In the digital age, it’s hard to know which data about ourselves is really ours. Who is allowed to have data on your internet use? Your shopping habits? What about data on your body, your voting record or how furniture is laid out in your home?
It may surprise you that various companies and government agencies around the U.S. may already have that data, even if you never consented to give it to them.
For Alex Alben, this is a huge problem. Alben is a privacy advocate and he’s Washington state’s first-ever chief privacy officer. It’s his job to try and protect the personal data and the privacy of citizens in Washington, and by extension, around the country.
We speak with Alben on this episode of the GeekWire Podcast to learn about how our personal data ends up in the hands of unfamiliar people, as well as what citizens and organizations can do to help protect privacy.
Alben travels a lot for work, and while not everyone is worried about data privacy, he says lots of people are acutely aware of the problem. The recent Equifax breach, where hackers stole the personal data of 143 million Americans, is putting even more of a spotlight on the topic.
“Everywhere I go, people are freaked out about privacy. They feel the government is spying on them. They feel that corporations are profiling them and they feel they have no control,” Alben said.
“And we need to do our best to actually not patronize people and say, ‘Oh, it’s not a problem,’ because frankly, it is a problem, and we have reached a level of both surveillance and profiling of individuals that is unprecedented,” he said.
Think of Amazon’s intricate details of a customer’s shopping habits. That data could tell the company roughly how old someone is, where they live, how much money they make, if they have a family or a pet or a car, maybe even if they have food allergies or any other particular health condition.
Imagine how much someone could learn if they combined that information with data on the person’s internet browsing habits or data from their internet-connected devices that detailed the physical space inside their home.
Alben says personal data mining is one of the Wild Wests of the tech world. There are very few regulations and restrictions, and there is no national law that lays out a person’s privacy rights or rights to their own data. The Internet of Things is a particularly worrisome area because it is so new.
“It’s like driving cars if we had never developed a speed limit for cars in the United States,” he said. “You would say, ‘That’s crazy. We need to have some regulation here because it’s a safety issue.’ But that’s analogous to where we are now with the Internet of Things.”
For now, Alben and others around the country are working to put those guardrails in place. And in the meantime, he says, always clear your cookies.
Listen to our conversation with Alben above, download the episode as an MP3 and keep reading for an edited transcript of the full conversation.
Todd Bishop: Just as a starter, give folks a sense for what your job is — because, as I said, you’re the first in Washington state and you’re one of only a handful around the country.
Alex Alben: I think there may be three or four other chief privacy officers at the state government level, so it’s very much a pioneering job. And as you mentioned it’s the first time we have had a chief privacy officer in the state of Washington. It’s an opportunity to create and define the job, which makes it a very exciting job, and I learn as I go. There are many people in the state who are interested in digital privacy. The legislature has some members who feel very strongly that we need to do more to protect privacy. And then I work for the 50 different state agencies, each of which has a different mission and each of which is collecting and processing data about people in Washington state, and I try to work with them to really develop some best practices around what they do.
TB: So for a lot of folks out there — maybe speaking for myself — I go around and I think “Gosh, I’m basically spending my privacy to get things in return for free online.” What’s the state of the citizenry when it comes to privacy, when you talk with constituents out there? What do you hear and how do you incorporate that into your work?
Alben: I do travel quite a bit around the state, from Clarkston, Wash., to Colfax, and everywhere I go people are freaked out about privacy. They feel the government is spying on them. They feel that corporations are profiling them and they feel they have no control. So that’s the environment that we work in in the privacy world. And we need to do our best to actually not patronize people and say, “Oh, it’s not a problem,” because frankly, it is a problem, and we have reached a level of both surveillance and profiling of individuals that is unprecedented.
So we can’t say it’s not a problem, but we can say, “This is what’s happening. And from a consumer education point of view, this is what you can do to protect yourself.” Now, very sophisticated people already know how to protect themselves and they will use products such as Tor or Signal. They know what encryption is. They can cover their footprints and limit their profile. That’s not my audience. My audience are the 7 million people in the state of Washington who actually don’t know a lot about what’s happening when they go online and they care a lot about control of their data, both what the state knows about them and what corporations within the state know about them.
