The following is a guest-post from Michael Kearney, Esq.*
Last month Datacoup identified consumer demand, decentralized technology, and legislative pressure as the three key ingredients that are coalescing to create a massive shift in economic power from centralized platforms to sovereign individuals. Since that last post, there has been significant movement in these areas. As mentioned, keep your seatbelts fastened.
In the last three weeks, we’ve seen:
- Marriott’s announcement of one of the largest data breaches in history
- A major article in the New York Times regarding location tracking and sharing by iOS/Android apps
- Google CEO’s testimony before Congress regarding privacy issues, and
- A new data protection and privacy bill in the United States Senate
These events, whether indicative of data exploitation or security/privacy bungling, continue to drive consumer demand for better data protection, as well as lawmakers’ willingness to pass new privacy and security legislation. We are now nearly 20 years into this century and the existing framework does not provide an adequate answer for consumer data protection and privacy issues that began appearing in the 1900s. The time for individual data sovereignty has arrived.
Look Who’s Tracking
Let’s begin with the consumer demand ingredient. The New York Times article on location tracking and sharing by apps comes off as just a bit creepy. By now, most of us are aware that certain apps access our location. And in some cases this makes sense. Location tracking for a weather app? Sure. Location tracking for Waze? No brainer (sadly you can’t just be magically whisked away to Delaware). But where data tracking practices veer off course for many is the sharing of this data with third-parties that do not perform functions related to the app (e.g., online marketers, hedge funds). Notice of this information sharing is often buried in policies that nobody bothers to read (a point so eloquently made by The Book of Mormon creators more than seven years ago). Even if the shared data is supposedly rendered “anonymous” for the third-party, the ever ubiquitous data breach could leave nefarious actors one step away from re-identifying the data (think names associated with locations that are clearly a home address). Particularly disturbing were revelations from the data that a math teacher had stayed at her ex-boyfriend’s house and visited Weight Watchers. Middle schoolers can be cruel.
Nestling into our location tracking theme, Marriott recently announced that 500 million guests (yes, ½ billion) had their personal information exposed in a recent data breach that occurred over a four-year period from 2014–18. In addition to the run-of-the-mill account information (such as name, address, email, DOB, etc.), the hackers also absconded with “arrival and departure information, reservation dates, and communication preferences.” The attacker, likely China, had access to the lodging habits of many Americans for the past 4 years. Awesome.
Agreement in the House?
With these two events fresh in the minds of the House Judiciary Committee, along with its own Google+ privacy issue announcement on Monday, Google CEO Sundar Pichai addressed questions about consumer data privacy. It probably seemed as if many were peering over his shoulder in anticipation of what he would say.
Not surprisingly, Pichai had to answer pointed questions about Google’s practices of app data tracking, as well as collection, protection, and related practices. In a rare moment of bipartisanship, Representatives from both sides of the aisle appeared concerned with these issues. And just like many other executives, Pichai appeared to support the notion of national privacy legislation. Happy 2018 — maybe security/privacy will be the great unifier we didn’t know that we truly needed.
New Proposed Legislation
Perhaps with one eye on recent events, a group of 15 Democratic Senators dropped the Data Care Act of 2018. We know, this is not the first federal privacy and security bill to be introduced (nor will it be the last). Legislators, policymakers, and lawyers still have plenty to debate regarding the types of covered data, covered organizations, notification thresholds, end-user consent, federal preemption, reasonableness, proportionality, fines, and enforcement bodies. But the proposed legislation elevates an interesting concept into the discussion — fiduciary duty. In general, a fiduciary has the obligation to act in a trustworthy manner on behalf of another person. Think doctors, lawyers, and (in some cases) financial advisors. The Act has a goal of re-introducing the concept of trust to your relationship with organizations that handle your data (face the music, “data breach fatigue” is now a thing — it just isn’t working). Outlining this quasi-fiduciary role, the Act includes a few duties for businesses:
- Care: Provide reasonable security and data breach notification.
- Loyalty: Don’t use data in ways that harm or are offensive to the individual.
