Tech Brew Ride Home - The State of Consumer Data and Privacy With Consumer Reports' Justin Brookman
Episode Date: March 16, 2019
When issues of consumer data and consumer privacy come up on the show, I think I've asked a couple of times before, what are the laws here in the United States? Who owns my data? What are the rules? What mechanisms are in place to give me control over my data? Are there any? Well, Justin Brookman is the Director of Consumer Privacy and Technology Policy at Consumer Reports. He was also previously at the Federal Trade Commission, and as you'll hear, he confirms that there are essentially no nationwide rules or laws in place around a lot of this stuff. Whatever rules are in place are sort of tangential statutes that have been drafted into service in an attempt to address modern issues that the statutes weren't even designed for. Is a big federal data and privacy regulatory regime coming soon? What might it look like? And by the way, the states aren't waiting, they're beginning to pass consumer data and privacy laws, but do they even have the right to do that? Oh, and is the FTC about to bring the hammer down on Facebook? Spoiler alert, Justin thinks most definitely, because the FTC knows it needs to make a statement. Anyway, another episode where I educate myself on corners of the tech world I don't know super much about, and hopefully, educating you along with me.
Transcript
Welcome to another weekend bonus episode of the TechMeme Ride Home.
I'm Brian McCullough.
When issues of consumer data and consumer privacy come up on the show, I think I've asked out loud a couple of times before, what are the laws here in the United States?
Who owns my data?
What are the rules?
What mechanisms are even in place to give me any sort of semblance of control over my data?
Are there any at all?
Well, Justin Brookman is the Director of Consumer Privacy and Technology Policy at Consumer Reports. He was also previously at the Federal Trade Commission. As you'll hear, he confirms to me that there are essentially no nationwide rules or laws in place around a lot of this stuff. Whatever rules are in place are sort of tangential statutes that have been drafted into service in an attempt to address modern issues that the statutes weren't even designed for.
So is a big federal data and privacy regulatory regime coming soon? What might that look like?
And by the way, the states aren't waiting.
They're already beginning to pass consumer data and privacy laws, but do they even have the right to do that?
Oh, and is the FTC about to bring the hammer down on Facebook?
Spoiler alert, Justin thinks most definitely because the FTC knows it needs to make a statement.
Anyway, think of this as another episode where I educate myself on corners of the tech world that I don't know super much about.
And hopefully, I educate you along with me.
What is, I feel like I've read conflicting things about this.
What is the current, like, framework for things like privacy and regulations around our data?
Like, is there even a legal or regulatory framework in terms of the control I have over my own data?
So historically, no.
So, like, over the years, like, lots of countries around the world have passed, like, privacy laws or comprehensive privacy laws. The United States never got around to that.
The Federal Trade Commission is the organization that enforces what little privacy law we do have in the U.S., but it mostly used this kind of old general-purpose consumer protection statute that was passed at the beginning of the last century, which says don't commit deceptive and unfair practices. And so it mostly is the deception side.
So the law is basically don't lie.
And that's good.
That's a good law to have.
But because of that, there's not a lot of affirmative limitations on what companies can do.
They just can't misrepresent.
So that's why privacy policies tend to be really long and vague and expansive and written by lawyers.
And in most cases, as long as they don't violate something they went out of their own way to say, they're going to be okay.
There's an unfairness side, and there's like a long kind of legal test for that, but it's hard, and it wasn't really written with privacy in mind.
The FTC hasn't used it on that very much, though they're starting to get pressured to do more.
And then we've had a few statutes here and there that have been passed over time to look at specific issues like kids' privacy or financial records or super sensitive things, but they're definitely the exception and not the rule.
And so a lot of what's happening in Congress and the States and the general conversation is that maybe we need to have something a little more stringent and comprehensive than we currently have.
So what you're describing is whatever sort of like slaps on the wrist or, you know, you got caught doing something bad, we're going to fine you.
That's all basically up to this point in the U.S. happened sort of via scotch tape and, you know, stitching together like existing laws that don't actually fit what we would think they're trying to do.
Yeah, there's that and then there's like the fact that the Federal Trade Commission, like,
they kind of got fairly aggressive on consumer protection issues in the 1970s,
doing stuff around kids in advertising, and like the critics would say they're kind of micromanaging funeral homes,
and like they kind of were perceived overstepping their bounds.
And so some of their authority was actually, and it's not about privacy specifically, but overall was taken away, like in the early Reagan years.
And so they actually can't fine most of the time, even if you do commit a deceptive practice or break the law such as it is, FTC can mostly say, okay, promise not to do that again.
And that's it.
They can't issue rules in most cases.
So they, and they've been, you know, half their staff is gone.
