E291 - Eric Null, Director, Privacy & Data Program, Center for Democracy & Technology
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:11] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast, where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.
[00:24] Now, I have a very special guest on the show, Eric Null. He is the director of Privacy and Data Program at the center for Democracy and Technology.
[00:34] Welcome.
[00:35] Eric Null: Thank you very much, Debbie. Really appreciate the invite.
[00:38] Debbie Reynolds: I'm excited to have you on the show.
[00:40] I have seen your name pop up in articles because I follow the space obviously very closely, and I thought, let me call him up and see if he wants to be on the show.
[00:51] You talk about a lot of things that I care a lot about, obviously data and privacy.
[00:56] But one of the things that you had talked about that I thought was really interesting and we can talk more broadly,
[01:03] but I felt like you have the finger on the pulse about what's happening in the US around federal privacy.
[01:10] Because we hear it's so funny because I have a lot of clients and people in Europe and they're like, what's going on with the US and privacy? Why don't you have a federal privacy bill?
[01:19] And a lot of people don't understand how difficult it is to actually do. But I want you to tell me, first of all, how on earth did you get this job?
[01:28] Which sounds amazing,
[01:30] and then like, where are we? What's going on with federal privacy?
[01:35] Eric Null: Sure. Happy to talk about this. So my origin story is a bit different than a lot of people's. I was born and raised in Vermont, and I actually spent most of my early childhood and teen years as classical clarinetist.
[01:49] And I actually started my undergrad as a classical clarinetist major.
[01:54] And ultimately that did not work out for me, as you can probably tell. And so I transferred back to the University of Vermont and ended up taking a college con law course with a constitutional law course with a professor who I really loved.
[02:10] And he got me super interested in it and realized, oh, maybe the law actually is kind of an interesting topic that I would be interested in pursuing further.
[02:19] I think ultimately,
[02:21] looking back, I probably went to law school for all the wrong reasons. It was right around the time of the Great Recession. There weren't a lot of jobs, and so I sought particularly for fresh undergraduate.
[02:32] So I sought shelter in more schooling. So I ended up going to law school and. And took a class called the Law of Surveillance, which was taught by a professor named Susan Crawford, who was big in the tech policy world at the time.
[02:45] And I learned all about tech policy and particularly broadband issues at that point,
[02:51] and learned particularly about net neutrality, which has since become sort of household name.
[02:57] And actually, I fought for net neutrality protections for about a decade from 2012 to 2021.
[03:04] But I also worked on a variety of other tech and telecom issues over those years. I started out working at a law school clinic that represented nonprofit organizations that worked a lot on media ownership rules at the Federal Communications Commission, as well as municipal broadband issues.
[03:23] But that clinic was really where I got my first taste of privacy. And that's because one of our clients was interested in having the Federal Trade Commission enforce COPPA and protecting kids privacy online.
[03:38] And so I,
[03:40] through that law clinic experience,
[03:42] had students often writing requests for investigation for the Federal Trade Commission to take up. And basically that's where I learned all about sort of what privacy is, what the data flows on the Internet are like.
[03:55] And of course, that was back 14 years ago now. So things have definitely changed since then. But that was where I got my first taste. And then I started to sort of just continue that work through all the other jobs I had.
[04:08] I've worked at various other nonprofits between then and now. I started a consumer privacy practice at a different nonprofit. And then I learned during 2016,
[04:18] when the federal Communications Commission was working on broadband privacy, that was another sort of deep dive moment for me where I really dug deep into the issues and submitted several very lengthy comments to the Federal Communications Commission about this, about what should be in a.
[04:35] A broadband privacy rule. And then they ultimately passed something that was, at least for the time, quite good.
[04:40] And then it was promptly overturned by Congress the following year,
[04:46] which was unfortunate to see all that work end up not leading to anything.
[04:52] But through those experiences, I think what really crystallized for me is,
[05:00] and why privacy matters, is that it has a very close relationship with power.
[05:05] Information is power,
[05:07] especially in the online age.
[05:09] At a very basic level,
[05:11] knowing information about people allows for a variety of things, but including, on the worst end of it, manipulation,
[05:18] control, extortion, that sort of thing.
[05:22] And generally, just knowing someone well and understanding how they function can help you convince them to do things. Are they an analytical thinker?
[05:30] Debbie Reynolds: Are they.
[05:30] Eric Null: Are they an emotional thinker? Are they quick to make decisions, or do they deliberate?
[05:34] What are they motivated by? Money, altruism, food, what have you?
[05:39] Knowing all of that stuff really helps you try to convince people to do things in the broadband space. What I saw was very powerful,
[05:48] arguably monopolistic companies getting access to a ton of data about people, particularly at least before HTTPs was as widely used,
[05:58] essentially your entire browsing history for your entire household.
