• Team

The Data Drop Panel: September 2021

Our host Heidi Saas takes a deeper dive into some of the most important, concerning, and downright fascinating data privacy and data protection items covered by the Data Drop News podcast in recent weeks.

Pro tip: get The Data Drop on your phone by subscribing to our podcast.

Heidi: I am Heidi Sass, a data privacy and technology attorney based out of the Washington DC area. I'm also a member of the iOWN community at the Data Collaboration Alliance. Welcome to the Data drop Panel. Each month, we gather some leading data and privacy professionals to hear about the news stories that stood out for them over the past month or so.

In the fast-paced world of data privacy, it's always interesting to hear what's raising the eyebrows and curling the fists of the practitioners. I should note that all the stories that we'll feature today have also appeared on episodes of the Data Drop News which delivers a four-minute news roundup every other week. Check it out.

So let's get started. This month on a Data Drop Panel, we have three great guests.

First up, we have Daniel Knapp who is a data privacy consultant based in Atlanta, Georgia, and a principal at Red Clover Advisors. We also have Dan DeMers, the CEO and Co-founder of Cinchy and the President of the Data Collaboration Alliance, and last but not least, we have David Krueger, the Dallas-based Co-founder at Absio, a leading protect company that's advancing distributed key cryptography.


President Biden signs Executive Order

Heidi: So first up is Daniel, I think you're going to be talking about Biden and his 72 points in his executive order, which one struck your fancy?

Dan K.: Well, we'll just go through all 72 real fast!

In all seriousness, I love the fact that this executive order is finally getting people to focus on the need for a federal privacy regulation in the United States. What I find less impressive is that, while the data privacy protection aspect of the executive order is getting a lot of focus, the reality is this executive order the intent is to aim at Big Tech and focusing on potential monopolies, potential anti-competitive behavior.

And I don't necessarily want to touch on that so much as the fact that that focus means that in practice, this is really limited in terms of, in my view, the impact that this will have in terms of data privacy because it's really focused on Big Tech and their data-harvesting practices that the administration views is anti-competitive. Not that that's not important, but the reality is that in my view, Big Tech is the portion of the sector that's best able to handle the thirties, know, some odd individual state privacy regulations that are either being implemented or being discussed right now.

I think it's the little guy really that will ultimately benefit most from federal privacy regulations because they're less equipped to really shift from state to state how they're actually set up to respond to and handle privacy regulations. So I think it's good that the executive order is getting, I think, more talk about the need for a federal privacy regulation in the US. This kind of highlighted more in people's minds.

But my concern is that people will look at this and say, "oh, now we have some kind of federal privacy rules in place." And really as it's designed, from my read, it's really only going to directly impact a small number of really big corporations. And that's the intent behind the whole executive order.

But I don't want it to get lost that there's still really a need to push for federal privacy regulations because right now we just have a few key states implementing their own rules, more kind of on the hopper and a lot of smaller to mid-sized companies still don't really know exactly what to do about that.

And until we get something more expansive until we get something that's actually, I think an actual law pushed through Congress, that's going to be pretty limited.

Heidi: I hear you. I'm not sure that's going to get through Congress the way it is. The way I look at the executive order is, and you can let me know if you agree with this or not, but it says we'll make our best efforts to do these things.

So it's not a right, and it's not enforceable. So it's not really going down the path that we need it to, but it is giving a little foreshadowing to the industry to say, we're not really cool with what you're doing anymore and we know how you do it. So I think that was kind of what was the unsaid statement from those executive orders.

Does anybody else have an opinion on that? Yeah, David,

David: What I'm concerned with that the people in DC and in state governments for that matter seem to miss is that legislation does not affect data. It has no force and effect on data. Only software does that.

So you know that there is this - I mean if we just get the words right in the legislation that somehow that's going to magically solve all our problems. And I'm not saying that legislation is not needed, but I'm also saying that there needs to be a clear recognition that if you're going to change the way that we do things with data, then you're going to have to change the things that manufacturer and manage data.

And that's software applications that seem to be not on the radar screen at all. And I don't want there to be some kind of prescriptive legislation, but there at least needs to be some accountability and some liability on the part of people that provide software to be able to disclose exactly what can be done and what controls they have on the data that they are either producing or further processing. That's my 2 cents.

Heidi: I Agree. Dan, did you want to get on that?

