The Data Drop Panel for June 2022
Host Cat Coode and special guests take a deep dive into the noteworthy, concerning, and downright fascinating stories featured in recent episodes of the Data Drop News podcast.
Pro tip: you can listen to The Data Drop Panel on your phone by subscribing to our podcast.
About The Data Drop
The Data Drop podcast is a production of the Data Collaboration Alliance, a nonprofit dedicated to advancing meaningful data ownership and global Collaborative Intelligence.
Join The Data Collaboration Community
The Data Collaboration Community is a data-centric community where professionals, nonprofits, and researchers join forces to collaborate on datasets, dashboards, and open tools in support of important causes. Learn more.
Cat Coode: Hi folks. I'm Cat Coode, a data privacy consultant from Binary Tattoo and a member of the Data Collaboration Community. Welcome to the Data Drop Panel where each month we gather some lead data and privacy professionals to hear about the news stories that stood out for them over the past month or so in the fast paced world of data privacy.
It's always interesting to hear what's raising eyebrows and curling the fists of practitioner. I should note that all of the stories that will feature today have been included in our podcast, which delivers a five minute privacy news Roundup. Every other week. This month on the data drop panel, we have three amazing guests.
We have Jeff Jockisch who's the CEO of PrivacyPlan. David Kruger, who's the VP of Strategy at Absio. And Heidi Saas, who's the data privacy and technology attorney. All right, actually, Heidi's gonna kick us off today. So our first topic is the long awaited us data, privacy bill. That appears to be on track again.
Heidi, why don't you tell us about that?
Heidi Saas: Yes, no longer a mythical creature. We have it in draft form. But as I've been telling people, believe you need, this is not the first. Draft like firstborn children were sold. Like so many promises were made, like deals were cut all over the place. This is the deal that is supposed to represent all of the stakeholders.
It's not just about privacy. This one also includes children, includes biometric data. It includes AI and audits. It includes so many different things. Civil. Just not consumer rights in cybersecurity. It's got a little bit of everything in here. I don't wanna call it an omnibus because that's, that's too all encompassing here.
But what it does have in it is some good stuff along with a couple of, you know, issues. And not everything that we want to be covered is going to be covered. But it's at least something right now, which is when we really, really need it in our country. Because I don't know if you're aware of what's going on in our country, but women are about to lose our right to bodily sovereignty.
And so our data will be able to criminalize us. Basically. So that that's a, a story that we're gonna cover next. But that is part of the driving force behind why now people suddenly pull a rabbit outta their hat and say, here is this giant privacy bill. So, the major headwinds that it's facing in DC right now is Blumenthal and can't, well, they don't support this.
So it's a draft been introduced in the house. It's not been introduced in the Senate yet. And that's why, because they're not behind it. There are other competing bills that they feel like. Have stronger consumer protections. Part of their issue is the private right of action. So there is a private right of action, but it's very limited and it doesn't even kick in for four years.
So four years is there. So the other stakeholders can claw back any protections over time through whatever administration we may have next. So that's kind of the reasoning why it was drafted this way, the purpose and story behind the actual draft itself. So some of the great things that we do see in it are algorithmic bias in audits and things like that.
Because we are recognizing. Across the board, every industry's using these tools and nobody really knows how they work, but we do know they're causing disparate impacts. That's wildly illegal. So at this point we need to do something just at least to raise the base level of knowledge and provide best practices for businesses.
So that they don't run afoul of these issues that they're not even aware of for the most part. So I think the new data, privacy bill, it includes so many other moving parts that I can't really cover it in about five minutes. But those are some of the things that I see that are positive. Those are some of the things that I see that are gonna hold it back.
And we are limited by time. I think this is the most important part right now. We are limited by time. The August recess is. And if we get to the August recess and nothing is done with this bill, it is likely that it will just lie, follow and do nothing because then we're caught up in the midterm elections and then who, who knows what we have for the next, you know, set up for how Congress lines up.
This is our best opportunity. Now you can see where people are starting to add pressure. Elizabeth Warren just threw a new bill in last week, just to throw fire on the flame to try to get Kent well pushed back into this line. So that she'll accept what everybody else is on board with the hearing last week, I think was interesting to me because I've, I don't recall seeing a whole hearing of all the legislators, all the legislators and all of the lobbyists who were there presenting their issues.
Everybody on agreement about we've gotta do something now that was the vibe in the room, something, anything now, and everything else we can work out later. We all agree. Something's gotta happen. I don't recall seeing that before. So I think that's the most unusual thing out of the whole circus that is this last, you know, two weeks of crazy privacy look.
