dataprivacy

The Making of a Myth: Big Tech, Billionaires, and the Wild West

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Trace Hudson on Pexels.com

By: Sofia Ellington

When former Amazon CEO, and current billionaire, Jeff Bezos and his girlfriend Lauren Sanchez appeared on the cover of Vogue in November 2023, social media was on fire, incredulous over the cover that seemed to exaggerate the tech billionaire’s biceps. Less ablaze was discussion about the setting for the photoshoot: Bezos’s ranch in West Texas. Dressed like Hollywood cowboys, Bezos and Sanchez harkened back to imagery of American film icons such as John Wayne and Clint Eastwood. While the glitzy couple may seem to be a far cry from the national icon that has come to represent rugged individualism, personal freedom, and self reliance, I argue that the choice to exhibit Bezos as a modern cowboy reveals a salient truth about the status of billionaire tech tycoons and the businesses they champion: just like the American cowboy, the law has aided in making the myth of the genius tech billionaire. Both myths demand a harder look.  

The myth of the western cowboy plays on false myths of life on the range. The archetype of heroism and self-reliance is more accurately characterized as a life sustained by government subsidy and lack of oversight. The myth of the genius tech billionaire has captured the American imagination in much the same way as the cowboy. Distrust of government overreach and spending as well as lack of resources for life’s essential building blocks like housing, school, and healthcare leads to semi-reliance on the ultrawealthy’s philanthropic escapades and leave us in awe of their romanticized entrepreneurial genius. Behind the myth are exploitative practices that implicate anti-competitive practices and concerns over consumer exploitation. 

First, we must understand the cowboy archetype. Look no further than country music for imagery of the romanticized cowboy. In his 1993 hit, “Should’ve Been a Cowboy,” the late Toby Keith croons longingly, “Go west young man, haven’t you been told? / California’s full of whiskey, women and gold.” Drawing on the promise of manifest destiny, the cowboy archetype is full of imagery of young, brave men going West to an empty landscape full of opportunity, independence and a chance to strike it rich off the plentiful natural resources. In reality, the land in the West was never unoccupied because it had been the homeland of Native Tribe’s since time immemorial, and the seemingly endless supply of natural resources was a delicate environmental balance easily disrupted by exploitation

Initially, Federal laws encouraged early western homesteaders to settle by offering 160 acres of federal land for only the cost of an initial filing fee. Along with those 160 acres, ranchers and homesteaders were able to claim water rights and graze their cattle on public lands at no cost. The sense of ownership over public western lands increased, and some cattle ranchers began to erect barbed wire enclosures to keep out other competing users of the land, along with other tactics that created a hostile atmosphere that helped keep competition away. 

After a long period of little federal oversight, the increasing enclosure of public land and environmental concerns over grazing practices spurred Congress to act. In 1885 they passed the Unlawful Enclosures Act and then Taylor Grazing Act in 1934. The U.S. Supreme Court’s 1895 decision in Camfield v. United States, made clear that private landowners could not make exclusive use of public lands and resources, holding a Nevada cattle rancher had violated the Unlawful Inclosures act after he fenced off nearly 20,000 acres. Additionally, the dust bowl in the midwest warned of the environmental consequences of overgrazing. The Taylor Grazing Act purported to curb future damage to the lands through establishing grazing districts and requiring grazing fees to be paid to the Bureau of Land Management. Congress must take similar legislative action to respond to the growing tech industry to help control the power that tech companies, and their billionaires, have on the economy and their consumers. 

Like a rancher’s exploitation of public lands to the determinant of other users, big tech has been able to harvest invaluable information and record breaking profits from a resource they never had to pay for: your data. Additionally, the escapades of once worshiped tech tycoons such as Bezos, Sam Bankman-Fried, Mark Zuckerberg, Elizabeth Holmes, and Elon Musk make even the biggest sycophants take pause.

In addition to the criminal proceedings some tech entrepreneurs are facing, the big tech business model is going through an antitrust reckoning thanks to the Federal Trade Commission (FTC) launching lawsuits against Amazon, Google, and Apple, to name a few, for alleged tactics that disadvantaged their rivals leading to illegal monopolies that hurt consumers. Policy on emerging technology has long prioritized the economic and social benefits of a connected world. That has left guidance on how to hold tech companies and their billionaires accountable for how they exploit user data, like early rangeland policies, severely lacking

