Skip to content
Naked Security Naked Security

Tech giants back bill that privacy advocates claim is toothless

The main disagreement: if consumers will be able to delete their data or whether the law would give companies ways to wiggle out.

Washington state is on the road to passing a privacy bill that tech giants think is great and that the American Civil Liberties Union (ACLU) thinks is toothless.

Shankar Narayan, director of the Washington ACLU’s Technology and Liberty Project, clashed with the bill’s sponsor, Washington State Senator Reuven Carlyle, on Thursday during a panel discussion that featured privacy and antitrust experts.

That panel was hosted by the Seattle media organization Crosscut. As Crosscut reports, Carlyle has said that his proposed bill, which will address how companies collect and share internet users’ data, borrows best practices from the privacy bills we now have: the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA).

The proposed bill recently cleared the Washington State Senate and is now being considered in the State House.

A global, de facto standard?

In January, the bill’s backer, Sen. Carlyle, said the law is designed to take best practices for collecting and sharing users’ data “from around the world.”

The proposed law could have repercussions that spread far beyond the state. Microsoft President Brad Smith – who’s recently been calling for laws about the use of facial recognition and stumping for this Washington bill – recently said that he believes the law could become a de facto standard globally, given that it would rule tech giants such as Microsoft and Amazon, which are both based in Washington.

But beyond that, the Washington law would also affect companies that aren’t based in the state, as in, any that do business in Washington and that either process data of 100,000 or more consumers or that get half their revenue from the sale of personal data. Insurance Journal quoted Smith in a February article:

If it passes, it takes an important and much needed step to be a regulatory foundation for facial recognition technology and create a model that can be considered by other states and countries.

Or then again, it could be a step backwards

Privacy advocates disagree: Washington’s proposed bill would, in fact, be a step backwards from the CPA or GDPR and wouldn’t go nearly as far when it comes to protecting consumers, they say.

“Nobody wants data privacy for consumers more than we do,” Narayan said during the panel last week. However, he added that this bill won’t get us there and is just masquerading as one that would.

At the heart of the disagreement is whether consumers will, in fact, be able to delete their data under the new law, or whether the law would present companies with myriad ways to wriggle out from that requirement, as Narayan points out:

The company can continue to use my data because there’s so many exemptions and loopholes. They can just find one and override my consent.

Carlyle, sitting next to him, accused the ACLU of having the “luxury” to “make perfect be the enemy of the good,” adding:

I live in the world of making meaningful steps forward.

Narayan’s response:

I also live in the real world. Perhaps as a brown person, I live in a realer world, in some ways, in terms of the impact of face surveillance. We would take a step forward on both data privacy and face surveillance but Microsoft and other tech companies have had, undoubtedly, an outsized influence on this conversation just because they have a lot more lobbyists.

Narayan’s reference to being a “brown person” may relate to studies which have found that black faces are disproportionately targeted by facial recognition technology. The algorithms themselves have been found to be less accurate at identifying black faces – particularly those of black women.

It’s because of such research findings that New York City in December 2017 passed a bill to study biases in the algorithms used by the city for public services.

The ACLU knows first-hand how prone to error the technology is: it’s tested Amazon Rekognition, the company’s facial recognition technology, which is used by police in Orlando, Florida, and found that it falsely matched 28 members of Congress with mugshots.

Microsoft lawyer begs to differ

In response to Narayan’s comments, Julie Brill, Microsoft’s general counsel for privacy and regulatory affairs, said the bill is “a meaningful and important step in the right direction.”

Today, there is an urgent need for new, comprehensive privacy laws that provide strong protections for consumers within a framework that enables innovation to thrive.

Is the fox setting up the henhouse-guarding legal framework?

Carlyle said that he takes exception to Narayan’s charge that the bill has been “designed and written in a corporate environment” – a response to Narayan’s saying that tech giants are backing “watered down” state-level regulation so that they can eventually…

…go to the feds and say, ‘look, this patchwork of laws isn’t working. Let’s enact something even weaker.’

The ACLU had thrown its support behind a separate privacy bill in the state earlier in this legislative session. It would have called for stronger data regulations and a ban on facial recognition technology until it could be vetted for bias against people of color and other historically marginalized groups. Narayan said:

Unfortunately, Microsoft came and lobbied against that bill while supporting an enabling approach that will end us up with a face surveillance infrastructure in a lot of public places.

As goes the state, so goes the country: In February, the US House and Senate were debating a new, nationwide data privacy law. Privacy rights advocates complained that the debate was similarly near-monopolized by corporations, leaving consumers and groups such as the Electronic Frontier Foundation (EFF) out of the conversation.

From the EFF’s India McKinney and Katharine Trendacosta:

Last year, the US Senate held a hearing about consumer privacy without a single voice for actual consumers. At the time, we were promised more hearings with more diverse voices. And while a hearing a month later with consumer advocates did seem to be a step forward, this week’s two hearings – only mostly full of witnesses from tech companies – make us worried about a step back.

2 Comments

Here’s a thought, how about just not collecting any personal data?!

Thing is, lots of people love it – look at the popularity of impulse-purchase-enablement service Amazon… if you’re marketing and selling things online them you need to collect *some* personal data. And for some industries, such as where there’s a know your customer rule, you have to collect it.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?