58 comments

[ 2.8 ms ] story [ 120 ms ] thread
Disclaimer: I am neither for nor against Andrew Yang as President; I merely find affinity with the idea of data as a property right.

In other words, I think it's a good idea.

You can enter into binding contracts to sell, rent, or donate your property under pretty much any terms. This makes “data as property” a lot weaker than GDPR, which treats it more like your person in constraining what you can give up.
Sort of. I think it falls apart quickly.

If I draw a picture of you, is it your data or mine?

If you walk through my house and I store the pattern you leave in my WiFi signal, is it your data or mine.

I think we’d have to narrowly define what belongs to an individual and it would be too narrow to address the problem.

Also data as property would get signed away for nothing like how arbitration clauses are in practically every contract with no added benefit to the signer.

> If I draw a picture of you, is it your data or mine?

Clearly mine. You recorded information about me without my consent.

And when you use a Visa card? Is it yours, visa’s, the store’s, or the bank’s?

Or all of the above?

Who is impacted and fiscally responsible when it's mis-used? That helps quickly identify whose data it is.
But you are using their card, their network, and their credit. So that is clearly their information, is it not?
If you’re in a public place, why would I need your consent? Does TNG’s Geordi La Forge need consent from every being in sight because his visor is recording them and relaying images to his brain?

There should be no expectation of privacy in public places. Commercialization is a different story, I think.

Thank you for posting this! I had the same thought using a Visa card transaction, but you saved me the work!

Second order effects from this crazy policy are nearly infinite.

Note that I’m not talking about the intent of the regulation, but rather the issues of implementing it.

I appreciate Yang as a candidate and I hope his ideas gain traction. That having been said, implementing these rights is a huge task. For example: "The right to download all data in a standardized format to port to another platform" Just deciding on a standardized format for all data will involve significant political effort and technical effort.

I don't think it's even possible to apply these as blanket rights to all data. Focusing on certain domains (healthcare, finance, etc...) will help.

All of those rights or stronger are already in effect in the EU since last year, which means most companies doing online business already have to comply with them. In fact it's pretty clear that Yang mostly just copied GDPR with this whole proposal. I'm not complaining, it's a great law if you're for consumer protection.

Many companies already provide the option to download all data, and I've written GDPR data request mails to multiple US based companies with success. Mostly you get the data in JSON files (without schema).

Right now, many companies are trying as hard as they can to skirt the law, but there's land mark cases happening already that will hopefully put an and to that soon [1].

[1]: https://techcrunch.com/2019/10/01/europes-top-court-says-act... ironically, techcrunch is a prime example of a "tracking cookie consent" popup that is absolutely illegal and will hopefully get them huge fines once the data protection agencies have their hands less full with bigger fish (google, facebook, etc).

Some control over this stuff would be nice.
The cost of complying with such regulations would effectively fall on companies as a regressive tax. Which companies benefit in relative terms from a regressive tax? The already-large ones.
Yang is also fairly pro-blockchain. One of the key innovations of blockchains is being able to encode data as a property right and enforce it through software, moving the cost of compliance from the legal system (expensive) to the CPU (cheap).
How do blockchains help you "enforce" restrictions on downstream uses of personal data?
Encrypt your data; publish to public blockchain. Instead of ever giving out the data itself, you give out the right to do something with that data, in the form of signing a method call on a smart contract platform. This is basically the capability security model applied to data in the cloud. Capabilities have well-known patterns for things like revoking access over time (see eg. the Membrane Pattern).

To prevent cases where the "something" that the smart contract does is "copy all your data bit-for-bit and upload it to my evil masters", you could perhaps apply information entropy, on a platform level, to the source and output data, and only allow the transaction if the output data contains many fewer bits than the input. So say you have all of your location data and review history on the blockchain, encrypted with a private key known only to you, and you want to grant an application the ability to recommend nearby restaurants that you might like. You authorize the transaction, and expect that the contract will release ~1K to you (a restaurant name, description, menu, reviews, and geocode) and will increase the data stored within its own data ownership by 0 bytes. If it does something otherwise, it's broken the contract, and can be automatically penalized financially (because this is a blockchain, it inherently needs a cryptocurrency).

I've had an idea for something like this since hearing about Google's Federated Machine Learning research paper and reading the Ethereum spec, but have other more pressing projects right now and don't have time to implement it. If anyone feels it's interesting, feel free to steal - I'd still love to work on it at some point in the future, but there're still some holes in the idea (notably around the information theory & federated learning aspects) and another speculative research project isn't really what I'm looking for now.