Right. So in the Canada don't wanna feel left out. So, I mean, they threw something in there too, and you gotta get to that too,
Cat Coode: right? They did. Yeah, they did. They did. I don't know. Jeff. David, do you have anything to add to that one? I think Heidi's covered it.
David Kruger: yeah. Well, I, I
Jeff Jockisch: would say it's a pretty good bill.
We, we had to pass it. There's some good coverage of data brokers in there. I like what it's doing with preemption. I mean, I'd rather, it didn't preempt stuff, but we have to have some uniformity and the fact that it's doing some limited preemption and still giving states the ability to do things.
Cover facial recognition laws and some other things like leaving death end intact. I think that's good. So, I'm pretty happy with this law. And I really like the fact that it's, that it's covering sensitive data. Really stringently requiring opt in for things like location tracking.
Cat Coode: Yes, that's right. And I agree, like location tracking should be sensitive data. I'm always surprised when it isn't. Where's the foam finger emoji on this. Yeah. Where what's the timeline in the us for this? Like, if, if this gets passed, what are we looking at before? This is actually like a law where this.
Jeff Jockisch: You know, I'm not sure what the dates are on it, but I think it goes into effect pretty quickly. It's only the the private right of action. That's delayed for like four years.
Heidi Saas: Yeah. There's a rolling basis for some of the other provisions that that need to happen. But for the most part day one, There's a flat out ban on using children's data, like flat out and, and children.
They've decided to identify as minors, not 13 to 16 and you know, none of that just as minors. So that would be 18 and under
Cat Coode: her. That's great. All right, Jeff, we're going on our next topic, which is yours and that's the FTC chair con plans. Key work. As we were just talking about kids on kids' data privacy online.
Jeff Jockisch: Yeah. So, Le Khan at the FTC is saying that they're really gonna crack down on children's data. You'll you'll note that children's data is really sort of a, a subset or maybe even a superset of, of sensitive data. Which is a real Babbo of mine. And, and really what the FTC said is that they're gonna crack down on education technology companies in particular, right?
Who illegally surveil children when they go online to learn, that's one of their real big focuses. And, you know, this is really a little bit of a, a response you remember recently that senators were grilling executives from YouTube and tech talk and, and Snapchat about what they're doing to ensure user safety in the wake of suicides and other harms to teens attributed by their, you know, parents, the usage of, of, of those kinds of platforms after Facebook sort of got called under the map by, by Francis Hogan.
So. You know, this is very much in the spotlight right now, but it's also because children's data is sensitive data and it needs to be protected even more than our personal data. Which needs to be more protected, right? So we have to have, you know, our privacy protected our personal data protected, but children's data has and sensitive data have to be even more protected.
It requires not just an ability for us to opt out of that collection, but needs to be required to opt in to protect that sensitive data that children's data. And while we've had laws like Copa in, in effect for a long time, There are loopholes in that legislation that essentially that companies collect that data.
If they don't know that you're a child. And that's a really huge loophole that trucks drive through every day.
Cat Coode: Yeah. And then for anyone listening, who isn't familiar with carpets, the children's online privacy protection act. And it does say that you can't pull data from children under 13, but then, which is why all of the social media of course has a minimum age of 13.
And I used to do a lot of kids, internet safety workshops, and like get into a, anyone undergrad sex and say who here has an Instagram or a Snapchat account. Every hand would go up, which means every one of those kids is lying about their age, which is perfectly on point. Jeff, is that exactly what you said is that kids are lying in order to get in.
So the data's being collected anyway. Right. David, why don't you tell us about Marinna one and protecting users' privacy from Google and surveillance?
David Kruger: Well, I, I there's a sort of a, a, a mantra of mine. Partial privacy is no privacy. Right. And this really has to do with the structure of data brokerages and how things flow.
If a, if a, if a broker gets a data from one source or a hundred sources, they don't. They care that they get the data and then that data is sold and reused and reuse and reuse without end. So the thing that, and then there's another thing that's a particular PVE being a ly guy of mine, where, where things are marketed as being privacy enhancing without actually quantifying or qualifying what that means.
Right. So. There was a a, and, and I'm not dissing this product. And I, I, I'm glad that they're trying to do things like this, but you know, there's this couple lines that IED outta there, we have removed many pieces of code that send your personal data to remote servers without your without your consent.
Sounds great. What was the key in that sentence? Right. Let me say it again. We have removed many pieces of code that send your personal data to remote servers without your consent. Heidi many just that's correct. Yeah. There are many more, so many that's that's correct. There are many, many more. And again, the way the structure of the market works if you're going to sell and, and reuse that information perpetually right there, there's no practical distinction between many and.