Dan K.: David, wouldn't you say that's kind of part of the cycle, the way we're seeing things right now is, it really is cyclical, right?

We have tech companies kind of advancing at a rapid pace, things like ad tech that involve

that have privacy implications and therefore we have the different regulatory bodies or in this case, not so much a regulatory body, but just the administration coming up with an executive order to sort of responding to that.

And then, in some way, shape, or form, whether you're dubious about the motivation behind it, we had the tech companies in term responding by innovating in such a way to adhere to said legislation. So right now we're in that cycle. I don't know if it's a good thing or a bad thing. But it strikes me that's just sort of the current state of affairs and it seems like you're indicating there needs to be something more that happens. I'm just curious what your thought process is?

Heidi: Yeah. A private right of action would do it. That's exactly what it needs is a private right of action that right is enforceable and set clear guidelines, then businesses will know what they need to do. And the ones that don't, they're going to have some trouble. So that's how you get the big shift in the market, but nobody wants to talk about that.

So that was a quick answer right there. at this point, I want to ask Dan DeMers, did you want to get in on this or do you want to wait until we move on to another topic?

Dan D.: Yeah, I just wanted to say that I very much agree with what David was saying. As the only way that this is going to happen, that absolute scale is if the way that technology is created and managed is fundamentally changing and that does require enabling technology but also does require any such regulations to mandate adoption of standards. For the same reason that if I'm manufacturing a car, I have to put seatbelts in the car. Whereas if I try and say that the driver of the car is responsible for the safety of the passengers, but the car doesn't need seatbelts, doesn't need crash testing, doesn't need any of these things. It's going to be very difficult to ensure the safety of my passengers even if I'm ultimately accountable for that. So we need to make sure that the cars have seat belts and they're crash tested.

And so the technology that gets created needs to be designed in a way that makes compliance at scale possible such that it respects privacy and I think that's where we're going to need to see a shift for this to make a real dent and an impact.

Heidi: I agree


Zero-click hacks threaten mobile devices

Heidi: Up next again, David. And David, I think we're going to talk about zero clicks and you want to talk about that one first?

David: You know, we get this story that zero-click hacks threatened malware, and that this basically, this is a piece of malware that can get loaded onto the phone. And you don't have to click a link. You don't have to do anything like that. Just merely having the opening whatever is bearing this zero-click malware's enough to get it installed on your phone. The thing that strikes me about this is this further failure to understand authentication and how to properly implement it.

So you've got a piece of a room of malware that's been loaded on you. You've got remote execution. That's attached to that. That's part of the story. Here's the problem with that, we know how computers work and we know that when we know how authentication works. If we're going to authenticate something personally, we always look at

You know, assigned values that we give something, you know, we give it a name, we give it a serial number or something like that as some kind of assigned semantic or numerical value. And then we also look at the physical characteristics of the thing that we're trying to authenticate.

What you have here is this, the provider that doesn't even bother to ask if it's a remotely executed piece of malware to verify who it is, where it's from, what device is it reporting back to. So this utter failure to understand that if you're going to reliably authenticate anything, whether it's a user or it might be.

You got to do the user, you've got to do the hardware, you've got to do the software. You have to have all three to make the malware work. This is an especially egregious case where we didn't ask for anything, but even in most cases, the only authentication we asked for was user authentication. So I'm probably doing a bad job of framing the problem but imagine this, you're protecting the money that's involved in a bank, you have a door that people have to go to the vault door and you'll let anybody in there as long as they slip their driver's license in, and we know that those are easily faked. That's the only thing that we ask for. And then we open up the vault door and let them in. Is it any wonder we have all of these problems?

This again is just sort of showcasing the continued sort of engineering stupidity about the way that we do authentication. It's just maddening.

Heidi: I hear you on that. You know, I would also add that they probably do know how but it is not their obligation to do so right now. If we think back to when car stereos were being stolen, well then they sent forth legislation to demand the kill switch be added.

Well, then they stopped stealing stereos overnight. Because it was regulated. They knew how all the time, but it wasn't in their benefit until it was regulated to make them do it. So as soon as they did that, people stopped stealing radios. So that's not a problem that we have right now. Right now you're talking about phone jacking.

So what do we do to have a kill switch, to stop phone jacking? It's authentication and it's gotta be done the right way. So does anybody else want to get in on that? Did you have something else you wanted to add?

