World Privacy Forum statement on federal privacy regulation & data brokers

WPF is issuing this statement in response to the Senate Commerce Committee hearing Oct. 10, 2018 on consumer data privacy. The committee is considering drafting legislation that seeks to address consumer data privacy.

Read the WPF statement below, or in PDF (WPF Statement Oct 10, 2018 .)

====

World Privacy Forum Statement on Federal Privacy Legislation

Media Contact:
Pam Dixon
World Privacy Forum
760-712-4281
www.worldprivacyforum.org

October 10, 2018

Portland, Oregon: Consumer data privacy comprises the core of World Privacy Forum’s mission and purpose. A meaningful part of our work and research has focused on data brokers and secondary uses of consumer data. The debate over what the contours of federal privacy regulation should look like must be inclusive of the lynchpin issues of secondary and tertiary uses of consumer data.

WPF Executive Director Pam Dixon says: “Through our longstanding work regarding data brokers and related harms to consumers, it is abundantly clear that if Congress enacts privacy legislation that fails to effectively regulate data brokers and stop the consumer harms they directly cause, any legislation enacted will be a failure.”

Privacy legislation in the U.S. has a long and storied history. However in all of the rich legacy of privacy law there exists a gap that is still unresolved: there are not controls over most secondary uses of data and tertiary sales or uses of consumer data. Nowhere has this deficit been more problematic than in the data broker industry. The World Privacy Forum has spent years researching and documenting data broker practices.

Our research has found:

Data brokers sell, trade, and share highly sensitive and identifiable information about consumers – usually without any knowledge on the part of consumers about these activities.WPF has meaningfully and repeatedly documented that data brokers sell information about consumers who have bought a particular item, take certain medications, read certain books, or engage in certain activities. Thousands of data broker lists exist, with millions of consumers identified in the lists by name.
The data broker industry has evolved to also focus on detailed consumer data analysis that results in predictive profiles of consumers, often with a score attached. WPF calls this “consumer scoring,” and we documented these practices extensively in our report, The Scoring of America.
Consumer scoring covers everything from consumer loyalty to employability to personality scores to medical risk scores, and more. These analytical scores become a kind of shorthand to describe consumers and can influence meaningful marketplace opportunities in consumers’ lives. Again, without consumers’ knowledge or control.
Data brokers, data compilers, and large technology platforms do not have absolute control of tertiary uses of data, including malicious uses. Consumers in particular do not have enough controls over their data. Real consumer harms can result from secondary and tertiary uses, and the harms can continue forward for years in some cases. When consumer data escapes into third party hands, there are almost no existing controls for fully recapturing the escaped data or fully understanding everywhere the data might have gone. This is illustrated by the Facebook Cambridge Analytica scandal, by the Equifax data breach, and most recently, by the Google + data breach.

Solving the problem of applying meaningful controls of secondary and tertiary sales and uses of consumer data must be at the core of what gets resolved in any federal privacy legislation. If federal privacy legislation does not address this set of core issues, then the secondary uses gap will continue unabated, and no real privacy can be had as long as this gap exists. This gap can be narrowed by meaningful work to provide:

Consumer controls of certain data flows and data uses, including long-term controls,
Creating transparency, choice, and meaningful rights around consumer scoring,
Creating technological, procedural, and policy controls over secondary and tertiary data uses. This can range from data tracking techniques to standards for de-identification to technological measures that audit data for inappropriate/appropriate uses over its lifetime.

No one expects perfect solutions. But if solutions do not address the lynchpin of the consumer privacy data challenges, then we will not accomplish what we need to.

Posted October 10, 2018 in Data Breach, Data Brokers, News, Press, and Media

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.