
Senate Testimony on Privacy Rights and Data Collection in a Digital Economy - aaronbrethorst
https://idlewords.com/talks/senate_testimony.2019.5.htm
======
idlewords
I should explain how this process works, and how I wound up giving this
testimony.

Basically, a staffer on the committee found me online, was interested in my
ideas, and asked for a phone call. A couple of days later, he scheduled a
second phone call, this time including the committee chairman's staff from the
opposing party.

I got a formal invitation to appear with about eight days' notice, along with
a request for written testimony on specific topics. You pay your own way to
get to D.C. for the hearing.

The testimony was due 24 hours before the hearing, so that staff had a chance
to review it and plan their questions.

In the hearing, there is a two-hour block of time, and senators each get five
minutes to ask questions, alternating parties, in order of seniority. Some of
them want to know stuff, others want to read a statement into the record. You
get a glass of ice water and a little countdown clock at your desk that tells
you when the five minute blocks of time are up.

At the start of the process, the three witnesses each get a five minute
opening statement. In my hearing, we had a former diplomat and expert on the
GDPR, and someone from the financial industry. The hearings are open to the
public and if you are in D.C., you should attend one! It is quite a spectacle!

I'm very thankful to Matt Blaze and others who wrote about what hearings are
like, to help me prepare for this. And I am happy to answer questions in turn.

~~~
skrebbel
I watched a portion of the video, and I get the impression that the people
asking the questions appear to have a pretty good idea what they're talking
about. Do you feel the same? Those are the senators, right? Gives some good
hopes for the future.

~~~
idlewords
Those are all senators, yeah. They have staff experts who brief them for these
hearings so they can go in knowing what they want to ask (or say), as well
as what they are likely to hear. The level of staff expertise is extremely
high, and the senators themselves are no fools. They are used to regulating
the financial industry, which is even more slippery than big tech.

~~~
YokoZar
Perhaps today's Senators have learned not to completely wing it - we're a long
way from the "series of tubes" era.

~~~
lostlogin
Perhaps in the legislative branch, the executive branch suffers no such
limitations. E.g.
https://www.whitehouse.gov/briefings-statements/remarks-president-trump-marine-one-departure-30/

------
viburnum
Here's the video of the question and answer part:
https://www.banking.senate.gov/hearings/privacy-rights-and-data-collection-in-a-digital-economy

~~~
dredmorbius
Hearing begins at 10m30s

Maciej's remarks at 42 minutes.

The video (or audio) can be played directly from:

    mpv --ytdl 'https://www.senate.gov/isvp/?comm=banking&type=live&stt=&filename=banking050719&auto_play=false&wmode=transparent&poster=https%3A%2F%2Fwww%2Ebanking%2Esenate%2Egov%2Fthemes%2Fbanking%2Fimages%2Fvideo%2Dposter%2Dflash%2Dfit%2Epng'

------
tzs
For any given type of item of information about me that a site may be able to
see and want to use, it is going to fall into one of these groups:

• Items that I'm OK with sharing with every site.

• Items that I'm OK with sharing with some sites, but not with others.

• Items I'm not OK with sharing.

It might be nice if there was a standard list of items and a way to tell my
browser which group each item falls under, and a standard way for the site to
tell the browser which items it wants. The browser could then tell the site
which group each such item falls under, and the site could dynamically
generate a permission request and privacy disclosure that just covers those
things I'm not willing to share with every site.

Maybe add some other dimensions to this covering things like how the site uses
the item (internal use or shared with third parties; just to provide the
services I use or also for marketing, for example), the category of site, and
the location of the site.

~~~
idlewords
Where this consent model gets tricky is things like group chat. Who owns this
exchange between us? You? Me? Hacker News?

~~~
anon1m0us
Why not everyone who participates in the exchange? Or perhaps only the words
they contribute?

~~~
schoen
Well, there's a fact that idlewords _responded to_ tzs, which could be viewed
as a fact about idlewords, a fact about tzs, a fact about both of them, or a
fact about this overall conversation, among other things.

For copyright purposes idlewords already has copyright in his post, but I
don't think that's the kind of "owning" that we're talking about here.

There's also the fact that, for example, you read what idlewords and tzs had
to say to each other, and the fact that some people in the discussion upvoted
their comments.

That's already a lot of different sorts of facts about this conversation, and
doesn't even reflect everything that HN (or readers) knows.

------
mbesto
This is the most succinct explanation and description I've ever seen regarding
privacy and regulation.