Many of the provisions in the U.S. data privacy framework only minimally restrict businesses and allow for the maintenance of the status quo. Unlike Europe’s comprehensive privacy law, General Data Protection Regulation (GDPR), the United States only has a conglomeration of laws that target specific types of data. For example, the Health Insurance Portability and Accountability Act (HIPAA) does not protect your private health information broadly, it only protects communication between you and your health care provider, or other similar “covered entities.” Additionally, the Gramm-Leach-Bliley Act (GLBA) requires that financial services like loan or investment service explain how they share data and requires an opt out option, but does not restrict how the data is used. The FTC is also empowered to go after companies that violate their own privacy policy by, for example, deceiving users as to the protection their products offer. Other federal laws such as the Fair Credit Reporting Act, The Family Education Rights and Privacy Act, and the Electronic Communications Privacy Act help to fill in the universe of federal U.S. data privacy. Your state’s laws may also offer additional protections

In addition to frustration with a lack of coordinated data protections that tech companies regularly exploit, public blowback on lack of taxes on the ultra-wealthy and reports that billionaires became richer during the pandemic has invigorated popular distaste for billionaires and an interest in holding their companies accountable. A slew of recent lawsuits have aimed at section 230 of the Communications Decency Act, which immunizes tech companies from liability related to content posted by their users. The U.S. Supreme court however, in both Twitter, Inc. v. Taamneh and Gonzalez v. Google, have balked at holding the tech giants liable when their algorithms promote problematic content, allegedly “aiding and abetting” terrorism.  Given the intense scrutiny that billionaires and big tech have been under recently, it is no surprise that Bezos tried to invoke the beloved American cowboy fantasies of freedom from federal oversight, independence, and self-reliance on the cover of Vogue. The irony is that by invoking the myth of the cowboy, Bezos’ cosplay underscored the need for more government oversight and regulation. Just as the practices of fencing off public land and overgrazing lead to more government oversight of ranch life, public frustration with the exploits of big tech are coming to a tipping point which suggest that a breakthrough is imminent. Just last month the FTC moved to ban data brokers from selling geolocation information for “sensitive data locations” such as visits to correctional facilities or reproductive health clinics. While big tech has had the tendency to divide and isolate, it has also provided the tools for a more connected public that has the potential to collaborate in order to protect against the disastrous consequences of unchecked exploitation of public resources.

Consumer Digital Privacy 101: Simple Steps for a Safer Digital Life

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Burst on Pexels.com

By: Perla Khattar *

In an era characterized by ubiquitous data collection and increasingly sophisticated digital technologies, privacy has emerged as a crucial concern for consumers worldwide. As personal information becomes more vulnerable to exploitation, the importance of privacy management cannot be overstated. While regulatory measures and institutional safeguards such as privacy by design play an essential role in protecting user data, the responsibility of safeguarding privacy ultimately rests in the hands of individuals themselves in the absence of effective regulation.

While it is evident that comprehensive legal frameworks and industry practices are necessary to ensure the responsible handling of personal data, the limitations of such measures have become increasingly apparent. The pace of technological advancement often outstrips the capacity of regulations to keep up, leaving gaps in protection. Moreover, the sheer volume of data generated and the diversity of platforms and services utilized by individuals make it challenging for regulations to cover every aspect of privacy. This blog post aims to provide practical tips to help consumers establish new habits and make small changes to enhance their privacy protection.

These tips do not provide foolproof protection against sophisticated threats, but adopting privacy-conscious habits can bolster individual privacy resilience and help mitigate risks. The primary objective of this blog is to equip individuals with beginner-level tips for privacy management. This newfound awareness can help individuals make informed decisions about how their personal information is collected, used, and shared, and can prevent them from falling victim to scams or other forms of exploitation. By being aware of their data privacy rights, consumers can also hold companies and organizations accountable for how they handle their personal information, and can help to promote a culture of greater transparency and accountability in the handling of sensitive data. This blog aims to bridge the gap between theoretical privacy principles and practical implementation, empowering everyday consumers to navigate the digital landscape with greater confidence and privacy consciousness.

1.     Understanding The Alphabet Empire

It is widely believed that Google has engaged in shady privacy practices in the past. For example, the company has been criticized for collecting and using biometric personal information from its users without their knowledge or consent. Some have also criticized Google for not being transparent enough about its data collection and usage practices, and for not providing users with adequate control over their personal information. Overall, there is a perception that Google does not prioritize the privacy of its users, and that it is more focused on maximizing its own profits.

An Alternative to Google Docs

Google servers can see everything that is typed in the Google documents, simply because consumer’s work and data is not end-to-end encrypted. Google isn’t particularly transparent about what it is doing with the collected data, but it is assumed that the company is scanning and analyzing the contents for marketing purposes.

However, consumers wishing to collaborate in real time on documents can do so privately: platforms like Cryptpad and Skiff are similar to Google docs but are end-to-end encrypted, making it impossible for the company to access your work in progress. 