[06:03] And what I saw was, okay,
[06:06] some of the data that these Internet service providers collect is to ensure that the network functions correctly, that traffic is being routed in the correct way and to the correct endpoints.
[06:17] But there's a variety of data that these companies have access to that maybe it should not be a sort of limitless ability to collect, process, use, et cetera, that information.
[06:30] So outside of the broadband space, over the past 20 plus years we've seen companies develop the quote, unquote free online business model,
[06:40] where companies have essentially demanded we give up everything about our online lives in service of that business model and for various other motivations. Profit obviously usually being the primary one, but there are others and it doesn't have to be that way.
[06:58] We didn't need to completely give up our privacy to have the Internet,
[07:02] nor to access free services.
[07:05] But that's essentially where we are.
[07:08] And looking at the debate today,
[07:10] you see tons of anti big tech sentiment from both federal and state legislators. You see this everywhere,
[07:21] but a lot of them have focused so much on a law called section 230 of the Communications Decency Act. This is the platform liability shield for user generated content.
[07:33] I think they've missed sort of step zero of that approach, which I think might accomplish more than repealing section 230 would, which is limiting their ability to collect and process data about people.
[07:46] I think that would protect against a variety of different harms and prevent some of the harms that the people who want to repeal section 230 are trying to address.
[07:55] Obviously not all of them, but I think it's a sort of a precursor to it.
[07:59] So with all that in mind, I saw this position at my current organization to focus exclusively on privacy. I'd sort of been a lifelong civil society person. I've been fighting for the consumer for almost 15 years now.
[08:14] I find that it's a passion of mine,
[08:17] both personally and professionally, to fight for better privacy. And so I've been at my current organization for four and a half, almost five years.
[08:25] Debbie Reynolds: That is an excellent background and that says a lot about you. I find the people who are most effective in this area are people who have a personal interest in it as well as professional interest.
[08:39] So that plays why it really what you say and the things that you've done and written and spoken about resonate with me very much,
[08:47] very much so.
[08:48] Eric Null: Thank you.
[08:49] Debbie Reynolds: Well, let's talk about federal privacy right now.
[08:54] So this is something people talk about a lot. And I'm almost shaking my fist at the sky a lot of times because I feel like people don't stand what they're asking for and they don't understand where we are or how we got here and why we don't have, you know,
[09:08] a federal privacy law. But what's the landscape? What are we dealing with right now?
[09:13] Eric Null: So at the federal level we have what we call sectoral privacy protections. Congress has decided that there are certain sectors of the economy that need additional privacy protections. And so they've passed sort of narrow protections, one of which is Health Information Portability and Accountability Act.
[09:35] HIPAA protects to some extent the privacy of essentially your health records that sit at your doctor's office or at your insurance company or at your pharmacy.
[09:46] It does not protect health data outside of those situations.
[09:50] So health data that's sent, you know, if you have a smartwatch that collects your heart rate data or anything like, that's all just protected by general Consumer protection Section five authority at the ftc, which I'll get to in a second.
[10:03] There's others, there's Gram Leach Bliley act, which has some opt out protections for banking and financial institution data.
[10:14] There's as I mentioned before, coppa, the Children's Online Privacy Protection act, which protects data that's collected specifically directly from children online.
[10:25] But other than the sort of narrow sectoral approach,
[10:30] the privacy protections at the federal level have fallen to the Federal Trade Commission.
[10:36] Federal Trade Commission's authority is very high level and it covers deceptive and unfair acts and practices.
[10:45] With the exception of a couple of cases during the Biden Administration,
[10:50] most privacy protections that exist at the federal level are based on the Deception Authority,
[10:56] which essentially means companies cannot lie to consumers about what they do with data.
[11:03] This led to the explosion, this and other things led to the explosion of privacy practices online. Now every website has a privacy privacy practice. They all have very long winded legalese documents that nobody ever reads linked on their websites to try to make sure that they comply with or that they're not deceptive with regard to their privacy practices.
[11:26] That has essentially led to what's called a notice and choice framework,
[11:31] which means the company who is acting on my data, collecting it, processing it, et cetera,
[11:38] tells me how they're using my data.
[11:40] And if I accept those terms, then I continue using their service.
[11:46] And if I don't accept those terms, then I cannot use the service.
[11:51] And this becomes particularly important because for services like Facebook,
[11:59] like TikTok, like all these social media Companies that have millions and millions of users, which is called the network effect. As more people join the network, it becomes more valuable to everybody else.
[12:10] So if you want to talk to your friends and family on Facebook,
[12:13] you have to accept their privacy practices. You don't really have a choice to.