TB: So let’s talk about what the state knows first, because that obviously is something you can have direct control over, through policy. When you look at Washington state’s collection of data about citizens in the state, what does the state know? What does the state do with it? And then to what extent are you regulating that through your work?
Alben: My office works with the CIO (chief information officer) of the state and also the CISO, the chief information security officer. We can look at state agencies and say: How can we minimize the data we’re collecting about you? We need to collect some data. For example, you have a driver’s license. The state needs to be able to contact you and know who you are. That information, though, goes into a database and the state sets some rules around that data. Can we sell that data? Can we share it with other law enforcement agencies? Should we share it with private corporations? And the legislature sets policy around that. So to the extent that we can develop some more privacy-respectful practices, we’re trying to do that.
One of the examples: In the last session, the legislature passed two laws regarding biometric identifiers: both the biometrics, such as a fingerprint or DNA, that the state collects from you and the rules around that; and also the biometrics that a corporation, such as Facebook or an online company, might be collecting about you. The principle for both of those is the same and the principle is that you need to have consent around the collection of that biometric identifier and then the state or the corporation can only use that biometric identifier in a manner that’s consistent with what we collected it for.
So for example, if we did an enhanced driver’s license and that has facial recognition in a photograph — that’s a biometric identifier. We’ll use that information for purposes of identifying you. That’s fair. But we won’t sell that information to a third party so that they can use those biometrics in a way that you didn’t know, unless we go back to get your consent. That’s actually a pretty major step forward in the privacy world. There’s only two or three other states that even have laws regarding biometrics, and that’s the kind of policy that I think the legislature was wise to adopt and which I would like to advocate for.
TB: There was also the issue of internet service providers and the national rules that changed, and I know there were efforts in the Washington Legislature. The whole idea was that, essentially, changes at the national level allowed internet providers to sell personal information without the permission of the people whose information was being sold. Where does that stand currently?
Alben: Yes, we got into that in the last session. The Federal Communications Commission had proposed a set of rules that basically said that your broadband provider cannot sell your web traffic information — what sites you visit — or your TV viewing information — what television shows you’re watching. Because in most cases, a carrier knows both of those things. That’s a very powerful set of information, if a company knows what you’re watching and what websites you are visiting. The FCC had rules that were going to go into effect and the Trump administration and Congress decided to cancel those rules. This raised the question of whether state governments, such as the state of Washington, can say “Well, federal government, you’re not going to regulate in this area but can a state regulate.” There were bills introduced in our legislature that passed the House of our legislature and they never got to a vote in the Senate. I believe that the votes were there to pass that bill. And basically what that bill says is we are going to really restore the FCC privacy rules that never went into effect. People actually thought they were already in effect.
TB: … and they were being repealed, but in fact, they were being rolled back before they ever took it.
Alben: Exactly. This was part of the Trump administration’s general, “We just wanted to kill all the regulations.” And I actually don’t think they thought very carefully about this, but that doesn’t matter. The rule is important. Now it happens that there are several cities within the state of Washington that have contracts with carriers such as Comcast. And in those contracts, in order to give them the monopoly or the franchise to offer broadband, say “We will not sell user web surfing data.” But we don’t want to rely on that alone, and I think it would be good policy for the state to pass this and depending on how the political chips fall in our state, it might come up again.
TB: Taking a big step back — you said at the very beginning that you talk with citizens out there who are rightfully concerned. What do you say to them? You said they should be concerned — what should they do? What can the state do and what are your big goals along those lines?
Alben: [laughing] We have less than two hours to answer that question? OK. The citizen can take a few approaches, mostly educational. And I’m not going to tell you to read the privacy policy, because who has the time to actually do that across the board for every possible site that you visit? And frankly, even if you read the policy you’re not going to be able to effect change in the law. We call it a contract of adhesion. “You must abide by this policy, consumer, and we don’t give you any choice.” That’s not a way to do business. The way to do business is to get consent. If I’m going to collect data from you and it’s personal data, then I should tell you what I’m collecting and how I’m using it.
