Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:13
CT.
Speaker 2
0:15 – 3:08
Welcome to CDT's Tech Talk where we dish on tech and Internet policy while also explaining what these policies really mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. Today, we're talking all about data flows, although exploring the issue in two very different contexts. First, we'll discuss the relatively new phenomenon of cross device tracking and how it's now possible to track an individual's actions across multiple devices. Many marketers see it as a tremendous opportunity to better reach the right customer, but privacy advocates are seeing bright red warning flags. We'll then unpack the invalidation of the EU US safe harbor agreement and the impact the ruling by a European court will have on commercial data flow between The US and the EU. Did the ruling really have any impact on government intelligence surveillance? And what does this mean for companies that do business or want to do business on both sides of the Atlantic? We've all been served ads online and thought, ugh, it's creepy how much they know about me. Thankfully, we have also all likely received ads that are so off base that we maintain a sense that companies don't know everything, such as the recent one I received for discount diapers, which thankfully is something I do not need now and most likely will never need. However, new approaches to data tracking are allowing some companies to monitor your actions various devices, which can help them develop a far more detailed profile of you. Think about it for a second. You might first get an idea for a birthday gift for your partner while the two of you are out on the town. You then do some quick research as they run off to the bathroom on your your phone and then send a quick email to your work email making a note to remember to look into it. The next day, you use your work computer to do more research for that perfect gift gift. And then over your lunch break, you head out to an actual physical store and buy the gift. In the past, companies likely wouldn't know it was the same person searching for the item on their phone and then searching for it on their work computer and then going to the store and buying it. But now, all of that might just be possible. Joining us today to talk about cross device tracking is a new legal fellow at CDT, Katie McInnis. Welcome, Katie. Thank you for having me. She's a recent graduate of Georgetown Law, and we're lucky to have you for, what, six months here. So we need to make sure we get all that work. And then you get to go off to a a company. Right? Is that how the program works? Or maybe a government agency. Or a government agency. So that's great. So you get to see the good side first and then we'll send you over to, the evil side. We obviously don't believe that at CDT. We love all our partners. From the inside. There you go. That's perfect. So the FTC is holding a workshop on cross device tracking and CDT recently submitted comments, which I know you spearheaded them, did a lot of the writing on them. What is CDT's top level take on this phenomena of cross device tracking?
Speaker 1
3:09 – 3:29
So our top level take is that it's a new and better way of tracking you across everything. And also, like, most users have no idea that this is happening. So that's very concerning, especially since most Americans have at least four, or on average, about four smart devices. And we spend about sixty hours a week looking at content across those four or five devices.
Speaker 2
3:30 – 3:34
So these are what? Like your cell phone and iPad? Cell phone, smart TV,
Speaker 1
3:35 – 3:36
laptop, tablet.
Speaker 2
3:37 – 3:45
And then eventually, maybe some more, you know, toaster maybe. Mhmm. Or wearables. I mean, that's a big thing. A lot of people have the fitness trackers. Okay.
Speaker 1
3:45 – 4:16
So that's very concerning and it's happening without much user idea or much of an idea that user knows this and knows this happening, which I think is very concerning. You have no control over this and you have no idea it's happening. Yeah. No. I certainly would not imagine that, you know, what I do on my phone easily translates back into what I'm doing on a different computer or on, like, my television, you know, let alone my television or if my toaster or fridge gets connected. And it further reinforces something that most people, I think, already know, which is very hard to do anything, with some level of anonymity
Speaker 2
4:17 – 4:39
online. Absolutely. So in your comments, to kind of, like, dig into what cross device tracking really is and how it's done, you highlight two primary ways or forms of this tracking, probabilistic and probabilistic and deterministic. So what do these mean? How do they differ? And, you know, is either one kind of freakier than the other? So I think deterministic is the one that most users have some level of
Speaker 1
4:41 – 5:52
interaction with. You see on, for instance, Facebook is a top, a top contender in this field. You see that most of your friends are getting engaged and then you start seeing ads on the side for wedding gifts or engagement gifts. And so that's a there's a clear connection that what you're seeing on the site is also playing into some kind of ad sales. This would explain the diapers. All my kids and all my friends are having babies. So Right. So but this kind of information is information is only available to companies that provide some platform or service that requires a login. Okay. So that's things like Google and Facebook and, Pinterest, everything else. But the one that I think most users don't know about is probabilistic tracking. And that was a little more creepier, mostly because you have no is probabilistic tracking, and that was a little more creepier, mostly because you have no idea that it's happening and there's no way to opt out. For instance, if I don't wanna be tracked by Pinterest, I can just not have a Pinterest account. It's pretty easy and I have, higher level control over that. However, if with probabilistic, just by being on the Internet, you are being tracked and your actions are being cataloged in order for companies to put it into a statistical model and figure out which user is using which four or five devices in the course of a day. This is especially important because groups like Google have said that most users, 90% of all users, start an activity on one device and finish it on another.
