FTC committed to enforcing law against illegal use, sharing of sensitive data (ftc.gov)
174 points by pseudolus on July 13, 2022 | 81 comments


Enforcing laws against illegal use of sensitive data sounds cool, except that only the most incompetent ones will ever meet that bar federally. HIPAA’s privacy protections are so weak that companies can just shove things like this in their EULA[0] and they are good to go:

> Any information in the FollowMyHealth Universal Health Record is considered PHR Data. PHR Data might include, but is not limited to the following:

> Your name and contact information, such as your address, phone number, or email address

> Your medical history, conditions, treatments, and medications

> Your healthcare claims, health plan account numbers, bills, and insurance information

> Demographic information, such as your age, birthdate, gender, ethnicity, and occupation

> […]

> Allscripts may use your PHR Data for marketing and advertising purposes, including sending you customized marketing and advertising communications whether on our behalf or on behalf of third party partners with whom we may engage.

As a postscript, if you are curious how some Allscripts subsidiaries used PHR Data for marketing purposes in the past, the answer is to get doctors to push opioids[1].

[0] https://www.followmyhealth.com/UseDocuments/PrivacyPolicy

[1] https://www.justice.gov/opa/pr/electronic-health-records-ven...


The whole idea of EULA needs to be scrapped. As currently configured they will never be fair to consumers. They institutionalize unethical, bad faith agreements.


The problem is that clauses unfair or surprising to the consumer are not considered invalid.


> For a contract to be treated as a contract of adhesion, it must be presented on a standard form on a "take it or leave it" basis, and give one party no ability to negotiate because of their unequal bargaining position. The special scrutiny given to contracts of adhesion can be performed in a number of ways:

> If the term was outside of the reasonable expectations of the person who did not write the contract, and if the parties were contracting on an unequal basis, then it will not be enforceable. The reasonable expectation is assessed objectively, looking at the prominence of the term, the purpose of the term and the circumstances surrounding acceptance of the contract.

https://en.wikipedia.org/wiki/Standard_form_contract#Contrac...


Under US law anyway; some EULAs are unenforceable under EU laws.


That's one side of the argument. However, they are necessary for companies to function, and have some protections from fraudsters, con artists, hackers, litigious opportunists, etc.

Now you may argue that there are not frequent enough instances of these frauds to require EULAs. Anticipate that the counterargument could be that they aren't BECAUSE of the presence of EULAs.


EULAs didn't exist 50 years ago and we survived somehow!

Now my phone, TV, and my floor lamp have an EULA. Industries that can't function without EULAs are the ones defrauding consumers; they should burn down to the ground.


You bought your phone, TV, and floor lamp from companies that should burn down to the ground?

Is arson (metaphorical, I hope) really the best option here?


Definitely the floor lamp one. It refuses to connect to the app because it's in a different country, the lamp is country-locked, it's telling me what to do, and none of this was in the original contract of sale.

Also arson is illegal. I am thinking more like witch-burning.


Witch-burning is, if anything, more illegal.

(That lamp is messed up tho. I feel ya.)


How does an EULA defend against fraudsters, con artists, and hackers?


"By reading this message you agree that I [the writer of the message] get access to all your data and that you [the reader of the message] agree to using the data for all purposes deemed as necessary to exploit such data for fun and economic gain."

EULAs are a joke and everybody knows that people do not read them.


This fails contracts 101.

There has to be consideration. Reading the contract is not consideration.


Can you explain further please? Or give some links? Here in Germany reading those „internet contracts“ doesn't count in court because they are intentionally unreadable and too long.


In common law jurisdictions contracts generally require consideration. Consideration is a technical legal term which roughly means that both sides need to have some kind of obligation. E.g. maybe I give my labour and you give me money.

One weird consequence you used to get was friendly entities leasing things to each other for trivial rents (e.g. one Oxford college might lease land to another for a few pence a year) instead of for free so that there is consideration.


The counter-argument they would give is that you get to use the site/service, thus, that is your consideration -- of course consideration for both parties has to be balanced/equivalent. Thus, the "consideration."

But contracts also require both parties to explicitly acknowledge them and understand them -- thus e.g. modifying in secret a contract before signing will just offer a cause for invalidation and fraud to be brought up etc. EULAs are hilarious in this respect that it is an open secret that only a few devout users read them or even skim them.


It is one of the things that sometimes trips up someone trying to publicly release software. Often they try to give a free license or release to the public domain, but this may be considered invalid if they don't explicitly state that they expect nothing in return. This is why free software licenses have explicit terms about this.