[12:19] So that's basically led to the privacy situation that we have today, which is that we have lots of data breaches, we have lots of data misuse, we have collection and use of data, including sensitive data,
[12:34] sort of indefinitely.
[12:36] Which means all these companies are basically honeypots for hackers who want to access personal data about people, release it on the dark web, that sort of thing.
[12:46] Congress has tried several times, I will say twice in recent memory, very seriously,
[12:53] to pass comprehensive privacy legislation.
[12:57] There was the American Data Privacy and protection act in 2022 and then there was the American Privacy Rights act in 2024.
[13:06] Both were bipartisan,
[13:08] both were bicameral,
[13:09] which means they came, they were versions in the House and the Senate.
[13:15] And we everyone tried very hard to get to an agreement and both times we were not able to get there. The Bill got the ADPPA, the one in 2022 got the furthest along.
[13:29] It passed out of full committee,
[13:31] out of the House Energy and Commerc,
[13:34] but unfortunately did not get further than that.
[13:36] And the American Privacy Rights act of 2024 I do not believe got out of committee.
[13:43] So Congress still has not passed a comprehensive privacy law.
[13:50] And that brings us to 2026,
[13:52] our apparently now biennial new attempt at protecting privacy.
[13:58] The publicans on the House Energy and Commerce Committee recently released the Secure Data Act.
[14:05] And I'll just jump into this just because already talking about it. So my sort of legislative goal, legislative philosophy for privacy is I want people to be able to experience the Internet for all of its benefits.
[14:21] You know, talk to their friends and family,
[14:23] educate themselves,
[14:25] create new things,
[14:27] purchase the goods and services they want, et cetera,
[14:29] without having to worry about the vast over collection and use of data about them. People should be able to trust that the online services that are collecting the data,
[14:43] that they're only collecting the data necessary to provide the service they're asking for,
[14:47] which would then help reduce the potential harms they might experience later on from the sale of that data in the vast data brokerage market,
[14:56] or from inevitable data breaches, or from sensitive data being misused or author getting unauthorized access or and this is basically a long way of saying we should be treating privacy like a human right,
[15:10] not like this is some purely individual problem that only individuals can solve or that People have to trade away for access to services.
[15:19] We need to align the law with consumers expectations,
[15:23] which in my view consumers generally expect that companies are going to collect data to provide their services. Of course if you purchase a product from someone, they have to collect your credit card information, they have to collect your address information to ship it to you, et cetera, et cetera.
[15:37] These are the kinds of things that are necessary to provide a service.
[15:41] They generally don't expect companies to collect everything under the sun about them, about what they do on the Internet. Having a Facebook pixel on every website that reports back to Facebook when you go to a certain website, they're generally not expecting that.
[15:56] They don't expect tons of cross device third party tracking which is happening everywhere on the Internet right now,
[16:03] all to create a massive profile of them for advertising and other purposes.
[16:09] Now some people will say that consumers actually do expect companies to do all this. And my response to that is well, consumers expect companies to comply with the law and right now the law lets those companies do all those things.
[16:23] But I suspect if you ask them in a vacuum,
[16:26] that they actually would not necessarily expect Facebook to be collecting data about every other third party website or every third party app that they access,
[16:35] which is something that meta currently does.
[16:38] So the Secure Data act specifically,
[16:40] and this also applies to a variety of state privacy laws that have passed because the Secure Data act is based on the Kentucky Privacy Bill.
[16:48] The basically the Secure Data act continues to scaffold on top of this sort of broken and failed notice and choice regime that the FTC built out of their deceptive authority.
[17:01] And now states are starting to say okay,
[17:03] as long as companies disclose all of their data practices to consumers,
[17:10] then you're good. And the data minimization standard in these laws is that anything that's reasonably necessary or proportional to providing or to data processing as disclosed to the consumer, and that will be in a privacy policy,
[17:26] then they, that's all they have to do. There's no affirmative limit on anything they really have that they any of their data practices as long as they tell the consumer, okay, we collect your data for behavioral advertising,
[17:38] we collect your face, we collect your name, we collect your address, telephone number, credit card, et cetera. We do all that, we retain it forever.
[17:47] And you just have to accept those terms if you want to use the service.
[17:51] That's not exactly what I want, but that is what essentially the many of the state laws that have passed have already said and what the Secure Data act has said.
[18:02] And so basically this means industry doesn't have to change anything and compliance is very easy. Consumers get essentially nothing.
[18:11] And it reflects an approach to privacy that has prioritized industry burden reduction instead of consumer burden reduction.
[18:21] I was talking about notice and choice and privacy policies. And like, we know that people don't read privacy policies. We know they don't like them. We know they don't think they're particularly useful.
