“We don’t search Google; Google searches us,” so says trailblazing Harvard Professor Shoshana Zuboff in her game-changing book, “The Age of Surveillance Capitalism.” The full scope of the personal information collected by many online companies is just beginning to dawn on society; this personal information is then used to target us with advertisements and to impact and shape our behavior in other ways. The same information is often sold to third parties who had nothing to do with, and no relation to, the original interaction or transaction the person performed online. Indeed, there are companies that have built their entire business model around collecting our personal data. Everything from our age, zip code, income levels, gender, friends, shopping and viewing habits, location, and more is collected and analyzed – and then monetized. And the dense legalese in the privacy terms and conditions that people agree to when they click “OK” is woefully inadequate — because almost no one reads them. And even if you did read them, it is difficult to understand the ramifications. Frankly, these are not “privacy” policies; they are “surveillance” policies.
This radical new business model has led to a number of chilling outcomes. One case that comes immediately to mind is Cambridge Analytica and its harvesting of the personal data of millions of people. As you may remember, in the 2010s, personal data belonging to Facebook users was collected without their consent by British consulting firm Cambridge Analytica. This was all done through an app called “This Is Your Digital Life.” The app consisted of a series of questions to build psychological profiles of users and also collected the personal data of the users’ Facebook friends via Facebook’s Open Graph platform. All told, up to 87 million Facebook profiles were compromised. Cambridge Analytica then used the data to provide assistance to the 2016 presidential campaigns of Ted Cruz and Donald Trump. As for Facebook’s role, it issued a series of apologies for the data harvesting, its CEO, Mark Zuckerberg, was called to testify in front of Congress, and the company was fined by the Federal Trade Commission.
A less reported but equally problematic story concerned Uber’s data breach that went unreported for almost a year. As some of you may remember, in late 2016, a group of hackers stole the personal data of 57 million Uber users. Among the most sensitive data, the hackers managed to steal the driver’s license numbers of some 600,000 drivers. But instead of alerting its users or drivers, Uber paid off the hackers and received promises that all the information would be destroyed. After covering it up for over a year, Uber’s CEO finally revealed the breach, causing the Attorneys General of all 50 states to file suit for Uber’s breach of privacy. The company settled these claims for over $148 million. Perhaps more chilling, we also know that Uber has used personal information improperly to do opposition research on journalists who have criticized the company.
These egregious cases only expose the worst of what this technology has done. In countless intrusions, our privacy is chipped away at one click at a time. Technology moves much faster than the ability of policymakers to keep up – you can write computer code a lot faster than you can write the law. Of course, technology has many benefits, but public policy is far behind in protecting consumers.
In response to this unprecedented technological upheaval, I have filed legislation including H. 136, An Act relative to data privacy, and H. 142, An Act establishing the Massachusetts information privacy act.
An Act relative to data privacy focuses on the privacy issues inherent in the wide use of computers. Companies that collect our personal data, called Data Aggregators, will be prohibited from collecting, using, or sharing any personal data unless strictly necessary to carry out carefully tailored permissible purposes. This legislation also would create a new agency to oversee data privacy for Massachusetts residents and offers powers to the agency to enforce these new laws on behalf of citizens. In addition, this legislation establishes a fund for victims of privacy abuse and ensures employment protections for whistleblowers.
In addition, I am advancing another important piece of legislation, H. 142, the Massachusetts Information Privacy Act, a bill that includes privacy and civil rights protections for people in Massachusetts. First, it protects people from the unwelcome collection, use, and monetization of personal information. Second, it provides special protection to our most sensitive personal information, including location and biometric data. This proposal also makes it unlawful for companies to use personal information to discriminate against people. Critically, it ensures accountability by establishing a new Massachusetts Information Privacy Commission with the authority to investigate, enforce, and create privacy regulations. The bill also includes a “private right of action”, giving ordinary people the right to sue companies that violate the law.
Our personal data online is big business. The time is now to provide rules of the road to rein in the power of tech companies. While technology has made our lives easier and more interesting in certain ways, in other ways it has pernicious impacts. We can and will do something about it.
YouTube presentations by Shoshana Zuboff:
What Is Surveillance Capitalism? (3 min watch): https://www.youtube.com/watch?v=fwNYjshqZ10
In a nutshell: Surveillance Capitalism and Democracy (18 min watch): https://www.youtube.com/watch?v=5AvtUrHxg8A
Cyber Law Monitor article “Is it Time to Rethink Notice and Choice as a Fair Information Privacy Practice?”: https://www.cyberlawmonitor.com/2019/02/13/is-it-time-to-rethink-notice-and-choice-as-a-fair-information-privacy-practice/
ACLU Fact sheet on The Massachusetts Information Privacy act: