I’ve mentioned more than a few times how the singular hyperventilation about TikTok is kind of silly distraction from the fact that the United States is too corrupt to pass a modern privacy law, resulting in no limit of dodgy behavior, abuse, and scandal. We have no real standards thanks to corruption, and most people have no real idea of the scale of the dysfunction.

Case in point: a new study out of the University of Pennsylvania (hat tip to The Register) analyzed a nationally representative sample of 100 U.S. hospitals, and found that 96 percent of them were doling out sensitive user visitor data to Google, Meta, and a vast coalition of dodgy data brokers.

Hospitals, it should be clear, aren’t legally required to publish website privacy policies that clearly detail how and with whom they share visitor data. Again, because we’re too corrupt as a country to require and enforce such requirements. The FTC does have some jurisdiction, but it’s too short staffed and under-funded (quite intentionally) to tackle the real scope of U.S. online privacy violations.

So the study found that a chunk of these hospital websites didn’t even have a privacy policy. And of the ones that did, about half the time the over-verbose pile of ambiguous and intentionally confusing legalese didn’t really inform visitors that their data was being transferred to a long list of third parties. Or, for that matter, who those third-parties even are:

“…we found that although 96.0% of hospital websites exposed users to third-party tracking, only 71.0% of websites had an available website privacy policy…Only 56.3% of policies (and only 40 hospitals overall) identified specific third-party recipients.”

Data in this instance can involve everything including email and IP addresses, to what you clicked on, what you researched, demographic info, and location. This was all a slight improvement from a study they did a year earlier showing that 98 percent of hospital websites shared sensitive data with third parties. The professors clearly knew what to expect, but were still disgusted in comments to The Register:

“It’s shocking, and really kind of incomprehensible,” said Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania. “People have cared about health privacy for a really, really, really long time.” It’s very fundamental to human nature. Even if it’s information that you would have shared with people, there’s still a loss, just an intrinsic loss, when you don’t even have control over who you share that information with.”

If this data is getting into the hands of dodgy international and unregulated data brokers, there’s no limit of places it can end up. Brokers collect a huge array of demographic, behavioral, and location data, use it to create detailed profiles of individuals, then sell access in a million different ways to a long line of additional third parties, including the U.S. government and foreign intelligence agencies.

There should be hard requirements about transparent, clear, and concise notifications of exactly what data is being collected and sold and to whom. There should be hard requirements that users have the ability to opt out (or, preferably in the cases of sensitive info, opt in). There should be hard punishment for companies and executives that play fast and loose with consumer data.

And we have none of that because our lawmakers decided, repeatedly, that making money was more important than market health, consumer welfare, and public safety. The result has been a parade of scandals that skirt ever closer to people being killed, at scale.

So again, the kind of people that whine about the singular privacy threat that is TikTok (like say FCC Commissioner Brendan Carr, or Senator Marsha Blackburn) — but have nothing to say about the much broader dysfunction created by rampant corruption — are advertising they either don’t know what they’re talking about, or aren’t addressing the full scope of the problem in good faith.

The Fourth Amendment exists for a reason. It’s supposed to protect our private possessions and data from government snooping, unless they have a warrant. It doesn’t entirely prevent the government from getting access to data, they just need to show probable cause of a crime.

But, of course, the government doesn’t like to make the effort.

And these days, many government agencies (especially law enforcement) have decided to take the shortcut that money can buy: they’re just buying private data on the open market from data brokers and avoiding the whole issue of a warrant altogether.

This could be solved with a serious, thoughtful, comprehensive privacy bill. I’m hoping to have a post soon on the big APRA data privacy bill that’s getting attention lately (it’s a big bill, and I just haven’t had the time to go through the entire bill yet). In the meantime, though, there was some good news, with the House passing the “Fourth Amendment is Not For Sale Act,” which was originally introduced in the Senate by Ron Wyden and appears to have broad bipartisan support.

We wrote about it when it was first introduced, and again when the House voted it out of committee last year. The bill is not a comprehensive privacy bill, but it would close the loophole discussed above.

The Wyden bill just says that if a government agency wants to buy such data, if it would have otherwise needed a warrant to get that data in the first place, it should need to get a warrant to buy it in the market as well.

Anyway, the bill passed 219 to 199 in the House, and it was (thankfully) not a partisan vote at all.

It is a bit disappointing that the vote was so close and that so many Representatives want to allow government agencies, including law enforcement, to be able to purchase private data to get around having to get a warrant. But, at least the majority voted in favor of the bill.

And now, it’s up to the Senate. Senator Wyden posted on Bluesky about how important this bill is, and hopefully the leadership of the Senate understand that as well.

Can confirm. This is a huge and necessary win for Americans' privacy, particularly after the Supreme Court gutted privacy protections under Roe. Now it's time for the Senate to do its job and follow suit.

[image or embed]

— Senator Ron Wyden (@wyden.senate.gov) Apr 17, 2024 at 3:30 PM

The Fourth Amendment exists for a reason. It’s supposed to protect our private possessions and data from government snooping, unless they have a warrant. It doesn’t entirely prevent the government from getting access to data, they just need to show probable cause of a crime.

But, of course, the government doesn’t like to make the effort.

And these days, many government agencies (especially law enforcement) have decided to take the shortcut that money can buy: they’re just buying private data on the open market from data brokers and avoiding the whole issue of a warrant altogether.

This could be solved with a serious, thoughtful, comprehensive privacy bill. I’m hoping to have a post soon on the big APRA data privacy bill that’s getting attention lately (it’s a big bill, and I just haven’t had the time to go through the entire bill yet). In the meantime, though, there was some good news, with the House passing the “Fourth Amendment is Not For Sale Act,” which was originally introduced in the Senate by Ron Wyden and appears to have broad bipartisan support.