David: I mean, the only thing, I go back to Dan DeMers talk about cars, my background is in process safety. So I'm in agreement with you. If you know the method that something is going to become hazardous, that bad things are going to happen, you have full knowledge of that and you take no action to stop. In any other industry but our industry, we have a legal term for that you're familiar with. We call it negligence.

But there's no liability to attach us for letting something as stupidly egregious as zero-click malware to get on a device. Until there is some kind of negligence that attaches to that, then the cell phone provider has no reason to do anything about it. Except for a vague apology.

And that's a situation that just can't persist. My two cents.


Time to kill standard privacy notices?

Heidi: Dan DeMers, do you want to add on this one or did you want to start your next story? I think killing standard privacy notices was one of your topics. I'm excited to hear what you have to say about that.

Dan D.: Well, it's not a new story by any stretch. It's a, I'm sure we've all accepted thousands of such privacy agreements and I'm sure we've all diligently read all of them. But one of the things that I've been fascinated with is the Apple move for the App Tracking Transparency and what does that mean to privacy agreements of the future? Because now it makes it digestible, consumable in terms of what am I actually accepting by utilizing this particular application or whatever it is that I'm doing. And I wanted to just open it up to the group to think of, to ask what you guys think of, is the emergence of tracking transparency and the longer-term consequences of that.

What is the impact of that on kind of the standard privacy agreement when you're accepting software or playing a video game or doing that? Is that going to eliminate that as a concept? My hope is yes, but I'm curious what you all think.

Dan K.: It's hard for me to imagine a world without privacy agreements at all, just because they're so much a part of our everyday lives. But I could definitely foresee further standardization since you have Apple and potentially Google following suit not long after pretty much-forcing standardization in terms of how tracking actually works within apps. So, maybe we're being in this situation where we can kind of templatize things.

And what would be great about that is, yes, you're kind of joking, people actually read every privacy notice and we all know they don't. But if you basically have to read one once, maybe you will, at some point actually, not only will it enhance the privacy and security of the apps, but it could actually enhance awareness as to what's actually going on.

Because at some point someone does read the template and yeah, maybe it's updated once a year. For all the reps, so their entire phone. And so in addition to actually helping with the privacy and security to begin with I think if it raises awareness that just a big thing of what we need in general and I'm optimistic that yeah

Heidi: Yeah. If you pay people to read them and get informed consent, now I'm serious, in a tokenized kind of discount for your purchases online or whatever. If you pay people to read it and give you the informed consent that you need, you've got a better likelihood of raising their base knowledge.

Otherwise, they're not incentivized to read that thing. I'm not incentivized to read those. I think it's the digital answer to something that I don't think anyone grows out of past college, people will do just about anything for a free pizza. This is the digital free pizza.

Dan D.: I think part of the problem is that the way that they tend to be phrases from the person trying to protect their liabilities perspective rather than

the person accepting it so that it's not expressing it in terms of what the actual impact of it is. So to me, that's the reframing where it now makes it digestible and consumable where you can actually understand what you're accepting. Like many of you have probably heard the story.

This is going back to quite a while ago where there was a retailer in the UK that, as part of April fool's joke put, basically you're signing over the right to your eternal soul. And thousands of people were happily accepting this privacy agreement and signing over the rights of their eternal soul.

And, if anyone did not, they would actually reward them. But the fact that most did just reinforces what we already knew. It's that people don't read it. And then even if they did, they probably wouldn't understand it. I've tried myself just a couple of times, but I think the reframing it in terms of the impact to you, which - the templatization - I think is a really big shift.


School posts on Facebook could threaten student privacy

Heidi: So I want to move on now to our next topic here. I think we're back at Daniel, I think Facebook was your next topic. Always something to talk about over there.

Dan K.: Yeah. So, this was, specifically that there is I'm trying to recall which publication uncovered this, but essentially schools and school systems posted their Facebook account information and photos information about and photos of students all the time.

And what they realized was that even if parents and students themselves have their own Facebook accounts and they've set all the privacy settings to as private as possible. If schools post pictures and information about their students you don't even have to be logged in some cases to Facebook at all to actually access this information.

It's alarming, but to me, not necessarily surprising. As a parent myself whenever I sign up my kids for anything, be it registering for a new school year or camp program or any extracurricular activities, there's almost always you sign off the approval for their photos to appear somewhere.