Hacker News
U.S. lawmakers call for privacy legislation after Reuters report on Amazon (reuters.com)
178 points by CapitalistCartr on Nov 22, 2021 | 78 comments


Despite the day to day situation in congress, it seems inevitable that in the short to mid term, the US will have to stand up new privacy legislation in order to maintain participation in the digital economy.

The question will be how they define privacy, and who will write the law.

If activism doesn't interest you and you're looking for a reasonable shortcut, follow the work/proposals of Sen. Ron Wyden. He employs actual expert technologists who advise him on policy, and their expertise frequently shows up in the legislation he proposes.


> The question will be how they define privacy, and who will write the law.

Just like in Germany. The rich will define the legislation and will write the law. Privacy means "If I am rich you have no right to look at my personal belongings". "If you are poor we need your credit score and some account balance at least".


Fully half of Congress these last few decades has been violently opposed to basic privacy rights (with some of their supporters literally violent). I'm not sure we can expect any progress on this front until we see the congressional makeup shift substantially.


I'm curious how you expect the random people on HN to effect change by "following" someone's proposals sans activism?

It seems like a "reasonable shortcut" around activism would involve... actually accomplishing things? Otherwise I can just say staying at home is a "reasonable shortcut" to getting to work. It's certainly much shorter, but it doesn't really accomplish the task at hand, no?


I'm suggesting that folks not interested in following the developing activism around privacy instead follow Wyden's work on this as their primary source of information, so that they can be aware of the best work going on and have a higher signal-to-noise ratio on this topic.

When it comes time to actually accomplish things, there is no shortcut around action.


Fair enough - I misinterpreted the meaning behind your comment.


Wyden is the single best tech-related legislator in Congress, in my opinion. A great all around senator as well.


> In May 2017, Wyden co-sponsored the Israel Anti-Boycott Act, Senate Bill 720, which made it a federal crime, punishable by a maximum sentence of 20 years imprisonment,[55] for Americans to encourage or participate in boycotts against Israel and Israeli settlements in the occupied Palestinian territories if protesting actions by the Israeli government. The bill would make it legal for U.S. states to refuse to do business with contractors that engage in boycotts against Israel.[56]

It amazes me how otherwise sensible legislators look like goons when it's AIPAC calling, approving bills that make free speech a crime.


While I am not in favor of the bill, his description of it is far different from the one presumably on his Wikipedia page.

He said it adds to an existing law, one that has never sent a person to prison, that forbids people from following a boycott organized by a foreign state. You'd be free to form your own boycott.

Again, not something I support. But on the "bullshit Representatives support" scale, not a huge deal.

https://pamplinmedia.com/pt/9-news/368374-250754-wyden-defen...


> The bill would make it legal for U.S. states to refuse to do business with contractors that engage in boycotts against Israel.

I fail to see the problem in the government not indirectly funding entities supporting agitation against a close military and political ally of the US.


I do not think the government should police my views on Israel just so I can be allowed to be a teacher or a municipal worker. I shouldn't be required to sign a pledge supporting Israel.

Doing that is a problem. Contractors are a lot more broad than you think.


> Contractors are a lot more broad than you think.

If you are a teacher or municipal worker, you should not be a contractor in the first place, but an actual employee of the government.



He says the right things sometimes but is often ineffective - why didn't he call out Clapper when he was lying to him in congress? It is up to the legislature to control the government.


I believe either he wasn't sure he was lying, or announcing that he was lying would have broken the Official Secrets Act.


> maintain participation in the digital economy.

I think your logic is reverse. There is an asymmetrical advantage for companies like Google and Facebook.


I think you've expressed a US-centric perspective, where the US leads the world and the world reacts.

The rest of the world is advancing privacy legislation and making it difficult to do business in jurisdictions that don't enforce similar privacy concepts. This will increasingly become untenable for US businesses.


I think he is pointing out the lack of legislation in the US is a positive for these US-based multinationals: they extract valuable info from it, which they can use in other markets too.

An upcoming EU startup which might want to target these multinationals' markets is at a disadvantage because they can't.


We already have a de-facto national privacy law. It's the CPRA and it takes effect 1 Jan 2023.


Am I missing something? This is a California law, no?

Who is this "we" you speak of? De facto laws degrade my concept of structure in society.


It is a California regulation, yes. I suspect that OP is making reference to the fact that as California goes, often so goes the national policy. Or, at least that's how it's played out with regularity in the past.


CA is 14.6 of US GDP and 12% of the population. It's hard to have a large business in the US that doesn't have $25m revenue or handle the information of 100k CA residents, so there is very broad applicability.


So right: "This is now the classic Big Tech move: deploy money and armies of lobbyists to fight meaningful reforms in the shadows but claim to support them publicly."


A reminder that no one's making you use Amazon, especially the Alexa stuff.

I invested in Mycroft to try and kickstart a privacy-focused alternative; the hardware isn't there yet but they've made good strides on the software side. You can invest too! https://www.startengine.com/mycroftai

Make the world we want to live in.


> A reminder that no one's making you use Amazon, especially the Alexa stuff.

What happens when your kid's friends use and they visit? What happens when everything is "Alexa enabled" and comes on by default?

Voting with your wallet doesn't work against a sufficiently large vendor who's willing to lose money to achieve their goals.


Voting with your wallet isn't a situation where you're concerned about the results. The point isn't so much to change bad behavior as it is to disassociate yourself from it.

If enough people become aware of the option and follow suit, change might occur that you'd like. That isn't what motivates you.


> Voting with your wallet isn't a situation where you're concerned about the results.

Unclear what you are trying to say but honestly it's a pain I have to do this everywhere. That's why we have regulation & legislation: so corporations don't have to get "market signals" they're free to ignore, vs laws they must actually follow or get fined/held liable.


> Unclear what you are trying to say

It's like removing a jerk from your life who happens to make amazing tacos. I'm going to miss those tacos but life is too short. The 2nd best taco truck is a block away in this scenario.

> but honestly it's a pain I have to do this everywhere.

Right???


Some of it is foisted on you whether you like it or not though. Like your across-the-street neighbor's Ring doorbell sharing HD footage of you, your house, etc, to law enforcement.


I noticed an Alexa in a family member's bathroom recently. Yeah, I don't have to own them, but that doesn't mean their existence doesn't affect me. This is ripe for legislation.


Sure. I just don't want to get my hopes too high that I'll get what I want in that arena...


Or just leave the US and stop participating in this failed experiment.

You can’t make things better when half the people around you are making it worse.


No thanks! I like my country just fine, and would prefer to make it better if I can.


> A reminder that no one's making you use Amazon, especially the Alexa stuff.

A reminder that even in EU Alexa seems to be ok (from State POV) even if it violates GDPR.


Amazon delivery vans scan nearby WiFi networks for SSIDs and tag that with geolocation. Amazon knows all about your home network.


This is the first time I've heard that claim. Can you please provide a source?


That's quite a leap from "scan SSID" to knowing "all about your home network" and sounds like hyperbole. What can I gather from just passively scanning SSID and possibly putting out some probes on a properly configured WiFi network? I imagine some things like number of hosts, MAC addresses, traffic stats - which is not ideal, but hardly what I would call knowing "all about it".

I'm quite the privacy nut, but I always think it's ridiculous that people cry foul about what people do with data that is being broadcast over the airwaves. If you really care about privacy and don't trust WPA2 then don't fucking use WiFi!


> broadcast over the airwaves

Intent matters a great deal. Very few people intend for their wifi to reach their neighbors or the street. There is already an expectation of privacy for visible and IR wavelengths of the EM spectrum.


I don't agree intent has any relevance here vs the other issues at hand, and it is news to me that there is some actual distinct expectation of privacy with regards to wavelength as you state.

