{"id":15156,"date":"2019-04-23T10:10:08","date_gmt":"2019-04-23T18:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/23\/news-8905\/"},"modified":"2019-04-23T10:10:08","modified_gmt":"2019-04-23T18:10:08","slug":"news-8905","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/04\/23\/news-8905\/","title":{"rendered":"Consumers have few legal options for protecting privacy"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Tue, 23 Apr 2019 17:03:20 +0000<\/strong><\/p>\n<p>There are no promises in the words, \u201cWe care about user privacy.\u201d <\/p>\n<p>Yet, these words appear on privacy policy after privacy policy, serving as disingenuous banners to hide potentially invasive corporate practices, including clandestine data collection, sharing, and selling. <\/p>\n<p>This is no accident. It is a strategy. <\/p>\n<p>In the US, companies that break their own privacy policies can\u2014and do\u2014face lawsuits over misleading and deceiving their users, including making false statements about data privacy. But users are handicapped in this legal fight, as successful lawsuits and filings are rare.<\/p>\n<p>Instead of relying on the legal system to assert their data privacy rights, many users turn to tech tools, installing various web browsers, browser extensions, and VPNs to protect their online behavior. <\/p>\n<p>Luckily, users aren\u2019t alone in this fight. A small number of companies, including Apple, Mozilla, Signal, WhatsApp, and others, are truly committed to user privacy. They stand up to overbroad government requests. They speak plainly about data collection. And they often disengage from practices that put user data in the hands of unexpected third parties.  <\/p>\n<p>In the latest blog in our series on data privacy and cybersecurity laws, we look at the options that consumers actually have in asserting their digital privacy rights today. 
In the US, it is an area of law that, <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"unlike global data protection (opens in a new tab)\">unlike global data protection<\/a>, is slim. <\/p>\n<p>As Jay Stanley, senior policy analyst with the ACLU Speech, Privacy, and Technology Project, put it: \u201cThere\u2019s a thin web of certain laws that exist out there [for digital consumer privacy], but the baseline default is that it\u2019s kind of the Wild West.\u201d <\/p>\n<h3>Few laws, few protections<\/h3>\n<p>For weeks, Malwarebytes Labs has delved into the dizzying array of global data protection and cybersecurity laws, exploring why, for instance, <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/not-definitive-guide-cybersecurity-data-privacy-laws\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"a data breach in one state (opens in a new tab)\">a data breach in one state<\/a> requires a different response than a data breach in another, or why &#8220;<a rel=\"noreferrer noopener\" aria-label=\"personal information (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/what-is-personal-information-in-legal-terms-it-depends\/\" target=\"_blank\">personal information<\/a>\u201d in one country is not the same as \u201cpersonal data\u201d in another. <\/p>\n<p>Despite the robust requirements for lawful data protection around the world, individuals in the United States experience the near opposite. 
In the US, there is no comprehensive federal data protection law, and thus, there is no broad legal protection that consumers can use to assert their data privacy rights in court.<\/p>\n<p>\u201cIn the United States, the sort of default is: Consumer beware,\u201d said Lee Tien, senior staff attorney with the digital rights nonprofit Electronic Frontier Foundation. <\/p>\n<p>As we <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/03\/what-congress-means-when-it-talks-about-data-privacy-legislation\/\" target=\"_blank\">explored last month<\/a>, US data protection law is split into sectors\u2014there\u2019s a law for healthcare providers, a law for video rental history, a law for children\u2019s online information, and laws for other select areas. But user data that falls out of those narrow scopes has little protection. <\/p>\n<p>If a company gives intimate <a href=\"https:\/\/mashable.com\/article\/flo-period-tracking-app-will-stop-sharing-data-with-facebook\/#1RhsPF1sgsq0\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">menstrual tracking info to Facebook<\/a>? Tough luck. If a flashlight app <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.theguardian.com\/technology\/2014\/oct\/03\/android-flashlight-apps-permissions-privacy\" target=\"_blank\">gathers users\u2019 phone contacts<\/a>? Too bad. If a vast network of online advertising companies and data brokers <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.theguardian.com\/technology\/2019\/jan\/20\/shoshana-zuboff-age-of-surveillance-capitalism-google-facebook\" target=\"_blank\">build a corporate surveillance regime<\/a> that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world. 