The problem with the old model — let’s say the old web model — is that it very rapidly accelerated over the last 10 years with big data and with data analytics. Those technologies allowed companies to build highly complex profiles of individuals in ways that no one really completely understands. For example, in the election. There is a company that collects the entire voter file of the United States. Everybody who’s registered to vote, so over 150 million people. Their voting pattern, which is how often they voted. They don’t know who you voted for, but how often and where actually gives a pretty good indication sometimes of who you are voting for. They then combine that voter list with other databases — databases of who buys cars, databases of where you shop. And it turns out that these companies have over 4,000 data points about every American on that list. That boggles my mind, that a company would have a database that they legitimately collected which has over 4,000 data points about me. So that when I visit a website, such as ESPN.com, they just don’t know it is browser X that’s coming to the site from somewhere within the state of Washington. They know “Oh, this person owns a Volvo, and this person uses this phone company and this person has traveled over these cities.”
So that’s what people are not aware of, and we need to actually both do consumer education — such as this show — to give people a more sophisticated idea about the data that’s out there about them. And then to give them maybe some practical tools about how they can limit data collection, for example. Why don’t we just wipe out our cookies after a web session? Those cookies that are set by every site that you visit, every page that you click on, every link that you click on is building a valuable treasure trove for those companies to data mine. And if you want to limit the extent of data mining, wipe out your cookies.
TB: What other practical tips can you give folks?
Alben: On the state level, I’m really encouraging state agencies simply to collect less data about people in the olden days — let’s say the 1990s, when we actually kept paper records in file cabinets — it really behooves the state agency to collect as much data as we could about a person. It wasn’t easy to get information from people unless they were visiting an office or they mailed a letter to you. Now we can have much better communication with individuals through the phone or through e-mail. The state does need to collect everything about someone to render a specific service. If we want to issue a hunting license or a fishing license, we can just say, “Where are you going to fish and when and what’s your name?” We don’t need to also collect your social security number. That’s the kind of practice that I want to institute across the state.
TB: But does that limit the things that the state can do to the benefit of the citizens, in much the same way that companies might argue, “Hey, I need to know all those things to provide you a better service”? I’m arguing on the other side of the coin, there.
Alben: I’m a privacy advocate. … Collect the data that we need to render a service. One of the things that we did start pretty soon after I came into this job is to analyze how we could scale the job. One person or the two or three people I work with are now going to scale across 50 state agencies. How do you do that? One strategy is that we could create some tools to put in the hands of people who work in state agencies, from Fish and Wildlife to Health and Human Services, and have those people actually implement better privacy practices.
We created a web-based application called Privacy Modeling and it’s on the privacy.wa.gov website. This is a web application that enables someone who works in the state agency, but frankly, state or local government or actually just an interested citizen, to say: What is that type of information we want to collect to render a service? And there’s over 40 different kinds. It could be your driver’s license, it could be a biometric identifier, it could be your social security number. So identify the type of personal information you want to put into your service, then say: How do you want to use it? And there’s five or six ways you could use that. You could simply store it or you could go share it or sell it to others. You indicate that and then you press a button and it comes up with a results page which says “these are the laws, both federal law and in Washington state, that apply to this situation.”
So a situation where I want to collect someone’s birthday and gender and use that to sell that it will give you the applicable laws. Actually, one of the first things I found out in the job was no one knows what the privacy laws are of the country, and we shouldn’t expect them to know what the privacy laws are. So this is sort of a super specialized privacy search engine and it can be used by anybody. State agencies have told me that it’s very valuable and hopefully it will demystify the whole space of what is your privacy right.
TB: So for people who missed that, that is privacy.wa.gov. So that’s a really great tool to check out.
Alben: And then the link is simply to the application, which is called Privacy Modeling. We were funded from the Hewlett Foundation to do this work, so I don’t want to give an impression that we were using taxpayer money for this experiment. But I think that it’s been a valuable experiment, and other states have asked me whether they can do a similar application.
TB: So that’s used by citizens to understand the law or is it used by companies to understand what they can do with the data?
Alben: Both. It’s used by staff people in government to know what they can do, what the laws are that apply. For example, it could be perfectly innocuous to use somebody’s date of birth or in a certain context it might actually be illegal to use somebody’s date of birth. But we should know what the laws are that have been passed over the years, both on the federal level and on the state level. We didn’t do city statutes because it really started getting into the weeds in terms of the number of things we could research.
