
Ask HN: Opinions on a regulation which could solve most privacy concerns - ilovetux
I had an idea about how most of my personal privacy concerns could be mitigated. I would like to solicit opinions on the idea.

I believe that if use of our personal data (including aggregation, correlation, study and sale) were required to be reported, we could provide real knowledgeable consent to the use of our personal data. In other words we would be able to know who is tracking us and why.

The current system where we blindly click "I agree" is broken. People do not want to wade through the legalese and they shouldn't have to.

If we were notified every time our personal data was used, we could finally know what we were agreeing to.
======
ilovetux
I have put some thought into the possibility of implementing this requirement
"client side". In other words I wanted to think through what would be needed
to implement this for myself.

I think an access point with the ability to proxy requests with tls
termination support could be used to decrypt/encrypt all traffic inbound and
outbound.

This has two problems. First, this would not allow visibility into messages
where the encrypted payload was itself encrypted. Second, this would only be as
trustworthy as the hardware, drivers and operating system. In other words,
unless you have the ability to build the hardware yourself or knew a
trustworthy manufacturer you could never be 100% sure that you are aware of all
collected data.

This also addresses less than half of the issue. To know when your data is
being used, the best way would be to catalog, index and correlate all known
information about the business in question including all official filings,
mergers, acquisitions and any trustworthy news reports or blog posts. This
information could be mined for possible disclosures of your information. This
algorithm would of course have to be recursive to provide insight after the
data leaves the hands of the original collectors.

Now comes the fun part: information is gathered about us in multiple ways
including tax filings, credit card purchases and facial recognition within
photos (in which you may only be in the background).

All of that leads me to believe that this is not something which can be done
alone.

What I believe we need is a law which would guarantee us the right to receive
notifications when data concerning us has been collected, used or sold.

As far as a regulatory body goes, that would be nice and could be used as a
trusted third party to collect all the information which should be reported to
individuals; this could lead to a web portal which aggregates all disclosures
for us. This however is not necessarily needed in the short term; I believe if
such a law was passed we could rely on whistle-blowers to report
transgressions. The important thing would be to establish the right; we can
worry about enforcement at a later point.

------
siegel
I'm trying to better understand the proposal:

1) What exactly would be reported? 2) To whom? 3) How would it be reported?

~~~
ilovetux
Basically any time one person's data is collected or used in any way, that
person would have the right to be notified of the actual data in question, how
that data is being used and by whom. This could be an email containing a CSV
file with the actual data points and a brief summary of what is happening with
the data.

This is the ideal and I haven't fleshed out the idea too much which is why I
am soliciting opinions and ideas.

~~~
siegel
I would think that this would first require the adoption of something much
closer to the EU data privacy regime: actual rights to know what data is
collected, how it would be used prospectively, rights to collect and be
forgotten, etc. I think this would be a precondition to the setup you are
proposing.

It would also seem clear to me that, from a regulatory standpoint, there would
need to be a regulatory body in charge of developing regs around this and
enforcing it.

So, in other words, this would be expensive to implement (both in terms of
adding government regulatory costs + costs of private enterprises complying).

That being said, what I find particularly attractive about your proposal is
that it might shock people into understanding what they are really doing by
pressing "I agree." In other words, it could cause a huge cultural shift that
I think is really necessary. There are a lot of things written about how
people (particularly younger people) do not really value privacy anymore. I
would bet a large sum of money that if your proposal were implemented, many of
these people who "don't care about privacy" would start caring because the
implications of their giving up their personal data would suddenly become
clear.

I can't see this being all that difficult to implement technologically, would
it be?

~~~
ilovetux
Technically I do not believe so; in Python (with which I am most familiar) it
is trivial to add a handler to a logger. That handler can do anything,
including sending emails or HTTP requests. A similar technique should be
possible within similar technologies such as log4j (a common framework written
in Java).

What I like about my idea is that nothing needs to be changed by the business
except implementation of the new requirement. In other words the "I agree" you
clicked still applies but now they have to tell you what actually happened
with the actual data which could be used to inform future decisions.

What I find troubling about your prerequisites is the word "prospectively".
Reporting of actual facts should be the goal and this is only possible in the
past and present tense.

By the way, thank you for your response, I need to research current European
laws more thoroughly before I can give a proper response.
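As an added illustration of the logger-handler approach described in this comment, combined with the CSV-plus-summary notice from the earlier reply, here is example code written for this page (not the commenter's own code). The event field names, the `record_use` helper and the monitor.com sample events are assumptions:

```python
import csv
import io
import logging
from collections import defaultdict

class DisclosureHandler(logging.Handler):
    """Collects data-use events per subject (in memory; a real one would email or POST them)."""

    def __init__(self):
        super().__init__()
        self.events = defaultdict(list)

    def emit(self, record):
        if not hasattr(record, "subject"):  # only tagged records are disclosure events
            return
        self.events[record.subject].append({
            "purpose": getattr(record, "purpose", ""),
            "recipient": getattr(record, "recipient", ""),
            "data_points": dict(getattr(record, "data_points", {}))})

    def disclosure_csv(self, subject):
        # The proposed CSV of actual data points: one row per point used.
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["purpose", "recipient", "field", "value"])
        for ev in self.events.get(subject, []):
            for field, value in sorted(ev["data_points"].items()):
                writer.writerow([ev["purpose"], ev["recipient"], field, value])
        return buf.getvalue()

    def summary(self, subject):
        # Brief plain-language summary to accompany the CSV.
        evs = self.events.get(subject, [])
        outside = sorted({ev["recipient"] for ev in evs if ev["recipient"]})
        return (f"{len(evs)} use(s) of your data; shared with: "
                f"{', '.join(outside) or 'no outside party'}")

log = logging.getLogger("monitor.com")
log.setLevel(logging.INFO)
handler = DisclosureHandler()
log.addHandler(handler)

def record_use(subject, purpose, recipient="", **data_points):
    # Business code calls this wherever personal data is touched (assumed helper).
    log.info("data use", extra={"subject": subject, "purpose": purpose,
                                "recipient": recipient, "data_points": data_points})

# Constructed sample events for a fictional user of the fictional monitor.com
record_use("user42", "ad targeting", "adnet.example", email="u42@example.com", zip="90210")
record_use("user42", "analytics", page="/settings")
```

Ordinary log lines without a `subject` pass through the handler untouched, so the disclosure path can share the application's existing logger.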

~~~
siegel
I wonder if this could be marketed as a 3rd-party service? Plenty of companies
pay for privacy certifications that are not legally required - presumably
because there is some amount of customer demand.

I could imagine incredible demand for a service like you propose, if people
knew that they could get this kind of information.

~~~
ilovetux
@siegel I want to express my appreciation for your responses; simply
discussing this has made me more at ease.

I had time to mull this over. I even went so far as to draft a few emails and
even started in on a business plan for a business which could offer this type
of certification.

I have had to reconsider. There is no finality to this solution. The details
of the certification would have to be ironed out beforehand and would need to
be fluid enough to allow for changes as needed. Then there would have to be a
penal framework defined around the entire process. In fact the only real
benefit to this would be that the barrier to entry for starting a new business
(or NGO) is less than that for getting a law passed.

I feel the need to accommodate both sides of the aisle here as I love creating
and using technology, so I would never want to hurt the technology sector. I,
however, feel very strongly that some fundamental, undefined right of ours is
being violated.

We have absolutely no idea what is happening with the data collected about us,
therefore I do not believe that we have the ability to enter into a contract
in any sensible way. Some might argue that we have no right to know what a
company is doing with the money we gave to them, but that argument is flawed
because money has no significant attachment to ourselves after we tender
payment.

Copyright law provides a default of no rights except to the author of a
creative work; could this be used to enforce the duplication of our data or at
least force some sort of dual-licensing for the co-creators of the data?

As an example:

I am a user of a fictional online service, monitor.com.

I interact with the service in a variety of ways which in turn generates a lot
of data about my use of the service.

Also present on the page is a social network integration (i.e. a Facebook
"like" button) which also reports on data generated by not only my interaction
with monitor.com, but also correlates this with my actions on other sites.

Now in this scenario, monitor.com and I work together to create a series
of data points. At the same time, I am working with the social network to
create a larger data set.

If we could be acknowledged as co-creators of the data, what ramifications
could that have on the legalities involving the duplication of the data?

When the data is transmitted over a network, it is indeed copied. Does one
co-creator have an inherent right to use the data without a specific license
being granted? More importantly, can a co-creator grant licenses to third
parties without the explicit consent of the other co-creator?

This is probably a false argument based on a certain level of legal ignorance
on my part.

Ideally, I would simply like an established right to know when data about me
is collected or used so I can make an informed decision on whether or not to
continue using the service.

I believe a law is necessary as a free-market solution could not provide a
consistent level of assurances; there would always be doubts. I am not looking
to punish anyone or to be petty, but I would like it to be established that
this right exists.

Violations could be a civil matter; I could sue or initiate a class action
lawsuit. Is it possible to simply pass a law without specifically defining the
penalties and governance policies?

~~~
siegel
I'm impressed by the careful thought you are putting into this.

On the copyright front, that body of law is not going to do it for us. And
it's such a well-developed body of law motivated by very different sets of
concerns, that I don't think trying to shoehorn privacy rights into it would
yield the right results.

Typically when laws are passed regarding these types of regulatory matters,
there are penalties specified (either in the statute or in regulations) and
there is a regulatory body setup to enforce the law.

But you don't technically need a regulatory body, as you point out. Take the
example of labor laws in California. Yes, there is a labor department and an
enforcement body. But several years ago, the State of California realized that
its regulatory enforcement division was understaffed and under-resourced. So,
the Private Attorney General Act was passed (PAGA), which allows private
litigants to initiate something like a class action to enforce labor laws
against their employers, without all the requirements of certifying a class
action. There's no reason this couldn't be done for privacy law enforcement.
Of course, there are also regular old class actions, as well. But if you
wanted to encourage enforcement, a more friendly mechanism would be
preferable.

At the federal level (and in many states), the tides are against class
actions. It's become more and more difficult to bring them. So, there's that
issue.

But the bigger problem here goes back to the fact that the US hasn't seen fit
to enact much in the way of basic data privacy protection compared to other
developed nations. That's why I point to the EU, as a comparison. I'll try to
find a good resource to compare US vs. EU data privacy laws. You might be
shocked.

The reason I pointed to private business as a way to start is that a
constituency has to develop in favor of any law requiring this type of data
privacy reporting/protection. It doesn't appear to exist yet. It seems like we
need a cultural shift. And the genius behind your idea is that it would
provide information that might start a cultural shift.

So, if one were to create an ACME INC. that would offer an easy software
solution other companies could subscribe to in order to do this type of
reporting AND the market started to demand it to some extent (which might
require good marketing by ACME INC.), at least that might start the ball
rolling towards creating a constituency.

Let me give you a non-privacy related example. You might not realize that
dietary supplements (like vitamins) are not really regulated for content.
False advertising laws apply to supplements, like anything else. But there is
no agency verifying that your vitamins contain what the bottle says. An
organization called USP, which is a private organization, has begun offering
verification services. A company (like Nature Made) can pay to have a
supplement verified by USP and then they can put that verification on their
labels. But that's not a government verification. It's a private verification.

In some ways, that's the data privacy system in the US. There's little data
privacy regulation outside of certain fields (healthcare, banking, schools).
In the unregulated fields (most things), companies may have a privacy policy.
You can sue for violation of the privacy policy, perhaps. But that's it.
Private organizations offer certifications (TRUSTe, for example). Yours would
be another private attempt to create something akin to a regulatory system
(though it would really be an information delivery system).

If you wanted to get a law passed, I'd go abroad to somewhere like the EU. If
one could lobby to get this passed there, plenty of companies in the US might
start adopting this technology anyway.

~~~
ilovetux
I was heartened by a recent article I read about a tracking protection feature
being added to the Safari desktop browser. While I do not know their reasoning,
affiliations or motives, Apple Inc. has been in the news recently supporting
their users' privacy rights.

I do not know if Apple would support this proposal, but it demonstrates the
recognition of the market demand by a major economic player in the technology
sector.

I was able to put a couple of hours into research on EU privacy laws; while I
did not stumble upon the aforementioned right to know what data is being
collected, it sounds like it is half of my proposal. I just believe that we
also need the right to know what has been done with that data; only then can
we make an informed decision to continue a business relationship.

While I agree with the right to be forgotten, I believe that the issue at play
there is fundamentally separate from what I might dub "The right to an
informed decision".

I have also come to realize another fundamental difference in an example
presented about the vitamin supplement which might come into play. There is a
very mature example of this with the United Laboratories (UL). I see their
stamp of approval on most electrical devices. The difference here is that it
focuses on the product in question instead of the user.

What we really need is the fundamental right to be acknowledged. Once it is
recognized that we have this right, then we can begin building specific laws
through the use of the judicial system.

This is more akin to freedom of speech. It was recognized long ago and set in
law as an amendment to our constitution, and problems were dealt with as they
came up. Is there any regulatory body around freedom of speech?

This leads me to a possible path. In recent conversations based entirely on
anecdotal evidence, there are two main ways rights have been established:
through litigation and through constitutional amendments. I think if we were
able to make one constitutional amendment, other rights might build up in a new
body of law through litigation.

If we could convince one state to recognize this right then it would provide
legitimacy to our claim. This plan, I think, will fit into the current
political climate of deregulation nicely as it would allow companies to decide
themselves about the details of how they honor this right.

