Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:14
CT. Tea.
Speaker 2
0:17 – 1:19
Welcome to CDT's Tech Talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski and it's time to talk tech. The Department of Homeland Security appears to be targeting activists, journalists, and lawyers for enhanced screening at ports of entry based on their speech and association with asylum seekers. A diverse coalition of groups coordinated by CDT demanded answers about these alleged practices and called on DHS to stop targeting immediately. Pueblo Sin Fronteras is one group that is part of that coalition and its members have experienced firsthand enhanced scrutiny from DHS. Alex Mensing from Pueblo Sin Fronteras joins us today to share more about their work and their experience. Welcome, Alex. Hey. How's it going? Thanks so much for having me on, Brian. It is our pleasure. So first, tell us a bit about Pueblo Sin Fronteras and the important work you do.
Speaker 1
1:20 – 4:15
Yeah. So Pueblo Sin Fronteras is an organization that was actually founded in the United States and Texas with a group of primarily Salvadoran refugees who were day laborers at the time. And it's morphed a lot over the years. In the last few years, one of the primary activities that we've engaged in is accompanying migrant caravans, which is what we've become known for recently. But aside from that, we describe ourselves as a collective of individuals of a diverse array of nationalities and immigration statuses who are all in solidarity with displaced people from all around the world. And so we've primarily worked in Mexico and the United States, and there are currently three migrant shelters that we help manage Wow. In Northern Mexico in Tijuana and two in Sonora. So there'll be anywhere from 100 to 200 people in all three shelters combined. And then you have a day and food and shelter, a place to shower while people are passing through typically. Aside from that, particularly, more recently with the onset of the refugee caravans, as we call them, we've collaborated with a lot of volunteer attorneys and legal assistants from the United States to coordinate provision of orientation, legal orientation, and know your rights, in Mexico and for people who are in immigration detention centers in the United States who are intending to seek asylum. And so we work with Central Americans pretty much from the time they enter Mexico at the Guatemala-Mexico border, typically in Tapachula, through the asylum process do aid work, we do leadership building. And so we work with people in, we've done campaigns in Tijuana against police brutality there. We've helped work on people campaigns to get people humanitarian visas so that they can have some sort of legal status in Mexico.
And throughout those processes and throughout the process of the caravans, we work with people to come together to have leadership to speak out about abuses in Mexico, abuses in the United States, and do collective actions like protests, marches, vigils, so that they can stand up for their rights and call for changes in the laws,
Speaker 2
4:16 – 4:28
and in many, many ways, promote and defend the human rights of migrants and refugees throughout the region. That's amazing. I mean, how big is your team? That sounds like a herculean effort that you have to take on.
Speaker 1
4:29 – 5:25
It's a very fluctuating size of a team. Okay. We don't have any employees. This is all volunteer. Volunteer. Wow. None of us, so there's no staff. There's no Pueblo Sin Fronteras staff. And so, I've been collaborating for a while. There's about a dozen of us who are frequently active. And then there are dozens more who, at various points in time, have participated in campaigns, and we share responsibilities and are working on growing as well, particularly in the United States with people who have participated in past caravans and continue to stay in touch once they're in the United States going through their immigration court processes. And so it's a fluctuating number, but it takes a lot of people to do some of the campaigns that we do. And it involves a lot of collaboration with people who don't necessarily identify as members of Pueblo Sin Fronteras
Speaker 2
5:25 – 5:46
Sure. And collaborate on the project. Wow. That's incredible. So, obviously, you and your volunteers are very front and center when it comes to helping migrant communities and are probably crossing the US border a fair amount. Do you believe that your volunteers have actually been profiled by Department of Homeland Security, because of
Speaker 1
5:47 – 7:57
your work? Absolutely. It seems really, really clear. Starting in May 2018 after, well, during, really, one of the migrant caravans that we accompanied that became very widely talked about in the media, I began getting sent to secondary inspection by Customs and Border Protection whenever I crossed the border. And then starting particularly Sin Fronteras who crossed a border into the United States would be sent to secondary inspection and then interrogated by a DHS agent. In some cases, plain clothes. In some cases, the CBP agents in secondary inspection. Wow. And Pueblo Sin Fronteras has been mentioned many, many times by government agents both in Mexico and in the United States. And so I think that the visibility of Pueblo Sin Fronteras, particularly with the migrant caravans, that unfortunately, the right wing in the United States has taken them as kind of a banner of all that is evil and the danger of migrants to promote anti-immigrant and xenophobic racist policies. We've been a very visible part of resistance to that. And, I think that the clear messaging from the US government makes me believe that Pueblo Sin Fronteras is being specifically targeted along with a lot of other groups like No More Deaths with people who are currently on trial for criminal charges, with people like Maru Villalpando, who is an undocumented activist in Washington opposing immigration detention. So I think that what's happening is that Trump is essentially using the Department of Homeland Security and its law enforcement agencies like border patrol, ICE, as his kind of personal police to attack anybody who goes against him, particularly in the realm of immigration policy.