Speaker 2
5:53 – 6:22
So So this is kind of that ability to predict that the one user over here is the same user over here. And then by that, kind of create a data set that creates a pretty unique profile of a person. Pretty unique profile and with How accurate is this? Is there any information on how accurate some companies can be? So only about a dozen marketing firms are in this space right now. Okay. And they're hitting an accuracy rates of over 90%. Oh, wow. And this is an, quote unquote, emerging market. So that's very concerning. Pretty impressive accuracy for an emerging market.
Speaker 1
6:23 – 6:29
Yeah. And you there's no way to truly opt out. There's no user control and there's no user, like,
Speaker 2
6:29 – 6:57
transparency that this is occurring. Fascinating. So in the intro, I, you know, kind of did a fairly flip, you know, buying a gift for your partner, which would be interesting. It would kind of stink though if that gift appeared on your smart TV. It's like an ad. And they're like, oh, crap. But so, I mean, maybe not so flip. But in our comments, you talked about, you know, someone seeking treatment for an STD. Can you walk us through that? I mean, that's one where you're like, oh, wow. This is really kind of awful. So we can imagine a user sitting at home and looking at STD symptoms on her home computer,
Speaker 1
6:57 – 7:54
then getting on her phone and looking for probably in parenthood or another health care center. And then go into the health care center, sitting there for a while, browsing on her phone, and then later go into a pharmacy. So all these all these different things in the past, all these different pieces of information would have been isolated on each device that you've used. However, with cross device tracking, we can now correlate all these actions by one user and also with a high level of location tracking. Mhmm. So even though this may not even though this individual may not have been treated for an STD, there's now a conclusion that this individual was, which is damaging to spices, but still also create a harmful profile of a user. Interesting. So this is pretty real now. You said there's firms out there. It's happening. It's it's happening. And there's amazing new ways of doing this. And they're getting better. The algorithms are using for probabilistic tracking are learning algorithms. So the longer they use them, the better they're gonna get. Fascinating.
Speaker 2
7:54 – 8:19
So another thing that you highlighted beyond this was, the concept of audio beacons. And I read this, I'm like, oh my gosh, audio beacons. Tell us what audio beacons are and how they're being used to even add to this cross device tracking. This stuff is freaky. So most users know, that when they're online and using their desktop computer or laptop, the cookies are being downloaded as they browse the Internet. That's pretty well known. But now, this company is using cookies in a new way. So when you download a cookie,
Speaker 1
8:19 – 9:32
it plays an audio an audio beacon that's like ultra sonic. So you can't hear it. You can't hear it. Your dog hear it? No. I think it's I think it's even above that. Okay. Since sound in the background does not interfere with the with the receipt of these audio beacons. And so it plays this audio sound. And then your phone, if it has an app by one of these companies, it recognizes that code. And now you've linked those two devices. So that's even more accurate than probabilistic tracking, because you don't have to put all this aggregated information into a statistical model. You can just say, oh, these two, we definitely know. Wow. So that's very concerning. And also, there's no user control on that. You the only thing that change the only thing that affects the seat of these audio beacons is distance. There's no background noises that you can make. And they're going this company that's doing it, SilverPush, is now moving into television ads. So when you're watching a television ad or a television commercial, it would play this audio tune that would also then get to your smartphone, your laptop, anything else that's right nearby. And when you think about it, when you watch TV these days, how often often is your phone right there with you and sometimes you're watching and then you're also tweeting or doing something on your phone. I mean, that would be probably fascinating information for marketers. Very fascinating. Where it's like, hey,
Speaker 2
9:32 – 9:57
Brian's watching Game of Thrones again. He's ten seasons behind, but he's doing it and he's tweeting about whatever. So it's just stuff. And it marks when you change a channel during a commercial, so they know what you're getting bored of. So stepping away then from these methods, which are interesting and some a little bit scary. CDT had some pretty clear recommendations, to the FTC in this as they're exploring the issue, which is great. What are kind of those bottom line recommendations,
Speaker 1
9:58 – 10:40
from CDT on this? So ideally, we, of course, want all the groups that are all the companies that are engaging in cross device tracking to incorporate fair information practice principles into their work model. But on the most basic level, we just want a level of user transparency. We wanna know where your information is being sold and what the company's privacy policies are that have your information. We also want some level of a robust out opt out. Right now, there's no way to opt out of this tracking, which is really concerning. So these two things mean that users really can't they have no control of the amount of data that they're giving away and the companies are profiting off of. So I'm guessing that if some people listening to this are probably like, oh, geez, this is a little bit concerning.