Maciej - thank you for writing this and spending time with Congress.

~~~
idlewords
It was an honor! I am still flabbergasted I got the opportunity, but I didn't
want to waste it.

~~~
CamperBob2
I'd say you definitely didn't waste your time, even if you had only posted the
essay online. That's a great piece of writing on the subject, especially the
perspective on the GDPR's effects. Not being an EU resident, I had no idea it
was that cumbersome.

~~~
rdiddly
Strictly speaking I would call that the effect of companies' resisting the
spirit, and in some cases letter, of the law, not an effect of the law itself.

~~~
TeMPOraL
The same thing happened with the "cookie law" too. The law was created to
gently nudge companies away from abusive tracking, by requiring them to inform
users about third-party cookies. But instead of stopping their use of
third-party trackers, the web world has simply shown the finger to the
regulators, and that's how we got cookie notices on every site.

My guess is that's where GDPR got its teeth from - the regulators tried the
"industry self-regulation" route before, and it failed spectacularly.

------
temp99990
If there is one company I hope gets the spotlight in this debate it is Plaid.
I think they are among the least transparent when it comes to what data they
collect, have zero way of auditing/ensuring compliance among devs, and
are arguably dealing with some of the most sensitive personal data (banking,
transactional).

------
switch007
> They [Silicon Valley] see a regulation and they find a way around it. We
> don't like banking regulations? So we invent cryptocurrency and we're going
> to disrupt the entire financial system. We don't like limits on
> discrimination in lending? So we're going to use machine learning. Which is
> a form of money laundering for bias.

Could you expand on what you meant by this, Maciej? The first sounds a bit like
a conspiracy theory - that Bitcoin (I presume) was invented by Silicon Valley
to avoid banking regulations? Or did I completely misunderstand?

EDIT: to be clear, I'm not contradicting or being nasty. I would just like to
learn more as I've never heard that take on it before.

~~~
idlewords
No, I don't think Bitcoin is a conspiracy theory. I think it was a genuine
novelty that came out of tech. But at a certain point in its rise, it became
clear that you could create an unregulated securities market with initial coin
offerings, and it was off to the races.

The dynamic that I am describing is new technologies being used to circumvent
regulation, with the excuse that this is something new and technical, and so
should be exempt.

We've seen the pattern over and over again, from sales tax exemptions to
cryptocurrency to taxi and hotel laws.

~~~
novok
What about ICOs makes them unique in creating a securities market vs somebody
just doing it with java, payment provider integration and a mysql database?

------
mindslight
Maciej - I think my viewpoint on the surveillance industry is pretty similar.
But reading your description of the current state of affairs _still_ put a
shiver up my spine. I can't even pinpoint a single passage that did it. Rather
the sheer disconnect between the technological world we envisioned and the
world they built is overwhelming, and you really got that across.

I think throwing the GDPR under the bus based on how the surveillance industry
is doing its best to malinterpret it is a bit off. A popup with a list of
task-orthogonal surveillance companies demanding consent is obviously an anti-
pattern. The prudent course feels like to wait and see how the GDPR actually
turns out in practice, and then hopefully adopt it as-is.

What I worry about in the meantime is a half-baked "Americanized"
implementation that guts its strongest provisions ("Right To Download" ->
"correct" feels like already trying to fortify a backstop! Why can't I simply
just erase?), and blesses ongoing abuses. A disingenuous standard of purported
consent is pervasive in our entire society, and I don't see why this topic
will turn out any different. I can foresee EU regulators concluding that
surveillance-based-advertising is not a necessary part of simply viewing a
news article, whereas I can see a US regulator blessing that practice.

Which maybe implies that "copy GDPR" is actually a decent answer right now,
even not knowing how it will turn out. For one, it tells US companies that
they need to take the GDPR seriously rather than throwing "block EU" hissy
fits. If it's really as unworkable as the surveillance industry public
relations make it sound, I'm sure they'll have no problems modifying it.

~~~
idlewords
I'm sorry that you read my statement as so hostile to the GDPR. The consensus
at the hearing I think was unanimous—that so much of the GDPR is open to
regulatory interpretation that it is hard to evaluate yet. My fellow witness
said there's a value to not going first, and I wholly agree with him. I
believe we all testified it has made people safer.

That said, there is time pressure on Congress because of the 2020 California
law. The tech companies and data brokers are scared of 50 state laws on this
and are pushing for the mildest form of Federal regulation they can get, to
pre-empt state laws, and that is the context of the fight.

I think the GDPR is inadequate but much better than nothing, and I tried to
convey that in my testimony.

