[HN Gopher] US spies are buying Americans' data - Congress has a...
___________________________________________________________________
US spies are buying Americans' data - Congress has a new chance to
stop it
Author : arkadiyt
Score : 154 points
Date : 2023-07-09 16:01 UTC (6 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| coldtea wrote:
| Perhaps what should stop is the collection from the third parties
| and ability to sell them altogether?
| mhoad wrote:
| That's the only obvious and reasonable answer.
| pixl97 wrote:
| Companies that collect that data: "Dear Congressperson, here
| are 100,000 donated reasons to ignore the obvious and
| reasonable answer"
| mhoad wrote:
| There are actually a bunch of really compelling strategic
| level national security style reasons to come to the same
| conclusion, it's not purely just a consumer rights issue.
| pessimizer wrote:
| Think tanks: "Congresspeople, here's some compelling word
| salad designed by the best. You can memorize and repeat
| this while pocketing 100,000 donated reasons from one of
| our funders."
| vacuity wrote:
| Firstly, it'd be nice if those national security reasons
| were clearly stated without the other bullshit. Secondly,
| as far as I've heard, there's no real success story for
| all the dragnet surveillance. If there's a legitimate
| application that is too broad that a warrant for targeted
| surveillance doesn't cover it, I'd like to hear it.
| pixl97 wrote:
| And until those other interest ^Hbribe their congress
| people, or said congress people's data leaks to the world
| in a way they are affected on re-election they will be
| ignored by said people that make our laws.
| hospitalJail wrote:
| Devil's advocate:
|
| "So the data isn't owned by the host company, it's owned by the
| support company which is a child of the parent company. We are
| selling that child company to Amazon/FB/Google."
|
| Google didn't buy Nest because they were IOT fans.
| phpisthebest wrote:
| 1. Data about me should be owned by me, not the entity that
| collects it.
|
| 2. Disseminating false info about a person should trigger a
| statutory defamation liability akin to statutory copyright
| infringement, where the person does not have to prove damages
| then expand the Credit Reporting laws to include all
| Information and force them to tell you who all they have sold
| or given that info to.
|
| #2 would do the most, if we reform defamation to make it
| where if a credit reporting agency, or Google gets something
| wrong and tells someone else that wrong thing they are liable
| you would see a massive curbing of private information
| collection, and even more of it being up for sale.
| hunglee2 wrote:
| At least they are buying it, a validation of the freedoms
| inherent in the US
| Dah00n wrote:
| Is that sarcasm?
| exabrial wrote:
| I have a better idea: instead of stopping the purchase, how about we
| stop the collection?
| [deleted]
| mindslight wrote:
| This is still missing the 800,000 pound gorilla in the room.
| There's little point to preventing the de jure government from
| using commercial surveillance data, when corporations are all too
| happy to create an unregulated _de facto government_ to stand in
| its place - eg credit bureaus, retail equation, unilateral
| account closures, etc.
|
| The US desperately needs a port of the EU's GDPR, critically
| including its exact definitions of consent, personal information,
| and the right to deletion.
| parineum wrote:
| I don't want GDPR. I want two things.
|
| No sale of personal (even unidentifiable) data without consent
| coupled with no punishment for not consenting and a requirement
| of explicit affirmative consent.
|
| Deletion of data upon request.
|
| As a bonus third, retrieval of data on request.
|
| I want those in that priority. I'd be pretty happy with just
| the first one.
| kelnos wrote:
| That's more or less the GDPR, no?
|
| The problem is that you can't just write those three things
| down on a single sheet of paper and call it a day. There --
| unfortunately -- needs to be a lot of legalese that addresses
| various loopholes and edge cases, some of which will also
| increase the scope of the law/regulation. And so you either
| end up with something simple that's so riddled with holes
| that it doesn't work, or you end up with something like the
| GDPR.
| lockhouse wrote:
| The problem is that we'll have to consent to allowing the
| sale of our data just to use a service. From what I've seen a
| statement to that effect is already in the click through
| license fine print.
| mindslight wrote:
| I don't see your reason for downplaying the GDPR. That plus
| saying you're willing to forgo your second/third ask
| (deletion is paramount!) just feels like trying to bargain
| with the surveillance-industrial complex for something it'll
| accept. But most anything in that direction is just creating
| loopholes for the surveillance industry to nullify the intent
| of such law.
