacy. 2) Your ability to be patient. When Western European immigrants started populating America, the pioneering spirit saw families homesteading to establish their independence. When someone came onto your homestead without identifying themselves, they were usually greeted at the business end of a Winchester rifle until they identified themselves and stated their intentions. You could almost look at this as an early form of Authentication (Friend or Foe). In the pioneering days of modesty and values, most people valued their privacy and didn't seek undue attention or conflict. The early American settlers inherently had something we don't (if they wanted it), which was Inherent Anonymity. How does Technology reduce your anonymity? It starts with the basics. Everyone has to consume goods, right? Cash has allowed us to purchase things anonymously for a long time. Those days are over now. Even if you pay cash these days, the retail establishment you're buying from has cameras everywhere, and if you drove a vehicle to that establishment you're on camera coming and going, not to mention the toll-road tag affixed to your windshield which is scanned by 12 different agencies tracking your migration patterns as you drive around the city. Credit cards have removed the anonymity of cash. Crypto-currency has recently afforded a little "bubble" of anonymity, but will eventually come to be regulated by governments and commercial interests who will ensure the non-continuation of anonymous purchasing which created the Finance Industry. Besides, when Quantum Computing allows all encryption to be broken in mere seconds, us lowly citizens won't be able to hide behind encryption anymore. Enjoy it while it lasts. Fast forward to today and you have to ask yourself, "Why are Facebook, Twitter, Google, Snapchat....etc. free?"
The answer is that they are stealing your anonymity, with your consent, but without your intellectual awareness. It all happens in the background using algorithms. On to point #2. The more we interact with technology the more we come to expect things to happen in "A New York Minute". Electronic automation and instant access to information keep blasting our brains with a high-speed rocket ride, until the battery dies or the video game is over. Then you have a meltdown and get upset because you have to actually talk to another human being instead of Siri. Take a cell phone away from a teenager for a few days and watch them literally become suicidal, cut off from their artificial world. It's scary. Patience is a virtue and with good reason. When people are impatient, it's like saying, "I'm better than the human condition and my needs should come before yours". Patience is how people learn to tolerate other people (or the human condition). Becoming dependent on technology slowly erodes your patience levels and robs you of this virtue. I'm not even sure Generation Z will understand that they ever had a right to anonymity or the ability to employ patience. Tell me I'm wrong....

Jesse Thompson • June 8, 2018 5:10 PM

@Karl Lembke

Hey, thanks for the heads up on Club Theory. That's some good prior work to read up on. :D

@TheInformedOne:

I agree with your point #1 but I think your point #2 is a misplaced concern which human society has grappled with for thousands of years at minimum now. Ultimately it's not technology which biases the old fashioned against the new standards of faster rhythms, it's literally just the age of the old fashioned.

One part of your point #2 that I agree with is that we are seeing people becoming more accustomed to insulation from the human condition. But I argue that that is by design (of those of us with good intentions, not of some shadowy cabal), not as a side effect.

"Human Nature" as you call it is toxic, and the entire business of civilization is to allow people to interrelate with one another in spite of the shortcomings of human nature.

That's the entire reason that we build courts to settle disputes between people who might otherwise have no recourse but direct violence.

That is why we create automation to more efficiently generate food so that every citizen doesn't have to be a professional farmer by trade.

That's the reason we invent vehicles to carry ourselves and our goods so that our velocity is not circumscribed by the speed of our feet and our carrying capacity is not limited to how much we can personally carry over long distances.

That's the justification behind a global telecommunications network which allows middle-class foreign tourists halfway up Mount Everest to instantly exchange text, voice, or perhaps video communications with other middle-class foreign tourists on the other side of the world on a cruise ship hundreds of miles from land without either tourist being forewarned of the call or preparing for it more assiduously than reaching into their pockets and selecting a familiar name out of a backlit list.

Without that infrastructure or its evolutionary predecessors we cannot know information that isn't conveyed to us on foot via word of mouth, and cannot with veracity trust information that doesn't transpire within feet of our person right before our eyes.

Human nature includes violence, lies, exploitation, and greed and without the technology of civilization we and our families are laid bare to those properties of the most powerful abusive people present. With that technology we can band the virtuous aspects of our humanity together collectively, and build systems to dodge and to resist these negative aspects of the humanity not only of others but of ourselves.

It's not always easy to do, and there will be times when said technology amplifies the damage that evil can do, but the only outcome in the best interest of the greatest number of people that remains constant is the good of mankind. So over very long timescales I believe that will always win the technological battle over the selfish greed of ephemeral actors via the process of natural selection. :)

echo • June 8, 2018 5:19 PM

@Jesse Thompson

On the issue of age and ageism here are recent articles expanding on studies into ageism and why older people tend to stop discovering new music. This is obviously a much larger topic than these articles but should help anyone interested in the topic expand their view.

https://www.theguardian.com/society/2018/jun/08/ageism-widespread-in-uk-study-finds
Ageism is rife in Britain, with millennials holding the most negative attitudes towards ageing, according to a study.
https://www.rsph.org.uk/uploads/assets/uploaded/010d3159-0d36-4707-aee54e29047c8e3a.pdf

Here's Why Most of Us Stop Discovering New Music After 30, According to Science https://www.sciencealert.com/here-s-why-most-of-us-stop-discovering-new-music-after-30-according-to-science

65535 • June 8, 2018 6:37 PM

“…none of us do business directly with these data brokers. Equifax might have lost my personal data in 2017, but I can't fire them because I'm not their customer or even their user. I could complain to the companies I do business with who sell my data to Equifax, but I don't know who they are.” Bruce S.

I fully agree. This is a huge problem and must stop. But, the question is “how to stop data brokers?”

“…Mark Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place…”-Bruce S.

I believe that observation is true.

What if an accurate study of data purchasers showed the Government with all of its tentacles are the largest data purchasers? Say the NSA, FBI, ICE, Border Patrol, IRS, TSA, Politicians, State police down to local police in sum were the largest set of purchasers of data from the 4000 data brokers. There are many “background checks” performed by the government to hire employees. And, don’t stop there include other governments around the world. Wouldn’t that align with:

“few US lawmakers had any appetite to regulate the pervasive surveillance” –Bruce S.

I think it would. Maybe, Clive Robinson has hit the nail on the head:

“Without belaboring the point, It is difficult to persuade a man his position is wrong, when his livelihood and position in society relies on him taking the wrong position”-Clive R.

If the above is true, that government should stop collecting large data files on each and every person in the USA and quit wasting the taxpayer’s money buying such data from data brokers.

I would bet if the government got out of the data purchasing business there would be a lot less “data brokers” in business. Many of those data brokers would dry up and blow away.

cmeier • June 8, 2018 9:26 PM

@TRX

> That's a lot of clout for data that's not only unverified, but is often incorrect, if not outright fraudulent.

Since they are telling lies about you, can they be sued for libel?

Bauke Jan Douma • June 9, 2018 6:11 AM

@George H.H. Mitchell

"And yes, I still hope Santa Claus will visit my house the night before Christmas. (Might as well hope for as many impossible things as I can.)"

Does Santa have your address?

Bauke Jan Douma • June 9, 2018 6:14 AM

@cmeier

Note that in some countries libel doesn't require the libelous utterance to be a lie.

Petre Peter • June 9, 2018 10:42 AM

These questions point the way better than my mouse or my trackpad:

1)What data is being collected?
2)Who has access to it?
3)How can i delete it?

Surveillance is the business model of the internet.

Alyer Babtu • June 9, 2018 1:51 PM

Because better for you !

We know they are doing it, but still one has to marvel at the implied arrogance that it would all be done without mentioning it were it not for those pesky laws, and also the blithe unspoken presumption that one wants any of this.

From a news site:

“AAAAA is now part of the BBBBB family. Due to EU data protection laws, we (BBBBB), our vendors and our partners need your consent to set cookies on your device to use your search, location and browsing data to understand your interests and personalise and measure ads on our products. BBBBBB will also provide personalized ads to you on our partners' products. Learn more about our data uses and your choices.
Select 'OK' to continue using our products, otherwise, you will not be able to access our sites and apps.”

Alyer Babtu • June 9, 2018 4:14 PM

@all

Is the GDPR accompanied by or coordinated with EU tax code changes ?

Alyer Babtu • June 9, 2018 7:13 PM

@echo

The EU's role is to oversee national tax rules – to ensure they are consistent with certain EU policies, ...

The power of law and of taxation is the power to destroy, and to build up, so to shape society.

There seems to be today a tendency everywhere towards statism (which is surprising given the failures of this approach throughout the 20th century).