Speaker 2
10:41 – 10:49
Is there anything that a user could do right now, you know, general person with four or five connected devices do to kind of limit the amount of
Speaker 1
10:50 – 11:21
cross device tracking that happens? For deterministic tracking, you can just be aware of which companies have your login information and their privacy policies. But for probabilistic tracking, there's not much you can do. You can use some programs that enhance your privacy, such as Tor or Tor Browser. But there's not a Tor Browser. But there's not a lot of controls for all your devices and each of them require very educated and active user, which I think does not describe most of our population and even I'm in privacy advocate and I'm not sure that I would use all these activities because they're so hard to do.
Speaker 2
11:21 – 12:50
That's a good point. Well, clearly this is an issue that's gonna continue to be important and continue to involve, especially as more and more of our devices are connected as you mentioned. So thanks for being on top of this, Katie. It's a good thing CDT's involved and hearing on it or workshop on it. November 16. So that's coming up. So it's certainly something to follow. Thanks so much Katie. Thank you. Recently, the Court of Justice of the European Union ruled the safe harbor agreement between the EU and US invalid. The ruling jolted the tech sector and businesses on both side of the Atlantic, creating considerable uncertainty around the laws governing flow of commercial data. So why was the agreement struck down? It's far more of a symbolic but resounding response to the revelations about the US government's surveillance practices. CDT's president, Nuala O'Connor, is here today to talk about what the ruling means and what is next for both companies and EU US relations. Welcome, Nuala. It's about time we had you on Tech Talk, It's good to be here. I love our Tech Talks. I mean, how could we have done this for, what, like, two months now and you haven't even been on it? Because we have so many brilliant people. We're just working our way through the world. There you go. It's certainly not your busy schedule. So so prior to CDT, you worked in both the government and global corporate settings on a number of privacy issues, government access to data, and also cross border data flows. So to say you are, like, a true expert in this is an understatement. Can you tell us what this ruling truly means?
Speaker 0
12:50 – 16:36
So first of all, you're right, Brian. The staff laughed when they heard me go on ad nauseam about this this, decision, and then I felt a little sad. I really went into mourning. It brought back a lot of memories of trying to resolve these kinds of deals when I was in the government and comply with them when I was in the private sector. And I know a lot of the people who were in the room, in the actual room when safe harbor was negotiated. And I will say first of all that I have always said that the safe harbor is a creaky political vehicle that was not going to withstand the test of time. I wish I had blogged about that. So I had proof of saying that, but so many people have heard me say that. We'll take your word for it. They all know it's true. I've always been a little disparaging about Safe Harbor because at GE, we were a BCR company, and I'll talk more about that in a minute. But we were the first global multinational to be approved to use the binding corporate rule mechanism as a data transfer vehicle. And so we disdained the safe harbor a little bit. But, you know, all that being said, I'm not happy this happened. As as much as it's I'm happy for the the important signal you as you mentioned that it sends about our surveillance practices, it actually disrupts cross border commercial data flows far more than it does any damage to the government data flows. So what this means in practice is the European laws around data protection are different than the American laws around data protection. That is not to say one is better or one is worse. I can make I can argue that point all day long, but rather to say that in order to comply with getting in, personal data out of Europe, companies need to have a legal basis for that transfer. There are lots of legitimate legal bases articulated in the data protection laws of Europe, but then you've got to have a compliance mechanism or a legal structure for your company to get the data out. It could be for something as simple as paying your employees, providing them the goods and services they're buying, doing other kinds of transactions, but any of personal data, name, address, other unique identifiers. So it's not just tech companies. You know, like a lot of people think. It's pretty much any company. This it is a miss, a mistake to think that this only affects tech companies. Now do tech companies, kind of kind of inordinately, apply for safe harbor certification? Yes. Probably because they are doing very fast large Sure. Datasets moving across The Atlantic. But it's really any company that needs to move data about customers, employees, vendors, partners, back and forth, and it includes European companies that have subsidiaries in America. So it actually works both ways. What it means is the court has said that safe harbor is not an adequate vehicle. Adequacy is the determination that the European direct, data protection directors make about a particular company or vehicle for transfer. And they have said it's not adequate because of the very real looming fear at least that all of that data will end up in the hands of the federal government. And so Meaning the US federal government. The US federal government. Exactly. That's of course a very good point, Brian, because it's also handing ending up in the hands of European governments. Anyone who's gone into a hotel in Europe knows that the first thing they do is ask for your passport. They're not asking to look at your pretty picture. They're asking for the data in your passport. It's good because my passport picture is awful. So Yeah. Actually, I don't really like mine either. I was pregnant. My hair is is horrible anyway. But that's a whole another conversation. So they're asking for that data to share it with their local law enforcement agency and then in turn with Europol or Interpol or whoever, whichever poll it happens to be that day. And so there's data sharing in all seriousness. There's data sharing from companies to governments on both sides of the Atlantic. For any government in the Western society to point the finger at any other is is really a bit of schadenfreude. Yes, we're we're a lot clearer on what The United States is doing in the days post Snowden.