Search Data Collection

Google keeps a database on every single user, where every search query is added. Then, specific information is extrapolated like location, medical concerns or political views, and sexual preferences for marketing. Google collects everything users search for, and everything they decide not to search for: the moment the user types in the search bar, and gets suggestions for common questions asked, everything that was typed, regardless of whether the user pushed “enter” or not, is sent to the Google database.

This information is used to be broadcasted to thousands of companies in auctions where advertisers and data brokers are bidding to purchase data. Additionally, Google uses this information to target consumers with specific search results, or even manipulate or sensor results.

To avoid all this, consumers can switch to Startpage, a company that gives users Google search results without any of the trackers, leading to the ability of viewing proxy websites without revealing any personal information.

De-Googling a Phone

First, replace Google applications with an alternative: OSMAnd instead of Google Maps, New Pipe and Odysee instead of Youtube, Brave Browser instead of Chrome. Them, download applications from F-Droid or Aurora to avoid connecting to the Google Play Store. Finally, use an operating system other than Android, such as Graphene or Lineage.

2.     Recognizing The Importance of Virtual Private Networks

Some Virtual Private Networks (“VPN”) record consumer’s unencrypted information and unencrypted internet activity to sell it to third parties. Some other VPNs log consumer’s IP address and activity. Other VPNs demand access to photos, nearby Wi-Fi networks, and nearby Bluetooth devices in order to gather more data on the user.

In fact, 105 of the most popular VPNs are owned by just 24 companies. When searching for a VPN, consumers should look for products with no logging or low logging guarantees with paramount encryption, and choose the jurisdiction they’re connecting to carefully: in Switzerland, for example, the government can’t compel VPN providers to log IP addresses.

Here are some private VPNs that do not sell any information and that protect user’s information from Internet Service Providers: The Freedom of the Press Foundation’s shortlist includes Mullvad and ProtonVpn.

3.     Switching Browsers and Search Engines

Browsers and search engines often collect personal information from consumers in order to improve their services and provide more personalized experiences. This data can include information such as the consumer’s location, search history, and browsing habits. This data is typically collected through the use of cookies and other tracking technologies, which are small pieces of data that are stored on the consumer’s device and can be accessed by the browser or search engine. This data is often used to target advertising, to improve search results, and to develop new features and services. Overall, the collection of personal data by browsers and search engines can be both beneficial and potentially invasive, depending on how it is used and who has access to it.

General Idea

A browser is comparable to a car that takes consumers to their destination. Famous examples of browsers are: Chrome, Brave, and Firefox. A search engine, however, is comparable to the map that lets consumers arrive to the final destination, because search engines index all the sites on the internet. Famous examples of search engines are: Google Search, Bing, Yahoo.

Some companies have both a browser and a search engine: Brave has Brave browser and Brave Search Engine. DuckDuckGo which is a popular search engine now has a browser.

Consumers are free to choose which search engine to use in their browser URL bar: someone that uses Chrome, might set their search engine to Google. More private options for browsers and search engines include Brave Browser in combination with Brave Search.

Choosing the Best Browser

Brave has great built in privacy, built-in ad blocker and it prevents websites from fingerprinting the machine; these securities are also enabled by default.

Firefox is great for users wanting to customize their settings, because it has great extensions like the Facebook container that stops Facebook from tracking consumers. However, users wishing to use Firefox need to configure the privacy settings to their linking, as it is not a default in the product.

Tor is the ultimate private browser since it bounces the traffic off the browser to different nodes before reaching the final destination so that no single node knows both who originated the traffic and the final destination. However, although Tor is the go-to browser for anonymity, it makes browsing significantly slower.

Bounce Tracking and Debouncing

Sometimes, before taking consumers to a specific website, computers will bounce the user to several tracking websites before reaching the needed destination. This is because companies are getting sneaky in the way they track consumers.

When consumers are loading a website, they can sometimes see different URLs appearing on the bottom left of the page. Before being taken to the intended website, users are being bounced through tracking websites that collect personal information. This phenomenon is called bounce tracking.

Stopping this can be done in two ways: First, debouncing: some websites can learn which websites consumers are intending to visit, and therefore can skip over all the tracking websites, taking users straight to their destination. Brave has the only version that ships in the browser. Second, unlinkable bouncing: some websites will visit these tracking domains in a throw-away profile to decrease what the tracking site can learn about the consumer.

