The privacy issue remains locked in pre-internet thinking. Maintaining my privacy was easier before I started blogging, updating my Twitter status, revealing my interests on Facebook, sharing my reading habits, traffic, and purchases with everyone who would give me something fun or rewarding. All of these privacy reveals have been of my own free will and with the risk that some of that information, like my email, might be used in ways I wouldn't want (like spam). This is why I don't post my cell phone on Facebook or pictures of me drunk. I don't feel I'm censoring myself (I don't drink), but I'm acknowledging the reality of privacy on the web.
arc
· 1 year ago
What Schneier proposes is quite similar to what italian law mandates. Since 1996, if you collect personal data for commercial (or government) purposes you have to get an explicit consent, state why you are collecting data and avoid collecting unnecessary data. You must also allow some control on personal data, exactly in the terms Schneier advocates (see your data, corrections, deletion, ...).
Organizations have to protect the collected data from unauthorized access and send an yearly report to the independent "Privacy authority" stating what you do with the data, who accesses it, ...
As far as I know, the law works quite well. Well-organized businesses do not usually have trouble implementing the necessary changes, while individuals and scientific research bodies have only limited responisibility (except for "critical data" such as health information).
Jim Harper
· 1 year ago
Well, he didn't limit his proposal to commercial or governmental purposes. Perhaps that was just carelessness, but even if he meant to include such limits, why are people's privacy interests strong as to governments and corporations, but then weak as to other individuals, partnerships, and associations (and perhaps non-profits)?
And I'm not impressed with the Italian law. In January, I spoke at a small conference there, and we had to sign forms agreeing to allow the other speakers to learn who we were. It was silly, unnecessary bureaucracy, and I still don't know who half the other speakers were.
MikeT
· 1 year ago
One of the critical reforms that we need is to make those who maintain large databases partially liable for identity theft when they get hacked and their data is used against the public. Responsibility should be on the large institutions, not the individual, when they are the ones who are enabling the crime. It should also be this way with credit cards. If a bank lets someone sign up for a credit card in my name, the bank should be not only liable for all damages, but should be legally liable for clearing my good name with the credit bureaus.
Jim Harper
· 1 year ago
I largely agree, MikeT. Letting common law tort liability emerge for various harms caused by data holders would be a good thing. I haven't written enough on this, but talked about it in a TechKnowledge a few years ago.
Identity theft is largely the fault of these institutions. There have been reports that ripped up credit card applications were actually processed when someone tested the system by taping them together and sending them in. Unacceptable. It is way too easy for people to get these institutions to take financial action without proving the identity of the person making the request.
Chris Brand
· 1 year ago
I also agree with MikeT. If the full costs of these data breaches were borne by the people storing the data, we'd see a lot less data collected and it would be much better protected. As it stands, having to pay out for a year's credit reporting for a few people is just a cost of doing business, while the costs to people who's data is mis-used is huge.
Wyatt Ditzler
· 1 year ago
I am of the mind of holding those responsible for the data breach accountable. If we were able to control our information that private groups collect, my opinion would differ. However, a person really has little say as to how their information can be used or deny an organization's request to obtain personal information.
No, I think you're quite wrong. Norway has a law which is pretty much what Schneier is calling for, here. It is easily administrated, mainly through a tiny government body called the Data Inspectorate which has a strong, independent position to have oversight over both private and public data. It is simple, easy, and my oh my I am glad we have it.
Jim Harper
· 1 year ago
Norway's law is quite a bit more limited, specifically excluding private data processing. But I bet the source of its success is its non-use. Martin, could you describe an instance when you have exercised your rights under the law, demanding to inspect and correct data, say, held by your phone company? How did it go?
John David Galt
· 1 year ago
What both privacy laws and privacy opponents fail to address is that a substantial part of your everyday freedom relies absolutely on facts such as: your boss can't find out that you support political causes he opposes, follow a religion he dislikes, or have friends he hates; your landlord can't find out that you engage in sex practices he thinks are sinful.
As new technology removes these inabilities, it becomes imperative that the law either put them back in place, or introduce new laws to prevent employers and landlords from discriminating based on information of the types in my examples. Otherwise you are no longer free to have a private life that your boss or landlord doesn't approve.
