I podcast over at Games At Work dot Biz with my friends and co-hosts Andy Piper and Michael Martine. We have a weekly podcast where we talk about gaming, technology, innovation, and other topics that we find interesting each week. Periodically we will be talking about some new technology and reviewing their business model, which almost always seems to be how they can take your data and monetize it. We then end up talking about how the privacy laws between the US and Europe are different, and ultimately end up in a rathole on how even in the US, every state has its own (read: different) privacy laws.
A Patchwork of States
The United States has a long history of balancing the rights of individual states and having a consistent set of governing policies across the country. After the Revolutionary War, the US started their first government with the Articles of Confederation from 1781 to 1789. One purpose of the Articles was to ensure that there wasn’t a strong, centralized government. The states were given most of the powers of government. Over the 8 years that the Articles were in effect, it became apparent that the confederation model did not allow a fledgling country to effectively manage the complexity of becoming a nation.
The people who benefited the most from the confederation approach were those who did not want to have any set of centralized control; however, it quickly became apparent that not having a consistent way of treating with other countries was causing issues for commerce. Not having a strong centralized military meant that only those organizations that were really big could successfully deal with pirates, or could negotiate with other countries.
This same level of ineffectiveness, along with other issues between each of the states, ultimately led to the creation of the current US Constitution, which not only addresses the need for a strong central government, but also tried to balance the various states’ needs.
Constitutional Right to Privacy?
While the U.S. Constitution does not call out a specific right to privacy, there are multiple amendments which are part of the basis for what has been precedent for the right to privacy of individuals in the United States. This set of amendments is the basis for what are called penumbras, which were used by the Supreme Court in the 1965 decision of Griswold v. Connecticut.
I won’t go thru and repeat the entire section of the above Wikipedia article on the US right to privacy, but the description of what the basic law provides should be considered in light of this post.
- The right of persons to be free from unwarranted publicity
- Unwarranted appropriation of one’s personality
- Publicizing one’s private affairs without a legitimate public concern
- Wrongful intrusion into one’s private activities
If we use that list, I believe we have a strong case for constraining the runaway invasion of privacy perpetrated by various businesses and social networks, which will require a nationwide approach to privacy, not the current state-by-state patchwork of laws and state constitutions.
Privacy in the news
In the last month, I’ve started collecting a set of stories and blog posts that have all talked about privacy. I highly recommend clicking through on each of them and reading up.
- The Global Surveillance Free-for-All in Mobile Ad Data by Brian Krebs: This article discusses the lawsuit against a company called Babel Street, which sells location data. This data can easily be combined with other data to pull together a detailed movement map of individuals. In this case, the data was used to violate New Jersey law enforcement officers’ privacy, but this same data can be and is used to track individuals.
- Verizon, AT&T tell courts: FCC can’t punish us for selling user location data – by Jon Brodkin: In this article the carriers claim that location data isn’t protected, i.e. not private, and as such they should be allowed to collect and sell that data. Of course, that is the data that companies like Babel Street aggregate to create the portal tracking individuals and law enforcement. Their argument is that the FCC can’t tell them to stop, that they should have a jury trial, and that a recent Supreme Court case stated that a jury trial is required when the SEC seeks civil penalties. While this is an FCC decision they are fighting, they will try to get the court to apply the same logic.
- Supreme Court Helps AT&T, Verizon Avoid Accountability For Spying On Your Every Movement – Karl Bode: This is another story on the Verizon and AT&T item from above.
- The Open Source Project DeFlock is Mapping License Plate Surveillance Cameras All Over the World by Jason Koebler: With the massive deployment of traffic cameras by a company called Flock, the author indicates that in the U.S. it is impossible to drive in some cities without being captured by these cameras. Again, the data that companies like Flock collect can be used, with other metadata, to build detailed maps of where people travel. (This was also covered by Bruce Schneier with the post Mapping License Plate Scanners in the US.)
- Threatened With A Ban In India, Wikimedia Agrees To Hand Over Personal Information About Wikipedians To Delhi High Court by Glyn Moody: While this story is not about U.S. privacy law, it shows how a company is trying to compel a US-based foundation to provide information about editors of various public pages. While I am not clear on how the Wikipedia Foundation is structured within other countries, this attempt to silence information created by various individuals is, in my opinion, another attack on privacy.
- Security Now Episode 998: The Endless Journey to IPv6 – Steve Gibson and Leo Laporte: In this episode there is a discussion about the privacy-focused messenger called Telegram, and how they are moving their company from Australia to Switzerland, due to privacy laws.
- New iOS Security Feature Makes it Harder for Police to Unlock Seized Phones – Many sites had this story. Bruce Schneier’s article is a good jumping-off point for some of the articles. Net-net, this is a somewhat good news story in that the latest version of iOS 18 has enabled a mode in which, if a phone is not unlocked every 72 hours, it will reboot and go into the “Before First Unlock” state, which makes it much more difficult for tools to break into the phone.
Now, the above stories are a small set from the last 4 weeks, but they illustrate an ongoing drumbeat about how data is being gathered, sold, aggregated, and used for purposes way beyond the “public” expectation. To that end, we should go back and review how we can address the possibility of privacy in an age of surveillance capitalism.
What is Surveillance Capitalism?
According to Wikipedia: Surveillance capitalism is a concept in political economics which denotes the widespread collection and commodification of personal data by corporations. The reason I bring this up is that even if we have strong laws for data privacy, e.g. the E.U.’s GDPR, unless the fines are large enough, many businesses considering violation of privacy for profit will factor in the fines as a cost of doing business.
We’ve seen in the U.S. that many states have to have their own privacy laws, and this patchwork causes issues for any real privacy. I have experienced this firsthand, as I’ve tried to use tools to automate opting out of data collection from various websites. About half of the websites have responded back with a “no”, indicating that North Carolina laws do not require that they disable that collection.
If I were living in California, the data privacy laws of the state require that companies actually remove the data in a timely manner. So even though many of these companies are located in California, the fact that I am in North Carolina means they do not have to react to my request. If we had a single, common law across the country, modeled after California’s, both consumers and companies would have clarity. And smaller companies would be able to compete with the larger enterprises who use regulatory capture to keep them from entering the market.