This isn't making a whole lot of sense to me. Capabilities seem to be about making sure that sandboxed software doesn't get unauthorized access; it presumes you have a trusted environment (whether software, OS, or hardware) to enforce the capabilities.

Meanwhile, blockchain computation is about getting useful work out of untrusted participants. It doesn't seem like a fit.

Also, how do you do any calculation at all without decrypting the data? Or if you're thinking homomorphic encyption, what does a blockchain have to do with it?

To do this meaningfully on any dataset that changes (finance, health, etc) will cost too much to store on blockchain. It’s expensive enough trying to store it on s3 or even glacier. If the chain stores everything forever it will get too expensive too fast.

I think a more realistic (but way less money for speculators) is to store PKI on a blockchain, then encrypt any blob anywhere and sign. Send that signature to the smart contract and have them pull blob from non-blockchain store.

If it’s something that the owner has agency issues with (eg, calculating fico score) then register the hashes of the data with a blockchain.

No need to store the data on the chain unless you’re worried about it disappearing.

Yeah, this assumes the existence of something like FileCoin/Storj that stores the actual data off-chain, with metadata & access keys on-chain. The blockchain is used to validate the integrity of the data blob and to financially compensate the host(s) that are physically storing the data.
It's cool, but the older I get the less time I want to spend learning tricks like this, in the same way that I don't want to waste as much time learning the intricacies of new videogames. Technology can be liberating but only in proportion to the amount of time people can invest in it. If technological liberation is just about getting an asymmetrical advantage for oneself and not extending that to everyone else (without demanding that they become experts in this latest way of gaming the system) then it's trash.
Many data protection regulations, GDPR included, have exemptions that ensure that smaller organizations are not impacted until they are sufficiently large to bear responsibility for and provability of their actions.
I’d agree that theoretically the regulations could be made more complex in order to mitigate their regressive second-order effect. I believe that familiarity with the evolution of regulation in other domains should disabuse one of the idealistic notion that such complexity would “ensure that smaller organizations are not impacted” by the regulation. In practice, such complexity has a way of inhibiting companies from growing, for one thing because it creates levers which the incumbents can co-opt to make life more difficult for their aspiring competition.
Only large companies are capable of building a car that complies with emissions and safety expectations, but that doesn't mean that we'd be better off if there were tens of millions of black-smoke-spewing death-trap shitboxes on the freeway.

Frankly, given the long history of data abuse, security problems, and generally anti-human practices by IT and tech companies, I'd be perfectly fine if cowboy developers not be allowed to touch this product space.

That's not to say that large tech companies are blameless angels in any of this.

Unfortunately I think your view is going to become the prevailing view and the internet is going to become cable 2.0. People are just obsessed with finding corners to round.

For some reason people think comparing loss of privacy when voluntarily visiting a website to deaths caused by car accidents isnt intellectually dishonest.

You're almost right.

Sure, I don't value my privacy, the security of my financial information, etc as much as my life.

But it's close.

Again a false equivalence. Financial information is already protected by numerous regulations. We are talking about generic cookies that are being used for tracking user behavior for a large number of useful and benign purposes. Most of the data is already pseudonymous.
So it just falls on users as a regressive theft instead. Great!
>>>

- The right to be informed as to what data will be collected, and how it will be used

- The right to opt out of data collection or sharing

- The right to be told if a website has data on you, and what that data is

- The right to be forgotten; to have all data related to you deleted upon request

- The right to be informed if ownership of your data changes hands

- The right to be informed of any data breaches including your information in a timely manner

- The right to download all data in a standardized format to port to another platform

>>>

The vast majority of these rights only work when applied to commercial entities. They don't protect you from government invasion, and they don't protect you from individual/social invasion. When applied on the individual level, many of them are flat-out unconsitutional (the right to be forgotten is a particularly obvious example).

Does this matter? Is it a problem if we specifically target corporations first? I think it does matter.

Even though corporations are currently some of the worst privacy offenders, I think there's real harm in orienting the privacy debate around Capitalist terms, and I think it sets a really bad precedent for future conversations. I strongly suspect that a pivot to talking about privacy as a property right being violated will make it easier for the government to dismiss future criticism, and easier for malicious groups to claim that data from public sources should be fair game.

My right to privacy is not based on the idea that I am being economically harmed. It's based on the idea that I have a fundamental right to hide my identity, and a fundamental right to choose what I disclose to the people around me. Money has nothing to do with it.

This proposal also goes against years of collective advocacy from activists for both an Open web and a private web that no one can own a fact. I firmly believe that the expansion of IP laws are counterproductive, even when expanded ostensibly for the sake of privacy.

