86 comments

[ 3.2 ms ] story [ 140 ms ] thread
What's needed is a ban on usage of location and health data unless very specific conditions are met, targeting the purchasers of data not only the middlemen and ensuring that it's illegal to use personal data which "fell off of a truck".

Data brokers can go underground to circumvent a ban on sales, but the end users funding that industry are legitimate businesses who (hopefully) would have to follow the laws, so it's important to target them.

Isn't that a war on billionaires using drugs? Where "information usage being criminalized" is "drug consumption being criminalized" and the "billionaire doing drugs" is the "multi-billion dollar corporation using the data"?
"War on drugs" and alcohol prohibition are frequently used by libertarians to suggest that all forms of prohibition are doomed to cause more damage than that which they prohibit. But this is a sleight of hand, drawing attention to two specific prohibitions which generally failed, away from the myraid of prohibitions that work just fine. Such as the prohibition against selling cars without airbags, or the regulation of CFCs, or asbestos in new construction, or selling live frag grenades to the unlicensed public, or a thousand other things governments around the world successfully regulate and prohibit every day.
A corporation (or LLC) is not equivalent to a singular person or a small informal group, but rather a bureaucracy that operates according to openly promulgated rules and goals. Operating outside of those rules exposes one to individual liability, regardless of specific individuals often being judgement proof or otherwise impractical to assign blame to.

One of the practical problems with the "war on drugs" was its bumping up against individual privacy. Corporations have no such privacy nor right to privacy - being chartered under government authority means they need to continually file compliance reports and are essentially closer to being organs of the state rather than individual humans. So no, if a company does decide to illicitly process personal information for nonconsensual purposes, that most certainly can be enforced upon.

> What's needed is a ban on usage of location and health data unless very specific conditions are met

We need a ban on collection of that data, not just the sale or use of it. The conditions under which it is legal to collect that data should be subject to very strict regulation and involve explicit informed consent of every person tracked, ideally refreshing that consent on a regular basis so that it's not something you could consent to once years ago and forget about.

Not just collection. You want to know how health data is sold? Because the SaaS platforms that small doctor's offices and clinics use to run their practice, they turn around and sell "anonymized" visit and prescription data.

But those platforms clearly have legitimate need to collect/house that data. They need to be restricted from selling/licensing it to third parties, regardless of any amount of anonymization or differential privacy applied.

Health data is only part of it, and there needs to be more regulations about what and when it can be collected, stored, digitized, transmitted, sold, etc. Every aspect of this needs more regulation and much of it needs to be prohibited entirely. Regulating just sale/licensing of the data is not enough, but is obviously a necessary part of it. We need to also regulate the conditions under which this data is collected and stored as well. Informed patient consent is needed before digitizing any patient data, let alone before a doctor entrusts that data to some SaaS provider. Patients need to know which SaaS provider is storing their data on their servers, and have the opportunity and right to veto it without abstaining from medical treatment. Furthermore if the patient does opt into the third-party recordkeeping, they each need to be contacted and asked for consent if that company is ever sold or otherwise acquired, and given the opportunity to have their data deleted instead of transferred to the new owner of the company. Just because I consent to Small SaaS Provider A having my records 5 years ago doesn't mean I consent to Conglomerate B buying out A today and getting all my data in the process. Consent should be confirmed at every single time a new company wants to possess it, let alone transfer it or sell it.

For instance, suppose I consent for Fitbit to track me five years ago. Then Fitbit gets bought by Google. It should be illegal for Fitbit to transfer that data to Google without my consent, and illegal for Google to receive that data without my consent. It shouldn't even be legal for Fitbit 5 years ago to secretly store that data on rented Google or AWS servers without telling me which company they are subcontracting my data out to.

tl;dr: Possessing any data about people should be considered a toxic liability and a huge regulatory pain in the ass. User data should not be considered a valuable asset, but rather an evil that you loath to touch at all unless there's no other way.

Do you suppose the same thing would have to apply if Fitbit bought a company? Should they be able to share data "downstream"? What if they ditch the purchased brand and absorb the company's employees into Fitbit Prime -- do they have access?