Visible and IR wavelengths don't reach outside through non-windows, because of physics - but I don't think there is any inherent expectation of privacy - quite the opposite. If you leave your front bay window open and people outside can see in, and you call the police for privacy invasion they will laugh in your face in most places - in fact if you are doing something deemed obscene or distasteful you may be the one arrested - and for good reason. They'll tell you to get something to block the light like a curtain.

Whether or not people intend it - wifi signals easily will make it to the street - and they're on shared spectrum. Especially if you're going to pollute the public ISM band - it's sort of on you to take whatever precautions you need to stay safe whether that is better encryption, a faraday cage or just abstaining and finding alternative means.

If you start blasting loud noises 24/7 constantly in your neighborhood and someone complains, is your response going to be well, "I don't intend for this garbage to reach my neighbors"?


> distinct expectation of privacy with regards to wavelength

AIUI police aren't permitted to use anything that lets them see through walls without a warrant, and the same should apply to corporations and individuals.

> it's sort of on you to take whatever precautions you need to stay safe

In other words, "I'm going to take what I can because you didn't know you didn't lock your door," is that it?

No reasonable non-tech person would look at a wifi router in their closet and think, "I expect waves radiating from this device to pass through the walls of my house and be used by large corporations for tracking purposes." They think, "I plug this in and I can use the Internet on my phone inside my house."


Google pioneered this on mass-scale, I don't doubt it


Skyhook started doing this in 2003; their technology was used in earlier iPhone models to determine location without using GPS.

https://en.wikipedia.org/wiki/Skyhook_Wireless

EDIT: used by iPhone OS until version 3.2: https://www.wsj.com/articles/BL-DGB-16945


US lawmakers can't even take on robocallers and spammers, so I don't have much faith in their ability. When they are willing to actually impose harsh criminal liability on companies and employees like they do for citizens, then things like this won't be an issue.


I had great hope when I heard about the STIR/SHAKEN protocol [1].

It's been in effect for five months now and I think I get more spam calls than ever before.

[1]: https://www.fcc.gov/call-authentication


Same here. I feel like if they'd just label robocallers terrorists and treat them as such, it would be a lot harder to find people willing to take that risk even in foreign countries. Sanctions would go a long way as well in other countries taking it more seriously.


Further watering down the definition of “terrorist” is the last thing anyone sane should suggest.

Not unless you really want the governments of 1984 or V for Vendetta to come quickly.

https://www.merriam-webster.com/dictionary/terrorism


US lawmakers _are_ the robocallers and spammers.


Wait, so Amazon allegedly undermined privacy by spending tons of money lobbying, and Congress wants to pass legislation on privacy. How about passing legislation on LOBBYING?


This is the real problem. All meetings should be public and a matter of public record. We may need some workarounds for Defense/Sensitive issues, but standard conversations need to be disclosed.


Politicians make meaningless statements on Twitter. News at 11.


"U.S. lawmakers call for regulatory capture to further benefit the donor classes, because they deeply care about your privacy..."

Are these not the same politicians that passed mass surveillance legislation?


If only they had the power to actually enact legislation


This sort of cynicism is confusing. Bringing attention to an issue is an obvious component of enacting legislation when there are many different topics competing for that attention in the legislature.

If it was a resolution passed by the full house calling on Amazon to be nice guys, well then okay, be as cynical as you want about that.


>when there are many different topics competing

The number one thing competing for legislature's time is creating sound bites that make them seem tough. So many bills are intentionally politically infeasible because people vote for politicians based on what they say rather than what they accomplish. They don't have any time left to learn about areas that they aren't particularly passionate about, so they'll just listen to what that intelligent-sounding Amazon lobbyist has to say about how a bill would destroy a million jobs.


Passing bills is another component - quite an important one. The federal government currently faces challenges getting bills through.


Money vs people re-deploying their votes. Who wins? Why?


> Internal documents reveal how a former aide to Joe Biden helped the tech giant build a lobbying juggernaut that has gutted legislation

Nothing is going to happen, especially considering the complaints are related to Alexa recordings. NSA/DOJ love the idea of having recording devices they can hack/subpoena whenever they want, they are basically opt-in 1984 telescreens. All Amazon has to do is remind Congress behind closed doors that they are an extension of the surveillance state.