I'm hoping this gets established, and then expands so data brokers can't sell data sets with labels like "anxious" or "likely depressed".

Right now, corporations are intentionally or unintentionally behaviorally conditioning people. Given behavioral shaping is a medical practice and is largely being performed without consent, it needs to stop.


If Congress cared about privacy they would have enacted relevant laws decades ago. They sure were quick to protect their own video rental records when those were weaponized.

The data broker industry is relied upon by the government to sidestep 4A and Congress has been complicit in not regulating them. Because of the attention, there will be some hollow gestures to further protect health data outside the current reach of HIPAA and nothing more.

I'll just add that the brokers don't need app data to get information about menstrual cycles. I sat in a meeting at a long established data broker in the late 90's (pre-Google) where they gushed about their ability to track cycles from purchase records. A lot of detailed personal information can be gleaned with data analysis from seemingly innocuous sources and, without broad data protection laws, none of us are immune to this invasiveness.


Maybe these superhuman marketers with perfect understanding of human behavior exist, but since I've never met one it's hard for me to picture. What does it matter when the cycles are? Is it to try and sell pain medication for the low percentage of women that suffer during it? Whenever these stories are told you'd think someone is achieving world domination, but my suspicion is that the large majority of companies can't even do anything very interesting with this data that they collect unethically.


Missouri officials used women's menstrual cycle data in 2019 in a quest to shut down the state's last abortion clinic.[0] This was legal due to a lack of HIPAA restrictions.

It would not be difficult to use this data in a post-Roe US to litigate against abortions.

> companies can't even do anything very interesting with this data that they collect

I'm not concerned about the companies. I'm concerned about domestic agencies that purchase that data to work around restrictions that prevent them from collecting it.[1][2][3][4](stretching to inf.) Like your parent commenter stated, this is to avoid Fourth Amendment restrictions.

[0] https://time.com/5713804/missouri-health-official-planned-pa...

[1] https://www.wsj.com/articles/treasury-watchdog-warns-of-gove...

[2] https://www.wsj.com/articles/federal-agencies-use-cellphone-...

[3] https://www.buzzfeednews.com/article/hamedaleaziz/ice-dhs-ce...

[4] https://www.washingtonpost.com/technology/2021/02/26/ice-pri...


The harm is real, even if you try to ridicule it. None of your refutation is founded on the reality of the harm (or what was claimed, AFAICT). This is called a strawman.


But I didn't say there was no harm? I asked for examples as it's hard for me to picture them. Another commenter gave a good example of how government agencies can use this data for nefarious things, I was originally curious of ways of profiting from knowing what was initially discussed, when the cycle is. I think because the topic is charged you saw ridicule where there was none.


“Likely pregnant” can also be dangerous these days


A women’s health app recently tried to capitalize on the Roe decision by claiming they keep data private. I read through their privacy policy, and sure enough they allow themselves several liberties including using data for “research.”

Amusingly, I caught “[INSERT COMPANY]” in their privacy policy. Apparently they haven’t even read their own policy! It was quite long —there should be an Internet law that the longer the privacy policy, the more likely your data is being abused.


Name the app, and company?


It's more fun to Google "INSERT HERE" intitle:privacy policy

Then you'd know they're talking about stuff like this https://www.salvationcoffeecompany.com/pages/privacy-policy


My interpretation of that sentence was that it was the string literal “[INSERT COMPANY]”. A company name placeholder that hadn't been replaced.


I think the person you are replying to is trying to say something more along the lines of "name the company so we can shame them, and avoid them", not "what is '[INSERT COMPANY]' actually."


Yeah we got that but we need to know who the company is anyway.


?


Ban the collection in the first place unless the company can prove it is necessary and will completely delete it after it is not needed for that purpose. Once location data is collected, it will and does leak. I fear this effort by the FTC will have too many loopholes and exceptions to be meaningful and will only provide a false sense of security.


Indeed, make possession of the data illegal, and create a statutory civil penalty per violation.


Yawn. I'm done caring about what government figures and departments say they stand for, commit to doing, or promise is coming soon. It's proved fairly meaningless.

Come back to me and show what you've done or just don't say anything.

I think people need to become much more hostile towards "saying" and insist on "doing" or nothing.


Even if they start "doing", US law is so lenient that even if they actually start enforcing it, most privacy violations will remain in place simply because they aren't illegal.