[18:31] If anything, they give people the false impression that their privacy is protected because a company has a privacy policy. But if you actually read it, the answer to that is, oh, actually they don't.
[18:41] They basically collect whatever they want from you and do whatever they want with it, including selling it to data brokers or advertisers for a variety of reasons.
[18:49] So it ends up, yeah, industry doesn't have to do a whole lot and consumers get nothing out of it. Basically.
[18:56] Basically, all that is to say the states and the Secure Data act would cement the failed notice and choice privacy regime.
[19:04] And the Secure Data act in particular is so weak and has so many loopholes and also preempts all state privacy laws that it would end up being a significant net negative for privacy all around.
[19:17] And so what do we actually want privacy policies to say?
[19:21] Obviously, in my view, this approach is not the best solution.
[19:25] I think we should be placing the privacy burden on the companies that gain the most from the collection and exploitation of the data that they're collecting.
[19:34] The default essentially should be, why are you collecting this data instead of, why not collect this data?
[19:41] And the ADPPA from 2022 and APRA from 2024 approach,
[19:48] also the Maryland approach,
[19:50] which is similar to those two, is far better.
[19:53] It basically requires companies to minimize the data collection and processing based on the services that they're providing to individuals,
[20:01] and then also allows for some additional permissible purposes that people generally agree on, like fraud detection and that and incident response and that sort of thing.
[20:10] They also protect civil rights because we know that data practices, particularly through AI and algorithms,
[20:17] can be discriminatory based on protected classes.
[20:20] It they avoid consent fatigue by saving consent requests for specific situations like the transfer or sale of data or for ad targeting,
[20:31] they both would limit data brokers. They would give people a private right of action to enforce their own rights.
[20:39] And I think these approaches maybe wouldn't be the magic bullet, but they would lead to, I think, a much more enjoyable, safe,
[20:46] trustworthy Internet experience for everybody.
[20:50] And I'll just add, because everyone's talking about AI now, I might as well talk about it too.
[20:57] My view is that privacy policy is AI policy, because AI and data are so linked, inextricably intertwined. You might say you can't regulate AI without protecting privacy in a substantive way.
[21:10] And we need comprehensive privacy legislation that actually moves the needle to solve many privacy related AI issues like transparency, particularly around AI training, data sets discrimination. As I alluded to before,
[21:23] lowering a variety of types of risks with AI limiting secondary uses of data collected for AI training, et cetera,
[21:32] the Secure Data act would do very little, if anything, to combat these AI issues.
[21:37] I think at best you might be able to argue that the right to delete would have a marginal impact. The right to delete being that a consumer can ask a company to delete the data that they have about them.
[21:49] But that also only would impact future AI training,
[21:53] because once a model's trained on data, it can't be untrained until it's trained again.
[21:58] So even the right to delete is actually a pretty limited right.
[22:02] The negative impact of the Secure Data act is that it would very likely preempt all state civil rights laws as it relates to online data practices,
[22:11] which would be a very bad outcome, I think. And then the one AI issue. Well, there are many AI issues that keep me up at night, but one of them that I've been thinking about recently is personalized persuasion,
[22:23] which is essentially figuring out how to persuade people at scale.
[22:28] And we got part of the way there with behavioral advertising because the assumption was if you did something in the past, you were interested in seeing advertisements for similar things in the future.
[22:40] Now AI might be able to figure out the exact right moment to maximize the chance of a sale or some particular outcome, even if the person wouldn't engage in that activity.
[22:52] So if someone is feeling sad or depressed, an AI might know that and might be able to exploit that for monetary gain.
[22:59] If someone's inebriated, an AI could take advantage of that knowledge and try to sell you something based on that information.
[23:06] Basically any moment of weakness can be exploited by an AI for monetary gain in some way. And it could try to figure that out and I think would lead, could potentially lead to a very serious privacy issue, but also a pretty big revenue increase for AI companies.
[23:23] So, and then you imagine that scaling to millions, billions of users of these chatbots, and all of a sudden you have a pretty serious systemic societal issue.
[23:34] So we need privacy protections to protect against various AI harms. We also are going to need more than privacy. Privacy is necessary, but not sufficient. As they say. There'll be, there'll need to be more protections for a distribution of deepfakes data Centers, IP protections and personalized persuasion, which I'm actually not sure how we solve for yet.
[23:55] But it is something that I'm thinking about a lot.
[23:58] So that was, that was a long story about federal privacy and the Secure Data Act. Happy to chat about any of that or any of other questions.
[24:07] Debbie Reynolds: Yeah,
[24:08] very cool. Thank you for that synopsis. Just so we understand what's going on,
[24:12] the thing that concerned me and I want your thoughts. I have many concerns here.