I think it can get tricky. I'd rather just not allow them to track me in the first place, I guess.

I want anonymized data to be used for research purposes. I want it possible to unblind the data when a research seems to show something and they need more information. However the purposes the data can be used for needs to be strictly controlled, and when it is unblinded even more strictly.
> We need a ban on collection of that data.

So, how am I supposed to use Google Maps?

Maybe you mean long-term storage?

Still - I like to be able to see all the restaurants and places I went to. What if I like that?

HN is generally very hostile to the idea that many people want their data collected, or at least don’t care much at all.
The surveillance industry is very hostile to the idea of letting the public know what's going on and giving them a choice. If people consent to it after being informed, then fine. But they need to be told and asked.
Like how everyone just clicks on "I AGREE" to the EU cookie popup without reading anything?

Most people don't even read their mortgage contract carefully.

People aren't ever going to read a EULA to read a recipe for chicken soup.

People click "I agree" when the "I disagree" button is non-existent or buried where they can't find it.

The people making those popups wouldn't be going to such great lengths to make it hard to opt-out if people didn't want to opt-out.

The only places I ever read people complain about cookie consent dialogs is on forums with lots of people in the web/surveillance industry. I don't take this complaint seriously.

Anyway, the forms should all be standardized government forms, not bespoke anti-pattern devices cooked up by web designers in a competition of malicious compliance.

Have none of these people considered that maybe the "people in the know" are "hostile" about these "data collection" actions for good reason perhaps? That maybe, just maybe the people abusing these data collection activities are doing hostile things, or taking unnecessary risks with the data, and we're concerned about the past, current, and future consequences of those actions?

I personally hate being the "I told you so" guy. I try to warn people about things like security, privacy, and backups of important data, and am frequently ridiculed as "paranoid" (and much worse) right up until their cavalier attitudes about these things bite them in the ass and they lose decades of irreplaceable important data, or they get "doxxed" or worse yet, become the victims of "identity theft" and then they inevitably come crying back to me to help them "fix it". I don't want to have to tell people "Yeah, sorry. You're screwed at this point." That never feels good to say.

This uncontrolled corporate and government collection of (what should be private) data is another such situation, where people don't need it to be happening, but they've been trained by these corporate and government entities to believe it's "necessary" or "useful" somehow, and those people absolutely refuse to accept that there may be better (and safer) ways to handle such situations other than just blanket collection of data on corporate or government servers. Maybe we're "hostile" to these activities because they're hostile activities and we're trying desperately to convince folks there's better options.

> Have none of these people considered that maybe the "people in the know" are "hostile" about these "data collection" actions for good reason perhaps?

Have none of these people considered that maybe other "people in the know" AREN'T "hostile" about these "data collection" actions for good reason perhaps?

Most people are aware that everything has a cost. Some people want us all to live under rocks because they don't like big companies. Other people think it's worth the cost. The vast majority of people just like "free" stuff.

At the risk of being presumptive, approximately nobody wants their data "collected" in the manner being discussed.

They do want their data "collected", in the sense that they are happy with it being used for some kind of legitimate purpose – like providing a service to them. Most people will also accept their data being collected for various other reasonable purposes – like logging, fraud monitoring, that kind of thing. I will accept that there are probably quite a few people who don't care either way.

There's a weird kind of reaction—among some tech people in particular—to the idea of regulating data collection – all sorts of total non-sequiturs, like "but are you telling me I can't have web server logs any more!!!" or "how would we have google maps!!" that requires either a stunning lack of imagination or deliberate feigned ignorance.

> So, how am I supposed to use Google Maps?

Atlas data can be sent to the map application without the map application sending personal data back to the atlas provider. If that means the map application can no longer be "free" (funded by user giving up their data) then so be it. Of course the atlas provider could log users and which map regions they request, but the point is to regulate that logging so severely that the data becomes a liability not an asset.

Google maps can still work without any of your data.

> I like to be able to see all the restaurants and places I went to

This isn't difficult to implement either without sending any information out.