Speaker 2
7:58 – 8:18
And what impact do you think this kind of enhanced scrutiny is having on organizations and volunteers like the ones you work with? You know, are we seeing a lot of times people say that these sort of tactics will, you know, scare people away from volunteering, will chill speech? Are you seeing that kind of direct impact?
Speaker 1
8:20 – 11:29
There's absolutely direct impact, and we're seeing both. We're seeing both people who hunker down and refuse to stop their human rights defense activities. But there's also a certain level of change that you change in protection tactics, change in protecting data, and that increases kind of the level of commitment that you have to make in order to get involved. I can tell you that there have been groups that we've reached out to for support that have basically said, we believe in what you do, but we are not willing to get involved because of the risk, because of what we see happening. And so it is having, to a certain extent, it's having a dampening effect. But with some people, I think it's simply lighting the fire more and motivating us to keep working on this because it's completely unacceptable that people are being targeted the way they're being targeted. Yeah. But a very clear example, with, I'll give a couple examples. One of the caravans themselves, the Mexican government clearly under pressure from DHS and the US government with all the kinds of statements and tweets, meetings with high level Mexican immigration enforcers, and the head of the Department of Homeland Security in the United States. So the Mexican police have started arresting and, if possible, deporting anybody who has a kind of a visible role in one of the caravans. And so this year, several people who we know and several people who we don't know have been picked up, arrested, oftentimes by plainclothes officers in Mexico along the way, literally picked out of a crowd of people and singled out. And in some cases, deported to Honduras, deported to Cuba. And so there's a very clear targeting happening. And what happens, the result of that, is that people don't want to take on those coordinating roles. People just want to keep stay low.
And when there's no kind of leadership and coordination, when a group is trying to band together to protect themselves, this is not an invasion. This is not an attack. These are people who are trying to protect themselves from corrupt immigration authorities, from organized crime, in Mexico. And it makes that much more difficult. And then you see people who have this, who previously would help bring humanitarian aid across the border, say, from San Diego into Tijuana, who just don't do it anymore because they get harassed when they cross the border. I stopped crossing the border into the United States unless I absolutely have to. I haven't been to the US for quite a while now because every time I cross, I get harassed by the DHS agents. And so it does have an effect. I did not go to an important meeting that we had in Los Angeles as a result of this. And so I think
Speaker 2
11:29 – 11:59
that it it's challenging. And when you can't take your phone cross because you know that your privacy is gonna be invaded if you if you try to cross Yeah. Tell us a bit more about that. I hear that, you know, one of your volunteers actually had their phone taken from them and searched. I mean, I would imagine that you have some fairly sensitive data that, you know, in in trying to support these communities, you would have some fairly sensitive data that they might be trying to obtain. What what was that experience like, and what sort of data might you do you think DHS might be
Speaker 1
12:01 – 15:01