And discrimination about those things is going to be impossible to prove. That is why gathering the info needs to be banned.
Jim Harper
· 1 year ago
JDG, do you realize that you're talking about limiting the freedom of the employer and the landlord to deal with whom they choose? Why should one "side" in any transaction enjoy legal rules giving them superior information to the other?
Maybe you think that there should be elaborate rules dictating what employers and landlords (and participants in all kinds of other markets) can consider, denying them the ability to control the nature of their society, but that sounds like the administrative nightmare I talked about. And it would be quite unfree.
Dubious Endtrails
· 1 year ago
The problem is fascism. Government and business have been in bed together all our lives. They use and control the data. This is a global problem. Until we as humans can evolve past this state, either mentally or through force, there will be more of the same. You can't expect the people causing the problem to actually want to fix the problem.
Sam
· 1 year ago
Similar laws like the ones proposed exist in countries such as the UK, any information collected about a citizen by any organisation has to be available to that person.
False Data
· 1 year ago
I'm not sure I agree that making those who lose data liable is the right answer to this question. Let's analyze this approach a bit further.
Normally, if one person's negligent act or omission injures another, the negligent person can be liable in tort. So, for instance, if you get distracted and drive into the back of someone else's car, you can be legally liable for the damage you cause to their car. This same principle should apply to a corporation that injures someone by leaking that person's sensitive data, unless there is some law that shields the corporation from liability. I don't know whether such a law exists, but for the sake of argument let's assume it doesn't.
So, assuming these people are already liable in tort, the next question is why aren't they changing their behavior under a flood of lawsuits?
Two possibilities come immediately to mind. The first is that no one person is hurt enough to justify the year or two of effort and $50K-$150K in legal fees it'd take to win a judgment. The classic solution to that sort of problem is to allow class actions: let a whole class of plaintiffs pool their similar claims, with one legal team leading the charge, and divvy up any damages they recover. I, personally, don't have a big problem with class action lawsuits in the right circumstances, but the current political and legal climate seem to frown on them.
The second possibility is that those data collecting entities may be able to contract around liability. Maybe when you sign up for your credit card, for instance, the contract includes a clause that says, in effect, "you agree not to sue us if we lose your data." But if all the credit card companies had a clause like that, then no one would end up suing them for data loss because the only way to get a credit card would be to agree to a contract waiving your right to sue. The classic solution to that kind of problem is to pass a consumer protection law which says, in effect, you can't waive your right to sue someone who loses your data even if you want to waive that right. Again, I don't have a big problem with consumer protection laws in the right circumstances, but they're not the sort of thing I'd normally expect this forum to support.
Finally, if you're interested in overall economic efficiency, litigation is usually a poor choice. It's generally slow, expensive, and inefficient. There are times when it's necessary or appropriate, but are you sure you really want it as your primary enforcement mechanism?
False Data
· 1 year ago
One correction--I should have said "liable in tort" in that opening sentence. The privacy law would impose its own kind of liability.
Jim Harper
· 1 year ago
FD, there have been a couple of cases where data holders are held liable in tort for releasing data, including one case on permitting identity fraud. I cite them at the end of the piece linked to in my second comment above.
If you're asking why there isn't a flood of lawsuits right now, I think it's the first possibility you mention: because there isn't very much in the way of damages. Only a tiny percentage of data breaches result in any identity fraud happening.
I, too, would be amenable to well-circumscribed class actions, pursuing actual damages only, but that's hard to reach. It seems like half the world hates litigation, and the other half wants to use it as a quasi-regulatory tool and a source of jackpots.
That said, I prefer litigation to regulation because at least common law is self-correcting over time. Regulation represents the best guess of a legislature or bureaucracy about what the rules should be, which draws interest groups around it to freeze it in place, and it almost never changes. (I agree it's a close call between the two options.)
Philippe
· 1 year ago
Here in the province of Quebec (Canada) there is such a law that says that contract clauses that demand to waive your rights are illegal. Some businesses still put them in their contracts but they cannot be enforced. The trouble with litigation is that it is much to expensive for the great majority of the population and the balance of power of an individual to a business is much too small. Corporation usally have more and better resources than individuals. On top of that, at least in Canada, legal expenses are tax deductible for businesses while for the individual they are not.
Martin G.