[24:17] First of all, I feel like the ftc,
[24:21] their permit is around consumers, right? And I feel like not every human is a consumer, but we know that humans data and information is being taken and manipulated. And if you're not a consumer,
[24:35] you have no rights.
[24:36] There's like no redress, there's no mechanism for you to be able to complain about different things.
[24:43] And that's one concern that I have.
[24:45] And then also the fact that we are putting even more work on a consumer that already I have a job, I don't need another job. So to me, my other sidebar thing, I feel like a lot of the AI things that companies are doing,
[25:01] they're basically putting the work on you. So basically in effect you become the free employee of a company. So an example I give you that is like when you go to the grocery store and you're doing like self checkout,
[25:15] you're literally their free employee because they're really supposed to hire somebody to do that, right? And so that's what I'm seeing.
[25:22] And a lot of AI stuff is pushing things to the consumer. But a consumer doesn't really have any right,
[25:27] you know, to redress or to complain about that. But I want your thoughts about just the ftc. This bothers me a lot because,
[25:35] and I'll give you an example, there was a story about a woman who was.
[25:40] Cashmere Hill had written in the New York Times. You probably heard this about this woman.
[25:45] She was divorced from her husband, he was abusive and in the divorce, she got a car out of the divorce when they split their assets or whatever.
[25:56] So he started stalking her through this car. Cause he had the app and he knew where she was and he would show up where she was or leave. Like he left a baseball bat in her car, like threatening her.
[26:07] And then she had contacted the car like manufacturer or whatever and she was like, I want you to turn off like the GPS in the car cause this guy's stalking me.
[26:17] And they basically said, well,
[26:20] when they were married he bought the car,
[26:23] right? And so even though she got it in the divorce,
[26:26] they were like you're not our customer, like he is our customer, so we don't owe you any obligation or anything.
[26:33] So she essentially, she had to find a mechanic that disabled the GPS in the car, which also like voided her warranty.
[26:41] But she didn't have any choice. She's like, do I let this guy like stalk and kill me or do I like void the warranty to this car? And so this is the concern that I have about the FTC working on privacy, even though I think it's good that they're doing that.
[26:56] But there's still a gap there. So there are still people in a gap that is not covered by under the consumer umbrella. What is your thoughts for sure?
[27:04] Eric Null: Yeah, I'll take the car thing first. So we actually work a little bit on car privacy as well. And one of the things we've been pushing for is to protect the occupants of the car, like all of the occupants, and not just the driver, not just the owner of the car.
[27:19] Like making sure that whoever's in the car,
[27:21] that's the privacy we care about and not just about, you know, whoever the owner is or whoever the driver is.
[27:26] And we've also worked on the domestic violence aspect of it as well. Trying to make sure that victims of domestic violence can separate ownership and can turn off location if they need to.
[27:37] I think all of those are super important to make sure that victims are not revictimized over and over and over again on the consumer and FTC and putting the burdens on people issue.
[27:50] Yeah. So because privacy has been formulated as this sort of trade related protection,
[27:59] it's focused a lot on consuming things.
[28:03] Now we generally take a pretty wide interpretation of consumer. We basically think that anyone who agrees, you know, goes to a website,
[28:14] regardless of whether they actually purchase something, is a consumer. So that's. It could be worse for sure.
[28:21] But we are absolutely continuing to place burdens on these people who don't have the time or understanding or inclination to be able to read all these privacy policies. There was a study several years ago that showed that if somebody had chose to read all the privacy policies they interact with every year,
[28:42] they would spend several hundreds of hours every year just reading them, much less actually trying to understand them. And I think that's the, the next step that I'm a privacy professional.
[28:53] I read a lot of privacy policies and I've done a lot of privacy policy comparisons and it is very hard to understand exactly what companies do. This is made worse by the fact that a lot of companies writing privacy policies as basically liability shields.
[29:10] So they will say, we may do this, we may do that, we may do a hundred different things to cover if they don't actually do them.
[29:18] They just want to make sure that if they decide to do it in the future, they don't have to issue a privacy notice update.
[29:24] So they just cover anything that they might want to do. Which of course leads to more confusion, because then if you think a company is doing something with their data but it's not, you know, that actually seems like something worth telling people.
[29:36] But if you list it under we may do X, Y and Z, then that's actually not good in the other direction as well.
[29:43] So, yeah, we continue to place burdens on individuals and consumers. I think it's made even worse with dark patterns,
[29:52] which is now we're not even talking about the free choice of someone to decide whether they want to be tracked with cookies, for instance,
[30:00] but it's just someone who, like,
[30:02] saw the bright blue accept all button and was like, all right, I'm just going to click that. Or the options are accept all and more options. And then if you click more options, it brings you to another website.