And all right. I mean, are, are many in some and all that. It, it is essentially, if you can't do all, you're not doing really anything except. Doing a little, you know what I call rubbing a little privacy S on you, you know, and then, and then making money from it, right? It's not actually a solution to the problem.
Not, not dissing these people. I'm glad somebody's doing something, but it is an illusion to think that they're actually doing anything that has real force and effect in the world. They also go on to say in this article and cause EOS their proprietary operating system runs on Android. You can still run most of your favorite Android apps.
The company continues. So, Jeff, I think you snagged the the Tim Horton story before I did. So these, these two things and actually even the the, the duck dot go Microsoft story, they're all related to each other. Because again, if you don't stop the flow period, you don't stop the flow at all.
So if you can run your favorite Android apps, you know, there are, there are ask yourself a question. Why are there millions? Somewhere between four and 6 million. Now I think apps in the Android store. Why are there millions of apps? Do we have millions of actual applications that we need all those apps for?
And the answer is no. Most apps in the app store, their financial model is selling the data that they collect. So they have every impetus in the world to lie. And if you've got a, an OS that cuts off some functions that doesn't allow stuff to be sent out and you. And you allow them to load native Android apps.
you know, into the whose sole function for many of these apps is to collect the data and sell up the data brokerages and or to deliver advertising. And I love the ones that make you pay to not get ads, but still collect your information and sell it. God, you gotta love the, the tah for doing that. So, so again, these things are partial.
Privacy is no privacy. But that does not prevent people from making BKU books off of the earnest desire that we have for privacy. And frankly, that bothers me a lot.
Jeff Jockisch: Well there's so there's very little dad to what David said. I mean, he's just spot on it, it's great to want to improve privacy, but I'm not sure how much this would really do to improve that privacy.
David Kruger: Yeah, it, it it's a step in the right direction. The legislation is a step in the right direction. But the, the thing is, is that these are all battles that have to be fought in won, but, but we're still nowhere near winning the war.
Heidi Saas: I'll just add that. I hate data brokers. I, I hate data brokers, like whatever you wanna do.
I mean, that, that's a good idea.
David Kruger: So I mean,
Jeff Jockisch: you know, I, I was actually just thinking one thing, maybe we could, we could add to this if you actually, you know, implemented Desar request and go to a couple data brokers and, and pull your data off of those data brokers, what is the real point of doing that?
I mean, if you're individually gonna try to do that and, and get your data out of like two or three or five or 10 data brokers, does that accomplish anything? This is
David Kruger: already out of the tube. Yeah. Remember this privacy sad. Just rub a little bit on and you'll be fine, you know, it's we have cybersecurity on this arm too.
So there two things are related, right. So right.
Cat Coode: All right, Heidi, you have our next topic, which you had touched on a little bit earlier. Health data, privacy concerns grow as abortion laws change nationwide. What does this have to do with privacy and tracking?
Heidi Saas: So this is why everybody freaked out when Ruth died like this.
This is why because robe being overturned there are 13 different states that enacted legislation that says if Roe is ever overturned, it triggers. New laws in those states immediately. And some of them criminalize the act including accomplices. So if you're in Texas and your friend wants to use your phone to look up, how do I get an abortion and travel to Maryland?
That could be data collected and. Sold by a data broker or gathered by the government because they have all of these powers over big tech to walk in and say, give me data on people in this area, or people searching these terms and then they can pursue these people. So your period can lead to a sentence.
And that is, that's why we freaked out. That's a fundamental freedom that we have. It's a safety issue. Now these list safe craft was busted by vice magazine for selling location data. On people who were using planned parenthood services and they offer a lot of services, but they were selling these lists.
I wanna know who's buying these lists and what are they doing with 'em. But also, you know, that turns it more from privacy into personal safety. So cyber can take a backseat for our minutes because that's not, ransomware is like the last of my concerns right now. I am more concerned with religious white people showing up.
When I'm trying to go to work, if I'm a healthcare provider and they're shooting at me or something like these are real concerns, cuz these are things that happen. So the fact that Roe being overturned it's gonna upset the, the penumbras and emanations, the privacy in our country is based on. So I don't even know how the decision is gonna be written.
But I read one of the leaped drafts from Alito, and I gotta tell you not since Plessy V Ferguson, have I read a Supreme court decision that was so vile, so hateful, so paternalistic and willingly. Ignorance of the issues. And I am afraid of a decision that comes out, looking anything like that. So this is a big reason for everybody to get upset.