The US legislative branch is the true source of regulatory capture. Executive agencies are secondary. I don't think the founding fathers anticipated, or could have anticipated, the entire legislature becoming an organized cabal.


The one group, generally, that has been driven away from privacy via scare tactics of the surveillance state has finally been given the required incentive to recognize the grave importance of privacy.

This is no longer a political issue or an issue of only people that 'have something to hide'.

Public support for privacy will be the majority opinion regardless of political ambitions.

Good news! Now we can accomplish what people with sense have known for the last few decades


> Public support for privacy will be the majority opinion regardless of political ambitions

This is usually not true. At least in America. The issue is compounded by a lot of privacy advocacy’s beachhead constituencies having low trust in government and/or unusually nihilistic opinions about public rulemaking. (I worked on the frontlines of this a few years ago.)


That's why I said it will be

It's clear that privacy hasn't had enough support by our sheer lack of privacy.

Most people genuinely don't even know tracking is taking place at all times or by what means. Ask someone whether they're aware of cursor dwell time tracking. They will think you are babbling.


Let's hope so. Privacy needs to be acknowledged as a basic human right.


It is. But only for some people.


No, privacy runs counter to a world with free information. If privacy was an actual right we would need to destroy most history books because we never got those people's permission to reshare information about them. News reporters would have to get permission from people and companies they are writing reports about.


You're being downvoted, I think, because this entirely ignores the extent to which modern dragnet surveillance snoops on and categorizes every last person. We have history books that tell a lot about important public figures (and society generally) without data brokers or Palantir being a thing for any part of that history.


>We have history books that tell a lot about important public figures

That's because the process doesn't scale. With technology we can scale this to a large percentage of the population of Earth. Imagine being curious about someone and just being able to look up what they did in life.


Dead people don't need privacy or most other human rights. The living ones need them. And we need to separate between public interest and mining information about every individual. It is fine to show the Rajapaksa's bedroom on TV, because it was paid for with stolen money that was taken from the people.


> Dead people don't need privacy or most other human rights.

Dead people obviously don't need the exact same rights as live people, but I guess many (most?) people would rather their most intimate secrets, nude photos, etc etc not get uploaded and publicly shared 5 minutes after death even if we won't be around to witness it ourselves. And if you go to a graveyard and unilaterally start digging up bodies you'd find a lot of relatives (and people generally) not happy on behalf of those dead people.

But I do agree those rights are less important compared to those of the living, if there's a conflict between them.


Famous people who donate their stuff to archives often disallow access— even to the archivists themselves— for multiple decades. Dead folks’ possessions could have serious privacy implications. PII aside, people might have letters discussing quietly miscarried children, other people’s non-public embarrassing financial mistakes, or any number of other things that would be unethical to expose to any other people while it could be consequential. It’s not like everybody they interacted with is dead, too.


The census laws in many countries protect access to the actual raw data until at least a few years and usually a few decades after the people in question are dead and sometimes there’s even blanket rules on accessing anything more recent than 75 to a hundred years ago. So even the governments with extensive historical records tend to follow similar rules to the ones you mention about archives access.


>And we need to separate between public interest and mining information about every individual

It's the same thing. One man's junk information is another man's treasure. The interest of the public is very wide since different people can have widely different interests.


> One man's junk information is another man's treasure.

Just because someone wants to know the color of my underwear (even if they regard that knowledge as a treasure), there is no valid public interest in that. Preemptively and forcibly opening up all personal information is a very dystopian thought.


>there is no valid public interest in that

and how is a valid public interest defined? To me I would consider it to mean a piece of information that a person may be curious about or may want in order to make a decision. If someone is making an underwear recommendation system then I can see how they can be interested in collecting the color of everyone in order to offer this service.

>opening up all personal information is a very dystopian thought

I don't think it needs to be like that. Freedom of information will allow things to be made more efficient and for better decisions to be made and their impact measured. Anything you are curious about you are able to find out.


> and how is a valid public interest defined?

According to https://en.wikipedia.org/wiki/Public_interest :

> The public interest is "the welfare or well-being of the general public" and society.

So unless someone can prove that the knowledge about the color of my underwear is crucial for ensuring "the welfare or well-being of the general public", I would say that I should have the right to keep that secret.


Journalists usually write about public individuals, or where private people do something in the public interest. History is usually written about dead people, who you can find in publicly released census records. Companies have no right to privacy, only the limited concepts of trade secrets, etc.

