I am a software engineer who is very concerned about online privacy, and I wanted to join the discussion with another policy that differs a bit from the rest because of my background.
This policy tries to strike a balance between the openness and freedom of the internet and protecting personal information from abuse, while still providing a way for services like
- Wikipedia
- OpenSecrets
- Stripe
- Amazon
to still exist, while preventing things like
- Data brokers
  - Personal anecdote: Despite keeping personal details online to a minimum for the past decade, I recently found out that half a dozen data brokers knew of my entire family (including relationships), among many other private details, and all of this information was public for anyone to search and view.
- Invasive analytics
- Fingerprinting / identification
TL;DR
To summarize the below, this policy idea essentially aims to protect data online by preventing services from using our data for anything but the functionality of the services we’re using, and makes it unlawful for services to share data with other services or companies without receiving user consent.
Definitions
- “obscure” is defined as “Anything not well-known of an individual”
  - (The law would likely need to go a step further to describe what “well-known” means, but you get the idea)
- “private information” is defined as “Any ‘obscure’ information or public records about an individual, not including public records of government officials”
- “personal details” is defined as “Any ‘private information’, any information generated or saved by the individual, or information generated based on the individual’s activity.”
- “third-party” is defined as “an individual, party, organization, technology, or ‘separate service’”
- “separate service” is defined as “technology that is not fundamental to the primary functions of the service”
  - (This is more specific so that services like Google Maps don’t have to ask for your consent to triangulate your location with GPS satellites or store your information in an external database, for example)
Section 1: Purpose and Scope
This Act aims to protect the “personal details” of U.S. citizens using online services.
Section 2: Permissible Use of âPersonal Detailsâ
Online or electronic services are authorized to use, store, or keep a history of “personal details”
- A) ONLY for the functionality of the service that the user associated with the “personal details” has personally and directly utilized.
- B) ONLY for the “third-parties” that have access to the “personal details” to provide functionality for the service that the user personally and directly utilized.
(This allows services to store your data directly or send it to other services like Stripe only if that provides more functionality to the service that you are using, such as payment processing and financial reports)
Section 3: Consent for Sharing âPersonal Detailsâ with âThird-Partiesâ
Sharing “personal details” with a “third-party” shall be unlawful UNLESS the user has explicitly consented to sharing their “personal details” with this “third-party”.
Section 4: Conditions for Obtaining Consent
Consent can only be given through a form where the request to consent for each service is individually, clearly, and prominently displayed and can be agreed to individually.
The request to consent must
- describe the reason(s) that the data would be shared with the “third-party”, both technically and in layman’s terms
- describe what kinds of “personal details” would be shared with the “third-party”
(these “kinds” should probably be enumerated in law so that services have to be specific)
Section 5: Right to Continue Using the Service without Consent
The user must be allowed to continue to use the service if they have not consented to sharing “personal details” with a specific “third-party” when it is not necessary for the primary functions of the service.
Section 6: Right to Remove Consent
The user must be able to view what “third-parties” they have consented to share data with and remove that consent.
Section 7: Right to be Forgotten
The user must be able to request that their “personal details” be deleted entirely. When the request has been made, the “personal details” for that user must be deleted without unnecessary delay, not exceeding 1 month.
If it is not possible to delete all of the “personal details” without damaging the service or the business, as many of the “personal details” as possible must be deleted and the rest must be anonymized.
Effects
- Section 2 of this Act shall not take effect until 5 years after it is enacted
- Sections 3-7 of this Act shall not take effect until 7 years after it is enacted
(This gives us software engineers time to make these heavy changes)
In Summary
This, in effect, would quarantine every service you use even when owned by the same organization and prevent your data from being shared between them without your explicit authorization, and would force online services and data centers to delete information they have about you if you are not using their service and haven’t consented to give them your information.
- Severely limits and quarantines the power of analytics software
- No more data brokers
- No more tracking across the web
- No more mining
- No more NSA data centers storing information about U.S. citizens
Thoughts?