Senator Wyden: Your data’s yours no matter on whose server it lives (washingtonpost.com)
96 points by Libertatea on Aug 16, 2014 | 22 comments

This article blurs the line between personal documents stored on remote storage systems (the email and Google Docs case) and business transaction records (calling data).

But that distinction is important. The latter case involves data that is not actually "yours"; it's generated by observations made from counterparties you do business with, and concerns only the details of those transactions, not the purpose to which those transactions are put.

And yet it's the latter case that represents the most outrageous transgression by NSA (the Verizon call records database). Which suggests to me that the "my data" / "your data" divide is actually not all that useful in the policy debate about where NSA's limits need to be.

I'm not sure the distinction is as clear, or as relevant, as you imply. At what level are 'business transactions' defined? Is there a separate transaction with your ISP for every packet you send or receive? I would have thought that the relevant business transaction occurred once per month, when I paid them $X to carry Y GB of data on my behalf (and similarly with phone companies). Anything more granular than that is an implementation detail of the service: sure, the ISP has the ability to observe and log the full header+data contents of any packets I send, and might even have good business reasons to do so, but it doesn't follow (to me at least) that every packet I send through this connection is now a business transaction record over which I have no reasonable claim to privacy.

It's clear that there are some forms of metadata (call records, packet destinations, etc) that are useful and perhaps necessary for service providers to observe and log, in the course of providing their services. But insofar as the privacy implications of releasing that data fall almost entirely on consumers, not on the service provider, it makes sense to give consumers some say over what happens to it. In this view, metadata really is "my data" in the sense that a service provider should have an obligation to protect it, analogous to medical records (which are records of 'business transactions' with my doctor that they nonetheless have an obligation to protect) or documents provided to an attorney under attorney-client privilege.

> it makes sense to give consumers some say over what happens to it

The only way to give individuals this choice is by enabling non-techies to encrypt and anonymize their data, freely, easily and in a way that respects the UX. It isn't up to a politician or Comcast.

Increasingly, people are going to make a binary choice with every new technology decision: do I opt _out_ of suspicionless blanket surveillance of entire populations, or do I use something else that gives me no choice in the matter?

Ceteris paribus, apps enabling you to opt out of it all, are just plain more valuable.

It may be more useful to talk about "what the government is allowed to know about you," rather than strictly where or what your data is.

In the case of call records (well, any records regarding an individual), this could be a 4th Amendment issue, but it's also a 1st Amendment freedom of association issue. If the government is perusing call records, that puts pressure on your sense of whether you are free to associate with someone. If you know the government is looking at call records, then you may be reluctant to call your brother, or a journalist, or someone in Ferguson MO.

I agree, except that I'd ask that we be more careful about "ownership". The issue can't be "where" "your" data is if what we're discussing is the location of someone else's data, which is what (for instance) call records actually are.

So I agree, we need to be diligent about cabining the surveillance powers of the state as an intrinsic policy goal, and not as a side-effect of who generated what bits and where they put them.

Yes, it's someone else's data, but it says something about you that the government shouldn't know.

We already have a type of data that's treated like that, medical information, protected historically by patient/doctor confidentiality and formalized in HIPAA in the US. A lot of the medical data about you is essentially the doctor's or industry's data, not yours. It can be difficult to impossible to get everything about you disclosed to you; it is for all intents and purposes data about you but not owned by you. And yet, doctors and the industry are prohibited from sharing that data beyond business and medical purposes, and (I think) the government has laws prohibiting itself from having access to that data.

It's a good start.

I'm the founder of a health-tech startup, so HIPAA is something I spend a lot of time thinking about. (Disclaimer: IANAL)

> A lot of the medical data about you is essentially the doctor's or industry's data, not yours. It can be difficult to impossible to get everything about you disclosed to you; it is for all intents and purposes data about you but not owned by you.

Quite the opposite - a large portion of HIPAA is about the rights of the patient to access their medical data. Actually going through this formal process has a number of steps, but some of the first lawsuits regarding HIPAA were actually about this, not about the safeguards on sharing or security.

In fact, under HIPAA, doctors and insurance companies are allowed to share your data with other entities ('associates') without consulting you first, as long as they sign another agreement with that entity promising that they'll abide by certain rules. Those associates are allowed to share it with other associates, and so on, etc. - all of it is legal as long as there's a trail of these agreements going all the way back to the doctor, hospital, or insurance company.

Anytime that you sign a document authorizing release of your information to a third party, that's generally referring to releasing data that they can't legally share under HIPAA via the above means.

There are some caveats, but this is more or less what is already happening to your medical data - you just don't know about it.

Great explanation.

(I am a lawyer, but this is not legal advice!) I would just add that HIPAA does limit what constitutes a permissible disclosure. Without a written authorization, PHI sharing is usually limited to disclosures necessary to provide treatment, seek payment, or operate the healthcare business.

Thanks for the correction. It does still sound like they're free to hand off your data, so it does seem like it's not entirely "yours," you just have some rights to see it.