You may want to distinguish between what is published and what is collected for analysis. The GDPR covers both.


>Journalists usually write about public individuals

There are plenty of news stories involving people who aren't public individuals.

>History is usually written about dead people

History is written in real time. See wikipedia for example.


> There are plenty of news stories involving people who aren't public individuals.

Typically because there is a public interest in the story and/or because that individual did consent. It is not common to publish investigations of common people's bedrooms without their consent.


I think that is caused more by there not being a demand for news about random bedrooms. If you look more at social media if you are at someone's house and take a selfie, you aren't going to ask your friend if having their room as your background is okay.


> If you look more at social media if you are at someone's house and take a selfie, you aren't going to ask your friend if having their room as your background is okay.

Prepare to get kicked out if you post my private space on the internet without asking.


"basic human right" does not mean "absolute right disregarding any other consideration and for eternity":

* Should you have the same level of privacy after you die as when you were alive?

* If you assume a public position of power, can you not be considered to have relinquished some measure of privacy to allow for public evaluation of your conduct?

etc.


I called State Farm yesterday to file a claim and an automated message prompted me that if I was a California resident, I could press 1 and opt out of having my personal data sold. Seeing as how I'm not a California resident, it felt like a subtle little "f** you" since I couldn't even opt out but I still heard the option.


Online you can benefit if your IP address geolocates to California. I'm not in California nor is the particular server I use as a web proxy but because the company is based in California the whole address range usually geolocates there (plus I send "do not track") and I've seen sites that apply the California rules because of that without asking.


Even among congresspeople? I thought there's been quite a few instances where congresspeople have had access to sensitive data and tweeted about it?


The concept of "illegal use" does not, of course, apply to things like ICE/DHS buying access to this data without a warrant to conduct fishing expeditions.

https://www.buzzfeednews.com/article/hamedaleaziz/ice-dhs-ce...


Took them long enough. Though I'd wonder what changed. I don't see why they're worried about location data that much, as phone location is not accurate enough to say an individual was somewhere at a specific time or to show their route in a city within a few feet, or at least that data probably doesn't meet the legal standard of being evidence of a crime, or of being an accessory or co-conspirator to one, so it seems pretty low risk from a privacy perspective.


> I don't see why they're worried about location data that much, as phone location is not accurate enough to say an individual was somewhere at a specific time or to show their route in a city within a few feet,

Cell phones can provide precise GPS coordinates, and cell phone tower data alone can give a person's location to within a mile, while things like Bluetooth beacons and Wi-Fi network info can give accurate data to within several meters. One of the major concerns with 5G is that, because of the need for a much more extensive network of towers, cell phone companies will have everyone's location data with precision measured in feet.

As for not meeting the legal standard for evidence of a crime, it's already being used to identify suspects. It may not be enough evidence on its own to convict someone, but it is enough to get you questioned/investigated/arrested. See:

https://techcrunch.com/2021/08/19/google-geofence-warrants/

https://www.wired.com/story/capitol-riot-google-geofence-war...

I'd put the level of risk pretty high.


> I don't see why they're worried about location data that much, as phone location is not accurate enough to say an individual was somewhere at a specific time or to show their route in a city within a few feet, or at least that data probably doesn't meet the legal standard of being evidence of a crime, or of being an accessory or co-conspirator to one, so it seems pretty low risk from a privacy perspective.

Eh? My phone can pinpoint its location to a part of a room in my 800 square foot flat. And the government uses phone location data for tactical and investigative stuff all the time— the Muslim Pro example most immediately comes to mind. Even seemingly innocuous data in the hands of correlating/mining data brokers would give them insights into your life that would make most people shudder.


> Though I'd wonder what changed.

They make it explicit in the statement:

> Now let’s consider a particularly sensitive subset at the intersection of location and health: information related to personal reproductive matters – for example, products that track women’s periods, monitor their fertility, oversee their contraceptive use, or even target women considering abortion.


Until the OS vendors wake up and start addressing the elephant in the room - that our operating systems are no longer servicing our needs as users, but serving up our data as consumers - there is no point in any of this political theater.

It is because OS vendors decided to use their technology to gain access to our eyeballs that we are in this mess.

OS vendors deciding not to make encryption a first-tier service provided to their end users, with a user interface abstraction that enlightens and educates instead of obfuscates and minimizes. OS vendors deciding to hide filesystems and shared data from us, because making a UI that makes them usable is hard, and prefer instead to replace it with broken cloud services.

