Computers, Privacy & the Constitution

Inadequacies of Personal Information Protection in Practice and Theory

-- By AustinCollier - 12 Mar 2020

There are many claims by corporations, made voluntarily or, as of 2020 in the United States, in order to comply with the California Consumer Privacy Act (CCPA) and other states’ legislation, that they will protect the personal information of their users. However, they do this in a legal system that is highly permissive of the sale and use-without-compensation of personal information. Below, the CCPA and Google are used as examples to discuss what protections exist in theory, and whether they actually provide any security or privacy to the average U.S. citizen.

I. How Personal Information Protections Are Defined

A. Statutory Protection of Personal Data

The California Consumer Privacy Act provides six rights to California residents regarding their personal data, including rights to know what personal data is collected and to access it, rights to be informed of and refuse sale of their personal data, and a right to request that personal information held by a company be deleted. The CCPA defines “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” CCPA 1798.140(o)(1).

There are, of course, many permissive exceptions in the CCPA. For instance, any information that was obtained through public records is excluded from regulation. Here the CCPA is ripe for circumvention by any company with basic database management skills, and is bereft of an effective enforcement mechanism. It is entirely unrealistic to ask the California Attorney General, who is in charge of enforcing the CCPA, to verify on a case-by-case basis whether information that exists in a public record was, in fact, gathered from that public source, or from a California resident’s online activity. Similarly, because the CCPA requires individual, certified requests to trigger any of its protections, the California AG can only target companies for non-compliance when individuals fail to get a response from a company, and then file a complaint – with sufficient evidence to open a case – against that corporation. The cost of pursuing these kinds of complaints at scale is well beyond what the California AG can handle, and companies that derive revenue from selling targeted ads are likely to resist the degradation of their most valuable asset: their users' databases.

The majority of Google’s revenue comes from advertising. Accordingly, they are incapable of refusing to allow their users’ personal data to be exploited via targeted advertisement, and thus cannot be trusted to resist their clients’ requests to aggressively gather and re-target personal information to promote their sales or other interests. The CCPA provides almost no resistance to Google either, because it requires individual requests and, again, because the Act does not consider the way that Google employs personal information to be a “sale.”

B. Google’s “Voluntary” Data Protections

Google’s Privacy Policy claims that Google and its parent company, Alphabet, only use your data to improve their products and services, and denies selling it. This is difficult to believe considering that Facebook gave assurances regarding its data policies that were hardly criticized until the abuses of personal data to distort Americans’ perception of the 2016 presidential election were revealed through the Cambridge Analytica scandal. Google’s claim is further undermined by complaints that Google sold personal information through hidden webpages to third parties, and that the practice continued even after Google claimed it stopped in September 2018.

Regardless of whether Google “sells” personal data in a direct sense, it is important to ask whether there is a meaningful difference between directly selling databases and offering companies the opportunity to purchase finely-targeted advertisement that Google serves using that same personal information. Looking to Google’s peers, Facebook and others have already taken advantage of the loose definition of “selling” data in the act to claim that the CCPA would not require them to significantly adjust their data usage.

II. Theoretical Efficacy of Data Protections

For the sake of discussion, let us imagine that privacy laws in the United States had adequate enforcement mechanisms in place, and that companies were impeccably careful to not sell “personal information” as it is defined in the CCPA. Would there be a meaningful protection of internet users’ data and privacy?

A. Breach

The threat of data breach has existed as long as people have stored and transmitted information online. Breaches have targeted social media sites like Facebook, and financial institutions including a breach of Capital One credit cards that exposed over 106 million cardholders and did not even rank in the top ten breaches of all time. If large, sophisticated, and tech-savvy companies like those cannot prevent breaches even where they have massive legal incentive to do so, it leads to the conclusion that no personal data stored online is truly safe.

B. Re-Identification

Another issue with the very existence of data derived from people’s personal online activity is re-identification. As any data analyst will tell you, it is simple in the data-rich environments of web-based tech companies to combine bits of information that, alone, are not personal data to re-assemble a profile on someone and even identify them individually. For instance, as of 2006, 63% of the U.S. population could be individually identified with their birthdate, gender, and ZIP code alone. This means that even data that was “anonymized” for sale could be used to indirectly create personal data without violating even a strict prohibition on personal data sale or transfer. Add to this the fact that there is no widely accepted definition of, or regulation regarding “anonymized” data, and the issue of online privacy shifts from preventing companies from selling the “whole package” of personal information, to selling the constituent parts – for which there are no significant protections either on the books as of today, or even on the horizon.
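The re-identification problem described above can be measured rather than argued about. The following is an added example, not part of the original essay: a small audit that a data holder could run before releasing a "de-identified" table. It computes k-anonymity and the share of records that are unique on the essay's three quasi-identifiers (birthdate, gender, ZIP), shows how an unambiguous join against an identified public-record table (the "public records" exception discussed above) attaches names back to the "anonymized" rows, and then shows the same checks after the quasi-identifiers are coarsened. All records, names and ZIP codes are constructed sample data; the function names are this example's own.

```python
"""Re-identification risk audit for a 'de-identified' release.

Added example (not from the original essay). All rows below are constructed
sample data; the functions assume a list of dicts with the keys used here.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("birthdate", "gender", "zip")

# Constructed "anonymized" release: names were removed, but the three
# quasi-identifiers the essay cites were released untouched.
ANONYMIZED_RELEASE = [
    {"birthdate": "1971-03-04", "gender": "F", "zip": "94110", "diagnosis": "asthma"},
    {"birthdate": "1971-03-04", "gender": "F", "zip": "94110", "diagnosis": "none"},
    {"birthdate": "1985-11-22", "gender": "M", "zip": "94110", "diagnosis": "diabetes"},
    {"birthdate": "1985-02-09", "gender": "M", "zip": "94118", "diagnosis": "none"},
    {"birthdate": "1990-07-01", "gender": "F", "zip": "90210", "diagnosis": "hypertension"},
    {"birthdate": "1990-12-30", "gender": "F", "zip": "90211", "diagnosis": "none"},
]

# Constructed identified public-record table (think of a voter roll) that
# carries the same quasi-identifiers. "G. Example" has no row in the release.
PUBLIC_RECORDS = [
    {"name": "A. Example", "birthdate": "1971-03-04", "gender": "F", "zip": "94110"},
    {"name": "B. Example", "birthdate": "1971-03-04", "gender": "F", "zip": "94110"},
    {"name": "C. Example", "birthdate": "1985-11-22", "gender": "M", "zip": "94110"},
    {"name": "D. Example", "birthdate": "1985-02-09", "gender": "M", "zip": "94118"},
    {"name": "E. Example", "birthdate": "1990-07-01", "gender": "F", "zip": "90210"},
    {"name": "F. Example", "birthdate": "1990-12-30", "gender": "F", "zip": "90211"},
    {"name": "G. Example", "birthdate": "1975-05-05", "gender": "M", "zip": "10001"},
]


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that groups 'similar' people."""
    return tuple(record[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest group size over the quasi-identifiers; k == 1 means at least
    one record is the only one with its (birthdate, gender, ZIP) values."""
    if not records:
        return 0
    return min(Counter(quasi_key(r, fields) for r in records).values())


def unique_fraction(records, fields=QUASI_IDENTIFIERS):
    """Share of records that are unique on the quasi-identifiers. The essay's
    63% figure is this quantity for the U.S. population on the same fields."""
    counts = Counter(quasi_key(r, fields) for r in records)
    unique = sum(1 for r in records if counts[quasi_key(r, fields)] == 1)
    return unique / len(records)


def link_records(release, public, fields=QUASI_IDENTIFIERS):
    """Join the release to identified public records on the quasi-identifiers.
    Only unambiguous links (one release row <-> one public row) are returned,
    mapping the recovered name to the sensitive attribute it exposes."""
    names_by_key = defaultdict(list)
    for p in public:
        names_by_key[quasi_key(p, fields)].append(p["name"])
    release_counts = Counter(quasi_key(r, fields) for r in release)
    linked = {}
    for r in release:
        key = quasi_key(r, fields)
        if release_counts[key] == 1 and len(names_by_key[key]) == 1:
            linked[names_by_key[key][0]] = r["diagnosis"]
    return linked


def generalize(record):
    """Coarsen the quasi-identifiers: birth year only, 3-digit ZIP prefix.
    Other keys (diagnosis, name) are carried through unchanged."""
    out = dict(record)
    out["birthdate"] = record["birthdate"][:4]
    out["zip"] = record["zip"][:3]
    return out


if __name__ == "__main__":
    print("as released: k =", k_anonymity(ANONYMIZED_RELEASE),
          "unique fraction =", round(unique_fraction(ANONYMIZED_RELEASE), 3))
    print("re-identified via public records:",
          link_records(ANONYMIZED_RELEASE, PUBLIC_RECORDS))
    coarse = [generalize(r) for r in ANONYMIZED_RELEASE]
    coarse_public = [generalize(p) for p in PUBLIC_RECORDS]
    print("after generalization: k =", k_anonymity(coarse),
          "unique fraction =", unique_fraction(coarse),
          "links =", link_records(coarse, coarse_public))
```

On the constructed data the release is only 1-anonymous and four of the six rows are unique on the three fields, so the join names four people and their diagnoses; the two rows that share all three values stay ambiguous, which is exactly the protection k-anonymity is meant to provide. After truncating birthdate to the year and ZIP to three digits every group has at least two members and the join returns nothing. Running this kind of check against a planned release, with the quasi-identifiers chosen to match what is actually available in public records, is the practical counterpart to the essay's point that "anonymized" data without such an analysis is not meaningfully anonymous.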

r3 - 22 Apr 2020 - 16:05:42 - AustinCollier