Sadly, "business and medical purposes" covers a great deal, and in the day-to-day that is where the impact really is felt, not from some mustachioed government thug (much as I'd like to claim otherwise).

The best reform we could probably see is to say that your health and medical data belongs to you, full stop, and consider it a work-for-hire. Then, a national regulation on how to represent that data (normalizing what is pulled in) and interoperability specs, as well as a public option for warehousing your data if you choose not to go free-market.

There are a lot of issues even with the simple data-representation part...terminology and whatnot, for example--and getting that straightened out is exactly the sort of boring work that, in the long-run, yields extravagant dividends.

"What the government is allowed to know about you," isn't useful either since the government is allowed to know anything about you.

The issue is how the government learns it.

The 4th amendment only protects against information within a reasonable expectation of privacy.

The Supreme Court has found that information turned over to a third party (like the phone company) no longer has a reasonable expectation of privacy.

The general idea is that if you turn over data for a third party to read, it is not private data.

Things like email and text messages are private because they are kept private from even the business.

However, there will be major issues in the future because of some of the practices that tech companies have engaged in. Google, facebook, etc. do not keep your private email and messages actually private. They data mine the shit out of it.

There will eventually be a case that argues Gmail falls under the third party doctrine. The tech community will be outraged at the government overstep. But the real problem is the tech corporate community's total disrespect of their users' privacy.

Interesting. To restate a bit: the concept of "ownership" might not work here, as meta data can be as useful as actual data, and businesses just recording one end of the transaction can learn pretty much all there is to know about you. See example: post office automatically recording the address of every letter you send or receive.

Perhaps just like there are strict requirements around credit card data, personal data is treated the same way. Maybe a 30-day limit for storage on some types of information, and a 90-day limit on others?

Allowing the collection but forbidding the persistence of the data (by both corporate and government interests) would allow commerce to continue but would cut back on privacy violations.

Don't know. Just thinking aloud.

Intellectual property is an arbitrary construct and there is nothing to stop a law that makes business records the personal property of customers, to be relinquished to those customers once transactions are complete.

You don't just see how you invoked "intellectual property" to serve your own policy goal here?

My point is that the rubric of intellectual property is unhelpful in defending privacy. To the extent that society demands privacy, privacy must be an intrinsic goal, orthogonal to IP. And yet right now it isn't; significant privacy rights seem to fall out of happenstances about who "owns" what data.

Which is my critique of this article about Wyden.

The hypothetical law I described is no less "helpful" or workable than the legal and technical tools for copyright enforcement in digital media. For example, why shouldn't customers be able to reach into every government's and vendor's IT systems and control how their data is used? Vendors reach into our PCs and phones to control their supposed property that we bought.

Property is property, and my data should be my property. Right?

You are suggesting that I have to build some mechanism to allow everyone who visits my blog to review their entries in my log files? No, thank you.

Why not? Intellectual property theft is a serious issue. If I can't impose an enforcement mechanism on your computing systems, that property is in danger of theft or misuse.

Yale discussion of Fourth Amendment protections in the context of ongoing technology-driven reduction in the costs of surveillance, http://yalelawjournal.org/forum/tiny-constables-and-the-cost...

I'm shocked by the supreme court's logic that resulted in the third party doctrine. I absolutely have an expectation of privacy when it comes to any data gathered by counter-parties that I enter into a business relationship with. Even if I didn't, and even if those contracts allowed for sharing of that identifying (or anonymized) information, it is an incredible leap to assert that government agencies are within their rights to access this information without a warrant!

It was easy when we would draw imaginary lines around the earth and harm those who dared to encroach upon them and declare that this is "mine". To stop actively engaging in such behavior, one loses what is "theirs". Now we're trying to apply such ideals to a realm where anyone can step anywhere (few truly choose to exercise such abilities, though it's easier/cheaper than ever for the individual to engage in such behavior) and not face the same repercussions on average (compared to other realms, for those who seek comfort in making such distinctions), so to stop that, do people think trying to do more of the same will work?

Maybe as a society, we're coming to terms with the limits on ideas such as ownership as a whole when we have to create rules (an intangible in and of itself) around things that are mostly intangible (bits) to the everyday person, and then flail in retrospect to see how such constructs don't hold water, and maybe that no one "truly" can own anything?

There can't possibly be any other ways to live/deal with such other than the way we do now in face of these realities…

Isn't this the way Europe conceives and legislates this? (I ask half rhetorically and half genuine.)

I'm a big supporter of Sen. Wyden, but I feel like he's mainly talk, not action.

As a Senator, he holds one of the most powerful positions in the US. If he wanted to, he could cause real trouble; as an example, by putting a hold on all appointments by the Obama administration. (I'm sure there are more ways to make a point in the Senate.)

But he doesn't. Yes, he does bring some of the problems to light; but I wish he'd lace up and actually do something drastic to make the administration change its ways.