Browser Plugins

Browser plugins are pretty dangerous because they are able to capture passwords, credit card details, track browsing, insert advertisements and redirect traffic. Even an extension that does only minor things like checking for discounts, may require access to everything users do in browsers to function. Companies that provide browser plugins are not necessarily spying on users, but they can actually do so if they decide to. Sometimes these extensions are sold to shady companies, or hijacked by hackers.

The solution is to avoid installing plugins, and to delete the ones that are not in use. And if consumers decide to use one, they should absolutely trust the company before using the plugin and check for the permissions that are being granted. If a company doesn’t need access to everything a consumer is doing, then permissions need to be restricted to the strict necessary.

4.     Adopting Better Password Safety

Password safety is extremely important for protecting privacy. This is because a strong password is often the first line of defense against cyber-attacks. If a hacker is able to guess or gain access to a person’s password, they can potentially gain access to that person’s sensitive information, such as financial information, personal documents, and more. Furthermore, if a person uses the same password for multiple accounts, a hacker who gains access to one password can potentially gain access to all of that person’s accounts, which can be even more devastating. Therefore, it is crucial for people to use strong, unique passwords for each of their accounts, and to regularly update those passwords to ensure the continued protection of their privacy.

Shady Password Managers

Most commercial password managers have key loggers that are used to scan what consumers type. Therefore, password managers need to be reputable, ideally open source or be checked by third party audits. All passwords should be encrypted on the device itself, and encrypted at rest so that the service provider can never get access to consumer’s passwords.

Password Configuration

Simple passwords like “password” or “12345678” are one of the easiest ways to get a consumer’s account hacked. Passwords should be unique and randomly generated, with a different password for every account.

With a good and trusted password manager, users can remember only one secure master password and the application will randomly generate and store all the rest of them to make sure that inevitable data breaches don’t put all your accounts at risk.

Two-Factor Authentication

Consumers should always add two-factor authentication whenever possible, whether its required or not, because it makes a huge difference when it comes to protecting accounts.

Wherever supported, it is best to use a security key like the YubiKey. The text option might be easier, but it is less safe because hackers are notorious for performing “SIM Swaps” where they get the code routed to their device instead of the consumer’s. The authenticator applications like Okta are better than text, but the problem with authenticator applications is that it’s easier to steal the private key off the phone than off the YubiKey.

5.     Outsmarting Wi-Fi

When Wi-Fi is tuned on, the phone is constantly sending Wi-Fi probe requests, which are basically little packets of information that contain details about the phone. This information is broadcasted publicly for anyone to see. Essentially, the phone is going around announcing to any nearby Wi-Fi network that the phone exists.

Turning the Wi-Fi off when not in use is a great idea. But pressing the turn off Wi-Fi button doesn’t always mean that the action was successfully executed. If consumers have an android and they turn off their Wi-Fi, they won’t be connecting to a Wi-Fi network anymore, but their phone will still send out Wi-Fi probe requests. An additional step would be to switch off the “Wi-Fi scanning” in the settings. And on iOS, consumers can’t just toggle Wi-Fi off in the control center, it has to be done in the settings.

Final Thoughts

While it may be tempting to dismiss these beginner privacy tips as insignificant in the grand scheme of things, they actually possess the power to usher in a more sophisticated approach to privacy. True, they may not completely revolutionize consumers’ lives overnight, but they provide a solid foundation for living a privacy-conscious existence in today’s digital landscape.

By implementing these tips, consumers take proactive steps towards protecting their personal information, maintaining control over their digital footprint, and mitigating the risks associated with online vulnerabilities. Each small action, such as using a password manager, or encrypting communications contributes to a larger framework of privacy-conscious behavior. In the face of growing privacy concerns, it is crucial to remember that change begins at an individual level in the absence of legislation. By embracing these beginner privacy tips, consumers actively participate in a larger movement towards a privacy-conscious society, where our personal information remains secure and our digital lives remain private.

*Perla Khattar is an Attorney at the Beirut Bar Association & J.S.D. Candidate 2027, Notre Dame Law School.

The Fourth Amendment’s Third-Party Exposure Doctrine in the New Age of Data

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Markus Spiske on Pexels.com

By: Kyle Kennedy

The Fourth Amendment protects US citizens from unreasonable searches and seizures by creating an administrative barrier between citizens and investigating authorities. In addition to the Fourth Amendment, the lack of government resources also serves to protect individual privacy because investigative authorities can neither afford nor validate surveillance of citizens past a certain cost-benefit tradeoff. Together, the intended effect of these protections is to sufficiently guard against invasions of citizen’s privacy by government authorities in pursuit of evidence. However, the interaction of modern-day technology and the increased availability of data as a result of the Third-Party Exposure Doctrine leaves US citizen’s personal information exposed to the government in unprecedented ways.