They got, they just got kind of decimated.
And so, you know, they're stuck trying to enforce, like I said, a statute that doesn't quite, wasn't meant to apply to this with a lot less resources than they ever had.
Maybe this is a slightly different issue, but so then there is no legal framework for my data.
For "I visited this website" or, you know, that I am within 30 feet of where I'm standing or, you know, how long.
Like, there is no framework for, I guess, the ownership of that.
Like, this is mine and I have some say on how it's used or who it's given to.
That's right.
The law probably says, as long as in their privacy policy, they don't mischaracterize that, then they're probably fine.
So which is why when you download an app, it can collect your location and can spew it to a bunch of other places.
with no consequences or accountability.
There's just no affirmative protections in place to deal with that.
So is it a case of because there's been nothing in place,
it's just all of these companies have rushed into the void and been like,
well, there's no reason why we can't do this.
So we'll just keep doing it until someone tells us to stop?
I think that's right.
I mean, yeah, and it's a very competitive marketplace.
They're all looking for some angle.
But, I mean, you know, advertising has been, what, you know, we decided, whether it was a conscious decision or not, but that's been the model by which a lot of stuff has been monetized online.
I think a lot of folks are starting to revisit that, like, was that the right decision? Like back in the 90s, when, you know, the web business models were being set up and, you know, back then, Clinton administration, internet seemed pretty awesome, and everyone's like, let's not regulate this. This is really cool.
And then, like, you know, but it's been like, concerns around privacy, they've just gotten more acute over time as companies have gotten better about doing stuff.
And so now, you know, you surf around and all your ads are based on where you were like a few minutes ago.
And like you said, like geolocation, something that is freely trafficked.
And I think this combination of growing awareness about what's going on combined with, you know, concerns around micro-targeting, the 2016 election, and just in general, the general sense that maybe the Internet isn't just all awesome.
Maybe there are some more rules we need to have in place to address some of this stuff.
So then what is your take on the political mood or the legislative move?
Do you think we're going to see some meaningful nationwide laws at least proposed or coming down the pike soon?
Yeah, I mean, there's definitely been, I mean, there's been a lot of things proposed already. I think there's been like five, six, seven, eight or so bills that have been put out there so far.
So it's definitely a flurry of interest.
And, you know, in both like the House and Senate and, you know, the House is Democratic, the Senate's Republican, but they both have a lot of hearings on this.
And so I think there's like more bipartisan interest in passing laws and passing regulations than there was, you know, even like five years or so ago.
So Republicans tend to be kind of more anti-regulatory, but during the Mark Zuckerberg hearings last year,
you heard a bunch of Republican congressmen saying, maybe we need GDPR, like stuff like the European privacy law here in the United States.
You don't usually hear a lot of Republicans advocating for European-style regulation, but you're starting to hear that a lot more than you used to.
In general, I bet against Congress doing something just because the default is they won't,
and it's hard enough for them to pass a budget.
So, you know, imagining them coming up with a framework to comprehensively address privacy,
it would be surprising, but there's definitely more interest in it than there ever was.
And there's also, I guess, you know, some concerns about, you know, California just passed the law,
a bunch of other states are considering passing laws.
Right.
So the federal part of this is only one part of it.
The states can also do their own thing here.
The states are definitely doing their own thing, whether they're allowed to or not.
I guess the court will decide.
But it's probably suboptimal if each state regulates the Internet in radically different ways.
And I think there have been court challenges to the one law that has passed in California.
Yeah, but you can understand, like, where states are coming from, like, you know, the federal government's not going to do it.
Well, they want to, you know, offer citizens protections.
And so, you know, the California law went into place, and now you're seeing other states say, well, yeah, why should California citizens have some semblance of privacy rights and we don't?
So, like, you know, Washington State's looking at stuff, Maryland, New Mexico, North Dakota, again, traditionally a red state.
But, you know, I think this is a fairly bipartisan issue that we want some more agency over our digital lives.
What specifically is in that California law?
Yeah, so there's four main pieces.
The one, like better transparency.
We talked about privacy policies.
They don't really say much today.
There should be more information in there for those who do read them.
Access to your information.
If someone has that information about you, you should tell them what it is.
The right to delete data.
So if I have a file with someone, if it's not needed for, like, if it's not needed to fill a transaction or, you know, fraud prevention, then in most cases they have to get rid of it, take my data down.
And then, like, the biggest piece is, like, I can opt out of the sale of my information.
So if I go to a store and, you know, they sell information about me to data brokers to add me to, like, marketing lists or whatever, I have a right to say, no, don't do that.
And that's the kind of affirmative rights around privacy that we really never had in this country.