- Confidentiality: Disclosure to third-parties should follow duties of care and loyalty.
There it is, simple and sweet. These are all goals that any business that handles data should strive to follow. Even if end-users understand that a business is using their personal data to provide a service, that business should not handle or use that data in a way that is detrimental to the consumer. The sponsoring Senators further commented:
It’s long past time we rethink how our personal data is collected, stored, and shared online. -Senator Bennet
These companies are making billions off of this data and they’re keeping Americans in the dark about how it is being used. That’s wrong and it is especially alarming because it seems like every day we hear about new data breaches. It is clear that we must do more to protect consumer privacy. -Senator Klobuchar
Consumers understand now more than ever that their data is valuable and vulnerable to misuse. Everyone should be able to trust that their data is being protected and used properly. -Senator Booker
Far too many times, we have seen online providers fail to meet their users’ expectations about how their personal data will be collected, used and protected. The current system is skewed against consumers and we have to fix it. -Senator Baldwin
In today’s era of ‘big data,’ Americans are using the internet every day without fully understanding the consequences of every click and whether that click just handed over their personal data for unwanted uses. This is simply unacceptable. -Senator Durbin
To say nothing of impending policy prescriptions, these sentiments largely reflect Datacoup’s posture around data control and exploitation.
Not as Easy as it Sounds
This all sounds really great, but in our current environment it will be extremely difficult to meet these goals. First, security and privacy are hard. Really hard. There are armies of very smart employees from all backgrounds attempting to secure and properly manage data. But there are still many issues and there will always be a weakest link. For example, Marriott may have implemented completely reasonable security measures, but early signs point to them being hacked by China (and its vast resources). Like consumers, many organizations that experience data breaches are also victims. You could argue that “the right to be forgotten” — one of the major tenets of GDPR and the California Consumer Privacy Act — is a direct result of people throwing up their hands and just saying: it can’t be managed, just get it out of there.
Second, lawyers will be lawyers. There still may be a fight regarding the situations in which the FTC should bring an enforcement action related to the reasonableness of security controls. And reasonable security represents just one aspect of the Data Care Act of 2018. There will undoubtedly be questions about what is “offensive” to the consumer, in what instances disclosure of personal data to a third party is improper, and what the term “data breach” even means.
Third, compliance with this framework will be extremely expensive for organizations. Hiring highly specialized professionals, implementing appropriate controls, updating contracts, auditing processes, and addressing other technical and legal issues will cost a ton of time and money. At a certain point, it might not even make economic sense for most businesses to request and store consumer data.
The issues go on and on. In short, applying the appropriate regulatory and legal framework to digital issues is difficult.
A Better Way
Instead of trying to do backflips to develop and enforce a quasi-fiduciary duty for businesses, Datacoup believes that control of personal data should be given back to you, the consumer. The sponsoring Senators agreed: we must rethink today’s broken, unacceptable system. Our response: who is better to act on your own behalf than . . . you? Datacoup has been pushing for 5+ years to give consumers control of their data and a marketplace to share it. They’ve built several different web-apps and accumulated a dedicated early user-base that understood the value of taking control of their data. With evolving technology come new solutions that could provide a better means toward the end goal of true consumer data ownership. With blockchain-based technology, “functional ownership” (not legal ownership) of data is becoming a viable framework from which to vest control in the consumer. Straight from the newly minted Republican recommendations in The Equifax Data Breach Majority Staff Report from the US House of Representatives’ Committee on Oversight and Government Reform: we “must invest in and deploy additional tools to empower consumers to better control their own data.”
Not only do we now have the three key ingredients — the Montagues and the Capulets are speaking the same language. Please return your seat backs to their full upright and locked positions.
Michael spent the ’00s as a comp sci undergrad and a manager of information security risk assessments at Wells Fargo Bank. He has spent the ’10s as an attorney focusing solely on security, privacy, discovery, and records management, and has closely followed the evolution of personal data legislation and regulation. He hopes to use his experience to continue to push the conversation and implement effective solutions for the management of data risk.