<\/p>\n<p>\u201cIn general, unless there is specific, sectoral legislation, you don\u2019t have much of a right to do anything with respect to [data privacy],\u201d Tien said. <\/p>\n<p>There is one caveat, though. <\/p>\n<p>In the US, companies cannot lie about their own business practices, data protection practices included. These laws prohibit \u201cunlawful, unfair, or fraudulent\u201d business practices, along with \u201cunfair, deceptive, untrue, or misleading\u201d advertising. Whatever a company says it does, legally, should be what it actually does, Tien said.  <\/p>\n<p>\u201cMost of consumer privacy that\u2019s not already controlled by a statute lives in this space of \u2018Oh, you made a promise about privacy, and then you broke it,\u2019\u201d Tien said. \u201cMaybe you said you don\u2019t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it\u2019s not true, you can get into trouble.\u201d <\/p>\n<p>This is where a company\u2019s privacy policy becomes vital. Any company\u2019s risk for legal liability is only as large as its privacy policy is detailed. <\/p>\n<p>In fact, the fewer privacy promises made, the fewer opportunities to face a lawsuit, said ACLU\u2019s Stanley. <\/p>\n<p>\u201cThis is why all privacy policies are written to not make any promises, but instead have hand-wavy statements,\u201d Stanley said. \u201cWhat often follows a sweeping statement is 16 pages of fine print about privacy and how the company actually doesn\u2019t make any promises to protect it.\u201d <\/p>\n<p>But what about a company that does make\u2014and break\u2014a promise? <\/p>\n<h3>Few laws, fewer successful assertions<\/h3>\n<p>Okay, so let\u2019s say a company breaks its data privacy promise. It said it would not sell user data in its privacy policy and it undeniably sold user data. Time to go to court, right? <\/p>\n<p>Not so fast, actually. 
<\/p>\n<p>The same laws that prohibit unfair and deceitful business practices also often include a separate legal requirement for anyone that wants to use them in court: Individuals must show that the alleged misconduct personally harmed them. <\/p>\n<p><a href=\"https:\/\/www.bankinfosecurity.com\/data-breach-lawsuits-fail-a-8213\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Proving harm for something like a data breach is exceedingly difficult<\/a>, Tien said. <\/p>\n<p>\u201cThe mechanism of harm is more customized per victim than, say, an environmental issue,\u201d Tien said, explaining that even the best data science can\u2019t reliably predict an average person\u2019s harm when subjected to a data breach the way that environmental science can predict an average person\u2019s harm if they\u2019ve been subjected to, for instance, a polluted drinking source. <\/p>\n<p>In 2015, this <a href=\"https:\/\/www.reuters.com\/article\/us-uber-tech-breach-ruling-idUSKCN0SD26Z20151019\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">difficulty bore out in court<\/a>, when an Uber driver sued the ride-hailing company because of a data breach that affected up to 50,000 drivers. The breach, the driver alleged, led to a failed identity theft attempt and a fraudulent credit card application in his name. <\/p>\n<p>Two years later, the judge dismissed the lawsuit. <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.courthousenews.com\/uber-likely-dodge-drivers-suit-data-hack\/\" target=\"_blank\">At a hearing she told the driver<\/a>: \u201cIt\u2019s not there. It\u2019s just not what you think it is\u2026It really isn\u2019t enough to allege a case.\u201d <\/p>\n<p>There is, again, a caveat. 