TB: As I mentioned at the beginning you came out of the tech industry — you worked early at Starwave, which was a company that will ring a bell for many folks who’ve been around the Seattle area. That’s the Paul Allen-owned company that developed ESPN.com.
Alben: It was one of the first commercial web companies.
TB: What time frame was that?
Alben: I came in ’93, we were launching ESPN I believe in 1995.
TB: There were people who didn’t even know what the internet was or the web was at that time.
Alben: The web was not very sophisticated yet, in terms of the business model, and that ties into privacy. In those days we were struggling to understand, well, are people going to pay for internet? Or is it going to be an advertising-based model? It turned out to be both, in a way, but we didn’t know that. We put out the product. Millions of people started using the product. You could go start the day on the East Coast and then follow the traffic as news or sports scores began to populate the site and it was actually very exciting to see the uptake. And Mike Slade was our CEO and we had a lot of smart people build these first-of-a-kind web services. But we did not do data mining in those days. And in fact, Mike Slade asked me to write a privacy policy for our site and I said, “Great, happy to do it.” And then looked around for other sites that had privacy policies and I found there weren’t very many of them.
TB: So you’ve been looking at this issue for a long time.
Alben: I had to write a good privacy policy — I hope — over 20 years ago, and it was a one-page policy that said we collect this data. We don’t sell it. That was our model.
TB: Oh! Well, that makes it easy.
Alben: That was easy.
TB: That would be the exception today, right?
Alben: That was very easy. That is not the policy of the of the site today. Actually, Starwave was eventually bought by the Walt Disney Corp., and you can find the kernel of my privacy policy in their 25-page policy.
TB: You’re kidding me. Do you recognize a phrase or two?
Alben: There are some sentences that have survived. Maybe it’s “this is what we do with your data,” has survived. But the point is that this tracks the evolution of the internet from almost a broadcast-type medium where information was put out to people and they consumed it — without a lot of knowledge about who the consumer was, in the early days — to now we know who the consumer is we are going to run an auction to sell and add to that individual consumer. And based on that consumer’s behavior not only on our website but on other sites, we will track you and build a very sophisticated profile. That’s the growth of the internet. It’s been a great ride in terms of the number of free services and platforms that are offered to individuals, but that platform is based on data. I believe you could quote Satya Nadella as saying data is the new currency of the internet and you could quote Tim Cook from Apple as saying you are the product. Both are true. But if we are the product, then we have to have some awareness of our privacy rights, even though we don’t have complete control over those rights.
TB: From that era early on we’ve now gotten to the point where it’s not even just about online privacy rights, because you have the group the great example in our backyard of Amazon expanding into the retail world. One of the first things that they announced right when they were closing the Whole Foods acquisition was that they will offer special benefits at Whole Foods to people who use their Amazon Prime account, and so there you have the linking of the digital and the physical worlds. What does that do to all of this?
Alben: It makes life complicated for privacy people. The Internet of Things is the next dimension. It’s the next challenge for privacy. In the old and pre-Internet of Things days, we were worried about what our behavior was online. We were sitting in front of a computer for the most part. Now we have to think about our behavior in physical space — not only when we are outside of our home, because we can be surveilled outside of our home because we are leaving a trail of breadcrumbs through GPS s and other location-based services. But now increasingly inside our home when we engage with devices that are collecting data and then profiling that behavior. I’ll give you a sort of absurd example. We recently bought that vacuum cleaner device, the Roomba. So it goes around your house. That’s great — it picks up a lot of dust. The Roomba also is mapping your home. And the more sophisticated versions of the Roomba are going to sell the data map of what’s in your house to other companies. Now you might not have known that when you purchased the latest version of that device.
TB: Unless you read the privacy policy.
Alben: Unless you actually happened to read a privacy policy. And as I said, very few people are going to do that. The point is that devices that seem pretty innocuous to us and fairly single-function to us, such as a vacuum cleaner or a flashlight — those devices are talking to other devices and they’re internet-connected, and if they are web-connected they can transmit personal information.