|
| Your simple regulations sound great for the cases they
| address, but there are a lot of corner cases that the GDPR
| addressed that your "simple" requirements do not. For
| example, what happens when a surveillance company uses a
| third party data processor outside the jurisdiction? That is
| not a sale, and yet the processor can proceed to do whatever
| they want. Or when a company insists that it has obtained
| indefinite "consent" by some claimed assent to a contract of
| adhesion, or as part of a contract with a third party?
|
| The surveillance industry would love nothing more than to
| pass fig-leaf regulation that purports to create rights but
| actually just enshrines their regime into law while giving
| them further protections. That's precisely what they managed
| to do with the "Fair" Credit Reporting Act, which is why that
| segment of the surveillance industry has continued to spiral
| out of control, pushing nonsense like "identity theft" onto
| us.
| ClumsyPilot wrote:
| I don't want GDPR, I want [describes like 70% of GDPR]
| RcouF1uZ4gsC wrote:
| I think US intelligence should have access to any data that is
| already out there for purchase. If you have an issue with that,
| then regulate the sale of data.
|
| Otherwise, this is all just PR, due to agreements such as Five
| Eyes where for example British intelligence buys American data
| and shares with CIA, etc.
| Dah00n wrote:
| No need for five eyes.
|
| 1) Three letter agency cannot collect X
|
| 2) Big Business Inc. can and sells it
|
| 3) Three letter agency can buy commercial information
|
| With your logic the government will have access to everything
| because these laws are written to be circumvented, by the right
| people, just like tax laws. Stop Five eyes instead, simple, but
| impossible.
| pessimizer wrote:
| 4) If you have an issue with that, then regulate the sale of
| data.
|
| So, with this logic included, three letter agencies cannot
| buy commercial information.
| lcnPylGDnU4H9OF wrote:
| Why is 1 not violated by 3 in this context?
| vacuity wrote:
| Presumably, the three letter agency can't actively perform
| surveillance but the data bought from companies wasn't
| illegally collected, so it's fine.
| kelnos wrote:
| Apparently this isn't the first go-around for this; Davidson and
| Jacobs proposed something much weaker last year[0], though I
| can't tell if it made it to the final bill. Their amendment last
| year merely required law enforcement to _disclose_ when they
| purchase user data from a third party, and only applied to the
| feds, not to state and local law enforcement.
|
| It's a little hard to believe that Congress is in a _better_
| position to pass privacy-related legislation (regardless of what
| bill it's attached to) this year than it was last year.
|
| But I'd love to be proven wrong! It seems even Breitbart is
| reporting on this year's proposed amendment in a more-or-less
| positive way. That's... something.
|
| [0] https://www.eff.org/deeplinks/2022/07/department-defense-
| sho...
| mhoad wrote:
| This story is adjacent to some topics I follow fairly closely for
| various reasons.
|
| I had seen a lot of not super well informed commentary on it when
| it was talked about here previously and so in that spirit I
| wanted to offer a short 20 minute chat that was aimed at policy
| makers between a well respected infosec journalist and someone
| who previously spent a long time working at the Australian
| equivalent of NSA about this particular topic.
|
| I'd like to think it helps provide the outlines of how
| professionals in and around that field tend to think about it
| while not getting so caught up in a strictly US perspective.
|
| Hopefully some of you find it helpful.
|
| https://overcast.fm/+5Sl8Ai8LA
| thisisthenewme wrote:
| So on the side of wanting easy access to American data -
|
| - People in the gov who want to monitor the general populace for
|   dissent
| - Power hungry individuals and governments
| - Governments wanting to learn about their foreign
|   adversaries/allies
| - People in the gov who want to monitor other gov agents for
|   whatever reason
| - Corporations wanting to learn about their adversaries
| - Corporations wanting to maximize their profits
| - Corporations wanting to learn about their users for whatever
|   reasons
| - And so on and on.
|
| On the side of limiting access to user data -
|
| - People wanting privacy
|
| Don't want to sound too pessimistic but I can't help it.
| allenrb wrote:
| This feels like a correct summary of the situation. I wish it
| were not so, but that genie is so far out of the bottle, she'd
| need GPS to find her way back in.
