Data as an instrument of war

jmcquate

Well-Known Member
Contributor
The best method to protect PII is not to have it. Much of the PII that is maintained is not needed to perform the mission for which it is being requested.
 

Pags

N/A
pilot
The US government just closed down a sizeable piece of the gun industry (bump stocks) overnight. People lost jobs and lost products, sure, but society said it wasn’t worth the risk of misuse. The US government can similarly close down the sale or transfer of user data overnight, if we so choose.

Your IMEI does not need to be connected to your home address, grocery store purchase history, and current precise geolocation. Nobody needs that data (outside of law enforcement with a warrant) and you sure as shit should be able to have some say in the matter of whether it’s sold for profit without your awareness/consent, which happens all the time today.

Tech companies might claim that user data is free speech - but that’s baloney. I would alternately claim that your private information is trademarked to you, and that selling it without your consent is infringement on your rights and constitutes piracy of your personal data (and Congress should codify it as such).
Bump stocks were shut down due to a clearly articulated risk/perceived risk (whether or not that risk is real isn't germane here) and FDIC protections were put in place due to issue (realized risk) from runs on the banks. Not familiar enough to know if vaults are required by FDIC, since banks with vaults predate FDIC I'd say that's just part of the standing bank business model. Banks that leave your money and valuables out in the open won't be in business long as folks would go to banks that have an optic of more security.

All that said I still haven't seen a real risk of all this stuff being out there other than "I don't like it." What is the risk to the average American that you're trying to prevent? If it's the risk of the "top 25" being known then perhaps we should just focus on scrubbing them from the data. Or not publish the president's address (if the pres was a vet, I wonder if he/she'd get VA IRRL mailers at the White House?) or to not have live press engagements from known locations.

I'm also not sure if the things that make up your personal "digital twin" really belong to you. I'd be willing to bet that the telecom companies see them as being part of their proprietary infrastructure and something you have to have to play. Sure, they could keep it under lock and key if there were a federal law but I don't see the issue we're trying to solve. At the end of the day, the world needs easy access to your digital twin to work; mail, email, IP address, etc are all needed to make those systems work.
 

Flash

SEVAL/ECMO
None
Super Moderator
Contributor
The best method to protect PII is not to have it. Much of the PII that is maintained is not needed to perform the mission for which it is being requested.

I don't think that is realistically possible in today's world, and even for those that minimize their PII exposure data breaches from the health insurance industry to the OPM doom many of those attempts when it comes to nation-states looking for data.
 

Pags

N/A
pilot
I don't think that is realistically possible in today's world, and even for those that minimize their PII exposure data breaches from the health insurance industry to the OPM doom many of those attempts when it comes to nation-states looking for data.
At the end of the day PII is inescapable. There will always be a need to correlate you as a person to a database. Technically, if I have an xls office roster with your name on it, the row and column that you're in is now PII.
 

Brett327

Well-Known Member
None
Super Moderator
Contributor
The US government just closed down a sizeable piece of the gun industry (bump stocks) overnight.
Dude, bump stocks aren't a sizeable piece of the gun industry. That statement is ridiculous on its face. It's a niche within a niche.
Unlike bump stocks, the trade in personal data is ubiquitous, global and unregulatable. When the USG declares victory in ending the online piracy and illegal trade of intellectual property like music and movies, give me a call. I mean, we have laws like DMCA, so that has eliminated all IP piracy, right? No? Well at least it has made it harder for piracy to occur. Oh wait, that's also not true.
 

Hair Warrior

Well-Known Member
Contributor
Dude, bump stocks aren't a sizeable piece of the gun industry. That statement is ridiculous on its face. It's a niche within a niche.
Ok. How about lead pipes for plumbing, lead based paint, and certain pesticides. All outlawed once we found out how dangerous they were.
Unlike bump stocks, the trade in personal data is ubiquitous, global and unregulatable.
It’s definitely regulatable. Congress can pass laws and federal agencies can implement regs. California and the EU have already done so. Just because something is hard doesn’t mean we should accept defeat and not try at all, if the cause is worthy.
 

Hair Warrior

Well-Known Member
Contributor
At the end of the day, the world needs easy access to your digital twin to work; mail, email, IP address, etc are all needed to make those systems work.
I’m not proposing that companies can’t collect and store that data, for your use. What I’m suggesting is that Facebook doesn’t need to share user data across Instagram and WhatsApp for ad targeting, and that the three of them don’t need to make money off selling your data to third parties. If that means we all have to start paying $3/mo for a Facebook acct, I’m ok living in that world.

If anyone is wondering how China was able to squash Hong Kong protests so easily, they did it by connecting people and places with online accounts and smart devices. That may not matter today to your average American in Townville USA, but it will matter in the next peer conflict. And it will facilitate the ongoing dictatorships in Russia and China who can exploit it to secure their regimes.
 

taxi1

Well-Known Member
pilot
I remember way back when I had my SSN printed on my checks. Saved me from having to constantly write it on there.

Now I'm supposed to protect it like it's the crown jewels, or pay the credit union for insurance to protect me from identity theft when they give my money to someone other than me (that was an interesting conversation with the NFCU worker that day).

HairWarrior, I’m with you. When PII is lost by a company, there should be a massive price to pay. Companies should go under that allow it to happen. Shoot a few in the head, and you get everyone’s attention.
 

SlickAg

Registered User
pilot
I’m not proposing that companies can’t collect and store that data, for your use. What I’m suggesting is that Facebook doesn’t need to share user data across Instagram and WhatsApp for ad targeting, and that the three of them don’t need to make money off selling your data to third parties. If that means we all have to start paying $3/mo for a Facebook acct, I’m ok living in that world.

If anyone is wondering how China was able to squash Hong Kong protests so easily, they did it by connecting people and places with online accounts and smart devices. That may not matter today to your average American in Townville USA, but it will matter in the next peer conflict. And it will facilitate the ongoing dictatorships in Russia and China who can exploit it to secure their regimes.
I don’t think you understand. Russia isn’t a threat and hasn’t been a threat. Same with China. Besides, things are going to be different starting in January. You should really watch the news more.
 

Pags

N/A
pilot
Ok. How about lead pipes for plumbing, lead based paint, and certain pesticides. All outlawed once we found out how dangerous they were.

It’s definitely regulatable. Congress can pass laws and federal agencies can implement regs. California and the EU have already done so. Just because something is hard doesn’t mean we should accept defeat and not try at all, if the cause is worthy.
Yeah, but you can replace lead with a different material. What you're proposing is more akin to outlawing plumbing.

I totally get the notion of why this stuff should be kept safe by companies but I don't see what you're saying working for the following reasons:
  1. The risk isn't there. The cases you mentioned are interesting for sure but aren't really applicable to the average American citizen. If you're concerned about hiding from the US Govt you probably shouldn't be working for them.
  2. We're not at war. Maybe turning this off would make sense for war but acting like we're at war when we're not will really limit certain sectors.
  3. Economic impact: billions of dollars are made selling your data. Those industries will lobby hard against this. Without any sort of actual risk to push back on them with I see them winning the argument.
  4. Punishing companies for losing your stuff won't work. It's already bad for business to lose your data. We don't punish banks if they get robbed.

Like I said, I understand the notion of why it's odd to have all your info out there. But it's always been out there. And it will still always be out there ripe for the plucking. And at some point, everyone has already willingly signed consent forms saying they all agreed to this. Maybe you didn't realize it but we all agreed to this. If you don't like it then don't have a bank account, a mortgage, a job, etc.
 

Hair Warrior

Well-Known Member
Contributor
Yeah, but you can replace lead with a different material. What you're proposing is more akin to outlawing plumbing.