[30:14] And then there are five different toggles you have to toggle on or off, depending on which type of cookies you want to track you. And I do this all the time because I get a special sense of accomplishment by clicking on more options and doing going through the dark pattern,
[30:27] even though I know most companies expect you not to,
[30:30] but it is legitimately difficult. And then there's different types of cookies, like the strictly necessary cookies, which you can't disable,
[30:37] and then the tracking cookies and the functional cookies and the analytics.
[30:41] Debbie Reynolds: Like who?
[30:42] Eric Null: I barely understand this stuff, much less someone who's just trying to buy a product or talk to their friends and family on a. On a service.
[30:49] So it's incredibly infuriating to me that we've had 30 years of this system.
[30:55] Most people understand that it has failed us over and over and over again and continues to fail us in new ways all the time. And yet 20 of 21 states now have passed laws that cement this exact practice.
[31:09] That's what we tried to do with ADPA and apra, tried to affirmatively limit the collection on the business side.
[31:15] So as I said, consumers can just surf the Internet and not have to worry about all this stuff. But we continue to place the burden on individuals. And it would be really nice if we could, you know, sort of flip that switch and make it so we didn't have to do that anymore.
[31:29] Debbie Reynolds: I Agree. I would love for things to be opt in instead of opt out because I feel like we're always trying to fight, you know, all the hundreds of things that we see every day.
[31:38] We're always fighting our ways to get out of things as opposed to not getting into things in the first place.
[31:44] But I want your thoughts on aid verification. I feel like this is just going bonkers in the US and in other countries.
[31:51] But.
[31:52] And, And I guess my, my issue and I talk about this a lot, so I'm like, okay, Oh, I hear people say, oh, yeah, we should protect children online. It's like, okay, well,
[32:03] how, how, how do we do that? So I was like, okay, well,
[32:08] I'm like, kids don't have IDs, so how do you age verify them? And then they're like, oh, well, we'll find some way, or whatever. Like, well,
[32:15] because of that. That's why a lot of adults now are going to websites and just asking for their identity or their information,
[32:24] because there really is no good way to tell an adult from a child.
[32:29] Adults have IDs. Children don't. Right.
[32:32] So that's why we're seeing companies trying to do things like selfies or trying to put people in, like, age bands or different things like that. But I just want your thoughts, because I feel like what we're doing, we're saying we want to protect children online.
[32:46] We're actually collecting more data.
[32:48] And for me, I'm very concerned, especially certain companies, I wouldn't trust them with a lot of this information.
[32:53] So I just want your thoughts on what's happening here.
[32:57] Eric Null: Absolutely. So obviously protecting children is a laudable goal. It's very important. We should be protecting children.
[33:04] My personal view, and I wrote about this several years ago, is that the best way to protect children's private privacy is to protect everyone's privacy.
[33:11] And then you can maybe have a couple additional protections for children if you want, on top of those, like baseline privacy protections. But one of the main reasons we're even talking about this is because there's so little privacy protections overall that we're now sort of freaking out and saying,
[33:26] oh,
[33:27] wait,
[33:28] companies are getting all kinds of data about kids. Kids are ignoring the terms of service that say no one under 13 is allowed to have an account, blah, blah, blah.
[33:36] So it's very. I think it's very important to try to protect kids online.
[33:41] But with the FSC vs. Paxton decision recently, the Supreme Court has opened the door just a little bit to age verification. They've allowed it for adult websites as Not a constitutional violation.
[33:54] And I think that has empowered website operators, app developers, the age verification system providers in general,
[34:04] to try to get age verification out everywhere.
[34:09] The main issues from our perspective with age verification are one that you're burdening access to speech for everyone, but in particular, adults who would normally be able to access the speech without having to prove their age, but now they have to prove their age.
[34:27] But also, you know, a lot of people will make the comparison of like, oh, kids can't go into a store and buy alcohol, they can't go to a bar, and people are checking IDs there.
[34:37] It's not exactly the same as conditioning access to speech on that, that on those grounds of being able to prove you're a certain age.
[34:48] So we were concerned about it from that angle. And I'm not the First Amendment expert at my organization, but the thing that worries me the most about it is that it is a massive loss of privacy for everybody online to now have to verify their age.
[35:03] And there's a variety of different ways to verify age. And we're looking into a bunch of them. And some of them are highly accurate, but also very privacy intrusive. Some of them are maybe less accurate and less privacy intrusive.
[35:17] There's stuff in the middle which you. I would probably put the biometric stuff there, which is what you were sort of alluding to is how do you prove a kid's a kid?
[35:26] Because the lack of ID does not prove you're a kid. Because adults also, some adults also don't have IDs or they might just not have an ID on them. And so what do you do about that situation?