And that's being challenged in the courts because it's unclear if California has the legal ability to do that on its own?
Yeah, so there's a couple of challenges and probably going to not get all of them.
But one is the element of the Constitution called the Commerce Clause, which is, the premise being that the states can't do things that radically undermine commerce.
And so there's like old cases in like the 1890s where like every state had like the same railroad gauge and then Michigan, to favor some local business, like, said every railroad gauge needs to be like a foot or six inches shorter.
So they had to change, they had to change cars once they crossed the line into Michigan.
And the Supreme Court said, no, you've got to interfere in commerce.
You can't do that.
I think there are some folks saying that California, by putting in, you know, rules around privacy is effectively doing the same thing, burdening interstate commerce.
You know, there's other challenges, too. There's First Amendment challenges. If I go to a store and I buy some shoes, like the store might say, I have a First Amendment right to say that Justin likes shoes or just to sell it to a data broker.
You know, there's been some successful, the courts have taken a more expansive view of corporate free speech in the last 20 years.
Certainly, new Justice Kavanaugh has taken a very expansive view of corporate free speech.
And so, you know, it could well be struck down on those grounds as well.
We'll see.
We had a discussion on here recently about the idea that maybe the cat's already out of the bag or the horses are out of the barn or whatever analogy you want to use, that maybe either you have to just throw your hands up in the air and give up, or you have to start drawing the line at whatever the next frontier is.
So what about like things like connected devices inside the home?
That clearly seems to be the obvious sort of next big thing that everyone's moving towards.
What do you think about the idea of privacy and data now that we're talking about literally,
eyes, ears, inside the privacy of our own home?
Yeah, no, I think you can be, I'm not willing to cede the rest of it as well, because again, geolocation information is really sensitive.
You know, web browsing often takes place in our own home and is incredibly revealing.
It's hard to retrofit privacy protections onto all that, but I think most people want to, and I think it's a reasonable goal.
But you're absolutely right that inside the home, you know, super sensitive stuff.
You know, more and more appliances have sensors, microphones, cameras.
You know, we don't necessarily want those to be on all the time.
There should probably be some rules about, you know,
when the manufacturer can just flip on a switch and figure out what's going on.
And it can't just be like, well, this is big data. It's interesting. We want to train our AI.
No, I think it's reasonable for folks to not want that.
And certainly in the government privacy context, there has been this idea that, you know,
like a fortress of your home, right?
This is like Justice Scalia was all about.
Exactly.
Your own property.
There's the rules there.
And so, like, you know, you can't, and even like using technology to try to penetrate that, right?
You can't hold a heat lamp or a heat sensor up to someone's house to get a sense that they're growing pot inside.
You can't bring like drug-sniffing dogs, or like it's kind of low-tech, but you can't bring them to the porch to try to see what's going on.
So there is like this concept in criminal law,
where again we have constitutional protections.
And so I think it does make sense
that at the very least from a policy perspective,
you know, we should have higher, heightened expectations
about how these devices are going to treat our information
within the context of our own home.
And so I think that could certainly be an element of privacy legislation.
What about the idea of software updates and things like that?
I did a story a couple weeks ago about, I mean, this was hardware where it turned out
that there was a microphone in a Nest thing or whatever that no one knew about that they did.
But forget about that where it's like, oh, we hid a microphone.
Oh, by the way, we had an extra microphone in there.
But you can functionally do things with software now where if I buy a device,
and bring it into my home to do a thing,
and then via a software update,
it can end up doing something completely different down the road.
Is there anything in place to,
I guess I know the answer is there's nothing in place
to prevent that from happening?
I don't know, maybe.
I guess it depends on what it does.
But you can certainly make an argument that it could be deceptive
to fundamentally change the nature of the product.
Or as I said, you know,
the other general legal authority is unfairness, and there you're going to have to prove
it's been harmful, and the consumer can't avoid it.
And, like, you know, it's something like, you know, radically changes such that it does,
you know, deprive the consumer of the benefit of the bargain, and obviously they can't
avoid it because the software was, it didn't change remotely.
Then that you might be able to make the case.
So when I was at the, I was at the Federal Trade Commission before I picked this job,
And one of the cases that I worked on was it was a smart hub that Nest bought called Revolv.
And Nest bought Revolv, then Google bought Nest, and Google's probably like, we've got too many hubs here.
And so they just shut down server support for it.
And so like this thing that people paid $250 for, it suddenly was like a brick, a paperweight.
Right.
There's a lot of that been happening lately.
There was a story recently about like those $800 robots that all of a sudden the company shut down.
They shut it down from the server like it became a paperweight.
That's right.
And so in that case, the FTC sent a letter saying, like, okay, because you are issuing full refunds to everyone who did this, and you're sending out notice to everyone, we're not going to bring a case.
But I think the implication being that, you know, maybe if they didn't do that, right, then maybe it would potentially violate the law.
And so certainly if you sell someone something for $800 the next day, you know, they make, they snapped their fingers like Thanos and it just shut it down.
I would argue that that's probably prohibited by existing law.
You could, again, it's deceptive, but you sold someone something,
and then they're not getting what they paid for.
Then query, you know, where the line is, right?
You know, is someone required to issue, like, security updates
to a smart toaster for 40 years, like, probably not?
But, you know, where's the line?
And I think, you know, that's a place where consumer expectations are, people are behind them.
I don't actually there are expectations.
Certainly, but legal norms are being developed.
But it's something that I think, you know, if you buy something, there has to be some reasonable expectation that it's going to work for like some natural life of the product.
But I think there's just not a lot of like understanding of what those norms and legal requirements are.
Okay, I'm not going to,
this is a little unfair.
I'm not going to ask you
to be,
like, all right, solve all the problems for us.
But are there two or three maybe simple, common sense,
like regulations or rules that we could put in place
that would help us in the area of either consumer privacy
or just even consumer rights and control over personal data?
Yeah, so I guess an easy one is around security.
And the FCC in some of the states have done a little bit.
I have tried to interpret the law to require a reasonable security,
but just passing a statute saying, you know, if you have a connected device or you have information, you know, something that could be misused, you know, you need to use reasonable security to safeguard either the information or prevent, like, a connected device from DDoSing someone.
You know, I think we've seen statutes get clear, close to that. I think that's an area where I can imagine Congress doing something.
And, you know, it's being pretty bipartisan. Privacy is a trickier piece. You know, I think one
element that I'd like to see in law is a kind of notion about data minimization. Like, you know,
just collect what you need for what the consumer is asking for, not, again, like in a smart home,
not just having a sensor on all the time because it might end up being interesting. But to kind of
just collect what's needed and keep around only as long as needed and only share it.
Right. Sorry to interrupt it, but I mean, like, it could be, this is what I'm saying.
I wasn't saying the horses are out of the door, but, and so screw everything in the past.
It's too late.
But I'm saying, like, now, what if you just passed a law that said, if I buy a speaker
that I intend to use primarily to stream music or whatever, that it can only collect the data that it needs to do that function
that I expected it was going to do when I brought it into my home.
Like, is that, as simple as that, is that something that's possible?
Yeah, no, I think, I think that would be reasonable.
And I think that, again, another case I worked on at the, at the FTC,
was around smart TVs that were, you know, trying to generate records about what you were watching.
And so the FTC brought a case against Vizio, which, you know, was a smart TV.
It worked well as a smart TV.
You can connect to Netflix and do lots of stuff with it.
But it was also like watching what you were watching and then phoning home and I think
potentially phoning the third party too about like the sort of stuff that you did.
And I don't know how much they're actually doing it or they were just reserving the rights
to doing it, but they were definitely collecting it.
And the FTC in that case said, and this is one of the cases where they use that that
unfairness authority.
They said, well, that is like harmful to have someone watching like, you know, what you're
watching is pretty sensitive stuff.
We obviously can't control it because they don't really know what's going on.
And so I'd love to see, you know, the FTC try to use that case and in similar cases against smart speakers or other folks who are like, again, turning sensors on, like totally unrelated to what I paid money for.
But if, you know, if they're not able to do that, then, yeah, I think seeing some new statute to reinforce, like, what reasonable expectations are when you buy a product would be a great idea.
Do we expect the FTC to bring some sort of hammer down on Facebook in the near future?
For specifically violating the consent decree?
That's right, yeah.
They had a consent decree from 2011 from a bunch of previous sins.
But the FTC is like, you know, under a huge microscope.
And again, like bipartisan criticism from like, you know, Blumenthal, Senator Dick Blumenthal from Connecticut, a relative liberal, and then we have a new, you know, Republican from Missouri, Hawley, who's, you know, saying FTC is asleep at the wheel.
And so, like, they know they have to get, like, a much bigger settlement than they've ever gotten in one of these cases.
And so, like, and I expect that they have the, and they know, you know, Facebook knows, like, we can't just, like, sign, like, you know, $15 million and we're done.
Like Facebook knows that's not in the cards.
So I expect it to see a pretty substantial fine, you know,
whether they can fundamentally reform Facebook,
whether they can get Facebook to agree to like stop watching everything I do,
not on Facebook.
I'm not sure they had a legal authority to do that.
But again, I think there will be pressure to try to get some fencing in
both Facebook's underlying data practices.