Privacy is now everybody's problem. If you have a uterus or you love someone with a uterus now is the time to get involved in privacy because your information can be used against you in ways that you never thought possible and you never agreed to, and you can't do anything about, so if you are using one of these.
Check out the FTC site, federal trade commission and their settlement with flow. You can get some good information on the flow of your data through flow right out to everybody. They wanted to market all of your information to, so, and that was a big settlement that nobody really wanted to pay a lot of attention to because it involves the female cycle.
And now it's at a point where you can't look away from this issue. I don't care how much you don't like to hear these words. You are gonna have to get used to hearing these words because your rights are at stake too. So that's where I'm at on, you know, the health data. The HIPAA does not protect most of the information that you put into these apps, unless they're from a health service provider or your insurance company.
And they do so many contracting and sub apps and this and that API to link things together that nobody's responsible in the end, because we don't have strong enough laws for consumers to know about what's going on and enforce their rights until we get privacy rights in this country. We still won't be able to do much about this.
So this is why everybody's freaking out. Now, this is why we freaked out when Bruce died, and this is why I'm gonna keep freaking out until we get this decision, which could come as early as Wednesday.
David Kruger: Those data flows are all over
Jeff Jockisch: the place. And, and every, you know, not just location, data, search terminology you know, variety of different things, right?
If you search for abortion services or, you know, prenatal services or whatever, right. That information goes ad tech vendors. Goes to data. Brokers can go to law enforcement can go to, you know, anti-abortion pro I guess providers, what do you call those services? Right? Pro-life services and probably people that might be, you know, angry with you for thinking whatever you you're thinking.
So, yeah, it's a big privacy concern for people whatever your, your thoughts are on the
David Kruger: issue. Well, you know, the, the, the thing is, again, you, you have the search engine. I mean, there's, there's a story about do, go giving stuff to Microsoft that, you know, violates their own policies. You, you, you there's technical problem with browsers.
The way browsers are architected, you cannot stop. You know, people from downloading stuff into a browser, you have a, the progressive web apps that don't go through any kind of vetting in a, in an app store, which is, you know, the vetting in an app store. Again, you, you vet what you don't like, you don't vet things that doesn't, don't give you information that you can resell and make money.
So there's a lot of variability in those things. And, and the, the useful thing about all of this is the more, and I know this sounds terrible, but the more outrages that people have that are based on their privacy, and one, one respect, that's almost gotta happen for people to wake up and smell the coffee and realize that their personal information a has real value and B can be used against them by anybody for any reason.
You know, so wake up this privacy stuff, isn't some side issue, right? Remember the real time. This is real serious stuff. Yeah. Remember
Jeff Jockisch: the, the real time bidding stuff that that Johnny Ryan's lawsuit is, is is going after right now applies to this too. So if you're. If you're searching for services like this your information is going out to potentially hundreds of different organizations every time you search for a term.
And that includes abortion services.
Heidi Saas: Massive ongoing data breach.
Cat Coode: Yep. Yeah. And just to tie this one out to reiterate, cuz I think you all covered different areas. There is the, the curated version of I'm gonna search something online. You're literally putting the term in there's the, maybe back of your mind version of these health apps that are tracking your cycle.
And then there is this total non curated area of geolocation where we're tracking people to these sites and people aren't like, we're not even thinking what apps or doing. So, now David, you said wake up and smell the coffee. So we're now gonna go back to Jeff for an issue about Tim Horton's
Everyone knows. So, Tim Horton's app collected vast amounts, vast amounts of sensitive data. So what is, what is the story behind that one?
Jeff Jockisch: Yeah. So, this is an interesting story. Apparently Tim Hortons was unhappy that people were drinking coffee other than Tim Horton's coffee. And so they started tracking their customers when their customers were going to Starbucks and and dunking donuts.
And some people found out about it. And one guy a reporter, James McLeod found out that Tim Horton's tracked him 2,700 times in less than a couple of months, five months. And so, he did a story about this and now Tim, Horton's got in a lot of trouble and obviously what they were trying to do is they were trying to protect their brand and, you know, find out when, you know, customers were going someplace else.
So. Probably try to figure out what they were doing wrong. Which makes a hell of a lot of sense from a marketing perspective, not so much from a privacy perspective and a cons customer trust perspective. And so, the, you know, Canada a privacy commissioner was not real happy with with Tim Hortons and that came down on them pretty hard.
But as we discussed a little bit, pre-show. Do not think there were any fines on Tim Horton's. They, they did agree to stop doing this and they got in a hell of a lot of trouble PR trouble, but there were no privacy fines because this is not illegal in Canada, at least at the moment. And so it's an interesting issue.