It's really interesting to see, on the one hand, the claim from the former Alexa engineer that they're not doing this and take privacy seriously, and on the other hand, the claim that they're government surveillance devices.

Because it's possible that they could both be true. The engineers take privacy seriously, think they're preserving it well, and then the man from the government comes in and PRISMs their servers and only he and one other person at the whole company knows about it.

But obviously privacy legislation isn't going to fix that.


You know it's a crackpot theory when it's so unfalsifiable as to be absurd. You think one person--just one person--can manage the data of millions of people, the backups, the government requests, the exporting, and the IT troubleshooting? That's awfully convenient, and I expect you'll never be proven wrong and have to feel dumb for believing it.


The rest of the people work for the government, not the corporation? All they need is someone inside the company whose job it is to keep other people inside the company from finding out. It's the same model as police use for informants and intelligence services use for espionage.

It's also kind of pointless to talk about how to falsify a class of thing we have affirmative evidence is happening. When we found out about PRISM, the heads of the companies said they didn't know anything about it. So either they were lying or their subordinates successfully kept it a secret from them.

Moreover, the interesting question isn't whether it's happening right now. It's that given we know it can happen, how do we prevent it from happening? For example, by using software with published source code that runs on your own device instead of someone else's.


>It's also kind of pointless to talk about how to falsify a class of thing we have affirmative evidence is happening.

Can you elaborate on the logic behind this a bit more and perhaps explain how it wouldn't justify McCarthyism as well? (e.g. we know that there was a Soviet spy in one office, so every office that acts displeasingly is filled with Soviet spies)


Sure.

The problem with McCarthyism is that you're accusing people of being spies without any real evidence. They are, in all likelihood, innocent people being punished for no reason. It becomes a witch hunt and a pretext for punishing anyone you don't like but have no legitimate reason to punish.

By contrast, "spies exist" is a thing that we know is true. There have been documented instances. We don't need to know that there is a spy in a particular company at a particular time to know that we should take rational countermeasures against them. Encrypt everything. Eliminate centralization to avoid a single point of compromise for millions of people.

This can't be used for a witch hunt because it's defensive rather than offensive and isn't singling out any particular entity for special scrutiny. If we don't know which particular company or technology is targeted at which time, if we don't know if the adversary is Russia or China or organized crime or corrupt law enforcement, the course of action is still the same. Make mass surveillance as difficult as possible for everybody everywhere.


The cartoon playing out in the media once again reminds me of Gell-Mann Amnesia because I used to work at Alexa. The lengths that they go to for preserving consumer privacy actually seemed absurd to me. Alexa engineers and applied scientists' lives would have been much easier if they didn't take customer privacy -- and their right to request and delete their data -- so seriously.

Yes, they are lobbying against regulation. But that's because no business wants to have to deal with 50 different laws in 50 states. They're saying let's have one federal regulation so it's easier to comply. It's not that they don't care about privacy -- they very much do. In fact, all these large companies want regulation because it strengthens their moat. A startup won't have the resources to comply with such regulations on Day 1. They just want it to be reasonable because dealing with different state-level regulations is too much.


The original Reuters article[0] about Amazon's lobbying efforts addresses that point. It says:

> Amazon said it wants one national privacy law rather than a “patchwork” of state regulations. Asked for details of any federal privacy legislation it has supported, Amazon did not name a specific bill. The company did provide three examples of what it described as statements of public support by its executives for federal consumer-privacy legislation.

> In those cases, Reuters found, the executives were expressing either direct opposition to such a law, opposition to existing state privacy protections, or advocacy for industry-friendly measures opposed by consumer advocates. No major federal privacy legislation has passed Congress in years because members have been deadlocked on the issue.

The article goes into great detail about the efforts to stop state-level legislation. If Amazon truly wanted to see a federal-level law, then we should expect to see them putting a similar sort of effort (or, hell, any effort at all) at the federal level towards getting one written and passed. The simple fact is, we don't.