after? Yeah. We have had volunteers get their phones confiscated. In my case, I sort of saw this coming, and I avoided taking a phone with me, but I've had my phone requested by DHS agents while being interrogated in a cell. And in the case of particularly one volunteer, this has happened twice, there was one instance where he crossed and was sent to secondary inspection from secondary into an interrogation cell, and the interrogators asked if they could see his phone. And this basically told him he had no option. Otherwise, they would hold him there or confiscate it. And so they had him open up his images, his image gallery, and they scrolled through his personal phone. Wow. The next time that he went, they asked him for his phone again. And this time, they took it from him, and they took it away for about two hours. Oh my goodness. Had it in another room, and asked him to unlock it first. And they gave him a piece of paper that said, if you don't unlock your phone, we're just gonna take it from you, and we'll give it back to you whenever we're done with it. Wow. And you'll just leave us a mailing address. And there's a lot of things that are really, really dangerous about this. One of them is that since we help facilitate legal orientation, we oftentimes have people's personal information, which is used for advocacy and for legal support. And this can include dates of birth, places of origin, contact information for family members back in the home country. And these are people who are fleeing their home countries. So oftentimes, there's death threats against them. And this kind of information can be used for a couple things. One, if that gets out, it can negatively impact the person because of that information getting into the wrong hands. And, unfortunately, there's a long history of border patrol corruption. There are border patrol agents who take bribes from cartel members in order to pass people through. That is clear.
It's happened. There's been cases that have been resolved, that have proved this. And so I don't trust the US government people's information like that. The other problem is retaliation. There are people who have organized inside immigration detention centers. And as a result, ICE and the private prison companies retaliated against them, and sometimes beating them, tear gassing them, or putting them in arbitrary, solitary isolation. If we go through and all of a sudden the names and contacts of people who were facilitating coordination, and humanitarian support for other migrants who are now in immigration detention, they could be retaliated against. And so it has all of our communication. I mean, if imagine everything that you have in your phone these days and all of that getting
Speaker 2
15:01 – 15:20
Yeah. Scanned. No. It's terrifying. It's terrifying, especially when you're serving, you know, potentially targeted and vulnerable individuals. I mean, it makes it even more important. We are about out of time, but I wanna give you a chance, to just let people know how they should reach out if they wanna be involved or support, the work that you do.
Speaker 1
15:21 – 15:48
Absolutely. The two best ways to reach out are either via email. Our email address at Pueblo Sin Fronteras is refugeecaravan@gmail.com. Refugeecaravan@gmail.com. And, our Facebook page, Pueblo Sin Fronteras, that's p u e b l o s i n f r o n t e r a s. Pueblo Sin Fronteras, our Facebook page is where we keep the most updated information,
Speaker 2
15:49 – 16:00
about what we're doing, and you can send us a message there as well. That's wonderful. Alex, thank you so much for joining Tech Talk and sharing your important work. Keep up the good fight. You're doing amazing things.
Speaker 1
16:01 – 16:04
Thanks so much for having me on the show. I really appreciate it.
Speaker 2
16:10 – 17:05
Momentum is growing for comprehensive federal privacy legislation in the US. And in fact, CDT has its own draft legislation. As Congress considers a variety of proposals, one aspect of privacy that seems to be getting less attention is the data security side. Is that intentional, or is it something policymakers should be focusing more on? Today, I'm joined by two wonderful guests who both have thoughts on this topic. The first is CDT alum, Harley Geiger, who is now with cybersecurity focused company, Rapid7. Welcome, Harley. Thank you. And our other guest is CDT's own and beloved Michelle Richardson. Welcome, Michelle. Hi, Brian. Alright. This is like a star studded episode. Thank you for being a part of it. So before we get to actual federal privacy legislation, let's do some definitional stuff. What would you say is the difference between privacy and security?
