Is Your Home Listening to You?

When I was a teenager, science fiction books envisioned a future where people talked to their home to take care of mundane tasks. For somebody willing to spend the money on new appliances and devices that future is here today.

Just consider the Amazon Alexa voice assistant, which is installed in the largest number of devices. GE has built Alexa into its new stoves, refrigerators, wall ovens, dishwashers, washers and dryers, and air conditioners. Samsung has built Alexa into refrigerators, washers, dryers, air conditioners, and vacuums. Alexa is built into smart light bulbs, smart wall plugs, televisions, thermostats, smart door locks, security cameras, speakers, and numerous other devices. The chips and/or software to add Alexa to devices are getting cheap and it shouldn’t be long until the app is built into most electronics you might buy.

The convenience of talking to home devices is not without a cost, and companies like Amazon, Apple, and Google are listening to you through the devices. Like other voice assistants, Alexa listens all of the time waiting for a ‘wake word’ that activates the app. There are major privacy and security concerns related to the constant listening. We have to trust the company controlling the device not to listen to us all of the time because there is nothing stopping them from doing so.

Amazon swears they don’t listen or record except for a short period of time after the wake word is spoken. They also swear that they only preserve those recordings in an effort to improve Alexa’s responses to questions. If you are going to use Alexa in your home, you are trusting that Amazon is telling the truth. Back in 2017 Samsung got a huge black eye when they were unable to make that promise concerning their smart TVs.

The other big concern is hacking. There is zero chance that all of the companies making devices that include a voice assistant have iron-clad security. While Amazon really might not be listening to you, a hacker will surely be willing to do so.

To make matters even more uncomfortable, a lot of lawyers and privacy experts believe that if a person knowingly installs a device that listens and transmits information to a third party, that person has waived their Fourth Amendment privacy rights and any rights granted by the Electronic Communications Privacy Act. The concept has not yet been challenged in a court, but if it’s true, then people have no recourse against Amazon or anybody else using the information gathered from a voice assistant device.

My house has four Amazon Echos that we bought when the devices first hit the market. They are convenient and I use them to listen to music, check the weather or news, check the hours at stores or restaurants, and to make the occasional reminder in the middle of the night. My family has gotten uncomfortable with being listened to all of the time and we now unplug the devices when we aren’t using them. This kills all of the spontaneous uses of the devices, but for now, that feels safer than being listened to.

I’m going to be leery about buying any new household appliance that can listen to me. If I can’t disable the listening function, I’m not going to buy the device. It’s impossible to feel secure with these devices right now. It’s impossible to take the word of a big company that such devices are safe. You only have to look at the current experiences with the hacking of Ring cameras to know that smart home devices are currently anything but safe.

Small ISPs have never worried much about the devices that people hang off their networks. ISPs provide the bandwidth pipe, and how people use data has not been a concern for the ISP. However, that is slowly changing. I have a lot of clients that are now offering smart thermostats, smart security systems, and other smart devices as a way to boost revenue. ISPs need to be careful of any claims they make to customers. Somebody advertising safety for a smart security system might have liability if that system is hacked and the customer exploited.

Maybe I’m being overly cautious, but the idea of somebody I don’t know being able to listen to everything said in my house makes me uncomfortable. As an industry person who has been following the history of IoT devices, I’m even more uncomfortable since it’s now obvious that most smart home devices have lousy security. If you don’t think Amazon is listening to you, I challenge you to activate Alexa and say something vile about Jeff Bezos, then see how much longer it takes to get your next Amazon shipment. Go ahead, I dare you!

The Battle over DNS

One of the hottest topics in the computer world this year is the controversy over DNS-over-HTTPS (or DoH). DNS stands for Domain Name System and is the protocol that acts like the telephone directory for the web. DNS translates a domain name, such as ‘www.google.com’, into an IP address so that the request can be routed over the Internet. Every server reachable on the Internet has an IP address, and the DNS lookup is what lets a user’s device find the right one, in this example a Google server, before it opens a connection.

DNS is one of the oldest protocols on the Internet and hasn’t changed much since it was created. Domain name requests are sent in plain text (unencrypted UDP on port 53) to a resolver, which for most homes is run by the ISP. The resolver looks up the name, returns the IP address, and the user’s device then connects to that address. Anybody on the path, the ISP included, can read every name that is looked up.

DoH takes the ISP’s resolver out of the picture because the web browser initiates the DNS lookup itself. Currently, DoH is built into a few browsers such as Mozilla Firefox and Google Chrome, and most of the major browsers have plans to enable it. A web browser uses DoH to encrypt a domain name request inside an ordinary HTTPS connection and send it to a third-party DNS resolver. One caveat worth knowing: DoH hides the lookup, not the visit. The ISP still sees the IP addresses the user connects to and, for most sites, the server name sent in the TLS handshake.

Proponents of DoH cite several advantages of the new protocol. First, DoH stops ISPs from recording browser history – one of the biggest privacy concerns, since an ISP knows every web site visited. A user’s browser history reveals a huge amount of information. Of course, some new entity takes over the role of resolving DNS and could also build a browser history. Mozilla is using Cloudflare to resolve DNS queries, and Cloudflare says that it deletes all query logs every day. This same promise of privacy may not be true for all DoH providers, and users might want to think twice before choosing somebody like Google as their DoH resolver and letting it collect browser history.

DoH also stops man-in-the-middle tampering with DNS answers. That’s where somebody intercepts a DNS request, or forges the reply, and sends the user to a different web site. With plain UDP DNS the only things standing between a user and a forged answer are a 16-bit transaction ID and the source port; DoH wraps the exchange in TLS so a forged reply can’t be slipped in between the user and the resolver. There have been cases in the past where viruses rerouted user traffic to specific web sites to stimulate web usage. Other schemes have rerouted traffic to fake banking or shopping sites to try to coax credit card or account numbers out of users. Note that DoH only protects the path to the resolver; it doesn’t vouch for the resolver itself, so the trust moves to whoever operates it.

DoH also makes it harder for ISPs to engage in targeted advertising. This is something the big ISPs have been eyeing as they try to chip away at the huge advertising revenues earned by Google and Facebook. One of the most interesting benefits of DoH is that it makes it harder for authoritarian regimes to track the web activity of dissidents.

DNS-over-HTTPS is not the only alternate encrypted DNS protocol; web companies are also deploying DNS over TLS (DoT), which sends the same DNS messages directly over a TLS connection on a port of its own (853). The practical difference is that DoT traffic is easy to identify and block by port, while DoH is indistinguishable from ordinary web traffic on port 443. Over time, the safest alternate protocol will likely prevail, but the goal of both of these new protocols is to encrypt the DNS exchange to make it safer, with a secondary goal of improving privacy.
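To make the last four paragraphs concrete, here is a small added example (my own code, not part of the original post or of any browser or resolver). It builds a plain DNS query in the RFC 1035 wire format, shows how the identical message is carried by DoH (base64url in a ?dns= URL parameter, RFC 8484) and by DoT (a 2-byte length prefix over TLS, RFC 7858), parses a constructed resolver reply, and implements the one spoofing check that plaintext UDP DNS has: the reply must echo the transaction ID and the question. The resolver URL, the IP addresses and every packet are constructed for illustration.

```python
import base64
import struct

# Added example (not from the original post). Everything below is constructed:
# the resolver URL is hypothetical and the replies are built locally, offline.
TYPE_A = 1
CLASS_IN = 1

def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """Recursive query (RD=1). Header words: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def doh_get_url(query: bytes, resolver_url: str) -> str:
    """DoH GET (RFC 8484): the raw message, base64url without padding, in ?dns=.
    On the wire this is ordinary HTTPS to port 443, so it blends in with web traffic."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"

def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858): the same message with a 2-byte length prefix, sent over TLS
    to port 853. Encrypted, but recognisable (and blockable) by its port."""
    return struct.pack("!H", len(query)) + query

def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:  # a hostile reply can chain pointers in a loop
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_response(msg: bytes):
    """Return (txid, [(qname, qtype)], [(name, rtype, ttl, rdata_text)])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return txid, questions, answers

def response_matches_query(query: bytes, response: bytes) -> bool:
    """All plaintext UDP DNS can check: the 16-bit ID and the question must echo the
    query (the kernel also matches the source port). An on-path attacker who sees the
    query satisfies this trivially; DoH/DoT put the exchange inside TLS instead."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, end = decode_name(query, 12)
    qtype = struct.unpack("!H", query[end:end + 2])[0]
    rid, questions, _ = parse_response(response)
    return rid == qid and questions == [(qname, qtype)]

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echoes the question, then one A record whose owner
    name is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rr

if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print(doh_get_url(q, "https://doh.example/dns-query"))  # hypothetical resolver URL
    print("DoT frame:", dot_frame(q).hex())
    good = build_response(q, "203.0.113.10")
    forged = build_response(build_query("www.example.com", txid=0x9999), "198.51.100.7")
    print(parse_response(good), response_matches_query(q, good), response_matches_query(q, forged))
```

The point of response_matches_query is to show how thin the defence is for plaintext DNS: anybody who can watch the query on the wire (the ISP, or a compromised router) knows the ID and the question and can answer first. DoH and DoT don’t make that check stronger; they make it unnecessary for the hop to the resolver by encrypting the whole exchange. What neither does is tell you whether the resolver’s answer is honest, which is a separate problem (DNSSEC) and the reason the choice of DoH provider matters.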

Many big ISPs clearly hate the alternate DNS schemes since they lose access to customer browsing history. Vice recently reported about a big lobbying effort by Comcast to convince lawmakers to disallow DoH. The protocol is causing controversy in Great Britain where ISPs are required to block pornography unless a user specifically allows it. For now, Mozilla does not offer DoH in Great Britain, but there will be no easy way to stop it after it gets built into the core Android browser and other ubiquitous platforms. Corporate IT staff are also worried about DoH because it bypasses the DNS-based filtering and logging many networks rely on, which makes it more difficult to track employees visiting social media during work hours or browsing dangerous parts of the dark web. (Mozilla does give managed networks a way out: if the local resolver answers NXDOMAIN for the canary domain use-application-dns.net, Firefox leaves DoH off.)

There will be more public discussion about DoH routing as more web browsers include the protocol. Before the dust settles there is likely to be an ongoing tug-of-war between big ISPs, big web companies, and users as the public demands privacy.

Are You Paying to Spy on Yourself?

Geoffrey A. Fowler of the Washington Post recently engaged a data expert to track everything going on behind the scenes with his iPhone. What he found was surprising since Apple touts itself as a company that doesn’t invade user privacy. The various apps on his phone were routinely handing out his personal data on a scale that shocked him.

Fowler’s information was being gathered by trackers. This is software built directly into apps and is different from the ad tracking cookies that we pick up from web sites. App makers deliberately build trackers into apps and a user can’t get rid of them without getting rid of the app.

Most apps on his phone had these trackers. That included apps like Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post, and the Weather Channel. Some apps came with numerous trackers. He had a food delivery service called DoorDash that included nine separate trackers. Third parties must be paying to share app space because the DoorDash app included trackers for Facebook and Google – those two companies know every time that app is used to order food.

Almost none of these apps disclosed the nature of what they were tracking. When first loaded, most apps ask for somewhat generic permission to collect certain user data but don’t disclose the frequency and the extent to which they will gather data from a user.

This issue has relevance beyond privacy concerns because the apps on Fowler’s phone could collectively use as much as 1.5 gigabytes of data per month on his phone. Industry statistics show that the fastest-growing segment of Internet traffic is machine-to-machine communication, and these app trackers make a significant contribution to that traffic. Put bluntly, a lot of machine-to-machine traffic is either being used to back up files or to spy on us.

This has to be concerning to people who are still on measured cellular data plans. This unintended usage can cost real money and a user can end up paying to have trackers spy on them. Our cellphones are generating broadband usage without our knowledge, and mostly without our explicit permission. I’ve had months where I’ve barely roamed with my cellphone and still have seen more than a gigabyte of usage – I now understand where it’s probably coming from.

PCs and tablets have the same problems, with the data tracking coming more from marketing cookies that are loaded when we visit web sites. I scrub these cookies from my computer routinely. My desktop is only used for work and I still find 40 – 100 cookies every week. One of my blogs last year mentioned a guy who had gone on vacation for a month and was shocked when he returned and discovered that his home network had used several gigabytes of data in his absence.

There are ways to block the trackers on your phone, but this mostly involves deleting apps or turning off permissions in your privacy settings, and that largely means the apps won’t work. You can also take steps to disguise your data by passing everything through a VPN, but that only hides the traffic from your carrier; it doesn’t stop the data from being transmitted to the trackers.

The phone manufacturers are complicit in this tracking. I just got a new Samsung Galaxy and my new phone came with over 300 apps – most for services I don’t use like Facebook, Spotify, and a ton of others. These various companies must have paid Samsung (or perhaps AT&T) to include their apps and their trackers. I’ll be spending a few days deleting or disabling most of these apps. I find it creepy that Facebook follows me even though I stopped using the site several years ago. And unlike when I download a new app, I didn’t have the opportunity to allow or deny permission to the many apps on my new phone – I assume AT&T gave that permission.

It might be a generational thing, but it bothers me to have companies reaping my personal data without my permission, without disclosing what they are gathering, and how they are using it. I know young people who are not bothered by tracking and assume that this is just a part of being connected.

The other big concern is that the tracking apps are contributing to the capacity problems on cellular networks. I just saw last week that the average US cellphone now uses about 6 GB of data per month. If trackers are pushing out even half a gigabyte per month, that is a significant contributor to swamped cellular networks. Cellphone companies are working furiously to keep ahead of the demand and it must be maddening to cellular network engineers to know that something like 10% – 20% of network usage is being created behind the scenes by app trackers and not by actions taken by users.

In an ideal world, this is something regulators would be investigating to establish rules. Apps like DoorDash shouldn’t be allowed to install a Facebook tracker on your phone without asking for specific and explicit permission. All trackers should have to disclose the exact information they gather about a user and the frequency of that tracking. Unfortunately, this FCC has walked away from any regulatory role in this area. Congress could address the issue – something that European regulators are considering – but this doesn’t seem to be high on anybody’s radar.

A Corporate Call for Privacy Legislation

Over 200 of the largest companies in the country are proposing a new set of national privacy laws that would apply to large companies nationwide. They are pushing to have this considered by the upcoming Congress.

The coalition includes some of the largest companies in Silicon Valley like Apple and Oracle, but it doesn’t include the big three of Facebook, Google and Amazon. Among the other big businesses included in the group are the largest banks like Bank of America and Wells Fargo, big carriers like AT&T and big retailers like Walmart.

As you might expect, a proposed law coming from the large corporations would be favorable to them. They are proposing the following:

  • Eliminate Conflicting Regulations. They want one federal set of standards. States currently have developed different standards for privacy and for issues like defining sensitive information. There are also differing standards by industry such as for medical, banking and general corporations;
  • Self-regulation. The group wants the government to define the requirements that must be met but don’t want specific methodologies or processes mandated. They argue that there is a history of government technical standards being obsolete before they are published;
  • Companies Can Determine Interface with Consumers. The big companies want to decide how many rights to give to their customers. They don’t want mandates for defining how customer data can be used or for requiring consumer consent to use data. They don’t want mandates giving consumers the right to access, change or delete their data;
  • National Standard for Breach Notification. They want federal, rather than differing state rules on how and when a corporation must notify customers if their data has been breached by hackers;
  • Put the FTC in Charge of these Issues. They want the FTC to enforce these laws rather than state attorneys general;
  • Apply the Laws Only to Large Corporations. They don’t want rigid new requirements on small businesses that don’t process much personal data.

There are several reasons big companies are pushing for legislation. There are currently different privacy standards around the country due to actions brought by various state attorneys general and they’d like to see one federal standard. But like most laws the primary driver behind this legislation is monetary. Corporations are seeing some huge hits to the bottom line as a result of data breaches and they hope that having national rules will provide a shield against damages – they hope that a company that is meeting federal standards would be shielded from large lawsuits after data breaches.

I look at this legislation both as a consumer and as somebody working in the small carrier industry. With my consumer hat on there are both good and bad aspects of the proposed rules. On the positive side a set of federal regulations ought to be in place for a complex issue that affects so many different industries. For example, it is hard for a corporation to know what to do about a data breach if they have to satisfy differing rules by state.

But the negatives are huge from a consumer perspective. It’s typical political obfuscation to call this a privacy law because it doesn’t provide any extra privacy for consumers. Instead it would let each corporation decide what they want to disclose to the public and how companies use consumer data. A better name for the plan might be the Data Breach Lawsuit Protections Act.

There are also pros and cons in this for small carriers. I think all of my clients would agree that we don’t need a new set of regulations and obligations for small carriers, so small carriers will favor the concept of excusing smaller companies from some aspects of the regulations.

However, all ISPs are damaged if the public comes to distrust ISPs because of the behavior of the largest ISPs. Small ISPs already provide consumer privacy. I’ve never heard of a small ISP that monitors customer data, let alone one that is trying to monetize their customers’ data. Small ISPs are already affording significant privacy rights to customers compared to the practices of AT&T, Verizon or Comcast who clearly view customer data as a valuable asset to be exploited rather than something to protect. The ISP industry as a whole would benefit by having rules that foster greater customer trust.

I’m not sure, however, that many small ISPs would automatically notify customers after a data breach – it’s a hard question for every corporation to deal with. I think customers would trust us more if there were clear rules about what to do in the case of a breach. This proposed law reminds me that this is something we should already be talking about because every ISP is vulnerable to hacking. Every ISP ought to be having this conversation now to develop a policy on data breaches – and we ought to tell our customers our plans. Small ISPs shouldn’t need a law to remind us that our customers want to trust us.

Small ISPs and the Internet Bill of Rights

Recently Ro Khanna, a California Congressman, worked with some of the biggest thinkers in Silicon Valley to develop what he’s calling an Internet Bill of Rights – the document included at the end of this blog. This Bill of Rights lays out the basic privacy rights that users most want out of the Internet.

This document is possibly the start of the process of discussing regulation for the big Internet companies – something that doesn’t exist today. Currently the Federal Trade Commission theoretically can pursue web companies that rip off the public and the Justice Department can tackle monopoly abuses – but otherwise the web companies are not regulated.

It’s becoming increasingly clear in the last few years that web companies have grown to the size where they value profits first, and any principles that were loosely followed in the early days of the Internet are long gone. There are constant headlines now declaring abuses by web companies. Recent Congressional hearings made it clear that the big companies are misusing customer data – and those hearings probably barely uncovered the tip of the iceberg.

The European Union has begun the process of trying to reel in some of the biggest abuses of the web companies. For example, web companies in Europe now have to disclose to users how they intend to use their data. In this country we’re starting to see sentiment from both Democrats and Republicans that some level of regulation is needed.

It won’t be easy to regulate the big web companies, which are now gigantic corporations. I read recently that there are now more lobbyists in DC working for web companies like Facebook and Google than work for the big telcos and ISPs. There will be a major pushback against any form of regulation and it would obviously require a significant bipartisan effort over many years to create any worthwhile regulations.

My guess is that the public wants some sort of protection. Nobody wants their data released to the world through data breaches. Most people want things like their medical and financial records kept private and not peddled between big companies on the web. Almost everybody I know is uneasy with how the big web companies use our personal data.

I think this creates an opportunity for small ISPs. There are aspects of this Bill of Rights that the big ISPs will oppose. They are clearly against net neutrality. All of the big ISPs have purchased companies to help them better mine customer data – they obviously want to grab a slice of the money being made by Google and Facebook off user data. The big ISPs are likely to fight hard against regulation.

It’s virtually impossible for small ISPs to violate any of these principles. That creates an opportunity for small companies to differentiate themselves from the big ISPs. I think small ISPs need to tout that they are for net neutrality, that they value customer privacy and that they will never misuse customer data. I have a few clients that do this, but very few make this one of the key ways to differentiate themselves from the big ISPs they compete against.

I strongly recommend giving this some thought. Supporting consumer data rights can be made a key part of small ISP advertising. Some statements akin to the Internet Bill of Rights can be made prominent on web sites. These concepts should be prominent in your terms of service. These are concepts your customers will like and it shouldn’t be hard for any small ISP to embrace them.

Internet Bill of Rights

The internet age and digital revolution have changed Americans’ way of life. As our lives and the U.S. economy are more tied to the internet, it is essential to provide Americans with basic protections online.

You should have the right:

(1) to have access to and knowledge of all collection and uses of personal data by companies;

(2) to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;

(3) where context appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;

(4) to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;

(5) to move all personal data from one network to the next;

(6) to access and use the internet without internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;

(7) to internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;

(8) to have access to multiple viable, affordable internet platforms, services and providers with clear and transparent pricing;

(9) not to be unfairly discriminated against or exploited based on your personal data; and

(10) to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

The Dawson Internet Act of 2018

A few days ago I wrote that we are not likely to get any significant telecom legislation this year. That’s unfortunate because we really need a major new Act to update all of the regulatory rules concerning broadband, telephone and cable TV. That got me thinking what I might write into such an act if I was the author, so following are the highlights of the envisioned Dawson Internet Act of 2018 (it’s time we stop calling this the telecom industry):

Cable TV. It’s time to scrap all requirements that dictate cable tiers. Cable companies need to be able to offer whatever channels they think make economic sense, including offering a la carte channels, if that’s what the public wants. I’d also scrap the must-carry rules for major network stations. The retransmission costs for those channels are one of the primary culprits for rate increases and removing the requirement to carry channels will return cable companies to a position of fair bargaining for price since they could walk away from any local station that wants too much.

Telephone. Other than a few rules that govern customer privacy I’d totally scrap federal regulations for landline service. I’d eliminate the CLEC classification and deregulate traditional telephone and VoIP equally to put the products on a non-regulated level playing field. I think I would retain the historic monopoly service territories, although I’d have to give that a lot more thought.

Interconnection. I’d keep the mandate that network owners must continue to interconnect with other carriers. They can’t be allowed to shut out a competitor by refusing to give them access to the underlying backhaul networks. But since I would eliminate the CLEC status, the big network owners need to be required to interconnect with anybody who meets specified technical standards.

ETC Status. Today a company must become an Eligible Telecommunications Carrier in order to participate in Universal Service Funds or other federal funding programs. I’d eliminate this requirement because it’s nothing more than a paperwork barrier to market entry. The current rules also disallow certain types of providers, such as owners of open access networks, although customers almost universally prefer that operating model.

Broadband. The FCC needs to regulate broadband, even if they elect to regulate it lightly. Congress can mandate this and get rid of the nonsense of trying to make broadband fit under Title II and just explicitly give the FCC the authority and obligation to regulate it.

Network Neutrality. I would make network neutrality the centerpiece of broadband regulation. The most important aspect of network neutrality is prohibiting paid prioritization – because once the ISPs start doing that all of the nightmare scenarios of a broken Internet emerge.

Spectrum. I think the FCC is already on a good path to free up spectrum for broadband. But I think they are missing the boat by not providing more spectrum for public access. One only has to look at the huge economic boom created by WiFi to see that giving all spectrum to big monopolies is not the best answer. I’d also make a firmer use-it-or-lose-it rule for rural spectrum. A huge amount of spectrum sits unused in rural America but is still under control of the big carriers who purchased large-area licenses. Finally, rather than turn spectrum auction proceeds over to the US Treasury I’d redirect these revenues towards meeting universal service goals.

Universal Service. I’d maintain the requirement that the FCC monitor broadband connectivity and require them to try to find solutions for areas without good broadband. I’d also prohibit them from funding any broadband programs like CAF II that support technologies that are slower than the federal definition of broadband. I’d also mandate an ongoing process for defining the official speed of broadband.

Privacy. I like what I’m reading about the European Union privacy rules. They are allowing ISPs and others to monitor and track customers only with customer consent. That will allow people who care about privacy to maintain it while allowing others who choose to sacrifice privacy for services to allow tracking. The penalties for violating customer privacy must be economically severe.

Municipal Broadband. I’d eliminate all barriers to municipal competition. Local communities ought to be able to decide themselves if they want to tackle the risk of building broadband. This is particularly needed in rural America where, in many cases, the local government might be the only one willing to tackle funding a network.

Access to Poles, Ducts and Dark Fiber. I’d make these assets available to anybody that can meet technical standards to use them. I’ve still not decided how I feel about federal one-touch rules, but I’d have the FCC institute a major rulemaking to get more facts on the issues involved.

I’m sure everybody in the industry has a different list than mine. I remember all of the discussions and negotiations leading up to the Telecommunications Act. That Act took some political bravery since Congress was taking on the big telcos for the greater public good – and that Act did a fairly good job of promoting competition. But I don’t see this same courage in Washington today and most of the topics on my list are sadly not even being discussed.

Who Owns Customer Data?

Our homes are starting to get filled with Internet-enabled devices. I recently looked around my own home, and in addition to the expected devices like computers, printers, tablets and smartphones we have many other devices that can connect to the Internet. We have a smart TV, an eero WiFi network, three Amazon Echos, several fitness trackers, and a smart watch. Many homes have other Internet-connected devices like smart burglar alarms, smart thermostats, smart lighting and even smart major appliances. Kids can have smart toys and game consoles these days which have more computing power than most PCs.

Every one of these devices gathers data on us and a good argument can be made that we are all being spied on by our devices. Each device witnesses a different part of our lives, but add them all together and they paint a detailed picture of the activity in your home and of each person living there.

There are numerous examples of companies that we know are using our data:

  • Last year it was reported that iRobot, the maker of the Roomba, was considering selling the detailed maps of home layouts its vacuums build to other companies.
  • The year before we found out that Samsung smart TVs were capable of listening to conversations in our living rooms and also had backdoor connections to the Internet.
  • There has been an uproar about smart talking toys that not only interact with kids but also listen and essentially build profiles on them.
  • Devices like smartphones, tablets and computers come with software that is aimed at gathering data on us for marketing purposes. This software generally is baked in and can’t be easily removed. Some companies went even further: Lenovo shipped laptops with the Superfish adware, which installed its own root certificate so that it could intercept users’ encrypted web traffic and inject ads from vendors willing to pay.
  • Buyers of John Deere tractors found out that while they own the tractor they don’t own the software. The company penalizes customers who try to repair their tractor by anybody other than an authorized John Deere repairperson.

Probably the most insidious result of all of this spying is that there are now data brokers who gather and sell data that can paint a detailed profile of us. These data profiles are then used to market directly to us or are sold to politicians who can target those most sympathetic to their message. It’s also been reported that smart criminals are using this data to choose victims for their crimes.

I’m sure by now that everybody has searched for something on the web, and then noticed that for the next few weeks they are plastered with ads trying to sell them the subject of their search. This happened to me a few years ago when I was looking at new pick-up trucks on the web. But today this goes a lot farther and people complain about getting medical ads after they have searched the web about an illness.

To make matters worse, we have a government regulatory policy in this country that benefits the corporations that are spying on us. Last year Congress passed privacy rules that let ISPs and anybody else gathering raw digital data off the hook. There are essentially no real privacy rules today. Data privacy is now under the purview of the Federal Trade Commission. They might intervene in a particularly egregious case of invasion of privacy, but their rules are not proactive and can only be used to fine companies that have already broken the rules. Unless fines grow to be gargantuan it’s unlikely that the FTC will change many of the worst practices using our data.

The European Union is in the process of enacting rules that will clamp down on data gathering. Their rules, which go into effect in a few months, will require that customers agree to being monitored. That is great in concept, but my guess is that it’s going to take a decade of significant fines to get the attention of the companies that gather our data. Unless the fines are larger than the gains from spying on people, companies will continue to monitor us, and they will just work harder to hide evidence of spying from the government.

I think there are very few of us who don’t believe our data should belong solely to us. Nobody really wants outsiders knowing about their web searches. Nobody wants unknown companies tracking their movement inside their homes, their purchases and even their conversations. But for now, the companies that are gathering and using our data have the upper hand and are largely free to do nearly anything they want with our data.

The New European Privacy Standards

It’s worth keeping an eye on the new European privacy standards that go into effect in May. Titled the General Data Protection Regulation (GDPR), the new rules provide significant privacy protection for European Union citizens. The new rules are required for all companies doing business in the EU, so that means they apply to the majority of web companies operating in the US. The GDPR rules also apply to brick and mortar companies that collect customer data, like banks and doctors. The privacy rules apply to companies that collect data directly from customers (data controllers) as well as any secondary companies that process that data (data processors). Interestingly, under the new rules a data controller is responsible for knowing what data processors do with the data it provides to them.

The major basis for the new rules is that consumers own and have control of their own data, and companies can only use data if there is at least one lawful basis for doing so. The lawful bases include:

  • A consumer gives specific permission to use personal data for one or more specific purposes;
  • Processing the data is necessary to meet a contractual arrangement with a consumer;
  • Processing the data is necessary to meet a legal obligation which applies to the consumer;
  • Processing is necessary to protect the vital interests of the consumer or some other natural person;
  • Processing is allowed for the performance of a task carried out in the public interest, such as by the government;
  • Processing is necessary to pursue legitimate interests of the data controller or a third party.

For the most part the new laws require consumers to give explicit consent to use their data, including the specific purpose for the use. Just like in the US, there are provisions for law enforcement to gain access to customer data through subpoena or court order.

Larger companies are expected to create the position of Data Protection Officer who is tasked to make sure that all parts of a company are compliant with the law. As you might expect, meeting these requirements is a major change for many companies and there has been a two-year transition period leading up to the May implementation.

The new law also changes the way that companies store customer data to minimize the impact of data breaches. For example, companies are encouraged to store data in such a way that the stored data cannot be attributed to a specific person without the use of additional data. The law calls this pseudonymisation, which means encrypting stored data and storing it in a manner that makes it hard for an outsider to use. For example, a company would not store things like a social security number, date of birth, address and email address all in the same record.

The law has teeth and allows for fines up to 4% of the worldwide revenues of a business for massive violations of the rules. The expectation is that a few serious fines will probably have to be levied before most companies get serious about following the new rules.

Overall this law creates a drastic change in the handling of customer data. Companies will not be allowed to mine and sell customer data without specific customer approval. It seems to particularly discourage the practice of selling data to brokers who can then use the data in any manner they choose. In this country companies like Google and Facebook make huge revenues from data mining and the big ISPs are now leaping into this same business line. In Europe this is going to greatly restrict the value of selling customer data.

This new law is worth following since the big web companies that are so predominant in this country are going to be complying with the new rules. This means it would be relatively easy at some point to require similar rules here concerning customer data.

The GDPR data storage rules also have the purpose of limiting the value of data breaches. If we see a great reduction in damaging hacking in the EU because of this law, then companies here might begin following the EU recommended data storage methods even if the privacy rules are never implemented here. Some of the most damaging hacks we’ve seen here are when a hacker gets records that provide multiple data points for a given customer. If a hacker can’t use the data to put together a coherent picture of a given customer then the value of a breach is greatly reduced.
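The storage approach described in the two paragraphs above (identifying fields kept apart from the rest of the record, so that a breach of one store does not yield a coherent picture of a customer) can be shown concretely. The following is an added example written for this page; it is not code from the article, and GDPR itself prescribes no particular scheme. It assumes a business that needs analytics over customer attributes and occasionally needs to look a customer up by email. Identity fields go into a separate vault under a random token, the analytics store keeps only the token and non-identifying attributes, and a keyed (HMAC) blind index lets the business find a customer's token without the index itself exposing emails. The sample customers and field names are constructed for the example.

```python
"""Pseudonymisation by record splitting (added example, not from the article).

Identifying fields go into a separate vault under a random token; the
analytics store keeps only the token plus non-identifying attributes, so a
copy of the analytics store alone contains no record tying a name, SSN,
date of birth, address and email together.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields that, alone or combined, identify a person. Anything else stays in
# the analytics store. (Assumed field names, chosen for this example.)
IDENTIFYING_FIELDS = ("name", "email", "dob", "ssn", "address")

# Constructed sample customers (fictional values, not real people).
SAMPLE_CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.test", "dob": "1980-02-29",
     "ssn": "000-00-0001", "address": "1 Example Way", "plan": "gold", "zip3": "021"},
    {"name": "Bob Sample", "email": "bob@example.test", "dob": "1975-07-04",
     "ssn": "000-00-0002", "address": "2 Sample St", "plan": "basic", "zip3": "941"},
    {"name": "Cy Placeholder", "email": "cy@example.test", "dob": "1990-11-11",
     "ssn": "000-00-0003", "address": "3 Placeholder Rd", "plan": "gold", "zip3": "021"},
]


@dataclass
class PseudonymisedStore:
    # Secret for the blind lookup index. It is the "additional data" needed to
    # attribute records, so it lives with the vault, never with the analytics
    # store. A plain unkeyed hash of an email or SSN would not do: those
    # inputs have so little entropy that guesses can be hashed and matched.
    index_key: bytes
    analytics: dict = field(default_factory=dict)  # token -> non-identifying attrs
    vault: dict = field(default_factory=dict)      # token -> identifying attrs
    lookup: dict = field(default_factory=dict)     # blind index -> token

    def _blind(self, email: str) -> str:
        """Keyed hash of a normalised email, used only as a lookup key."""
        return hmac.new(self.index_key, email.strip().lower().encode(),
                        hashlib.sha256).hexdigest()

    def ingest(self, record: dict) -> str:
        """Split one raw customer record across the vault and analytics store."""
        token = secrets.token_urlsafe(16)  # random, derived from no identifier
        self.vault[token] = {k: record[k] for k in IDENTIFYING_FIELDS}
        self.analytics[token] = {k: v for k, v in record.items()
                                 if k not in IDENTIFYING_FIELDS}
        self.lookup[self._blind(record["email"])] = token
        return token

    def token_for(self, email: str):
        """Token for a known customer, or None; needs index_key, not the vault."""
        return self.lookup.get(self._blind(email))

    def reidentify(self, token: str):
        """Re-attach identity: only possible with access to the vault."""
        return self.vault.get(token)


def build_sample_store() -> PseudonymisedStore:
    """Fresh store with a random index key, loaded with the sample customers."""
    store = PseudonymisedStore(index_key=secrets.token_bytes(32))
    for record in SAMPLE_CUSTOMERS:
        store.ingest(record)
    return store


def identifiers_exposed(analytics: dict) -> set:
    """What someone holding only the analytics store learns about identities:
    the set of identifying field names present in any record (should be empty)."""
    return {k for attrs in analytics.values() for k in attrs
            if k in IDENTIFYING_FIELDS}


def customers_per_plan(analytics: dict) -> dict:
    """An analytics query that still works without any identity data."""
    counts = {}
    for attrs in analytics.values():
        counts[attrs["plan"]] = counts.get(attrs["plan"], 0) + 1
    return counts


if __name__ == "__main__":
    store = build_sample_store()
    token = store.token_for("ada@example.test")
    print("analytics view:", store.analytics[token])
    print("identity via vault:", store.reidentify(token))
    print("identifiers in analytics store alone:", identifiers_exposed(store.analytics))
    print("plan counts:", customers_per_plan(store.analytics))
```

The design point is that the token is random rather than computed from the SSN or email, and the only link back is a keyed index whose key is held with the vault. In a real deployment the vault would additionally be encrypted at rest under a key managed separately from the analytics database, which is the encryption the article mentions; the split shown here is what keeps a single stolen store from delivering a complete profile.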

Two Tales on the Privacy Front

Protecting customer data has been in the news a lot recently and today I’m going to discuss two different news stories concerning the privacy of customer data.

The first story involves a case that will be decided soon by the U.S. Supreme Court. The case, Carpenter v. United States, concerns the rules for how the government can access historical cellphone call records (and, one assumes, all other telecom records for calls and emails).

Without discussing all of the details of the case, the short version is that police had asked MetroPCS for the complete cellphone records of sixteen people suspected of robbing cellphone stores. MetroPCS supplied the details of all of the calls to and from each suspected cellphone as well as information about the location of the cell sites servicing each phone for the duration of the calls. The legal question being asked is whether this represented a warrantless search, and specifically, as asked by government attorneys, “Whether the government’s acquisition, pursuant to a court order issued under 18 U.S.C. 2703(d), of historical cell-site records created and maintained by a cellular-service provider violates the Fourth Amendment rights of the individual customer to whom the records pertain.”

Recently fourteen companies including Google, Apple, Facebook, and Microsoft filed an amicus brief in the case that argues that the government is relying on outdated privacy laws from the 1970s that allow for the government to ask for telephone records without a warrant. Interestingly, Verizon joined in this argument.

Most small carriers are aware of this issue because local police often ask them for call records without a warrant. I can’t recall a time when a telco hasn’t responded to such requests, but I’ve talked to many companies who are often uncomfortable with the process. The fourteen companies get similar requests for call records but also for email records, web search results and other kinds of customer information. They argue that such requests should only be made with a warrant that reflects some level of probable cause. Court experts are calling this the biggest Fourth Amendment case in years because it’s going to consider the issues involved with the search for digital records.

The second news story is a different take on privacy. The Electronic Privacy Information Center (EPIC) has asked the Federal Trade Commission (FTC) to investigate how Google tracks customers. Specifically they say that Google analyzes credit card data to understand the in-store shopping habits of customers. They then sell this data to retailers. EPIC is asking the FTC to investigate the actual practices being deployed as well as to provide some sort of mechanism for people to opt out of this kind of tracking program.

If the FTC takes up this investigation it could also be groundbreaking. This case is the first specific case that asks the government to create some boundaries for such tracking and to allow people to opt out of being tracked.

There are many companies other than Google that are now using ‘big data’ to compile detailed profiles of people. These profiles are being marketed to vendors of products and services, but there is a great fear among privacy advocates that these same profiles can be used for nefarious purposes by governments and others. For instance, scam artists would probably love to know the identity of every household in the country that has somebody suffering from early-stage dementia.

Anybody who is getting involved in selling smart home products needs to be concerned about these issues. Recently researchers Ming Jin, Ruoxi Jia and Costas Spanos of the University of California at Berkeley examined some routine data collected by smart electric meters and were surprised at how much they were able to figure out about the occupants of a home using the data. For example, they were able to understand the patterns of when homes were occupied and unoccupied and were fairly easily able to tell when a given residence was unoccupied.

As we get more smart devices in homes the combination of the data collected by the various devices will be able to paint a detailed picture of the occupants of a home. This case could be the first step towards defining customer rights for control of their personal data.