The Supreme Court has held that the Fourth Amendment provides protections to citizens based on a reasonable expectation of privacy. However, the Third-Party Exposure Doctrine states that information willingly revealed to third parties is not subject to Fourth Amendment protections. As an example, in U.S. v. Miller, the Supreme Court held that there is no reasonable expectation of privacy for information shared in bank records. However, in the landmark case of Carpenter v. United States, the Supreme Court limited the Third-Party Exposure Doctrine by holding that collecting seven days worth of cell phone location information was a violation of the Fourth Amendment. However, it is worth noting that the holding in Carpenter was cabined to its facts, therefore leaving significant questions about the application of the Third-Party Exposure Doctrine to consumer data and electronic records unanswered.  

In addition to the privacy protections afforded by the Fourth Amendment, the Stored Communications Act (SCA) protects against searches of electronically stored information. Under the SCA, the government can access content information of emails that have been unopened and in storage for over 180 days or of email that have been opened and undeleted with a mere administrative subpoena or 2703(d) court order. The SCA provides even less protection to non-content data like account information or metadata. The weak protections this statute provides for electronically stored information demonstrates that the statute does not fit the modern state of technology and data privacy and is clearly outdated.

Given the exponential increase in internet use and data creation in recent years, consumer data has never been as plentifully available as it is today. According to Forbes, Americans send 188 million emails, 18.1 million texts, and 4.5 million Google searches every minute. Further, Americans download 390,030 third-party apps every minute, all of which seek consent from the user to collect their data. Under the landmark Carpenter case, the Fourth Amendment protects against the unwarranted collection of seven days of cell phone records. This precedent could ostensibly be extended to consumer data shared on third-party apps. However, the Supreme Court has so far declined to determine whether a shorter period of data collection would be permissible or whether data consensually shared with third-party apps triggers a lower expectation of privacy than automatically collected cell phone records. 

The SCA does not provide any better answers than the current body of case law. Overall, the SCA tends to create a relatively low administrative hurdle for searches of electronic data.  The SCA categorizing of digital records based on content, whether the records are opened, and the time in storage is an ineffective approach to balancing privacy protections against the government’s investigative need. A wide variety of individual data is not cleanly divided by the SCA’s categories of the content or whether it has been opened or deleted.  Furthermore, the efficacy of providing lower protections to older records is reduced by the government’s need for timely investigative data as well as individual’s continued privacy interest in that older data.

The lack of clear Fourth Amendment (or other statutory) protections for electronic data weakens the barrier of privacy between individuals and the government. This barrier is further weakened by the relatively low cost of investigation through the searching of electronic data and records. For example, advanced saliency algorithms and deep learning techniques allow authorities to process visual data and access information at quicker speeds and lower costs than ever before. These same algorithms and techniques are easily applied to non-visual user data generated by third-party applications. Individuals using third-party applications on their personal devices store messages, locational data, and other consumer data on these platforms which potentially exposes this data to the government under the Third-Party Exposure Doctrine.  Although the majority in Carpenter limited the Third-Party Exposure Doctrine as it relates to cell phone data, it remains unclear what level of privacy the Fourth Amendment provides to data shared with third-party applications. Although Carpenter discussed the pervasive nature of cell phones in everyday life, the Court also specifically mentioned that the cell phone data in that case was tracked and recorded without any affirmative action by the user. Data shared through third-party apps often requires the user’s consent to data collection. It could be argued that the user’s consent is a voluntary exposure to a third party, thus leaving room for a distinguishing argument by the government. While the precise nature of the privacy protections provided by the Fourth Amendment to electronic data are unclear, there is a clear tension between the modern state of technological surveillance and the current rule of law protecting US citizens’ individual information. 

The implications of insufficient protection of consumer data are wide-reaching.  For example, there is serious concern that data from third-party apps tracking menstrual cycles or location data could be used in criminal prosecution in states that have recently instituted abortion bans or restrictions. Given the current political climate, the relative powers of the branches of the federal government, and the slow-moving and unpredictable nature of the Supreme Court, the most ideal path forward would be for Congress to pass new nation-wide privacy protection legislation. There are many advantages to a clearcut, nation-wide framework of law which balances the need for privacy with the need for government investigation while providing technologically relevant protection to personal data. A question for future research would be whether Congress’s scope of power would allow it to regulate the use of consumer data by investigative authorities, specifically at the state level. Assuming the power is within their scope, an act of Congress would provide the most effective solution to closing the gap between modern technology and current law. Absent such congressional action, US citizens will be forced to rely upon the legislating bodies of their individual states to provide increased personal data privacy protections.