Speaker 0
17:06 – 17:55
So this actually is very important, and people use the terms interchangeably. So there's a lot of confusion. I would say security is the objective ability to keep bad guys out of your data, to be able to control what's happening to it. Privacy though is what do we decide as a society and by law what's an appropriate use of data. So this is sort of what do we choose to collect about people, what types of decisions do we think are okay to be made on data, and really is a little stickier. Right? It's much more context based, and sometimes you want data for certain things but not others. They can interact, though. A lot of times making sure that these privacy rules are followed means that you have control of data and security controls in place.
Speaker 2
17:55 – 17:57
Harley, do you agree? Yes and no.
Speaker 3
17:58 – 18:47
Oh, yes. Controversy. So privacy is sort of a bundle of rights, and security is one of the principles that makes up privacy. So it's it's there's definitely a an overlapping portion of the two. And so their privacy is not so different from security because I think that it encompasses security. But one of the ways that security is different from the other privacy rights is that a lot of the other, privacy rights are focused on authorized collection and use and disclosure of information, whereas security focuses on unauthorized collection use and disclosure. And it's not just about keeping, bad guys out, although that is definitely a significant part of it. It is also about preventing unauthorized, accidental disclosure or breach of information. Because accidental breaches make up a great deal of security incidents.
Speaker 2
18:47 – 18:55
So when we're thinking about policy around this, should they be linked? It sounds like both of you are saying that there is a definite link between them when it comes to policy.
Speaker 3
18:55 – 19:26
I think, overall, you just do not have privacy without security. If if you want any sort of privacy legislation to be effective, then you need to have security. But I, you know, we I think it's also very important to make the point that you security is not all of the other privacy rights. We would not wanna see privacy relegated to just security concerns. Although security is fundamental to it, privacy, of course, is is broader than that. But without security, privacy is like putting valuables into a vault that is not locked.
Speaker 0
19:26 – 20:32
And so on a practical matter, right now, we don't have a federal law for data security or privacy. Right? So now at this moment where we have public concern and political motivation, it's a good time to deal with both of them. What we see is the states have gotten further down the road on data security, though. Right? There are some states who have requirements that people who hold the sensitive data make reasonable efforts to protect it, But we don't have that at the federal level. And so we wanna use this opportunity where everyone's talking about privacy interests to make sure that this gets on the same train. Like Harley said, they're very interrelated. I would say they're sort of two sides of the same coin. And, especially since this is supposed to be our grand theory of the case. Right? This federal law is supposed to be a gap filler to cover all of this data that's unregulated. It's hard to pass laws, so we are gonna be stuck with this for quite a while probably. We really need to make sure that data security is a piece of this. Otherwise, it might be much longer before we get around to dealing with it on a federal level in such a substantive and,
Speaker 2
20:33 – 20:46
specific way that legislation can. So you're saying this would be a missed opportunity essentially, if something moves forward in terms of federal privacy law and security is not dealt with in a kind of comprehensive way as well? Absolutely. Although,
Speaker 3
20:47 – 22:50
there's we should also recognize that privacy legislation at the federal level has been tried over and over. Oh, yes. I thought when I I started at CDT, ten about ten years ago, and this was one of the things that I worked on. Look a day older, Harley. Well, thanks thanks a lot, Brian. It's it's space lotion. It's it's staying out of the sun always. But, it's, so, yeah, I I worked on it ten years ago. And and at the time, there felt like there was a lot of momentum because of a high profile string of breaches, and it feels like deja vu. You know, every few years, we have a lot of momentum. There is well meaning efforts by by the administration, the Obama administration, for example. And then for some reason or or another, it just fails to to change. I think that something that makes this very different, though, is what happened in California with, California's legislation as well as GDPR. It's because of the federal inertia around privacy, everybody else, states and internationally, are now moving on privacy, but not everybody is incorporating security into their their different efforts. GDPR did. Article 32 of GDPR does include security. California did not, but but California already had an existing data security law. So Michelle mentioned, some of the states that have security laws. There's about about half of them do. About 24 of them of them do. And they they're similar, but they vary a bit on the details. Half of them don't. And some of the states that are moving on privacy legislation now, sort of in a copycat manner of, based on what California is are, did, previously, are not including security. And I think there's a couple of reasons for that. One of them is that they are mimicking what California did, but not perhaps realizing that California had an existing data security law and these other states don't, but also because there is a, conflation of data security and breach notification. 