I totally get the notion of why this stuff should be kept safe by companies but I don't see what you're saying working for the following reasons:
  1. The risk isn't there. The cases you mentioned are interesting for sure but aren't really applicable to the average American citizen. If you're concerned about hiding from the US Govt you probably shouldn't be working for them.
  2. We're not at war. Maybe turning this off would make sense for war but acting like we're at war when we're not will really limit certain sectors.
  3. Economic impact: billions of dollars are made selling your data. Those industries will lobby hard against this. Without any sort of actual risk to push back on them with I see them winning the argument.
  4. Punishing companies for losing your stuff won't work. It's already bad for business to lose your data. We don't punish banks if they get robbed.
Like I said, I understand the notion of why it's odd to have all your info out there. But it's always been out there. And it will still always be out there ripe for the plucking. And at some point, everyone has already willingly signed consent forms saying they all agreed to this. Maybe you didn't realize it but we all agreed to this. If you don't like it then don't have a bank account, a mortgage, a job, etc.
  1. I'm not concerned about the US. I have nothing to hide, and we have strong Constitutional protections. I'm concerned about Russia/China, and to a lesser extent, Iran/DPRK/nonstate actors.
  2. Yet. This would take a long while to do. There's no instant off-switch.
  3. I never said my opinion would be popular.
  4. I don't think they need to be punished for unintentionally losing data - especially if what they lose is encrypted at rest. I think there should be a law against companies intentionally selling it or trading it to third parties.
W/r/t signing consent forms, there are certain things you cannot consent to, no matter what the form says. For example, when you read a software EULA or really any legal document, there is always a clause that says the agreement cannot violate US law. Change the law, and consent forms will adapt or be unenforceable. You can't consent to something that is inherently unlawful - e.g. murder, slavery, buying votes/ voter suppression, etc. It's unenforceable in court no matter what any contract might say.

The EU has been moderately successful at getting tech companies to change their privacy practices globally. California has been highly successful at steering vehicle emissions standards to be greener. It may take a while, but I feel it's a worthy cause. Like seatbelts in cars.

I am fine having a bank account and a mortgage. I would rather not have my bank or mortgage lender selling my data to third parties, but it's no big deal to throw out the Pella window mailer for the 50th time. That is all less concerning to me, however, than smartphone user data being easily accessed by China and Russia. We all saw what happened in Hong Kong.
 

Brett327

Well-Known Member
None
Super Moderator
Contributor
Ok. How about lead pipes for plumbing, lead based paint, and certain pesticides. All outlawed once we found out how dangerous they were.

It’s definitely regulatable. Congress can pass laws and federal agencies can implement regs. California and the EU have already done so. Just because something is hard doesn’t mean we should accept defeat and not try at all, if the cause is worthy.
Feel free to address my IP analogy and how your proposed regulations would fare better.
 

Hair Warrior

Well-Known Member
Contributor
Feel free to address my IP analogy and how your proposed regulations would fare better.
Sure. Just because an unwanted behavior is hard to detect/prove/stop doesn’t mean we should make it legal. Intellectual property theft shouldn’t be legalized just because we have trouble stopping it. Insider trading of financial securities is notoriously hard to detect, prove, and stop from happening - but it’s still illegal, and it would be far more prevalent and harmful if it were to be legalized.
 

BigRed389

Registered User
None
Sure. Just because an unwanted behavior is hard to detect/prove/stop doesn’t mean we should make it legal. Intellectual property theft shouldn’t be legalized just because we have trouble stopping it. Insider trading of financial securities is notoriously hard to detect, prove, and stop from happening - but it’s still illegal, and it would be far more prevalent and harmful if it were to be legalized.

I think you might do better separating what seem to be the 2 different issues you're advocating to change:
  1. Encryption standards for personal data
  2. Curtailing the sale of personal data
There's also a weird larger discussion earlier about the Chinese kicking our asses but I'll table that for now.

#1 is probably much more easily achievable from a legal perspective. Simply telling (or "recommending") businesses with large volumes of consumer data encrypt their records to X or Y commercial standard isn't going to be hard. (In fact, pretty surprised that it already isn't - your reputable cloud storage service SHOULD already) Whether or not that is technically simple, I don't know. You already have some level of security to authorize you to access your data held by a company (passwords, 2 factor authentication) so having the company database encrypted as well doesn't seem to be too hard.

#2 is, as pointed out earlier, very difficult legally. Unless you can find a way to do it that isn't overly burdensome to international trade, you run the risk of creating a bigger problem (economic) to solve this issue. I would say this would actually be better as an international effort than a solely US one. If you get the US and our allies and closest global economic partners (ie enough of our friends with enough money to actually matter) to all agree to a standard of data transfer behavior to protect consumers, that puts everybody in the same boat and would also incidentally, isolate China. That said, that would take globalist oriented leadership which appears to be growing out of fashion in domestic politics.
 

Hair Warrior

Well-Known Member
Contributor
Parts 1, 2, and 3:
 