Any easy solution here would be to classify the collection of personal data as stalking and then treated accordingly under existing law.
There's no chance such a ban proposal survives in Congress as Google, Apple, Facebook and hundreds others would battle to death against it...
I think we need a ban on all three and heavy penalties for those caught doing it. Not just a fine that could be potentially a cost of doing business.
> We need a ban on collection of that data

If you send me data, why shouldn't I be able to collect it?

And if you sneak around and collect data behind my back without telling me, how is that not "stalking"?
Interesting idea. I kinda would go with both. I'd rather see the sales banned to some extent as well even if it was underground anyway.
I agree to all of that. That said, data also has a positive value, for society and democracy. Our societies need data to find fair, just and equal solutions, e.g. to resource distribution. This is not possible without data, and location data is the most important of all.
M&A teams can “innovate” new systems where companies merge and spin off subsidiaries all of the time to amass large volumes of historical data that is of course shared equally with the divested interests.

I think we are mistaking how important recency is. Sure the current data on me has value, but there is also value in figuring out what my current behavior has meant in the past with other people, and trying to figure out what I might do next even if you haven’t tracked me specifically within an inch of my life, right now.

Knowing what I did five years ago and what people in my social groups do might be valuable enough even though you’re “protecting me” going forward. As you say, we might have to make this data a hot potato. Create situations where hoarding is a liability rather than an underutilized asset.

If you're not going to include supporting evidence, then why make the comment at all?
Evidence of what? I'm saying I like her decision. How do I provide evidence of an opinion?

> If you're not going to include supporting evidence, then why make the comment at all?

Can you provide evidence of this?

You are saying, "she says the same shit all the time, she was right this one time"

Your comment is a zero value snipe at Warren and not about data collection. You literally were just triggered by a name in the headline and had to comment. I assume "AOC" probably causes you to do the same.

> How do I provide evidence of an opinion?

That seems fundamental to reasoned discussion?

This is just bad faith after bad faith. If you say something bad about someone either back it up or don’t say it. I want to hear why Elizabeth Warren is bad so I can decide for myself, otherwise your comment is the equivalent of saying nothing. It contains zero information.
OK sounds great to me so what are the downsides?

For example a navigation app itself could still collect and use the data itself, but couldn’t sell that to a third-party. A geofenced application could be woken up by the system when I entered the region (say OmniFocus reminding me that I could stop in and pick up a prescription that is ready — I would be explicitly asking for this to happen).

So what great functionality could I miss out on if this became law?

>"So what great functionality could I miss out on if this became law?"

We are just at the beginning of analyzing and using health and location data; if there are groundbreaking use cases for them, it's very likely that we haven't seen (or even thought) of them yet.

Great - in that case now is the best time to get ahead of the curve in making sure that such use cases are ethical and not used by scumbags to target advertising.
The one big downside I see is Google (and the cell phone carriers, and a few others).

They already HAVE this data. It’s part of running Maps or a cell network.

So this further entrenches them in some ways because they can make decisions and products off data no one else has.

You know that thing when you search a place and it tells you how busy it is at certain hours?

Bing could never replicate that. They have no way of knowing.

The way to deal with that is to enshrine into law that Google are not the owners of this data, but merely stewards. My maps location data should not be available to other divisions within Google, and should only be available to the maps team to serve my interests. There are effective rules that your bank is not allowed to sell your account information. Your location information should be subject to much the same.
That's where you bump up against copyright problems. For example anyone who composes a book or an opinion piece in the New York Times is obtaining data/information and publicizing it for profit. If you're going to argue that publishers of information don't/can't own the substance of their publication, how does one make a claim to the rights of what one has published? I would think GPS software operates on the same principle.

The bank cannot directly sell your location information but they can disclose it to financial partners, likely for some financial quid pro quo. If you read the contracts on the You have to manually opt out by way of mail. I'm assuming Google does the same thing.

Facts can't be copyrighted.
But compilations of facts can be copyrighted. Textbooks, encyclopedias, and research papers are all copyrightable. In that regard, map data seems no different.
I’m not saying I’m against this law, but it gets messy very fast.

When a business is busy is a part of Google Maps, but no one else but Apple could realistically try to duplicate it. That’s a hell of a wall against innovation.