| mhoad wrote:
| It's correct in the same way Joe Rogan talking about anything
| other than MMA or comedy feels correct to some people.
|
| It's great at feeling like you've said something clever but
| also makes it clear you haven't actually thought about the
| topic for more than five minutes and you just said the first
| thing that came to mind and missed a bunch of important
| points in the process.
| twojacobtwo wrote:
| Since you seem to be an authority of some type on this
| topic, do you care to add any examples, for the sake of
| those who don't have as broad an understanding as you?
|
| As it stands now, it seems like you posted this just to say
| something clever.
| mdhb wrote:
| It's posted further down the page
| badosu wrote:
| I understand the point, but it feels disingenuous to have
| it directed at someone who makes a living out of inviting
| guests and making interesting talk out of it.
|
| I don't think he ever claimed to be an expert at the stuff
| he talks about and that we're free to talk about stuff we
| don't know everything about.
| [deleted]
| nwoli wrote:
| Patriotic people in government (they exist) who understand
| spying on innocent citizens can cause untold economic harm and
| damage America in the long run
| raincom wrote:
| Most of these patriotic people in the government are either
| powerless or keep silent.
| freeopinion wrote:
| Is that like vegetarians who eat hamburgers?
| pessimizer wrote:
| > spying on innocent citizens can cause untold economic harm
| and damage America in the long run
|
| I'm on the side of people who believe in privacy, but not on
| the side of people who believe this. I do not believe that
| privacy should be contingent on how it affects the US
| economy, and as such I do not believe that if I can engineer
| a wealthy totalitarian economy, there's no reason for
| privacy.
| imagine99 wrote:
| Most - if not all - the people in your first group are also in
| the second group! That is, I think, what they (and everyone)
| really needs to realize and understand:
|
| The all-powerful CEO who wants access to detailed customer
| data? He will be in The Database himself (if not his own, then
| in the one that a rival company offers). As will his favorite
| son with the drug habit, and the questionable thing he did on
| holiday that one time... Might not even be that bad or illegal.
| But would he want his workers to know those things about him?
|
| The politician whose party is in power right now? She is in The
| Database, too. As is her shady half-brother, all the info about
| the medical procedures she had done while in college, plus her
| husband's business dealings. Sure, they are legal but will it
| sound good to her constituency if it leaks? After all, her
| party might not be in the majority anymore after the next
| election...
|
| Whenever your unbridled greed for tracking, profiling and
| surveillance becomes overwhelming, please attend your closest
| meeting of "Data Collectors Anonymous" and memorize the mantra:
| IYDTS - It's your data, too, stupid!
|
| Your own daughter will be spied on by creeps. Your mother may
| be discriminated against when trying to get a mortgage.
| Whenever you collect people's data for profit or control, you
| WILL hurt yourself and the ones you love.
|
| Even if you personally are the cleanest Mr. goodie two shoes to
| ever live, those around you surely aren't - and don't forget,
| in the end it's very easy for The Database to have some entries
| about you that might not even be true. Mistakes happen. Good
| luck proving or correcting them.
|
| If you don't do whatever you can to protect privacy and
| minimize data collection, every day the chance increases that
| your own data will be collected and used against you or the
| ones you love. Then you might not be in a position to stop it
| anymore. And you may never be happy again...
| mhoad wrote:
| What on earth is this absolute word salad?
| natpalmer1776 wrote:
| Lack of privacy is a double edged sword for those in favor
| of reducing individual privacy.
| omniglottal wrote:
| Please do not contribute if your reading comprehension
| falters so absolutely that your recourse is to be rude.
| newuser94303 wrote:
| Gov'ts that want to monitor citizens for say a tendency to get
| an abortion have more power than a corp that wants to sell me
| diapers. One step at a time. Try to stop the worst offenses
| then work your way down.
| pessimizer wrote:
| Governments are monitoring citizens for the corporations.
| They don't care about abortions. They care about abortions
| turning out a base that will elect politicians who will pass
| laws written by the corp that wants to sell you diapers.
| Loquebantur wrote:
| You paint a defeatist picture of the situation, which should be
| obvious not to be helpful in any way.