[35:37] So we're somewhat ironically encouraging facial biometrics for kids online in order to protect their access to certain content,
[35:49] which is just very strange to me and I feel like is a huge problem privacy wise. Even if you,
[35:56] you know, take additional privacy protections with this information,
[36:00] if it's ever leaked or anything like that, that's obviously, you know, you can't change your biometrics.
[36:05] Unlike, you know, a credit card, you can change the number.
[36:08] It's not so easy to change your face.
[36:11] So any data breaches of that information would obviously cause serious, serious issues, ID theft or security issues, et cetera, like that.
[36:22] So we have been trying to think of this as trying to reduce the privacy invasion as much as possible because it seems like websites are very interested in getting age verification up.
[36:34] We saw Discord do it, infamously had a data breach of that data. And so we're trying to think through like age signaling, age group, like grouping different ages. My view is like, unless someone is born exactly 18 years before, you actually don't need anything other than the date, the year of your birth.
[36:53] You don't need the date at all. I was born in the 80s, you don't need to know what day I was born to, to verify that I am over 21.
[37:02] So stuff like that. Trying to think of ways to reduce the privacy burden here. Because if we had a comprehensive privacy legislation,
[37:10] law protecting people,
[37:11] maybe some of these issues would be addressed by that legislation.
[37:16] At least ideally it would be,
[37:17] but because we're working on basically no protections at all, we have to start thinking about, okay, what are the ways we can actually reduce harm here? And that's data minimization,
[37:28] immediate deletion, once you don't need the data anymore, like tokenization, assigning a token to somebody instead of retaining their date of birth forever, et cetera, et cetera. So there's a variety of ways to protect privacy with age verification.
[37:39] Of course, I would rather it not be required at all. But if we're going to do it, we have to protect privacy because we're about to see one of the biggest privacy invasions in our lifetimes, probably other than AI, which is also a privacy invasion.
[37:54] Debbie Reynolds: I had a lady I saw on LinkedIn, she said that her sister is autistic, I believe, and she said her sister's 40 and she was trying to go on some website and they said that they needed her credit card to verify her age or something, and she doesn't have a credit card.
[38:11] So it's like, so now what, you know what I'm saying? Like, so you created this system,
[38:16] you're taking people out. Like she just wants to do what she needs to do on the Internet. And it's like you're asking people now to give all this information. And like you said,
[38:25] some of these organizations who were not probably that great at collecting data or protecting anyway,
[38:30] now have more information. So they now have IDs or passport photos and things that they were not good at protecting.
[38:37] And we're seeing breaches as a result of that that really just harm the person.
[38:42] Pivot a little bit here.
[38:44] This is a topic that I love to talk about and it's the intersection of competition and privacy. So I co wrote an article in Bloomberg 10 years ago and I was talking about privacy and competition, how I was connected.
[39:00] And I had an antitrust lawyer who shall remain nameless who just thought there was like no connection there. And I'm like, There is a connection here, like, I swear. But what are your thoughts?
[39:12] Eric Null: Yeah, so I've been working on this issue on and off for many years. At a previous organization,
[39:17] I was part of an effort to write some model legislation about data portability,
[39:23] which we viewed as a pro competition function to allow people to take the data from one,
[39:31] usually social media site, but it would apply to any site and then bring it to a different company. So you could then not have to re enter several years, maybe even several decades of data about yourself into a different service and also porting sort of the inferences about you.
[39:46] So not only would you have information about you in the past, but the company could use inferences about you to serve ads to you, what have you. So there's like a competition benefit as well as an individual benefit.
[40:00] And then we start seeing a lot more of this,
[40:03] particularly in the EU and in Japan and now in California.
[40:07] We actually just sent a letter recently,
[40:09] what's called, called the Based Act. B, A, S, E, D. I forget what it stands for. There's too much Alphabet soup everywhere.
[40:16] But it was basically a competition law and it,
[40:20] in our view,
[40:21] did not protect against privacy violations because basically what we're talking about. So data is the source of a lot of the, as I said before, power that companies have,
[40:32] their ability to infer information and target you with, with ads, and now increasingly the ability to,
[40:38] to create useful AI systems. It's all based on how much data they have.
[40:43] And third parties want access to this data.
[40:46] Generally, as a competition matter, we are supportive of that. We want that to happen. We want there to be more competitors out there to compete against the big, big companies.
[40:55] But at the same time,
[40:57] if you force companies who are doing good privacy things with data that they have,
[41:04] then you are creating new vulnerabilities because you're now forcing companies to either decrypt encrypted data or share,
[41:16] say, location data that the company might protect in a very specific way, but the third party wouldn't be protecting it at all.
[41:23] And you're also allowing for another vector for law enforcement or, or ICE or whoever to access more data about people, especially if it's being transferred to a company that's less protective about it.