But can Google include that graph in search results? It’s part of Maps. But it’s derived from location data. But Google Search has location data, so maybe. But what if that would show different busy time? Do you have to show a different graph?

What does Google Assistant do?

I don’t know how we put the genie back in the box on this stuff. I like the idea. But I don’t know if it’s executable.

A downside is that it strengthens huge companies (e.g. Google, Apple) that have that information from one of their products (e.g. Google Maps) and are able to use it in another one (e.g. Google Ads).

That being said, data brokers seem to be rather poorly behaved players in the market with little respects for users privacy. So it's a tradeoff I guess.

> Nothing in this Act shall be construed to prohibit a disclosure of the data of an individual for which the individual provides valid authorization.

Nothing will change. You'll just be bombarded with requests for permission or it will be buried in the fine print you agreed to in the non-negotiated "contract".

What about the health and location data that is already out there? How would that be handled, can it be sold, exchanged, or does it have to be destroyed?
It's unexpected that they're coming at this from an abortion angle... but I'm all for it.

Just last month it was reported that the CDC was buying troves of this data (from the same vendor Warren is calling out) to monitor millions of us without our permission. Similarly DHS, ICE, and the FBI have all been found to be buying this data -- which is a legal loophole to get around actually getting a warrant.

I hope lawmakers don't carve out any exceptions for government in any such ban.

> It's unexpected that they're coming at this from an abortion angle

Even if there was a chance that the GOP would let this through the Senate on its own merits, tying this to abortion-related issues all but guarantees this bill is dead.

I fear you're right. There are some privacy issues GOP voters care about though; privacy regulations could also be framed in terms of protecting private gun sales for instance. Or to prohibit stores from keeping track of who the preppers are (those that care probably pay with cash already, but what about facial recognition in the stores? Frame that as a threat, and prohibit it.)
I have to think that she knows as much too. It's a bad bill (it would be ruinous for healthcare research), and I think it's more about scoring points with pro-choice and pro-privacy voters than it is about actually passing policy (at least I hope she wouldn't seriously try to upend healthcare research).
Based on TFA, this bill sounds disastrous for healthcare research which depends on access to this sort of data to find treatments and cures for diseases like cancer, HIV, COVID, etc. I'm all for preventing advertisers from sweeping up our data, but a blanket ban on the sale of healthcare data would be lethally short-sighted (note that "personally identifiable" healthcare data is already protected by HIPAA, so I'm pretty sure this bill aims to eliminate the sale of "de-identified" healthcare data).
What about banning the postal service from selling customer's data, and funding it some other way?

What about changing the "do not call me register" to a "please call me register" and making do not call me the default, and penalizing those who break the rules?

How about banning all those websites that aggregate and sell personal information from social media and public records?

> What about banning the postal service from selling customer's data, and funding it some other way?

If you actually read the article, you'd see that this is in response to the upcoming Roe v. Wade vote and how health app data could be used against citizens in the future.

More broadly though, if we always chose to reject legislation based on the fact that we believe it could go further in some way, nothing would ever get done. It's never good enough for somebody. We're OK with businesses shipping half-baked MVPs but we always expect elegant and complete waterfall legislation from our government.

The problem is that because this move is partisan it won't be effective accept as political ploy.
Well I got bad news, everything that happens in US Federal politics today is partisan. That's not an excuse not to try.
What data does the USPS sell other than change of address (which I'm a fan of since it means I rarely have to update my address when I move, the businesses I care about find out from the USPS). I know they scan incoming mail, do they sell any of that information?
I don't know if they're personalized or not but there are ads within the Informed Delivery emails, and it wouldn't surprise me to learn there is at least superficial tracking and/or personalization based on who you're [not] receiving mail from.
I don't know if this constitutes "selling data", but the USPS allows you to run direct mail campaigns on routes and neighborhoods. The USPS provides moderately granular, aggregate data about the route/area, which you can then target. Some of the data includes household income, household size, and age brackets. Insofar that I know, you cannot unsubscribe from this type of mail.