· 1 year ago
Hey, Jim, The Data Inspectorate mostly takes care of these things _for_ me, ensuring that the creation of new archives containing information about me are strictly monitored for need, privacy & so forth. The law is not a sleeping law at all, quite the contrary, it is very active (mostly in that it is followed, more observed than violated), and while it is a source of debate (e.g. the unification of medical records: expediency of medical help vs. right to privacy and risk of data theft), it is also generally held to be one of the most successful specifically Norwegian institutions.
But yes, I have used this law on several (at least three that I can think of) occasions in order to make companies delete information about me that they shouldn't have, and were using for commercial purposes. On one occasion I reported the company (a small, dubious cell-phone-oriented internet portal, which is thankfully no longer around) to both the Data Inspectorate and the consumer protection doodad, the official name of which escapes me at the moment. Both institutions came through for me, and they forced the company to change its practices or face substantial daily fines (the doodad got there first, but the inspectorate could have done the same).
After I started my single-person company, it has gotten a bit harder to do, though. Being both a private individual and a public institution makes parts of my personal data publicly available. Which is as it should be, but does annoy me occasionally (e.g. with the damn phone salesmen, which I had reserved myself against previously – when they call me now, I make them delete their records of my number, but every now and then new ones trawl the public listings and find it.)
But I do think you're reading Schneier wrong. Emails discussing this blog post, for instance, are obviously private communications and protected by current privacy laws anyway. I think he is quite simply arguing for a law curtailing the right of institutions to store data about you. It's a great idea, and while I haven't read all of this thread yet, I have yet to see a good argument against it.
Jim Harper
· 1 year ago
Having read it several times, I'm quite certain that Schneier didn't limit his proposal to exclude private communications as the Norwegian law does.
But sense you have a commercial enterprise, I'll bite:
Given my right to request it under Chapter III, Section 18, of the Act of 14 April 2000 No. 31 relating to the processing of personal data, please inform me of the kind of processing of personal data your company is performing, and specifically: a) the name and address of the controller and of his representative, if any, b) who has the day-to-day responsibility for fulfilling the obligations of the controller, c) the purpose of the processing, d) descriptions of the categories of personal data that are processed, e) the sources of the data, and f) whether the personal data will be disclosed, and if so, the identity of the recipient.
You may post it here or send it to me at jharper at cato dot org and I'll start a new thread about it.
This oughtta be fun!
Jan
· 1 year ago
A difference in quantity can become a difference in quality - if large enough. Horseback riding and the automobile are both forms of transportation. In fact the first cars were worse transportation means than horses. Yet gradual enhancements finally became qualitative difference - and changed the face of our civilization. To me it's evident, that the same is happening to our data shadow going from analog to digital: Our shadow is quickly taken to modeling so many of our real life facets, habits, preferences, means, abilities, history, opinions, contacts etc, etc, that the impact of others analysing or manipulating our shadow have quickly gone from a small quantative to a big qualitative change - in out behavior and in terms of the power this holds over us.
Martin G.
· 1 year ago
Interesting! Well, I started writing this long, legalese response, but then I realised I should make you work for it:
As it happens, I'm just a guy commenting on a blog, and I'm not my company. So if you would just send the request in writing to my company's mail adress, and I'm sure my company will be happy to supply the information to you within the 30-day time limit.
Sincerely, Martin
John David Galt
· 1 year ago
Jim Harper asked me: JDG, do you realize that you're talking about limiting the freedom of the employer and the landlord to deal with whom they choose? Why should one "side" in any transaction enjoy legal rules giving them superior information to the other?
Two reasons. Employment (for everyone not already rich) and rental homes (for everyone who doesn't own one) are necessities. There are also horrendous, ongoing shortages of both employment (due to overregulation) and housing (due to the scam known as urban planning).
As a result, an employer or landlord can put whatever terms he likes in a contract, and 99 percent of us have no recourse but to sign it. After all, the next employer or landlord might not even decide to make you an offer -- and good luck finding out why.
So if employers and landlords are not restricted this way, they can and will impose all sorts of rules on areas of your private life that are absolutely none of their business. For proof of this read just about any employment contract or lease.