Even laws, such as the GDPR, that start out by addressing real abuses, may gradually be turned into instruments of statist tyranny. It depends on the framework of reasons adduced for the law. So one might wonder what if anything correlated might be happening in tax, the other societal power.

Winter • June 10, 2018 4:14 AM

"There seems to be today a tendency everywhere towards statism (which is surprising given the failures of this approach throughout the 20th century)."

I do not find this surprising. People living in functioning states are better off than those not living in functional states. The most wealthy, healthy, and happy people are living in some of the best developed states.

I do not think I have to point out the state of those people living in areas that are not part of a well functioning state.

echo • June 10, 2018 7:14 AM

@Alyer Babtu

Yes I know all this thank you! You asked a question and I gave you an answer based on what is not speculation. A "thank you" from you would be nice because I did the work for you which a rudimentary level of knowledge about the EU and a simple search would have revealed for you.

CallMeLateToSupper • June 10, 2018 11:02 AM

I am still waiting for that first "because GDPR" email. I think that sufficient time has elapsed since the (alleged) emails cataract began that I can now state, without fear of contraception :-O, that years of diligence in avoiding "signing up" is proved effective: I am an unknown.

In some venues the best way to win is the only way to win, and the only path to that end is refusing to play the game.

How much more drip-drip of bad news about Facebook will it take for a significant number of its members to clear their data and close their account? (Rhetorical)

ACK • June 10, 2018 12:02 PM

As a German lawyer I like your positive characterisation of the GDPR. Please allow me a little remark: The personal consent is practically not that important. There are at least another five legally defined conditions which allow the processing of personal data. Consent is amongst these of the least importance.

echo • June 10, 2018 7:39 PM

The UK is a common law jurisdiction not a civil law jurisdiction which ultimately means consent is of primary importance and explains a lot of noise from this side of the English channel.

English contract law and German contract law are different branches of a common Roman law root which explains a few difficulties too. One bad case and the City of London disappears in a cloud of smoke because the whole stack of contract law relies on one single high court judgment no judge wants to touch. It's one of those oddities like Parliament having to keep renewing marriage law every year because if it doesn't then every single marriage in the UK would become null and void overnight.

Ollie Jones • June 11, 2018 11:00 AM

Regulations passed by local and state jurisdictions in the USA are a good way to get the dysfunctional national legislature to act.

The US Constitution has a clause stating US law and treaties supersede state law. The tenth amendment declares that the states, or the people, have all powers not specifically delegated to the US.

The supremacy of laws clause https://en.wikipedia.org/wiki/Supremacy_Clause is interpreted to mean that federal legislation overrides state legislation.

So what?

If the federal legislature cannot act, then the states can act, as Vermont has acted and as Washington state has tried to act. States large and small can work together to adopt uniform regulations, and thereby compel businesses doing business nationally to comply.

Or, states can be more aggressive, and work together to adopt a patchwork of incompatible regulations. This will make businesses beg the federal legislature for uniform regulations.

Either way, there's a route to reasonable regulations.

The business I serve has decided we will grant the data rights spelled out in GDPR to all persons worldwide (on a best-efforts basis to those not covered by specific regulations). It's easy for us: we only collect a tiny bit of data, and we are not a data broker.

Worldwide uniform regulations, or even nationwide regulations, will be very helpful to the future of internet business.

justinacolmena • June 11, 2018 2:38 PM

Excuse me, Mr. Schneier.

Let's not have too much faith in the laws of the State of Vermont being applied internationally outside their jurisdiction where the sovereignty of any individual state within the Union is irrelevant at best.

Vermont is "known" as a permitless concealed carry state and lauded among gun rights activists. That part is a trap, not the truth, and it never will be the truth, as long as those eastern "log-cabin" brotherhood states insist on limiting the recognition of gun rights to that of an archaic chauvinist sexist basis of gentlemanly honour.

I forget. Is that where radar detectors are illegal, and cops carry radar detector detectors, because moderate speeding is the only traffic infraction that is not obvious to the naked eye of any bystander and requires the formality of some technical instrumentation to detect?

Mark Babbitt • June 12, 2018 12:44 AM

What I find laughable is the fact that a bunch of politicians get together and create ludicrous laws on how Private Companies can collect data on people, who mind you, are freely visiting their sites, yet the institutions under which these politicians work collect data on their citizens freely, unhindered, unfiltered and for much more nefarious reasons.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.