Speaker 2
16:37 – 17:15
But the reality is this is a global issue and it needs global solutions and it needs government to government solutions, not just government to company solutions. So let's go back to businesses a little bit. You mentioned BCRs. We try to avoid acronyms on the show, but you did spell it out for us. Finding corporate rules, is that what it is? You got it. What are businesses doing right now? It seems like they probably are scrambling to figure it out if they weren't already doing that. You know, what are the options out there for businesses that still need to do business in in this new environment? And that is the big, that is the $24,000 question and why every law firm we've talked to is, you know, giving webinars about what their compliance models are. Really simply put, when the data protection directive was passed in late nineties, early two thousands,
Speaker 0
17:17 – 20:40
the three vehicles kind of popped up as ways for companies to comply. The first is safe harbor which is a negotiated, not a treaty, but an agreement between the US government and the European Union that says, companies that sign up for this deal and sign up to be regulated or investigated if if there's a problem by the Federal Trade Commission are deemed to be adequate and therefore can transfer this data. The other two options, there are three options for companies to consider. The other two are model contracts which are very prescribed, very clear, you know, very very long contracts that say, I agree, I company x agree to all of these provisions when dealing with data of European citizens. And then the third are are newer but still now ten year old or more, models structure called the binding corporate rule. And a binding corporate rule is essentially a privacy policy policy and an internal compliance structure in a company that is reviewed at great length by the data protection direct, administrator or agency in the country in which the company has its largest subsidiary or largest number of employees. The greatest nexus is what the the standard is. And so companies doing business on both sides Atlantic and transferring personal data about individuals. Again, this is scoped to be about your personal information, name, address, social security number, any kind of unique identifier that could be used to find you in the real world. Have to choose one of these compliance vehicles and have to sign up and get it done. All have different kinds of ways of and and levels of complexity. At Safe Harbor, you might argue is the simplest because you review what the standards are. You kinda self declare that you you're good at it. That you give the FTC the enforcement authority should something go wrong. Model contracts require a lot more legal writing and research and and reading. And BCRs require a fairly, you know, full scale compliance program. But if you're doing safe harbor right, I would argue you're not far off off your your other kinds of of, compliance mechanisms as well. The knock on on safe harbor versus BCRs has been that only big companies can handle a BCR program. I don't agree with that anymore. I think that the standards are so clear and good companies are are so much more sophisticated about compliance than they were fifteen years ago, that the difference is not that great. But here's the really bad news. This decision really will have a profound and lasting impact on companies doing any of those things. Because the issue in the case was not that safe harbor in and of itself is a bad program, but rather that once the data ends up here, that there is unfettered access by the National Security Agency and other law enforcement and counterterrorism agencies. That's what the ruling means. It doesn't it certainly doesn't mean that Facebook is a bad company on this issue. It doesn't mean even that Safe Harbor was a terrible program. It means that the European courts found that there was too much of a risk of their citizens' data ending up in the hands of the US federal government without a legitimate law enforcement or national security predicate and without the kinds of constructs or protections seen under European law, like the idea of proportionality that it's the right amount of data necessary to the question at hand or that there's redress or access or kind of transparency that is desirable. Now can we argue that the Europeans don't also do that for their own citizens? Sure. I mean, we can get into that kind of tit for tat. And and I can argue again both sides of that of of that of that debate.