We wrote about it when it was first introduced, and again when the House voted it out of committee last year. The bill is not a comprehensive privacy bill, but it would close the loophole discussed above.

The Wyden bill just says that if a government agency wants to buy such data, if it would have otherwise needed a warrant to get that data in the first place, it should need to get a warrant to buy it in the market as well.

Anyway, the bill passed 219 to 199 in the House, and it was (thankfully) not a partisan vote at all.

It is a bit disappointing that the vote was so close and that so many Representatives want to allow government agencies, including law enforcement, to be able to purchase private data to get around having to get a warrant. But, at least the majority voted in favor of the bill.

And now, it’s up to the Senate. Senator Wyden posted on Bluesky about how important this bill is, and hopefully the leadership of the Senate understand that as well.

Can confirm. This is a huge and necessary win for Americans' privacy, particularly after the Supreme Court gutted privacy protections under Roe. Now it's time for the Senate to do its job and follow suit.

[image or embed]

— Senator Ron Wyden (@wyden.senate.gov) Apr 17, 2024 at 3:30 PM

So we’ve noted for a long while that the fixation on China and TikTok specifically has often been used by some lazy thinkers (like the FCC’s Brendan Carr) as a giant distraction from the fact the U.S. has proven too corrupt to regulate data brokers, or even to pass a baseline privacy law for the internet era. The cost of this corruption, misdirection, and distraction has been fairly obvious.

Enter the Biden administration, which this week announced that Biden was signing a new executive order that would restrict the sale of sensitive behavioral, location, financial, or other data to “countries of concern,” including Russia and China. At a speech, a senior administration official stated the new restrictions would shore up national security:

“Our current policies and laws leave open access to vast amounts of American sensitive personal data. Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we are working to fill with this program.”

The EO fact sheet is vague, but states the Biden administration will ask the The Departments of Justice, Homeland Security, Health and Human Services, Defense, and Veterans Affairs, to all work in concert to ensure problematic countries aren’t able to buy “large scale” data repositories filled with U.S. consumer data, and to pass new rules and regulations tightening up the flow of data broker information.

We’ve noted for a long, long time that our corrupt failure to pass a privacy law or regulate data brokers was not only a frontal assault on consumer privacy, it was easily exploitable by foreign intelligence agencies looking to build massive surveillance databases on American citizens.

It’s why it was bizarre to see lawmakers myopically fixated on banning TikTok, while ignoring the fact that our corrupt policy failures had made TikTok’s privacy issues possible in the first place.

You could ban TikTok tomorrow with a giant patriotic flourish to “fix privacy,” but if you’re not willing to rein in the hundreds of sleazy international data brokers doing the same thing (or in some cases much worse at even bigger scale), you haven’t actually accomplished much beyond posturing to get on TV.

The EO sounds at least like a first step (depending entirely on the implementation), but is filled with some flowery and revisionist language. This bit, for example:

“These actions not only align with the U.S.’ longstanding support for the trusted free flow of data, but also are consistent with U.S.’ commitment to an open Internet with strong and effective protections for individuals’ privacy and measures to preserve governments’ abilities to enforce laws and advance policies in the public interest.”

Again, we don’t have a privacy law for the internet era in 2024 not because it was too hard to write one, but because Congress is too corrupt to pass one. We have, repeatedly, made the decision to prioritize the profits of an interconnected array of extractive industries over the public welfare, public safety, and even national security.

The result has been a massive, interconnected, hyper-surveillance market that hoovers up data on your every fart down to the millimeter, bundles that data up in vast profiles, and monetizes it across the globe with very little if any real concern for exploitation and abuse. All under the pretense that because much of this data was “anonymized” (a meaningless, gibberish term), there could be no possible harm.

The result has been just a rotating crop of ugly scandals that have gotten progressively worse. All while we (mostly) sat on our hands whining about TikTok.

The FTC has been cracking down on some location data brokers, but generally lacks the resources (by design) to tackle the problem at the scale it’s occurring. They lack the resources because the over-arching policy of the U.S. government for the better part of the last generation has been to defund and defang regulators under the simplistic pretense this unleashes untold innovation (with no downside).

This myopic view of how government works is all pervasive in America, and has resulted in most corporate oversight in the U.S. having the structural integrity of damp cardboard. And it’s all about to get significantly worse courtesy of a handful of looming Supreme Court rulings aimed at eroding regulatory independence even further. There’s a very real cost for this approach, and the check has been, and will be, increasingly coming due in a wide variety of very obvious and spectacular ways.

But we also don’t have a privacy law and refuse to regulate data brokers because the U.S. government benefits from the dysfunction, having realized long ago that the barely regulated data broker market is a great way to purchase data you’d otherwise need to get a warrant to obtain. Data broker location data is now tethered tightly to all manner of U.S. government operations, including military targeting.

The press has also played a role in failing to educate the public about the real risks of failing to regulate data brokers or pass a privacy law. Just 23 percent of the U.S. public even knows the government has failed to pass a privacy law for the internet era. And when the U.S. press does cover privacy, the fact that rank corruption is at the heart of the dysfunction is routinely never mentioned.

So yes, it’s great that we’re starting to see some growing awareness about the real world costs of our corrupt failures on privacy policy. Senator Ron Wyden, in particular, has been doing an amazing job sounding the alarm on how this failure is being exploited by not just a diverse array of self-serving companies, but a surging authoritarian movement in the post-Roe era.

But it’s going to take a hell of a lot more than an EO to course correct. It’s going to take shaking Congress out of its corrupt apathy. And the only thing I think will accomplish that will be a privacy scandal so massive and unprecedented (potentially including mass fatalities or the leaking of powerful figures’ data at unprecedented scale), that elected officials have absolutely no choice but do do their fucking job.