Remember when Adolph Coors Co. was known for subjecting all its job applicants to lie-detector exams about their entire past including their sex lives? It took a federal law to make them stop the practice. Every time I see one of their "Love Train" TV ads I still want to throw a few of their own bottles at their CEO's head. But without privacy protection laws, companies will soon be able to buy that same data from commercial database operators. The record may even be full of lies about you, but it'll render you homeless just the same, and you'll never know why or who's to blame.
Anyone who says the solution is just to negotiate better is out of touch with reality -- and is probably one of those Washington insiders who has never had to work for a living in his life.
Jim Harper
· 1 year ago
JDG - When people declare what "reality" is, you know that cuts down on the "willing to discuss fairly and openly" vibe, right? Continuing this thread with you doesn't seem like a good use of time.
All Comments
Organizations have to protect the collected data from unauthorized access and send an yearly report to the independent "Privacy authority" stating what you do with the data, who accesses it, ...
As far as I know, the law works quite well. Well-organized businesses do not usually have trouble implementing the necessary changes, while individuals and scientific research bodies have only limited responisibility (except for "critical data" such as health information).
And I'm not impressed with the Italian law. In January, I spoke at a small conference there, and we had to sign forms agreeing to allow the other speakers to learn who we were. It was silly, unnecessary bureaucracy, and I still don't know who half the other speakers were.
http://www.cato.org/tech/tk/050329-tk.html
However, I am so glad I did not go to Oklahoma State University...See the URL below:
http://chronicle.com/wiredcampus/article/3010/s...
As new technology removes these inabilities, it becomes imperative that the law either put them back in place, or introduce new laws to prevent employers and landlords from discriminating based on information of the types in my examples. Otherwise you are no longer free to have a private life that your boss or landlord doesn't approve.
And discrimination about those things is going to be impossible to prove. That is why gathering the info needs to be banned.
Maybe you think that there should be elaborate rules dictating what employers and landlords (and participants in all kinds of other markets) can consider, denying them the ability to control the nature of their society, but that sounds like the administrative nightmare I talked about. And it would be quite unfree.
Normally, if one person's negligent act or omission injures another, the negligent person can be liable in tort. So, for instance, if you get distracted and drive into the back of someone else's car, you can be legally liable for the damage you cause to their car. This same principle should apply to a corporation that injures someone by leaking that person's sensitive data, unless there is some law that shields the corporation from liability. I don't know whether such a law exists, but for the sake of argument let's assume it doesn't.
So, assuming these people are already liable in tort, the next question is why aren't they changing their behavior under a flood of lawsuits?
Two possibilities come immediately to mind. The first is that no one person is hurt enough to justify the year or two of effort and $50K-$150K in legal fees it'd take to win a judgment. The classic solution to that sort of problem is to allow class actions: let a whole class of plaintiffs pool their similar claims, with one legal team leading the charge, and divvy up any damages they recover. I, personally, don't have a big problem with class action lawsuits in the right circumstances, but the current political and legal climate seem to frown on them.
The second possibility is that those data collecting entities may be able to contract around liability. Maybe when you sign up for your credit card, for instance, the contract includes a clause that says, in effect, "you agree not to sue us if we lose your data." But if all the credit card companies had a clause like that, then no one would end up suing them for data loss because the only way to get a credit card would be to agree to a contract waiving your right to sue. The classic solution to that kind of problem is to pass a consumer protection law which says, in effect, you can't waive your right to sue someone who loses your data even if you want to waive that right. Again, I don't have a big problem with consumer protection laws in the right circumstances, but they're not the sort of thing I'd normally expect this forum to support.
Finally, if you're interested in overall economic efficiency, litigation is usually a poor choice. It's generally slow, expensive, and inefficient. There are times when it's necessary or appropriate, but are you sure you really want it as your primary enforcement mechanism?
If you're asking why there isn't a flood of lawsuits right now, I think it's the first possibility you mention: because there isn't very much in the way of damages. Only a tiny percentage of data breaches result in any identity fraud happening.
I, too, would be amenable to well-circumscribed class actions, pursuing actual damages only, but that's hard to reach. It seems like half the world hates litigation, and the other half wants to use it as a quasi-regulatory tool and a source of jackpots.
That said, I prefer litigation to regulation because at least common law is self-correcting over time. Regulation represents the best guess of a legislature or bureaucracy about what the rules should be, which draws interest groups around it to freeze it in place, and it almost never changes. (I agree it's a close call between the two options.)
The Data Inspectorate mostly takes care of these things _for_ me, ensuring that the creation of new archives containing information about me are strictly monitored for need, privacy & so forth. The law is not a sleeping law at all, quite the contrary, it is very active (mostly in that it is followed, more observed than violated), and while it is a source of debate (e.g. the unification of medical records: expediency of medical help vs. right to privacy and risk of data theft), it is also generally held to be one of the most successful specifically Norwegian institutions.
But yes, I have used this law on several (at least three that I can think of) occasions in order to make companies delete information about me that they shouldn't have, and were using for commercial purposes. On one occasion I reported the company (a small, dubious cell-phone-oriented internet portal, which is thankfully no longer around) to both the Data Inspectorate and the consumer protection doodad, the official name of which escapes me at the moment. Both institutions came through for me, and they forced the company to change its practices or face substantial daily fines (the doodad got there first, but the inspectorate could have done the same).
After I started my single-person company, it has gotten a bit harder to do, though. Being both a private individual and a public institution makes parts of my personal data publicly available. Which is as it should be, but does annoy me occasionally (e.g. with the damn phone salesmen, which I had reserved myself against previously – when they call me now, I make them delete their records of my number, but every now and then new ones trawl the public listings and find it.)
But I do think you're reading Schneier wrong. Emails discussing this blog post, for instance, are obviously private communications and protected by current privacy laws anyway. I think he is quite simply arguing for a law curtailing the right of institutions to store data about you. It's a great idea, and while I haven't read all of this thread yet, I have yet to see a good argument against it.
But sense you have a commercial enterprise, I'll bite:
Given my right to request it under Chapter III, Section 18, of the Act of 14 April 2000 No. 31 relating to the processing of personal data, please inform me of the kind of processing of personal data your company is performing, and specifically:
a) the name and address of the controller and of his representative, if any,
b) who has the day-to-day responsibility for fulfilling the obligations of the controller,
c) the purpose of the processing,
d) descriptions of the categories of personal data that are processed,
e) the sources of the data, and
f) whether the personal data will be disclosed, and if so, the identity of the recipient.
You may post it here or send it to me at jharper at cato dot org and I'll start a new thread about it.
This oughtta be fun!
To me it's evident, that the same is happening to our data shadow going from analog to digital: Our shadow is quickly taken to modeling so many of our real life facets, habits, preferences, means, abilities, history, opinions, contacts etc, etc, that the impact of others analysing or manipulating our shadow have quickly gone from a small quantative to a big qualitative change - in out behavior and in terms of the power this holds over us.
As it happens, I'm just a guy commenting on a blog, and I'm not my company. So if you would just send the request in writing to my company's mail adress, and I'm sure my company will be happy to supply the information to you within the 30-day time limit.
Sincerely,
Martin
JDG, do you realize that you're talking about limiting the freedom of the employer and the landlord to deal with whom they choose? Why should one "side" in any transaction enjoy legal rules giving them superior information to the other?
Two reasons. Employment (for everyone not already rich) and rental homes (for everyone who doesn't own one) are necessities. There are also horrendous, ongoing shortages of both employment (due to overregulation) and housing (due to the scam known as urban planning).
As a result, an employer or landlord can put whatever terms he likes in a contract, and 99 percent of us have no recourse but to sign it. After all, the next employer or landlord might not even decide to make you an offer -- and good luck finding out why.
So if employers and landlords are not restricted this way, they can and will impose all sorts of rules on areas of your private life that are absolutely none of their business. For proof of this read just about any employment contract or lease.
Remember when Adolph Coors Co. was known for subjecting all its job applicants to lie-detector exams about their entire past including their sex lives? It took a federal law to make them stop the practice. Every time I see one of their "Love Train" TV ads I still want to throw a few of their own bottles at their CEO's head. But without privacy protection laws, companies will soon be able to buy that same data from commercial database operators. The record may even be full of lies about you, but it'll render you homeless just the same, and you'll never know why or who's to blame.
Anyone who says the solution is just to negotiate better is out of touch with reality -- and is probably one of those Washington insiders who has never had to work for a living in his life.