It is because OS vendors are selling ads and eyeballs, not operating systems - which are secondary to the purpose of creating a consumer database.


Were they not before?


This is actually bad for online privacy in the long term.

The reason is because this is tying online privacy to mainly one side of the abortion debate, and to one political party.

There is a greater than 50% chance that Republicans win control of Congress in 2022.

I would say that there is likewise a 50% chance they win the Presidency in 2024 (especially if they run someone other than Trump).

If online privacy is nothing but just yet another point of contention in the culture wars, what chance do you think this will have of standing?


I suppose you feel this way about net neutrality as well, since it was established and then reverted as a partisan issue, also part of the so-called "culture wars"? Don't forget, they make everything part of the culture war so people will vote based on their "culture."

Right now people who want to get abortions are a group of major concern in the privacy debate. Others also need these protections, but people getting abortions and abortion-adjacent care are in immediate, real danger and their privacy is suddenly much more important than a few weeks or months ago.

The FTC is expressing that it intends to protect the privacy expectations of all Americans in mind, regardless of state rules limiting certain medical procedures, medications, or even sexual orientations. The current data economy provides numerous opportunities to get around those expectations and protections. That's something that should change - though it will need legislation, probably, not just an agency rolling up its sleeves.


"Doing something good is bad because it'll cause someone intent on doing bad to do bad faster" is not ideal logic.


By this logic we're not supposed to defend anything because one day some people can (and I agree will) destroy it? Your argument argues for the opposite: it makes more sense to defend this now when there is political capacity to defend it. And later, when we won't, it'll be banned. But at least there will be political and legal precedent for this, so that makes it (1) harder for the next person to destroy it and (2) easier for the next next person to re-create it. Your strategy is by definition doomed to fail.

EDIT: Also RvW was legally dependent on Americans' constitutional right to privacy as per the Fourteenth Amendment. So this issue is already organically tied to the issue of abortion, whether you like it or not (at least with the framework the current SCOTUS is attempting to destroy (it cannot be said they already destroyed it fully given many of the precedents Thomas listed still are the law of the land)).


Roe vs Wade was based on the notion of a constitutional right to privacy. So it is very much tied to privacy!

There is currently real doubt that what were assumed to be constitutional privacy protections (far beyond abortion) will hold going forward and so the executive is keen to demonstrate and exercise its existing powers in regulating affairs which previously would have been assumed to be protected by such a right.


> so the executive is keen to demonstrate and exercise its existing powers in regulating affairs which previously would have been assumed to be protected by such a right.

No, what has actually happened is that the democrats very recently broke the deadlock [1] and got their appointments into the FTC, which caused the organization to actually start doing its job. The senate republicans were delaying the appointment, and their appointees inside the FTC were stonewalling any actual enforcement by it.

https://news.bloomberglaw.com/privacy-and-data-security/data...


"One side of abortion debate" sounds exactly like "one side of the flat earth debate". There's no debate: there's a fringe view of "life from conception" and there's the opposite view founded on ethics.


Whenever an old man is tracking and watching every step of your little daughter, he's a weird dude.

It should be the same for anyone who wants to track you online, including, and especially, companies.


I think the focus is misplaced. I’d much rather people have my health and location data than my browsing history, which reveals so much more about you.


The data brokers have both and more for most people. It is easier (not easy) to keep browsing history private. It is much more difficult to make mobile phones not leak your location. You need to run a custom OS, stay in airplane mode or use no SIM, and install only certain apps to accomplish this. Since few people know how to do this, regulatory enforcement on location data is more important.


>... which reveals so much about you.

I would caution you not to speak in absolutes here, and consider that life has a lot of nuance. There are a fair many people who are in pretty darn good health, and only need the occasional checkup. That person's location data and browsing history is far, far more enlightening into who they are than their medical history.


Your health data can be used to produce ransomware attacks against the clinics, hospitals, etc. you go to. It's much more valuable data because people will pay more for it when stolen.


You’re not the demo. This is pursuant to Biden's executive order providing a floor to abortion restrictions[0][1], and specifically the lack of HIPPA guidelines on period tracking apps.

I.e. you may not want your history shared, but someone’s period app data may result in a felony (or worse[2]) in the future.

[0] https://www.whitehouse.gov/briefing-room/statements-releases...

[1] https://news.bloomberglaw.com/tech-and-telecom-law/biden-sum...

[2] https://www.texastribune.org/2021/03/09/texas-legislature-ab...


It’s HIPAA.