You can see for yourself here: https://eddm.usps.com/eddm/select-routes.htm

"We can't do anything unless we do everything" is always a weird stance.
Why, every time someone suggests a fix to something they see as a problem (regardless of whether it's actually a problem, or even the merit of the solution), is there no shortage of people saying "yeah but what about these unrelated problems?!"

I think everything you suggested is something that should be addressed in one way or another. I think banning the sale of medical data is probably a good thing more often than not. All these things can be true, but responding to a statement about banning the sale of medical data with "yeah well what about the post office?!" seems weird, and perhaps politically motivated.

(comment deleted)
The phenomenon of responding to a statement with a "well what about {quasi-related|unrelated topic}" is called Whataboutism[1].

I think most people use it because they feel there is a larger systemic cause not being addressed by treating a specific symptom, but it does tend to read as a way to shift conversation away from the topic at hand.

1: https://en.wikipedia.org/wiki/Whataboutism

(comment deleted)
Does anybody fall for this bunkum anymore? She's pandering to the fearflavor of the day for media attention.

---

Re the gender obsessives - sorry, dropped an s.

Does anyone else feel like op did not read the article and is just taking a stance for the sake of taking a stance?
To what male Senator Warren are you referring?
Yeah, Warren hasn't done anything of substance since the CFPB. And even that has been of questionable value. She's just doing the typical saber-rattling to get her already-liberal base to keep voting for her.
A very solid start.

Personally, I believe it should be illegal to sell, or buy, personal data for the purposes of marketing or monetization. Companies can use the data they've acquired through direct integration, and companies can provide services which utilize that data to other companies, but the actual data should never change hands or be exposed to a third-party.

I'd also like to see a ban on politicians sharing, renting or selling donor lists but I have absolutely no faith that bill would pass.

Right after they used location data to expose election fraud lol... plugging that hole in their fraud.
What hope does this have of passing? The Democrats act as if they live in a psychotic delusion: as if the GOP won't disrupt this attempt and everything else the Dems do, and as if the Dems were not even aware of that problem - not only not confronting it, but not even naming it, like it doesn't exist!

The issue with privacy (and many other problem) is politics. The US has a critical political problem. There is a political problem to solve. Why would the GOP stop doing it if they keep gaining at the ballot box, and if the Democratic Party doesn't make them pay a price for it? Who would ever vote for a party that advertises it's haplessness?

Senator Warren loves to introduce bills, as far as she is concerned that is the only goal - very little of what she proposes ever goes anywhere, likely by design.
Well Warren's pissing off her fellow Democrats by submitting bills like this.
No, the Democrats act as if they are there to govern, and force the GOP to admit over and over that they are there to prevent governance.

The problem is that too much of the GOP base actually wants that obstructionism.

Now, granted, the Democrats do have a big problem with admitting that the game has changed and changing how they do things to take that into account, but personally, I believe continuing to introduce bills to try to genuinely address some of the problems in our country, thus showing that they do have the will and the ideas to continue governing, is something they absolutely should be doing even in this situation.

What, exactly, would you propose the Democrats do instead?

> No, the Democrats act as if they are there to govern, and force the GOP to admit over and over that they are there to prevent governance.

That's what the Dems tell themselves, but everyone know it's BS - that's why everyone is so anxious and stressed, why it seems that the world is going crazy. We are in a crisis and our leaders are hiding their heads in the sand, telling us - against all reality - that they will proceed like everything is normal. It's just a way for the leaders to stay in their safe space (legislation) and not get into the political fight, which is all that matters at this point - nothing can happen until that problem is solved, and our society and freedom will continue to be destroyed.

The Democratic leaders are cowards - just like military commanders who avoid engaging the enemy, with every rationalization in the book. The enemy is advancing, they are over the next hill, you need to fight (lawfully, politically, peacefully, with integrity) - and WIN. Is that too strong? That it seems strong shows how backward the Dems are. There is no doubt, they need to fight and must win, but they aren't even in the mindset of fighting. 'Trying' is for losers. The Dems are content to lose.

> I believe continuing to introduce bills to try to genuinely address some of the problems in our country, thus showing that they do have the will and the ideas to continue governing, is something they absolutely should be doing even in this situation.