Every state, including the territories, including DC, has a breach notification law. And a lot of times, those two issues are conflated or breach notification ends up getting outsized attention
Speaker 2
22:50 – 23:18
rather than data security when the two are, in fact, very different. Yeah. Tell me a little bit more about that. I mean, one of the questions I had was when you were talking about security, where does breach policy play into this? I mean, data breach. Certainly, those are the type of things that grab headlines in terms of a data breach happening. But then, of course, you build a lot of states or a lot of times when it happens, people are like, well, there's mechanisms in place for this. So how does the policies that are in place relate to data security and what we want to see or both of you would like to see happen?
Speaker 0
23:18 – 25:07
Sure. So all states have breach notification requirements. They're different. Right? And this is when something goes wrong, people have to be told. And it can vary depending on the type of information it is. There are different time frames on which someone has to be notified. But there are 50 laws now in place. The last one's passed just last year. It actually took fifteen years to cover every state with breach notification, which is the pitch for why we need a federal law. Right? Because if you go state by state, we can really lose fifteen years to this. You've got that pitch down. Yes. But the data security is more proactively what do you require people to do to prevent something from going wrong in the first place. And there's no reason it shouldn't be in a federal law because there's far more agreement around data security substantively than privacy. And there's more consensus, and it's usually about having a reasonableness test. Right? If you consider the size and sophistication of the actor, the sensitivity of the data that they're using, and what they're using it for, their obligations are going to scale. So very much you can think of a small person if they of small business and they update their software and their devices and they use passwords and two factor and other things, they can get to reasonableness. Right? But if you have a big data processor who's actually in the business of cutting and trafficking data, they need to be much more sophisticated and aggressive about what they need to do to secure that data. And that's actually been sort of endorsed by all sorts of different federal agencies, trade associations, and that's what a lot of state laws look like in one form or another. It should not be that controversial to import that into a federal law. I just wanna Yeah. Make a so Michelle is raising excellent points about what
Speaker 3
25:07 – 27:12
data security should look like, in legislation and law. But I wanted to also bring up one of the differences some of the differences with data security and breach notification is just to make the point that breach notification is a requirement of notifying after a breach. It's not a requirement that companies take steps to prevent the breach in the first place. Yeah. So you can violate a breach notification law by failing to notify, but you're not necessarily on the hook for having a breach. The breach notification laws only kick in after the breach has occurred. The only thing that's gonna prevent that is having data security. In the case of Equifax, for example, I mean, Equifax, the it was it was due to poor security that this massive breach occurred. And it is driving a big part of the privacy debate now, but it is it is a result of a security failure, not a failure of breach notification, not a failure of notice or choice or transparency or any anything like that. It is security. Same thing with Marriott. The only principle in privacy that will protect that is security, not breach notification. But often, you hear when you talk with, legislators, I see this happening at the federal level as well as the state level. When you talk to them about data security, they they think that you're talking about breach notification. And you can see why is because a lot of the states that have, data security laws actually had paired them with their breach notification laws. And, you know, so these data security laws came into effects, you know, a bunch of them because they were part of data, breach notification. And, also, at the federal level is sort of the same thing. House Financial Services, last year, the the subcommittee, passed a data breach notification law that included data security. But again, all of the focus was really on, breach notification. 
So it you can see why it goes together notification, which has its own quagmire, its its own, points of controversy, necessarily needs to be attached to a privacy bill. I think that that might overcomplicate it. But without security, I think then you, you know, you you are undermining the effectiveness of the privacy legislation.