TB: So let me put on my millennial hat, which means I have to go back a couple of decades to pretend. So what? Who cares? These companies know all this stuff about me? I’m not doing anything wrong. Why should I care that they know everything I do or that they can map out my house and figure out that I placed that vegetable from Whole Foods on my counter because my vacuum cleaner knows. Who cares?
Alben: This is the almost existential philosophical debate we’re having now between the beauty of convenience versus the danger of losing privacy, and I will even say losing freedom. There has to be a happy medium. No one wants all convenience and give up all of their privacy. And even millennials, people in community colleges that I’ve heard from — they don’t believe that they want to give up all of their privacy. And in fact, when they are the victims of identity theft or the victims of stalking, they care a lot about privacy. So there has to be some sort of awareness that by giving out all of this data willy-nilly, you are making yourself much more vulnerable to things that you don’t want to happen, such as identity theft.
On the other hand, there’s amazing convenience. I love the Echo Dot product from Amazon. It lets me play “Jeopardy,” and even win every once in awhile. That kind of convenience didn’t happen before that product came into my home, which I invited knowingly into my home. And yet I want to be able to control the way my “Jeopardy” answers are used. I really do. And all of this data is super interesting to anybody who’s collecting it and analyzing it. So the phase of the Internet of Things is going to present this challenge of: how do we control and protect ourselves in physical space? And then there’s a very serious side to IoT, which are medical devices. Things that are implanted in our bodies, maybe for purposes of regulating diabetes or a pacemaker. And if these are internet-connected devices, then they can be hacked. And so we need to have extra levels of security around these devices.
And the fact is there’s no regulation right now. We are using devices — it’s like driving cars if we had never developed a speed limit for cars in the United States. Can you imagine hundreds of millions of people driving and no state having any speed limits? You would say, “That’s crazy. We need to have some regulation here because it’s a safety issue.” But that’s analogous to where we are now with the Internet of Things. We have hundreds of millions of Americans using these IoT devices that are collecting data about this, about us, and we have no regulation. So that is a very sticky problem because we want to enable the technology. We want to enable the convenience. We want to promote the benefits that these devices bring into our lives, and yet we want to have reasonable control over our privacy.
TB: We’ve been talking about the current state of privacy and the fact that a lot of people don’t know these giant profiles are being developed about them. It seems like it’s only going to get more and more because we’re talking about the move from the online world to the physical world, but then you’ve got the whole virtual reality and augmented reality. Our whole lives are essentially becoming digitized. I heard Ray Kurzweil speak a while back and he talks about nanobots on the neocortex where we’re essentially going to become hybrid computers inside ourselves. So what’s this going to look like in 10 years?
Alben: I don’t have a crystal ball but I can only remark on the amazing rate of change that we have seen since those of us who were involved in starting early web companies in the 1990s, to the growth of the internet through e-commerce that we’ve all experienced in the last 10 years, particularly in the Seattle area. And now we’re going to be into a new frontier of artificial intelligence and machine learning. The fear factor is that machines will be making decisions for us. I’m sure that there are some very practical reasons to have that done. And yet we don’t want machines to be making major decisions that affect our privacy and our safety.
A really interesting legal question has come up recently and that is: Can machines make contracts between themselves? You can negotiate a contract as a human being. You’d have another human being, presumably, and you’d come to terms. But can two robots make a contract? And would a court say that that contract is actually a binding contract? Because that is what is happening actually in the computing universe now that is running major platforms of commerce and industry in the supply chain. It would not be possible for human beings to be running that kind of sophisticated operation. For me, that does raise the specter that personal information that is out there is going to be traded by robots and a robot is only as good as the human presumably behind it. This is not science fiction anymore. This is an area where we have to say, we need to have some principles around what can be traded and what can’t be traded.
And the Europeans are way ahead of us. The Europeans now are adopting something called the General Data Protection Regulation. It’s going to go into effect in May of 2018. It is a much more privacy-respectful regime. It is a much more consent based-regime. And it’s going to govern the data of citizens of the European Union. So an American company that operates in Europe or uses that data is going to need to comply with the European law. I wonder how long we can have two different regimes, because the Atlantic Ocean is a fiction if you’re a web-based application. It’s just a node somewhere. The challenge is how are companies going to navigate both operating in Europe and operating in the United States. Are you going to keep two sets of books for everything? I’m really not sure that’s possible.