Showing who? Who in the public knows what bills they've introduced (HN is a rarefied population)? Who even knows what they've passed? What effect does this have on the crisis? Legislation is their safe space. It's like the insurgency has broken into the Capitol and the Democratic leaders say, 'Let's introduce bills!' And don't forget, 'but only introduce bills that don't risk any conflict or confrontation - we don't want any of that!' (like the gun control bill).

> What, exactly, would you propose the Democrats do instead?

Here's what they could do: Don't compromise on the gun control bill, push for the really needed measures and hold it over the GOP all the way through November. Hammer on the GOP's inaction, their sociopathic response to these murders. Keep repeating it, keep challenging them publicly, make the GOP leaders piss in their pants fearing the next mass shooting. Then we might get real, sane gun regulations (no, not taking away everyone's guns), by voting out the obstructionists. Instead, the hapless Dems gave the GOP a major victory, making the GOP look reasonable and non-obstructionist, and demonstrating again to the public that the GOP holds the real power and must be appeased - and that the Dems are the appeasers. Unbelievable - and entirely expected.

What happens when the Democrats enact these laws, and the shootings continue?

The only way to stop these shootings is to make it very hard to get and keep weapons.

That’s how every other country solved this.

In the 1990s, there was a ban on assault weapons. Studies showed these laws helped a bit, but weren’t game changers.

Same is true with everything being proposed: background checks, “red flag laws,” etc.

Realistically, we need to take away peoples guns to stop mass shooters.

Here's another way Democrats avoid confronting the problem: Claim powerlessness. 'Powerless' really attracts voters too!
As it stands, both parties are pretty powerless.
Biden's administration is a lot of the same people that made up Obama's administration. They've had years to think about what they'd do differently, and most of them decided that trying to negotiate in good faith with Republicans was a mistake. The Republican playbook has been to block everything for any reason, then when election time rolls around, loudly proclaim "the Democrats can't get anything done, and they're unwilling to compromise." It's a strategy that works, and it works well.

In response, today's Democrats are drafting up bills that have broad public support (even among Republican voters), and forcing the Republican congresspeople to put their names down voting against it. As we get closer to midterms, they're going to harp on this point endlessly: Republicans are nothing but obstructionists that prevent anything from getting done.

Personally, I think it's a better strategy, but I also think they're fighting the last war. They might be better off trying to find tiny cracks in the Republican ranks and then magnifying them.

> I think it's a better strategy

It's completely ineffective! Better than what? What has it achieved?

> today's Democrats are drafting up bills that have broad public support (even among Republican voters), and forcing the Republican congresspeople to put their names down voting against it.

This is a performance by insiders, for insiders. Few other people have any idea those bills exist, that the votes take place, or who voted what.

And because the Democrats barely try to contest the public narrative - the foundation of the reactionary movement and GOP power - it's all spun to make the Dems look bad regardless.

It is a strategy of people who only can think of legislation - like a ship captain who only will use the rudder, not the engine, the anchor, etc. It's so bizarrely focused on legislation, it's like the rest of the world doesn't exist. Really, the Dems are cowards and legislation is their safe space. They will not acknowledge the rest of the world. Did you read that they are 'tired' of dealing with voting rights?

This seems rife for catastrophic unintended consequences. Even given this one absurdly narrow use case:

> When abortion is illegal, researching reproductive health care online, updating a period-tracking app, or bringing a phone to the doctor’s office all could be used to track and prosecute women across the U.S. It amounts to uterus surveillance

The pro-abortion folks could use this to identify where abortion services are in the highest demand, so limiting access to the data isn't an unmitigated good (assuming you think abortions are "good").

Moreover, healthcare researchers buy a whole bunch of data from these brokerages--how are we supposed to advance healthcare research without access to good data (at least it seems from reading this article that this bill would prohibit this sort of access)? I'm all for making it harder for advertisers to track people, but I'm not willing to trade off prospective treatments and cures for serious diseases. There has to be a more selective approach.

Ironic, considering the Democratic party pioneered demographic data mining.

Don't get me wrong-- I think stopping the exploitation of consumer data would be a good step-- but politicians (of all parties) are some of the most enthusiastic purchasers of such data.