Andrew Yang may speak for some members of the privacy community, but he doesn't speak for all of them. I really wish the politicians who are just now jumping on the privacy train would spend more time looking at the history behind these debates and the history of the activists that were working before them.

These rights are strikingly similar to the ones outlined in GDPR.
How is the right to be forgotten unconstitutional? I would think me being able to have my data deleted upon my request wouldn't necessarily infringe on my own freedoms, but I could be wrong.
Freedom of speech includes the right to spread the truth about others. The "right" to be forgotten is the right to silence others.
Why are you implying that the right to be forgotten only applies to silencing "truths?"

What truth am I forcing someone to be silent about if I simply don't want my personal data used for malicious or unwarranted commercial purposes?

It not that the Right to be Forgotten only applies to truths, it's that in addition to everything else, it also applies to truths.

If people are spreading lies about you in the US, you can sue them for defamation. Beyond that, silencing someone because what they're saying 'isn't relevant' goes against the US interpretation of the 1st Amendment.

Arguably, we can create exceptions there for corporations (although we should expect a few court cases about it). But the (US) government can't restrict me as an individual from talking about another person's past in private or public spaces.

The right to keep and bear arms exists, yet it's illegal to commit murder with a firearm. The right to vote exists, but not the right to commit vote fraud. The fact that a right can be abused is not a valid argument that it doesn't, or shouldn't exist.

If one objects to the right to be forgotten altogether, then one objects to the right to demand that even false and libelous content can be removed from the internet. You can sue for defamation, but you can't prevent the publication and spread of defaming content.

>But the (US) government can't restrict me as an individual from talking about another person's past in private or public spaces.

Yes but the right to be forgotten doesn't apply to private or public spaces, it applies to data on the internet, or am I mistaken?

Harm principle.

The government doesn't ban firearms, automobiles, knives, etc. because they have potential to cause harm, so why would the government break freedoms to censor information on the basis that it has potential to cause harm?

Defamation (libel/slander) is not a crime and is not censurable as such, but you can be sued for the damages (harm) that it causes. You are free within your first amendment rights to leave that defaming information up after it is proven to cause harm in civil court, but then you are still liable for the damage it continues to cause.

> You are free within your first amendment rights to leave that defaming information up after it is proven to cause harm in civil court, but then you are still liable for the damage it continues to cause.

IANAL, but this is a weird interpretation to me. I'm not sure how to describe a court fining you for publishing information other than, "compelling you to remove that information."

I dunno, this really doesn't line up with my understanding of libel laws.

Of course, bear in mind that the Right to Be Forgotten has very, very little to do with libel. If we were just talking about libel, we'd use existing libel laws. The fact that Right to Be Forgotten exists in addition to libel laws should be enough to show that it is targeting different information.

I dislike that people bring up libel when debating Right to Be Forgotten, because I view libel laws as largely irrelevant to the debate. It's just trope #3 again[0].

[0]: https://www.popehat.com/2015/05/19/how-to-spot-and-critique-...

I didn't bring it up - I was explaining how it's different and not a form of government censorship.
The 1st Amendment, as it is interpreted in the USA, bars this. It's not absolutism that's blocking a US Right to Be Forgotten, it's decades of court precedence. It's not arguing that we can never restrict information ever, it's just that the US Supreme court has consistently ruled that publishing factual information is protected.

> If one objects to the right to be forgotten altogether, then one objects to the right to demand that even false and libelous content can be removed from the internet. You can sue for defamation, but you can't prevent the publication and spread of defaming content.

We have exceptions to the 1st Amendment for defamation and copyright. They are very, very narrow exceptions.

The Right to Be Forgotten works in Europe largely because Europe has different standards than the US on what Freedom of Speech means. When a US citizen and a European citizen talk about Freedom of Speech, they're not necessarily talking about the same thing.

That's not to say Europe's take is necessarily wrong. But it is to say that Andrew Yang is running to be the president of the US, so the European interpretation of Free Speech isn't relevant to his platform proposals.

> the right to be forgotten doesn't apply to private or public spaces, it applies to data on the internet

Public/private spaces don't go away on the Internet.

A corporation or private actor can delete content from a forum/website they control for any reason. They have a Freedom of Association. But the US government may not compel them to do so, except where that content falls into extremely narrow exceptions that have been carved out over decades of legal debate.

The right to be forgotten has been used to sue news sites into shutting down, for not taking down past stories that are factual: https://www.nytimes.com/2019/09/23/technology/right-to-be-fo...
Agreed. Privacy should be right for the everyday person, and not a right for the powerful, who should have no right to privacy. Progressive rights make a lot of sense in a context where people with power can take a right that is helpful in most contexts and twist it to increase their personal power and harm others.
How does requiring a company to delete info from a specific computer materially impact the ability for others to speak truth?