Speaker 0
27:12 – 27:50
Good point. That's totally right. And I think if you go back to why breach notification was passed in the first place and was so popular, it was because we thought, in part, companies would be shamed into behaving better. Right? And that has not worked. Yeah. And part of it is to empower consumers, right, so they can take defensive measures, and that will always be necessary. But it is not doing the hard work of fundamentally changing behavior so people build better systems and better products. So we need to let go of that idea and instead move to actually just having some affirmative data security requirements. It's time to do that.
Speaker 3
27:51 – 28:19
Yeah. More proactive approach. That's right. It was like the idea was that, well, breach is gonna be expensive and complicated, and so it's gonna inspire the covered entity to hold on to information in a secure way and therefore prevent a breach. But, obviously, that calculus is too roundabout and has broken down, And we are not seeing a a decrease in the number of personal records that are being breached. In fact, it seems like an increase on some levels. At least the news would lead us to kind of draw that conclusion. So, Michelle, you already started to talk on this a little bit. What data security federal
Speaker 2
28:21 – 28:29
privacy legislation? What would you explicitly like to see? What do they look like? Are there ones that are gonna be super controversial and hard to push forward?
Speaker 0
28:31 – 30:32
So this is part of CDT's model legislation that we've been sharing with the Hill and the states over the last six months, and we agree that there should be a reasonableness test. We think they should be housed at the FTC, who right now has this sort of general purpose data security enforcement, and that they should have rule making authority to flush out some of the details about what it means to take reasonable security. Again, scoped for the size, sophistication, and sensitivity of the situation and the actor and all the data that they have. This, I think, will be modeled after some successful things that we've seen in places like Massachusetts, for example. They've had a regulation on the books for five, six, seven years. Now, that applies to everyone, even small businesses. And then it's been enforced in a way that really tries to change behavior, not be horribly punitive. Mhmm. And I think there are seeds that we've seen in existing legislation. So, Rep Schakowsky, Rep Rush, others in the past have had similar models where they've mimicked some of the things that are going well at the states. So that's the type of thing that you could put into a federal bill. I think what might be more controversial is, the scope of rulemaking. Right? And this is always controversial. It doesn't matter if it's data or health care or, I don't know, farming. But, you know, how much do we want to write into the statute upfront for clarity purpose, and how much do we wanna delegate to the agency so that they can have some flexibility over time to keep it up to date? So I think that is gonna be something that will be debated. But, again, this should not be as hard as privacy. Data security standards, there's been, you know, coalescence around the same ideas for decades now. So I would not even think that even if there were rulemaking here where the FTC could provide some details about what it means to be reasonable, that they would be surprising. 
They're gonna be exactly what people know right now and what are already in guidance that is not binding.
Speaker 3
30:33 – 33:34
Yeah. So that I mean, the the most basic the most basic way that I've seen this described is just a requirement of reasonable security, and that ought to really be a a given. I mean, why why should we accept unreasonable security for personal information? And, but there are states and federal regulations that go into some description about what reasonable ought to look like. Like Michelle mentioned, sensitivity of the data, size and complexity of the business. I agree that, FTC rulemaking is gonna be a controversial point. I'm not convinced that it's gonna make it into at least the first round of federal legislation. Other things that have been controversial. I don't know I don't know, of course, what the the next round of privacy legislation will look like. But other things that have been controversial are whether or not the protections are to protect against economic harm harm only. In the states, there has been, several may maybe half of the states half of the half that have data security laws in the books, only protect against economic harm. And so that means that things that cause extreme embarrassment or reputational damage, these things that are unquantifiable, it's a familiar debate, a familiar problem with privacy, are not necessarily protected. That has that may be controversial. And then in a number of different states, I hope that this is not the case in a federal bill. A number of different states have made a mistake, I think, or there's an anachronism in their definition of personal information, which is which is that they include a real name requirement to a lot of personal information. California, as a matter of fact so when they passed their privacy law, the privacy, bill, took a broad look at personal information. 