<\/p>\n<p>Certain government officials\u2014including state Attorneys General, county District Attorneys, and city attorneys\u2014can sue a company for its deceitful business practices <em>without<\/em> having to show personal harm. Instead, they can file suit against a company as a representative for the public. <\/p>\n<p>In 2018, this method was also tested in court, with the exact same company. Facing pressure from 51 Attorneys General\u2014one for each US state and one for Washington, D.C.\u2014<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.npr.org\/2018\/09\/27\/652119109\/uber-pays-148-million-over-year-long-cover-up-of-data-breach\" target=\"_blank\">Uber paid $148 million to settle a lawsuit<\/a> alleging the company\u2019s misconduct when covering up a data breach two years earlier. <\/p>\n<p>Despite this success, waiting around for overworked government attorneys to file a lawsuit on a user\u2019s behalf is not a practical solution to protecting online privacy. So, many users have turned to something else\u2014technology. <\/p>\n<h3>Consumer beware? Consumer prepared <\/h3>\n<p>As online tracking methods have evolved far past the simpler days of just using <a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/01\/cookies-should-i-worry-about-them\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"cookies (opens in a new tab)\">cookies<\/a>, consumers have both developed and adopted a wide array of tools to protect their online behavior, hiding themselves from persistent advertisers. <\/p>\n<p>Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that, while the technology of tracking has become more advanced, so have the tools that push back. 
<\/p>\n<p>Privacy-focused web browsers, including Brave and Mozilla\u2019s Firefox Focus, were released in the past two years, and tracking-blocking browser extensions like Ghostery, Disconnect, and Privacy Badger\u2014which is developed by EFF\u2014are all available, at least in basic models, for free to consumers. Even Malwarebytes has a browser extension for both Firefox and Chrome that, along with obstructing malicious content and scams, blocks third-party ads and trackers that monitor users&#8217; online behavior.<\/p>\n<p>Stephens said he has another philosophy about protecting online privacy: Never trust an app. <\/p>\n<p>\u201cWe have this na\u00efve conception that the information we\u2019re giving an app, that what we\u2019re doing with that app, is staying with that app,\u201d Stephens said. \u201cThat\u2019s really not true in most situations.\u201d <\/p>\n<p>Stephens pointed to the example of a flashlight app that, for no discernible reason, collected users\u2019 contact lists, potentially gathering the phone numbers and email addresses for every friend, family member, and met-once-at-a-party acquaintance. <\/p>\n<p>\u201cQuite frankly,\u201d Stephens said, \u201cI would not trust any app to not leak my data.\u201d <\/p>\n<h3>Corporate respect for consumer privacy<\/h3>\n<p>There is one last pillar in defending consumer privacy, and, luckily for many users, it\u2019s a sturdy one: corporations. <\/p>\n<p>Yes, we earlier criticized the many nameless companies that window-dress themselves in empty privacy promises, but, for years, several companies have emerged as meaningful protectors of user privacy. <\/p>\n<p>These companies include Apple, Signal, Mozilla, WhatsApp, DuckDuckGo, Credo Mobile, and several others. They all make explicit promises to users about not selling data or giving it to third parties that don\u2019t need it, along with sometimes refusing to store any user data not fundamentally needed for corporate purposes. 
Signal, the secure messaging app, takes user privacy so seriously that the company cannot read users\u2019 end-to-end encrypted messages to one another. <\/p>\n<p>While many of these companies are household names, a smaller company is putting privacy front and center, and it\u2019s doing it for a much-needed field\u2014DNA testing. <\/p>\n<p>Helix DNA not only tests people\u2019s genetic data, but it also directs them to several partners who offer services that utilize DNA testing, such as The Mayo Clinic and National Geographic. Because Helix serves as a sort of hub for DNA testing services, and because it works so closely with so many companies and organizations that handle genetic data, it decided it was in the right position to set the tone for privacy, said Helix senior director of policy and clinical affairs Elissa Levin. <\/p>\n<p>\u201cIt is incumbent on us to set the industry standards on privacy,\u201d Levin said. <\/p>\n<p>Last year, Helix worked with several other companies\u2014including 23andMe, Ancestry, MyHeritage, and Habit\u2014to <a href=\"https:\/\/fpf.org\/2018\/07\/31\/future-of-privacy-forum-and-leading-genetic-testing-companies-announce-best-practices-to-protect-privacy-of-consumer-genetic-data\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">release a set of industry \u201cbest practices,\u201d<\/a> providing guidance on how DNA testing companies should collect, store, share, and respect user data. <\/p>\n<p>Among the best practices are several privacy-forward ideas not required by law, including the right for users to access, correct, and delete their data from company databases. Also included is a request to ban sharing any genetic data with third parties like employers and insurance companies. 
