
Come on a trip into the new privacy circle of hell

Fully Charged
Bloomberg

Hello digital citizens. Alistair here, writing to you from San Francisco about California's new privacy law that kicked in a few days ago. It gives me the right to ask companies to send me my data, tell them to delete it, and prevent them from selling it. I gave it a try, and so far it has been a fiasco. 

In the process of trying to retrieve my data from data broker Acxiom Corp., I handed over more sensitive personal details than I've ever knowingly given to almost any other business.

My privacy travails started at this handy page that lists the websites companies have set up to comply with the California Consumer Privacy Act. I clicked on the Acxiom link, which took me to a form to fill out that included fields for my full name, email, home address, birth month and year. I filled them out and hit "Submit."

Easy, right? Not exactly. I got an automated email from WireWheel, a "privacy software platform" that Acxiom uses to comply with CCPA. A combo Acxiom-WireWheel website asked me to confirm my identity by uploading photos of the front and back of my driver's license and a selfie of my face. Then I had to sign and submit an online affidavit "under penalty of perjury." 

At this point, I checked out WireWheel's privacy policy and realized with Kafkaesque dread that I may now have to submit a CCPA request to this company, too. WireWheel's policy suggests that it has collected almost all the information I just shared with Acxiom, including email, name, address and my signature. It also logged my interaction with the WireWheel platform, including keystrokes, time periods between steps and "similar kinds of information." 
 
Additionally, WireWheel informed me that the driver's license photos and selfies that it collects are passed to other companies, including one called IDology Inc., which processes them. WireWheel says it encrypts these images "as long as they are kept within the platform" and usually keeps them for a few weeks at most. The company also uses cloud providers like Amazon Web Services, Azure and Google Cloud, plus database services such as MongoDB Atlas, as well as cybersecurity providers, logging services, and other similar types of vendors, which also could get access to my information.

"We have contracts in place with these WireWheel suppliers providing that none of these providers can use your data for unrelated purposes, and none of them can sell your data," WireWheel wrote. 

Let's pause for a second to recap the situation. I asked Acxiom to show me the data it had on me and to delete it. Roughly two hours into the process, at least three companies (and possibly 10 or more companies) have access to a photo of me, pictures of my driver's license, my signature, name, email and home address.

Could I just get WireWheel to delete my information? I tried (at least a form exists), but I got a response that said: "There was a problem verifying your request. Try again."

Dan Stoller, a data-privacy reporting whiz over at Bloomberg Law, had a simple explanation for this. Companies like WireWheel are exempt from CCPA opt-out requests because they are service providers under the law (through a trade group, Facebook Inc. and other ad tech companies are also vying to receive this distinction). California citizens have no right to ask a business to stop sharing data with their service providers. But businesses are obligated to tell these service providers to turn over relevant data or delete data if people ask. Some CCPA exemptions apply to this though. Exemptions are a fact of modern digital life. Get used to it. 

Now concerned about IDology, too, I visited their privacy policy page, where I read that the company collects personal data including: names, emails, login names, device information, and more sensitive stuff such as ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric information and physical or mental health information. I was going slightly insane at this point, so I tried to calm myself lest IDology also log that I was going mental.  

Before I clicked on the IDology data-deletion request link, I thought for one panicked moment that it would take me to another WireWheel page, and the circle down into digital data hell would begin again. But it was just a simple form. All I had to do was to share my name, email, home address and a signature, and digital privacy was that much closer.

Alistair Barr

If you read one thing

Why should any of us care that our personal information is collected and shared by companies so widely online? One answer: Employees of these businesses can't always be trusted. Amazon.com Inc.'s Ring video doorbell unit has fired at least four workers for improperly seeking access to customer data. This is just one company out of hundreds, and four employees out of millions.
 

And here's what you need to know in global technology news

Zume, a company that promised to replace human pizza chefs with robot pizza chefs, is cutting half its employees. It's also improbably shifting away from making pizza to making packaging. The moves are the latest in a litany of layoffs and restructurings at SoftBank-backed startups. 

It's not all bad news for SoftBank. Sources say South Korean unicorn Coupang is preparing for an IPO as soon as 2021. 

Apple's app sales hit a record of $1.4 billion in the final days of 2019. On Wednesday, the company's stock price also reached a new high.  

 