And but they because they did not change the definition of personal information as it relates to their data security law, they still have this problem where they have you have to attach the different parts of personal information to your real name. So for example, if my Social Security number is breached, that's not going to qualify for, you know, for for notification or even data security protection unless my name is attached to it. And, same thing with, many different states on, your credentials, like your username and password for your different accounts. You know, you if if it's not worthy of data security protection or breach notification if your name is not attached to it. And in an age where we have had so many large breaches and there is so many pools of breach data that are out there, finding that real name with, non real name, data, like your username or password is actually not gonna be that difficult for malicious actors. Yeah. So we think that that is a major anachronism that needs to go. Yeah. My head instantly went to also biometrics layered on top of that. It's something that may not be attached to your name, but, gosh, that would be really sensitive information if breached. Exactly right. And there's a your your photographs, for example, don't necessarily have your name, but there is a face. And we are seeing a, you know, an explosion in the sophistication of facial recognition software, which will be able to identify you with, you know, reasonable accuracy based on on your photographs.
Speaker 0
33:35 – 34:30
Right. And I sometimes forget just how bad some of the state data security laws are, but they were written a while back, some of them. You know? And we had very different ideas about how easy it was to connect data and how it could be processed in ways to reveal things we didn't even realize back then. But this is how you justify a federal law preempting state laws, is that we actually can do better, right, on data security. We could do a federal level bill that is more holistic and doesn't have some of those old requirements that Harley brought up that really limit enforcement in some of the states. And I think that's what we would wanna see and how most people think about it. The conversation has changed quite a bit in DC just over the last year or two about the scope and depth of what a privacy bill would contain, including the parts that would apply for security purposes.
Speaker 3
34:30 – 35:35
And I just wanna point out for states, I mean, states as they are considering privacy legislation, several states have sort of leapt to mind as states that don't have underlying data security laws but are considering privacy legislation that does not include data security, including states that I would have thought would know better based on the presence of technology companies within their borders. So for example, Washington state. That bill made it quite far in the Washington state legislature. It says nothing about security. And they don't have an underlying data security requirement. Others include Illinois, Montana, New Jersey, North Dakota. There are several more that are moving ahead with privacy legislation at various stages of feasibility and consideration that do not include security. And I think that, again, a big reason for that is that California didn't include data security, and so there's sort of set a precedent without sort of understanding that California at least had, despite some flaws, at least had a data security requirement already in place.
Speaker 2
35:36 – 35:41
Is there any case where you would say we should just do a straight up data security law as opposed to coupling it with privacy?
Speaker 3
35:44 – 36:14
I think that it would help, because I do think that data security is important. However, I don't know whether or not that would undercut an effort to also get the other privacy principles encoded in legislation, and I view those as societally important. So if data security moves ahead by itself, I think that that would be helpful. But I would also hope that the other privacy principles would follow suit. Certainly, the ideal situation is all of them together in a single bill.
Speaker 0
36:15 – 37:08
And these state laws on data security have been around for quite a few years now, and it didn't really goose all of us in DC into acting at a federal level. Right? And so it's really more at this moment that data security is riding on the popularity of privacy. The concerns about that California bill requiring such broad changes possibly in how products are designed. So it might be hard to get data security going on its own as a political matter. But who knows? You know, if it seems like getting a federal privacy law is a multiyear project, which, let's knock on wood that it does not become that. This year. Right? Right? This year, I got six months left. Done. So, I wish everyone could see Harley's face right now. He doesn't find this funny at all. But, you know, maybe data security moves on its own.
Speaker 2
37:09 – 37:45
But, you know, there's still time, I think, to get both of these in a federal bill and get it passed this congressional session, so by the end of next year. Let's not waste the shot. Right? That's what we're doing. So, Harley, great to have you on Tech Talk. Love to have you back on. And Michelle, always great to have you. Very insightful conversation. I appreciate it. Thank you. That's it for this episode of Tech Talk. For the very latest on what CDT is doing to shape a vibrant digital future, follow us on Twitter, like us on Facebook, or visit cdt.org. I'm Brian Wasilowski. Thanks for listening.