|
| You list many categories of small groups of people opposed to
| one encompassing the absolute majority of all. How is the
| former more powerful by necessity?
|
| The key is people realizing they are part of a large group with
| a common cause. And powerful if they organize as such. Your
| comment appears designed to prevent that.
| kelnos wrote:
| > _You paint a defeatist picture of the situation, which
| should be obvious not to be helpful in any way._
|
| Recognizing obstacles to your goals is hardly unhelpful. GP
| is clearly pessimistic (and admits as much), but that doesn't
| change anything. If we (presumably in the "people wanting
| privacy" camp) want to win, we need to go down that first
| list and either decide why each of those sorts of people
| don't matter, or figure out how to counteract their political
| power.
|
| "How is the former more powerful by necessity?" is a good
| question that deserves an answer, but I think you seem to
| have already decided, without evidence, that those people are
| _not_ powerful, which I think is mere wishful thinking.
| Loquebantur wrote:
| You utilize power as a group via coordinated action
| targeting pressure points and leverage. Understanding how
| the system you want to influence actually works is a
| prerequisite surprisingly often omitted.
|
| "Counteracting" individual groups as you propose is a
| nonsensical approach. It is reactive and at best a second
| order addendum.
|
| How you read from my comment I was making any assumptions
| about these groups is your secret alone.
| kelnos wrote:
| > _You utilize power as a group via coordinated action
| targeting pressure points and leverage._
|
| Ok, sure...
|
| > _"Counteracting" individual groups as you propose is a
| nonsensical approach. It is reactive and at best a second
| order addendum. Understanding how the system you want to
| influence actually works..._
|
| I don't think you really understand how "the system you
| want to influence" works? Knocking down "the other
| side"'s argument is often an integral part of getting
| things done in politics. Certainly there are other ways,
| including trading favors and agreeing to support someone
| else's pet project for their support on yours. But that's
| not everything, and often is not sufficient.
|
| Regarding coordinated action: I agree, but it turns out
| that's very hard to coordinate, especially when it comes
| to privacy issues, as most of the US electorate either
| doesn't care about privacy, or doesn't understand why
| they should care (seems they often fall victim to the
| whole "if I've done nothing wrong, I have nothing to
| hide" fallacy that the government always pushes). It's
| very hard to coordinate a group that at best thinks what
| you're talking about isn't important, and at worst has
| bought your opposition's propaganda efforts and thinks
| you're wrong.
|
| > _How you read from my comment I was making any
| assumptions about these groups is your secret alone._
|
| Then what was the point of your post? OP was listing
| obstacles to getting this legislation passed. Some of
| them may not be relevant, but I don't think it's safe to
| blanket assume they all are. If you think they are indeed
| all irrelevant, then that's fair, but I'd disagree. If
| you think we don't need to care about those other groups,
| then I also disagree. If you don't hold either of those
| positions, then, again, what was the point of your post,
| and what did it have to do with what the OP was saying?
| phpisthebest wrote:
| >>The key is people realizing they are part of a large group
| with a common cause
|
| COVID shattered my belief that people "wanting privacy from
| government" is a "large group" as you seem to imply
|
| People are more than willing to trade their privacy for the
| promise of the government provided safety blanket, even if
| that promise is false, can never be realized and will
| result in massive abuse.
|
| I don't think there is a large group to organize.
| kQq9oHeAz6wLLS wrote:
| Part of the problem is it's hard to find people who want
| privacy due to that very privacy they crave, and their
| general mistrust of large organizations make it difficult
| to form them into a large organization for that reason.
|
| Basically they find security in obscurity, and feel they
| have a better chance of surviving under the radar on their
| own.
| landemva wrote:
| 1) Those who are willing to pay to get your data
|
| vs
|
| 2) Those who think it should be easy and convenient to use
| services and free to keep that data private
|
| Which group is in fantasy land? Privacy takes work and
| meaningful trade-offs.
| vacuity wrote:
| Well, I'm not getting paid for all (any) of the data
| collected about me.
|
| How about this: services/sites make it abundantly clear what
| data they collect (no full page of legalese designed to make
| people scroll to the bottom). Make it a list of bullet
| points, maybe. Explain how the data will be used, maybe
| collapsed by default so it's not overwhelming. Depending on
| the service, it may be appropriate to notify users about an
| updated privacy policy. Enforce antitrust and whatnot so
| Google and co. aren't just dominating the landscape and
| forcing their way. Also remove dark patterns. This isn't
| exhaustive, by the way.