Speaker 2
20:40 – 21:12
The the bigger question is, what are we gonna do to fix this? Yeah. That's where it's gonna ask. So let's say, it's a big symbolic blow. And if it's really not doing anything to change government intelligence by any means or practices at least, what is it? I mean, what does The US need to do? What does the EU need to do to create a place where, you know, people aren't always saying, well, we can't turn data now because it's just gonna hand up end up in the hands of the NSA. So here's the surprising thing I will say. I think The US has actually made more progress, perhaps because they've been exposed in their own sins by Snowden and others.
Speaker 0
21:13 – 25:39
But they the passage of USA Freedom, which CDT had a very big hand in and I'm gonna, you know, toot our horn on that one a little bit. And then that the recent passage by the House of the Judicial Redress Act, which would provide more, rights to to non US persons under our laws for transparency and and accountability around the data that's in the hands of the government. And I think there's been a lot of thinking. Do I think we've gone far enough yet? No. But I think that we are definitely on a path that if we stay true to, we will see better equilibrium in our relationship to our government about our own data. I would encourage folks around the world to be having the same conversations and that's what we will stand for and we will push for in our global advocacy in the years ahead. And again, we are not an organization that naively says there should be no national security. There should be no law enforcement. That is not our stance. We real recognize there are real risks in the world and that counterterrorism and law enforcement are global initiatives. But that ultimately, in the digital world, the individual has rights and and retains some sense of dignity in their own data and some rights to control where it goes and who sees it and what it is it's gonna be used for. And the core principles of data protection on both sides of the Atlantic actually really come out of the same time in the early seventies with the OECD guidelines and the the HEW guidelines and the the a time when thinking on both sides of The Atlantic was very similar and with the advent of large scale, large mainframe computers and the potential for ubiquitous data and collection and large datasets to be created. And the need to the the the real feeling that people need to have a right to control their own data and how it's used. That's not to say that there is no legitimate government use. That's also not to say there's no legitimate corporate use, but that people need to understand what the bargain is when they're dealing with the commercial setting. They need to understand what their government knows or has access to in the in the government setting and that there should be a pretty bright line between those two data sets. And that's what the Snowden revelations really spoke to was the bleeding and the blurring of the lines between the private sector and the government and that there's a sense in some quarters that government should have free free and open access to data that is on the Internet or that is shared by you simply because you chose to share it on Facebook or Twitter or LinkedIn or wherever. That is, I think, incredibly flawed and incredibly dangerous thinking that just because I engage in in a digital life that the government should have access to my data. No. The presumption has always been in US law that there has to be some level of suspicion. There has to be some ongoing investigation, some legal predicate. We need to get back to those core basics. I think the Supreme Court is going exactly in the right direction on this, so I have great hope. In the short term though, you asked about what are we gonna do next. Mhmm. The folks at Commerce are working on and are doing, I think, really great, work around the idea of a safe harbor too. I think they've made great progress, on bringing in the voices of law enforcement, national security into the dialogue. I've always described this having been in some of those conversations in the government as a Mars Venus conversation. Right? You've got your law enforcement folks and your counterterrorism folks who are really looking at, you know, the world through their lens. You've got your data protection folks who are speaking literally and figuratively a different language even in the same country. You've got to get both sides of both of those groups on both sides of the Atlantic talking to each other and preferably all in the same room. So they can hear and see the the counter veiling arguments and needs and belief systems. And what what I found having experienced some of those is law enforcement on both sides get, you know, actually have more in common with each other than they do with their own citizens of the same country who are working on data protection and and, you know, and and vice versa. So you make all sorts of strange bedfellows and all sorts of strange friends. But at the end of the day, I I think we all share a common belief. We want our our our systems of government to be strong. We want them to be limited. We want our our citizens to be safe. And we want a digital world where the free flow of information does not strike fear in our citizens' hearts, but rather encourages innovation and technological growth and greater speech and greater collaboration and connectivity. I I do think there that folks in the last decade have just just been bedazzled by, oh, the technology can do that, so let's make it do that. Or, oh, we can get that data, so let's go ahead and get it. We've gotta really get to a pay a place of a greater equilibrium and greater government restraint on data and technology.
Speaker 2
25:39 – 26:19
Well, I have no more questions. I mean, you covered it all right there. You even went through questions I was going to ask without knowing. So that's amazing. This is why we need to have Nulan every week. So I'm gonna thank you so much for joining Tech Talk. That was spectacular. And hopefully, we'll have you on again very, very soon. Thank you, Brian. That's it for this week's CDT Tech Talk. I'm Brian Waslowski. You can find more information about today's topic at www.cdt.org. And as always, tweet us any questions you have or topics you'd like us to cover to at send them tech. Thanks for listening.