[41:39] So basically our view is,
[41:41] yes, pro competition, great, love it. But you do need to have some kind of protections built in for privacy. So we don't just end up having a proliferation of everyone's data to all these random third parties, some of whom might be operating in good faith and are just trying to provide a product and some may not be acting in good faith and may be opportunistically seeking access to data that they wouldn't otherwise have and abusing it and
[42:06] harming people with it.
[42:08] So there's definitely a connection, I would say. And they we definitely need more competition, but we also need to make sure that privacy is protected there and also that it's not used as a pretense.
[42:17] Because this is really where the line drawing comes into play. Because sometimes there will be legitimate privacy concerns for not sharing data and sometimes there will be not so legitimate concerns for not sharing data.
[42:27] And we need somebody to decide when is the legitimate kind, when's the not legitimate kind. And that's obviously a hard question, but it needs to be answered. I don't think we can just default force companies to be sharing data willy nilly.
[42:40] Debbie Reynolds: I was hoping that there would be more talk around what I call data monopolies. So if, if for example, let's say a video game maker wants to buy another video game maker, competition comes into play, right?
[42:58] But if a video game maker wants to buy a grocery store,
[43:02] that's not considered. People think, well that's not competition. But to me it is. Because what you're doing is you have these companies getting a more fulsome view of the individual by getting information and putting it together in a way that they would not normally have.
[43:20] And actually we're seeing,
[43:22] I don't know if you've read this, you probably have about companies who are going out of business,
[43:28] like they're selling their data to AI companies for training and stuff or companies that are going out of business, they're selling their data to other companies so that they can, you know,
[43:38] merge the data together to create like more fulsome views of people. And the people whose data that they have, they don't want that. Right? So they're like, I don't want to,
[43:49] you know, XYZ company have my data because if I did I would have like become a customer of that company. But what do you think?
[43:55] Eric Null: Yeah, it's an interesting point that it's not necessarily just the sectors that the companies operate in, but it's really the subject and the content of the data that they're purchasing and the,
[44:06] the uses they plan to put it to.
[44:08] Obviously this happens all the time. As companies are become more and more data hungry, they want bigger profiles.
[44:15] Data brokers come into play here because you can obviously buy any data you want from data brokers and it will be,
[44:21] you know, fairly accurate, although probably not super accurate, but there's still a significant market for it,
[44:28] so. Yeah, that's. That's an interesting point. I hadn't actually considered that, but yeah, that's.
[44:32] I appreciate that.
[44:35] Debbie Reynolds: Well, thank you. Thank you. Yeah, that's why, you know, I asked the deep questions.
[44:39] Well, it just fascinates me because I'm like,
[44:41] you know, you're getting more information about a person.
[44:45] Right. And so actually, the Biometric Information Privacy act, the reason why that was created is because there was a grocery store going out of business and it wanted to sell his biometric data to another person.
[44:58] And they said they don't want that to happen because they saw that would be a bad thing.
[45:03] And then once you, like, say, for instance,
[45:07] if your biometric data was going to be sold, you don't really have any control over that. So that's the issue.
[45:14] Eric Null: Yeah. And we saw that with 23andMe as well when they went out of business. And selling genetic data is not a great thing to do when you don't have the consent of the people whose genetic data it is, because that's also data that cannot change.
[45:29] Debbie Reynolds: Exactly. Exactly.
[45:31] Well, if it were the world according to you, Eric, and we did everything you said, what would be your wish for privacy anywhere in the world, whether that be human behavior, regulation, or technology?
[45:42] Eric Null: Sure.
[45:43] I think what I most wish is just if companies would start doing the right thing regarding privacy practices and AI in particular.
[45:52] I'm not holding my breath for that outcome. So I think I would probably.
[45:57] 1 1/2, 1.5. I would choose legislation that aligns company practices and consumer expectations so people can actually realize the dream of just going online and using the Internet and not having to see a cookie consent pop up, not having to read a privacy policy or pretend to read a privacy policy and just be able to enjoy the fruits of the Internet without worrying about privacy at all.
[46:22] Debbie Reynolds: Yeah. I share your wish. I share your wish. I hope we can get there for sure.
[46:27] Eric Null: Me too.
[46:29] Debbie Reynolds: Thank you. Well, thank you so much for being on the show. This is very, very good. This is a lot of information,
[46:34] so I'm sure we'll be. Hopefully we'll have chance to connect in the future.
[46:39] This is a fascinating topic.
[46:41] Eric Null: Yeah, great. Thank you so much. Really appreciate the invite.
[46:44] Debbie Reynolds: Thank you. Thank you so much.
[46:46] Eric Null: Thanks.
