
Senator Wyden: Your data’s yours no matter on whose server it lives - Libertatea
http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/15/sen-wyden-your-datas-yours-no-matter-on-whose-server-it-lives/
======
tptacek
This article blurs the line between personal documents stored on remote
storage systems (the email and Google Docs case) and business transaction
records (calling data).

But that distinction is important. The latter case involves data that is not
actually "yours"; it's generated by observations made from counterparties you
do business with, and concerns only the details of those transactions, not the
purpose to which those transactions are put.

And yet it's the latter case that represents the most outrageous transgression
by NSA (the Verizon call records database). Which suggests to me that the "my
data" / "your data" divide is actually not all that useful in the policy
debate about where NSA's limits need to be.

~~~
a3n
It may be more useful to talk about "what the government is allowed to know
about you," rather than strictly where or what your data is.

In the case of call records (well, any records regarding an individual), this
could be a 4th Amendment issue, but it's also a 1st Amendment freedom of
association issue. If the government is perusing call records, that puts
pressure on your sense of whether you are free to associate with someone. If
you know the government is looking at call records, then you may be reluctant
to call your brother, or a journalist, or someone in Ferguson MO.

~~~
tptacek
I agree, except that I'd ask that we be more careful about "ownership". The
issue can't be "where" "your" data is if what we're discussing is the location
of _someone else 's data_, which is what (for instance) call records actually
are.

So I agree, we need to be diligent about cabining the surveillance powers of
the state _as an intrinsic policy goal_ , and not as a side-effect of who
generated what bits and where they put them.

~~~
a3n
Yes, it's someone else's data, but it says something about you that the
government shouldn't know.

We already have a type of data that's treated like that, medical information,
protected historically by patient/doctor confidentiality and formalized in
HIPPA in the US. A lot of the medical data about you is essentially the
doctor's or industry's data, not yours. It can be difficult to impossible to
get everything about you disclosed to you; it is for all intents and purposes
data about you but not owned by you. And yet, doctors and the industry are
prohibited from sharing that data beyond business and medical purposes, and (I
think) the government has laws prohibiting itself from having access to that
data.

It's a good start.

~~~
chimeracoder
I'm the founder of a health-tech startup, so HIPAA is something I spend a lot
of time thinking about. (Disclaimer: IANAL)

> A lot of the medical data about you is essentially the doctor's or
> industry's data, not yours. It can be difficult to impossible to get
> everything about you disclosed to you; it is for all intents and purposes
> data about you but not owned by you.

Quite the opposite - a large portion of HIPAA is about the rights of the
patient to access their medical data. Actually going through this formal
process has a number of steps, but some of the first lawsuits regarding HIPAA
were actually about this, not about the safeguards on sharing or security.

In fact, under HIPAA, doctors and insurance companies are allowed to share
your data with other entities ('associates') without consulting you first, as
long as they sign another agreement with that entity promising that they'll
abide by certain rules. Those associates are allowed to share it with other
associates, and so on, etc. - all of it is legal as long as there's a trail of
these agreements going all the way back to the doctor, hospital, or insurance
company.

Anytime that you sign a document authorizing release of your information to a
third party, that's generally referring to releasing data that they _can 't_
legally share under HIPAA via the above means.

There are some caveats, but this is more or less what is already happening to
your medical data - you just don't know about it.

~~~
chasb
Great explanation.

(I am a lawyer, but this is not legal advice!) I would just add that HIPAA
does limit what constitutes a permissible disclosure. Without a written
authorization, PHI sharing is usually limited to disclosures necessary to
provide treatment, seek payment, or operate the healthcare business.

------
hifier
I'm shocked by the supreme court's logic that resulted in the third party
doctrine. I absolutely have an expectation of privacy when it comes to any
data gathered by counter-parties that I enter into a business relationship
with. Even if I didn't, and event if those contracts allowed for sharing of
that identifying (or anonymized) information, it is an incredible leap to
assert that government agencies are within their rights to access this
information without a warrant!

------
cinquemb
It was easy when we would draw imaginary lines around the earth and harm those
who dared to encroach upon them and declare that this is "mine". To stop
actively engaging in such behavior, one looses what is "theirs". Now we're
trying to apply such ideals to a realm where anyone can step anywhere (few
truly choose exercise such abilities, though its easier/cheaper than ever for
the individual to engage in such behavior) and not face the same repercussions
on avg (compared to other realms for those who seek comfort in making such
distinctions), so to stop that, do people think trying to do more of the same
will work?

Maybe as society, we're coming to terms with the limits on ideas such as
ownership as a whole when we have to create rules (an intangible in of itself)
around things that are mostly intangible (bits) to the everyday person, and
then flail in retrospect to see how such constructs don't hold water, and
maybe that no one "truly" can own anything?

There can't possibly be any other ways to live/deal with such other than the
way we do now in face of these realities…

------
allard
Isn't this the way Europe conceives and legislates this? (I ask half
rhetorically and half genuine.)

------
discardorama
I'm a big supporter of Sen. Wyden, but I feel like he's mainly talk, not
action.

As a Senator, he holds one of the most powerful positions in the US. If he
wanted to, he could cause real trouble; as an example, by putting a hold on
all apointments by the Obama administration. (I'm sure there are more ways to
make a point in the Senate).

But he doesn't. Yes, he does bring some of the problems to light; but I wish
he'd lace up and actually do something drastic to make the administration
change its ways.