Until we see that effort from them, anyone using the excuse that, "State laws make this a difficult patchwork to navigate so we want a federal law," is just largely spouting bullshit.

Edit: This is compounded by the fact that, as another user pointed out, they already deal with patchworked state laws in many other areas of their business, but they don't go to these levels to stop that.

[0] https://www.reuters.com/investigates/special-report/amazon-p...


Thank you for sharing the original Reuters article. In that article it says Amazon helped draft Virginia's privacy bill. So I guess they are making exactly the effort you talked about? But of course Reuters is calling them out on it:

"In Virginia, the company boosted political donations tenfold over four years before persuading lawmakers this year to pass an industry-friendly privacy bill that Amazon itself drafted."

After a lot of insinuations and handwaving about lobbying, the article has this short paragraph about what's actually in the law: "The Virginia law allows technology companies to track consumer searches on their platforms to create marketing profiles. It gave tech companies exemptions to collect and analyze smart-speaker recordings without customer consent. And it prevented consumers from suing companies over privacy violations."

Seems totally reasonable to me. Amazon already lets you get a copy of your data and you can request for it to be deleted. And from having worked there (note: I no longer work there and don't have a dog in this fight), I know how the org ties its own hands and makes things difficult for itself, just to protect customer data and their right for that data to be deleted forever.


> So I guess they are making exactly the effort you talked about?

> The Virginia law allows technology companies to track consumer searches on their platforms to create marketing profiles. It gave tech companies exemptions to collect and analyze smart-speaker recordings without customer consent. And it prevented consumers from suing companies over privacy violations."

> Seems totally reasonable to me. Amazon already lets you get a copy of your data and you can request for it to be deleted.

Uh, what? Trying to give the benefit of the doubt but it seems disingenuous to call that a privacy bill in a positive sense, unclear what you mean is reasonable about it (though I guess people can disagree on that point), and while I can appreciate strong internal controls that are difficult to codify in law, that seems orthogonal to any of the merits of the "privacy" bill in question.


>In that article it says Amazon helped draft Virginia's privacy bill. So I guess they are making exactly the effort you talked about?

They are not. What you just highlighted is a privacy bill in the state of Virginia. That is not at the federal level.

>Seems totally reasonable to me.

That's fair, for you. For many others, giving "tech companies exemptions to collect and analyze smart-speaker recordings without customer consent" is unsettling, as is the fact that those customers would be "prevented ... from suing companies over privacy violations."

>Amazon already lets you get a copy of your data and you can request for it to be deleted. And from having worked there (note: I no longer work there and don't have a dog in this fight), I know how the org ties its own hands and makes things difficult for itself, just to protect customer data and their right for that data to be deleted forever.

In your initial comment, you said that, "The lengths that they go to for preserving consumer privacy actually seemed absurd to [you]". Yet the only reason Amazon lets you get a copy of your data and allows you to request it to be deleted is, per the same Reuters article, because the state of California forced their hand on that issue. The article states:

>Under a 2018 California law that passed despite Amazon’s opposition, consumers can access the personal data that technology companies keep on them. After losing that state battle, Amazon last year started allowing all U.S. consumers to access their data.

>Amazon tried but failed to derail the 2018 California law, the first of its kind in the United States, that allowed consumers to request the personal data companies stored on them. The 2018 Amazon document reviewing executive goals discussed plans to oppose the measure, noting concern about its “right to know” provisions for consumers. The 2018 public-policy update said of the proposal: “We strongly prefer no regulation, but if regulation becomes inevitable, we will seek amendment language to narrow any new requirements to the greatest extent possible.”

>The law’s passage was considered a major failure internally, a former Amazon public-policy employee said. An Amazon legal-strategy document written after the bill became law called the measure emblematic of “troubling regulatory and legislative trends” that “caught us by surprise.”