~~~
mindslight
I didn't take it as outright "hostile", but rather more of a basis with which
to pivot into the idea of doing something different. Which feels like playing
to lawmakers' interest / American exceptionalism of doing something "better",
but counterproductive given how the US lawmaking process works.

I'm also not personally a huge fan of the GDPR as is, because I agree we have
no idea how it will actually play out. But I don't think the American
philosophy will be productive at coming up with a different approach. So if
it's to be one national regime, why not simply match the EU for now?

If we can't do that, then honestly each state having a different approach
sounds better for individuals (assuming it doesn't devolve into companies
demanding one's physical address for compliance). It's more likely that one
state will properly codify the idea that users should have full control over
data about themselves.

Ultimately I don't think we'll end up with sensible-looking legislation unless
legislators actually get down and dirty with the technical specifics. For
example, the brokenness of the cookie law actually necessitating cookies could
have been avoided by mandating a fixed cookie/header format to express the
preference rather than allowing every site to come up with its own bespoke
implementation.

~~~
idlewords
The problem with saying "let's just match the EU" is that key parts of the
GDPR are still undecided. What is a "legitimate business interest" for data
collection? What are the limits to algorithmic decisionmaking? No one knows.

A regime with 50 state privacy laws would result in every website you visit
having a consent click-through where you agree to abide by Alabama privacy
laws (or whoever wins that race to the bottom).

~~~
mindslight
But how can it _not_ come down to judgment calls? We're essentially trying to
define the contour of a new right. If we stick with the axiomatic approach,
then it feels like we can only end up essentially right back where we are now
- data collected by companies is theirs to do with as they like.

FWIW are you sure it would be a race to the bottom (companies going to the
least-restrictive state)? In the context of salestax/cookie-nexus, I would
have hopes that it would be a race to the top (users benefiting from being in
a more-restrictive state). Which is why I'd think the worry would be every
random service demanding to verify your address to keep you from claiming to
be in the more restrictive states.

------
skybrian
It seems like this is emphasizing the big five a bit much, when there is an
entire ecosystem of smaller adtech firms that will be, if anything, harder to
regulate since they're scrappy firms operating under the radar, sometimes
overseas. At least the big five are likely (under pressure) to put in place
the bureaucracy to follow regulations, and attempt to impose their rules on
smaller vendors as well.

I also wonder about the idea that it's "traditional" that users own their own
data. Maybe that's true in Europe, but in the US, selling customer lists in
the direct-mail industry goes back many years. I'm guessing that salesmen
keeping customer lists in rolodexes goes way back as well, and these lists
were sometimes shared or sold. No user ownership of their own data there!
Gossip seems more traditional than privacy.

GDPR-style regulations seem more like a new thing, long overdue as this stuff
scales up rapidly.

------
HNthrow22
This is fantastic, thanks for writing it and for your testimony!

My favorite bits:

"The emergence of this tech oligopoly reflects a profound shift in our
society, the migration of every area of commercial, social, and personal life
into an online realm where human interactions are mediated by software."

"Consumers will just as rightly point out that they never consented to be the
subjects in an uncontrolled social experiment, that the companies engaged in
reshaping our world have consistently refused to honestly discuss their
business models or data collection practices, and that in a democratic
society, profound social change requires consensus and accountability."

Brilliant!

------
brilee
"The training process behaves as a kind of one-way function. It is not
possible to run a trained model backwards to reconstruct the input data; nor
is it possible to “untrain” a model so that it will forget a specific part of
its input."

I don't have a concrete reference, but my understanding is that it is quite
likely to be possible to reconstruct outliers in the training data by
inspecting the model's weights.

~~~
bo1024
This is a good point. We have some concerns and evidence that neural networks
do memorize their training data.

Also, the "untraining" idea is an open research question (I just saw a talk
about it). We don't know exactly how to do it yet, definitely not in general,
but "impossible" is too strong.

------
dgudkov
> The internet economy today resembles the earliest days of the nuclear
> industry. We have a technology of unprecedented potential, we have made
> glowing promises about how it will transform the daily lives of our fellow
> Americans, but we don’t know how to keep its dangerous byproducts safe.

This is one of the best analogies about the internet that I've ever heard.

------
idlewords
The title on this is horked, it should be "Senate Testimony on Privacy Rights
and Data Collection in a Digital Economy"

~~~
snazz
If it isn’t obvious from the domain name and parent’s username, the author of
the linked page would like the HN title changed to the original one.