And, amidst recent headlines about <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.nytimes.com\/2018\/04\/27\/health\/dna-privacy-golden-state-killer-genealogy.html\" target=\"_blank\">captured serial killers<\/a> and <a href=\"https:\/\/www.buzzfeednews.com\/article\/salvadorhernandez\/family-tree-dna-fbi-investigative-genealogy-privacy\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">broad FBI access to genetic data<\/a>, the best practices suggest that companies, when possible, notify individuals about government requests for their data. <\/p>\n<p>Helix itself does not sell any user data, and it requires express user consent for any data sharing with third parties. Helix also brought in privacy executive and current head of data policy at the World Economic Forum Anne Toth to advise on its privacy practices before even launching, Levin said. <\/p>\n<p>As to whether consumers appreciate having their privacy protected, Levin said the proof is not so much in what consumers say, but rather in what they don\u2019t say. <\/p>\n<p>\u201cThe best way to gauge that is in looking at the fact that we have not gotten negative feedback from users or concerns about our privacy practices,\u201d Levin said. She said that any time a company is in the news for data misuse,  there is never a large uptick in users reflexively walking away, even though Helix allows users to remove themselves from the platform.<\/p>\n<h3>Consumer privacy is the future<\/h3>\n<p>Online privacy matters, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups\/\" target=\"_blank\">both to users<\/a> and to companies. It should matter to lawmakers, but in the US, it has taken Congress until barely last year to take substantial interest in the topic.  
<\/p>\n<p>Until the US has a comprehensive data privacy law, consumers will find a way to protect themselves, legal framework or not. Companies should be smart and not get left behind. Not only is protecting user privacy the right thing to do\u2014it\u2019s the smart thing to do.  <\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/\">Consumers have few legal options for protecting privacy<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Tue, 23 Apr 2019 17:03:20 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/' title='Consumers have few legal options for protecting privacy'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/04\/shutterstock_736514560.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Amidst never-ending headlines about data breaches, data misuse, and opaque data-sharing agreements from major companies, users have few legal options to actually protect their privacy in court. 
Instead, they rely on technology.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/privacy-security-world\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/\" rel=\"category tag\">Security world<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/aclu\/\" rel=\"tag\">ACLU<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/apple\/\" rel=\"tag\">Apple<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/consumer-privacy\/\" rel=\"tag\">consumer privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/corporate-surveillance\/\" rel=\"tag\">corporate surveillance<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy\/\" rel=\"tag\">Data privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/deceitful-business-practices\/\" rel=\"tag\">deceitful business practices<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/digital-privacy\/\" rel=\"tag\">digital privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/dna-testing\/\" rel=\"tag\">DNA testing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/eff\/\" rel=\"tag\">EFF<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/helix-dna\/\" rel=\"tag\">Helix DNA<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mozilla\/\" rel=\"tag\">mozilla<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/privacy\/\" rel=\"tag\">privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/privacy-policy\/\" rel=\"tag\">privacy policy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/privacy-rights-clearinghouse\/\" rel=\"tag\">Privacy Rights Clearinghouse<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/signal\/\" rel=\"tag\">signal<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/unfair-business-practices\/\" rel=\"tag\">unfair business practices<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/whatsapp\/\" 
rel=\"tag\">whatsapp<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/' title='Consumers have few legal options for protecting privacy'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/\">Consumers have few legal options for protecting privacy<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[8668,2211,21629,21630,11063,21631,21632,21633,11245,21634,13271,5897,18883,21635,10497,3205,21636,10440],"class_list":["post-15156","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-aclu","tag-apple","tag-consumer-privacy","tag-corporate-surveillance","tag-data-privacy","tag-deceitful-business-practices","tag-digital-privacy","tag-dna-testing","tag-eff","tag-helix-dna","tag-mozilla","tag-privacy","tag-privacy-policy","tag-privacy-rights-clearinghouse","tag-security-world","tag-signal","tag-unfair-business-practices","tag-whatsapp"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}]
,"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15156"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15156\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}