TB: So the European regime could just become the norm?
Alben: I believe we’re going to move to the European regime. I believe that it would be good policy for American lawmakers — and now I am speaking outside of my role as a state official — but I believe it would be good policy for American lawmakers to say, “Isn’t it a better world where we can get consumer consent around how their data is being used?” Not only because it’s more respectful of your privacy but also because if you build that kind of trust between a consumer and a corporation you’ll have a better relationship.
TB: So does this get back to what you were talking about earlier about the contracts of adhesion? Where right now we’re kind of implicitly agreeing to these things without our awareness, under this whole concept you would be fully aware of what was being done with your information what you were consenting to?
Alben: The idea is that you are going to have more consent over how your data is used. If I give you my data because I want to have you render a service to me such as deliver a package to me, that’s great. But if you use that information in a way that I didn’t know about, that’s not great and you, the corporation, has to come back to me and get my consent to use that information in any way. Now, this is a tricky area. It’s not easy to keep bombarding consumers with consent: “Do you consent?” And we’re going to have to feel our way through this space. We already see this a little bit when you go to a site from Europe and it says we collect cookies do you agree to our cookie policy. Frankly I just find that to be annoying. Sure, set a cookie. What am I going to do, not visit the site? But in the long run, we’re going to have to figure out ways to give people meaningful choices about how their data is used, and we are not there yet.
TB: So I know one of the things you’ve talked about is a privacy bill of rights. Is that one of the solutions here?
Alben: I think a privacy bill of rights is a piece of the puzzle, and let me give you a little bit of history here. The United States does not have a privacy law. The United States Constitution does not mention the word privacy, and it certainly didn’t anticipate the digital platforms and the kind of commerce we have today. The Constitution says the citizens should be protected against unreasonable searches and seizures by the government. So the Constitution in and of itself doesn’t give us a lot of guidance over the years. Lawmakers have written very narrow sets of rules over certain kinds of information. We have HIPPA that protects your health care information. We have a law called FERPA that protects student records. Congress has stepped in and created these privacy silos in the law, but we don’t have a general privacy law. And that leads to problems because new technologies are going to be introduced and Congress or a state legislature isn’t going to be able to play catch-up with those technologies, and problems will come up and we don’t have general privacy principle.
My idea — and it’s not an original idea, by any means — but one idea is to create a privacy bill of rights that people know will protect them across the board. This was explored under the Obama administration, but it did not find any traction with the Congress and it kind of sat on the shelf. I’m sort of getting into the mindset that the states need to be more proactive in this area. There’s nothing that says that states can’t regulate privacy or promote privacy. And actually, in the Washington state constitution, we have a privacy clause. In 1889, when they were drafting that constitution, the founders of our state actually thought about privacy. I think they were thinking about it with the new technology of the telegraph in mind, but that’s great. We do have privacy in our papers and that could be updated to mean many more things. It’s not inappropriate for states to be the engines of change in the law and especially when the federal government is not going to act and there are people in our legislature and our governor who want to do the right thing by people and create a better environment for protection of our privacy rights.
TB: Big picture: What would you leave people with on this? What should they know about privacy? What should they do? What’s your key message to folks here in conclusion?
Alben: My message would be we need to open our eyes about the way our data is being used in both the corporate world and in the government world. People got very upset when they found out that the National Security Agency was looking at the metadata of every e-mail and every phone call of every American, clearly exceeding the boundaries of the Patriot Act. People had the right to be upset and it took about 15 years for Congress actually to dial back the national surveillance mechanisms and we’re still not there all the way. We need to bring the same sort of approach to what’s happening to the data that we put out there ourselves and just be careful about exposing ourselves, especially now that we live in this world of biometric identifiers and the Internet of Things. A biometric identifier is unique to you. So if you put it out there and it gets into the wrong hands … very, very, very hard to control the outcome. So we live in a dangerous environment with respect to privacy. I am not someone who says, “Give up hope.:” I think that there are sound policy things that we can do to promote privacy. But it’s going to take a working relationship between citizens and the state and corporations.