It feels like you’re talking purely philosophically and ignoring the nuance of our legal system.

SCOTUS, including right wing literalists, have held that Constitutional rights are not iron clad in all contexts.

Main Street seems to believe the first amendment is very broad, but then there’s the whole shouting fire in a crowded room. Instigating acts of violence and threats, etc.

Freedom from and freedom to are distinct concepts in our legal system.

Which is why we have things like patents and copyrights.

I fail to see the issue you bring up.

Yup. Governments enforcing information about individuals to be deleted is a form of censorship that violates the first amendment. GDPR tries to make stipulations about how deletions related to 'public interest' do not need to be deleted, but they are still enforcing government-backed censorship.

It's something that some people want, obviously, but is the government really the best candidate to enforce it?

Who will if the government does not? What entity has power is greater than the corporation who can force them to act?
What are the requirements? If having power is the top priority requirement, then China's information censorship is okay.
Personal opinion - freedom of speech should apply to people, and not corporations. If you want to publish "truths", then do it as an individual, don't hide behind a corporate shield.
(comment deleted)
This is the wrong approach.

It doesn't address the biggest privacy concern: the government's collection and use of personal data. No restrictions there, I guess.

Information wants to be free - even when it's about you. Putting that genie back in the bottle - the right to be forgotten - creates a world that is less free.

We should be really going the other direction and not allowing these corporations to hold this data in private silos to re-enforce their monopolies. They use the force of law to hold these monopolies over the things you've written so that it's their property and not the property of the individual. That's wrong and that's granted by the government.

Well, as we are finding out, freedom results in people being hurt. If you limit the freedom, you can prevent people from getting hurt.

Is freedom worth the harm it enables? That is a choice everyone has to make. Most people are willing to give up a lot of freedom in exchange for mitigating harm.

Generally yes.

When someone says "I give up this freedom" it's often because they don't use it or it doesn't affect them. The problem is that what they are really saying is "I give up this freedom for myself and everyone else."

This is bad when you have a large group willing to give up a freedom they already don't use or care about that only affects a minority of people. The problem comes that a different, overlapping large group is willing to give up another freedom and now the minority affected by that loss was part of the first large group. It's easy for this to continue until everyone has lost a freedom they enjoyed because they signed up with some large group, often thinking they were 'right'.

TL;DR: The road to hell is paved with good intentions.

I certainly agree with you, that the larger concern here has to be the government, and its overt, broad, barely regulated, data collection efforts.

I'm pretty sure Yang is the best thing to come out of this election season so far, even though I have to disagree with him on a large number of items, at least he's forcing some conversations.

> It doesn't address the biggest privacy concern: the government's collection and use of personal data.

I don't agree that this is the biggest privacy concern. In my opinion, this is just as concerning as corporate collection and use of personal data.

> We should be really going the other direction and not allowing these corporations to hold this data in private silos

We should not be allowing anyone to collect this information (without informed consent) in the first place.

I second this. As of right now, the Government is doing a lot less (with a lot more data) than private companies are. That doesn't mean we ignore them, but a bigger priority is to to nail down the corporations who have virtually no restrictions on how they use our private data.

As a singular example, right now a private corporation (Equifax) has as much say in my ability to be employed as the government (if not more).

> Information wants to be free - even when it's about you. Putting that genie back in the bottle - the right to be forgotten - creates a world that is less free.

It is accepted (I believe) that it is reasonable that federal judges and police officers don't have publicly published phone numbers, similarly people who have been stalked or threatened or doxed have demonstrated why things shouldn't always be public.

I definitely agree that private corporate data silos are no good (since they're essentially public data silos as soon as they're compromised but serve to monetize your privacy by selling it to third parties in the mean time) but I disagree that all data must be free and I am certainly not offended by people's desire to have a modicum of privacy in the modern world...

All that said if the monetary value of this data is removed by restricting private usage of it then we'll likely see the equation of value vs. cost for companies storing data shift back to preferring to store as little as possible. Disallowing private data silos may effectively restore a measure of privacy to most people by removing anyone's motivation to collect data.

> All that said if the monetary value of this data is removed by restricting private usage of it then we'll likely see the equation of value vs. cost for companies storing data shift back to preferring to store as little as possible. Disallowing private data silos may effectively restore a measure of privacy to most people by removing anyone's motivation to collect data.

on the other hand, the first few years of having everyone's search history be public could be pretty chaotic...

I prefer actual privacy rights that are inalienable than having my life commoditized and made the subject of contractual bargaining for every little thing.