|
| Then set a price. And no "here's a constant subscription
| notice that you can't really block". Guess what happens in my
| ideal world if a service is found violating the privacy
| policy.
| landemva wrote:
| >> Then set a price.
|
| How about a cell phone service that would not sell any
| location data connected to you or your phone usage. Would
| you be willing to pay over $200/month or less? What would
| you pay?
|
| I recognize some folks want privacy at no cost to them.
| vacuity wrote:
| As far as I can tell, $200/month is ridiculous compared
| to competitors. If I knew how to enforce "don't be a jerk
| and clearly overcharge" in law, I'd lay it out right
| here. It would be fair to require a moderate premium for
| legitimate privacy-upholding reasons.
| freeopinion wrote:
| Your first sentence isn't exactly accurate. If you are not
| receiving a benefit from Facebook, why do you use it? If
| you don't benefit from your credit card or cellphone or
| bank, why do you use them? If you don't benefit from the
| relationship you have with your employer, why do you have
| that relationship?
|
| All of those parties are collecting data about you. While
| there is some value to using that data internally, it is
| obviously valuable as a commodity to be sold to others. You
| might complain that your cellphone company benefited
| instead of you. But you gave up your data to somebody for
| some reason.
|
| You can't complain about not getting invited to this
| weekend's party if you aren't willing to share your phone
| number with the organizers. If you weren't willing for them
| to sell that data later, you should have put them under
| contract. Of course, they may have responded by charging
| you admission to the party. If you don't like being charged
| admission AND getting your data sold, go to a different
| party or no party at all.
|
| I know, I know. It isn't fair. Parties are a basic human
| right.
| j45 wrote:
| Everything that can be used for bad can be used for good.
|
| Take memes for example and how they out educated press
| conferences during the pandemic.
|
| Creating content that is anchored to help the everyday person
| learn and decide what's important to them beyond conscience at
| the expense of security and privacy should be an informed
| decision.
|
| On the other hand, if people went through this 20 years ago,
| chances are it will start to happen some more with a much
| larger group, only less technical.
| Animats wrote:
| Congress could require that certain personally identifiable data
| could not be kept in computers. Congress has done this for gun
| registrations. BATF's out of business records repository for gun
| registrations is all paper and microfilm. When they receive data
| in digital form, they print it and microfilm it, to increase
| lookup time. Really.[1]
|
| [1] https://www.npr.org/2013/05/20/185530763/the-low-tech-way-
| gu...
| neilv wrote:
| Presumably _non_-US spies are also spying on US people _using US
| companies_. (Not necessarily the same companies.)
|
| As harmful as the OPM hack presumably was for US national
| security, countless US companies have been collectively
| assembling comparable-and-more intimate profiles of everyone, and
| on an ongoing basis.
|
| Want to map out social networks (in the original sense of the
| term)? Know who to focus on and target? Know what an individual's
| weaknesses are, for neutralizing, compromising, or more subtly
| manipulating? Automate personalized mass influence operations?
|
| Good news to adversaries: half of the national technology
| infrastructure is _built upon_ trying to construct that
| existential vulnerability, and sell it.
|
| (Just trying to frame a pervasive industry/societal problem in a
| different way, in case that helps to understand it better.)
| analog31 wrote:
| I propose a system of statutory damages for offering to sell
| personal information, similar to those imposed for sharing
| copyrighted music recordings. This might create an industry of
| bounty hunters who track down violators, for a percentage of the
| damages.
| hospitalJail wrote:
| My approach is to acknowledge that all of my data is compromised.
| Sometimes I obfuscate it with nonsense to throw off a trail, but
| even that I consider is probably worthless.
|
| Maybe you could legislate this, but you wonder how a trillion
| dollar industry is going to lay down and take it. Most likely
| they will lobby, find loopholes, or do it anyway, accepting the
| fine as the cost of doing business.
|
| I know this is defeatist, but I just don't see bandaids working.
___________________________________________________________________
(page generated 2023-07-09 23:01 UTC)