So really, the only reason they "make things difficult for [themselves], just to protect customer data and their right for that data to be deleted forever" is because they're now legally required to. If they truly went to "absurd" lengths to protect consumer privacy, this obvious option should've been something they offered to consumers beforehand and not something that "caught [them] by surprise", which is a phrase taken from an actual internal Amazon document. Instead, they fought against it and consider the fact that they had to give consumers this option to be a "major failure".


> no business wants to have to deal with 50 different laws in 50 states.

Amazon already does this in a thousand ways, from labor laws to labeling laws to paying thousands of different sales tax rates to thousands of different states, towns, and other municipalities.

If this was a startup, maybe you'd have a case. But it's a trillion-dollar company. Suck it up, buttercup.

Or just do the simple thing: Follow the most restrictive state laws. Somehow, following California emissions standards in the 1970's didn't bankrupt the auto industry. And following Pennsylvania Department of Agriculture standards didn't bankrupt the food industry in the early part of the last century.

Following the rules is a cost of doing business. If Amazon can't afford to follow the rules, then it should go out of business and let someone else innovate.


> suck it up

Congratulations. Now we can have no new start ups that compete with Amazon, because the regulatory burden is too high.

Also, you can’t make privacy laws that only apply to large corporations. Why should a smaller company get to pass on privacy laws when Amazon doesn’t? That violates 14th amendment of the constitution.


not wanting to deal with 50 sets of different rules is eminently reasonable. They have the resources to manage, so no improvement is necessary? Is that really the argument here?


And yet you're collecting insane amounts of data with little or no way to opt out of it, and storing that data in a country where the secret police can rifle through it any time with effectively no oversight.


You can ask to see the data Amazon has on you, and for it to be deleted. If you ask for it to be deleted, they will delete it all. And you can keep asking every month if you like. Not to mention no one is forcing you to use Alexa in the first place.


I was just having a conversation yesterday about how complex it can be to follow 50 different state regulations, but also 200+ different national regulations.

Would the ideal case for you to be a federal (national) regulation or a global regulation?


How about we regulate AND make it easy for startups to compete. Living in a world where the big corps can all responsibly handle your data (whatever that actually means) and competition stagnates. Our brand of capitalism pretends it runs on competition.

*edit and from the article, if Amazon is quietly curtailing and preventing privacy laws on a state basis, what effort are they using to unify those laws on a federal basis?

> No major federal privacy legislation has passed Congress in years because members have been deadlocked on the issue.

I assume Amazon is assisting here as well.

All large corporations have a lot of folks at the edges actually doing the work. The internal controls for privacy are strong, but those are nearly orthogonal to the larger corporate goals. If you leak or improperly use customer data, that could have huge ramifications from the political and legal fall out. The amoral or immoral use of customer data at the whole org level are what people are generally talking about when it comes to data privacy from corporations.


The laws are written to entrench incumbents and their moats. Startups have neither the resources nor the lobbyists to compete while they try to get their bare feeble MVP off the ground. The only way you can do that is if you carve out exemptions for smaller companies. This law does not apply if you have less than 300 employees and 100 million in net turnover etc.


How about we make privacy laws that are easy for everyone to comply with. No moats, no exemptions.

We need strong personal privacy and the peeping tom corporations can offer value other than attempting to hack our wetware for profit.


this cynical post misses the fact that corporate executives also decry invasions of privacy when it hits they themselves, their dear ones and their inner circles. You can bet that there is privacy available, but how, from whom, under what terms, and of course how much money does it cost.


When reading reports like this, remember that HN commenters frequently try to discredit major news media reports on privacy issues by pointing to news websites' use of ad tech.

Watch for it. It has been going on for years. HN commenters will infallibly comment on news reports relating to privacy issues by pointing to news website use of ad tech.

The question to ask is would this argument have made a difference here. Did these members of the Senate and House consider if a Reuters website uses ad tech.

If the Reuters reporting is factually correct, then Reuters' use of ad tech should not have any effect on the potential for others to take action on the basis of Reuters reporting. As the saying goes, "Don't shoot the messenger."

HN commenters keep trying to shoot the messenger. It only diverts attention from any facts contained in the message.



