Surfing

Copyright© Miklos Szegedi – 2020

The new California Consumer Privacy Act took effect on January 1st 2020. I recently read the fact sheet, which can be accessed here (link), and I share my opinion on it.

I write this post as a consumer, actually. To be honest, I work as a software engineer at a database company, so I have some knowledge of the topic. What matters more, on the other hand, is what consumers would expect under the new umbrella.

I do not have any illusions. Everybody stores my data: companies in California, the United States and around the world, and criminals and secret services that I will never hear back from. CCPA helps block the source of the leakage for me in a legal and professional way. It also makes companies think about how to solve the problem easily. Thumbs up!

What damage could I suffer? Data actually helps in many cases: cures and new medicines are discovered. I can get relevant direct marketing instead of useless and annoying mass advertising.

There are three ways I could be harmed. First of all, I can be controlled or manipulated: where to work, what to buy, whom to vote for or whom to befriend. This is the most dangerous one. CCPA helps me keep from showing up at all, by allowing me to delete the information and cut the leakage at the source. It is not perfect. Data may be leaked from a legitimate business through hacks or official disclosures. However, it is better than nothing. If I am manipulated, I feel it. Nobody likes stress, and if you are made to do inconvenient things, you will feel stress. You can easily decline anything you do not want, the justice system helps eventually, and CCPA is the basic framework. I also have a funny rule for when I feel I am being manipulated by machine learning: if I feel an urge to click on a link or buy something, I roll the dice. When you do so, you decrease the profit the AI can gain by controlling your behavior. Eventually it will recognize this as a concrete wall and give up.

The second way is psychological. It is called the anxiety of the uncertain. Those Silicon Valley folks are smart and very creative. You release the information, but who knows what it will be used for in the future. This is where you can simply request it and opt out under CCPA.

The third way is the most interesting one. Companies collect data about you. However, they do not follow you throughout your life; they make a profile. How positive it is, is no longer their business. This is very important when you search for a job on LinkedIn or receive direct advertising. The profile is the data about you plus the reliability of their algorithms. It is not you. However, it may affect life-changing decisions, and it will fail if it is distorted. This is the biggest advantage of CCPA: you are able to see what they have and ask for correction or deletion. Even more importantly, you can request your assessment after a job interview and get valuable feedback.

These are the three benefits I expect from the new legislation. It is not free, is it? As an engineer, I believe it is. Obviously, existing systems do not fully support these new features of deletion, disclosure and control. New systems will have them at their core.

I thought briefly about how I would expect a company to store the information it has in a customer-friendly way. Storage is cheap; data processing is not. I would expect my personal data to be stored separately. If I am strict, this should be a separate physical location within California, or at least within the United States. Eventually, a separate vendor may be responsible for this level zero storage. If my private data is separated, I can easily ask for it to be disclosed without much cost. Data processing is just a cache, a temporary place for the data while it is in use. It is deleted periodically, let's say every week or when the queries are finished. If I need disclosure, they just give me a copy of this final backup, the level zero. Adding any logs or profiling information may be more expensive: they need to run some queries to connect my personal ids to the logs or other action information about me. However, this becomes useless anyway if my ids are deleted.

Is it cost effective? It is important, because I will pay the price eventually. It is. Service providers will store my information separately. Personal information is not large by design, especially if the indexes connecting it to other data are rotated frequently. This storage is the real security risk, and separation helps them protect it better. It can easily be disclosed as raw data, even without any UI, to save their costs. It can also be deleted easily upon request, and any caches will clean up in the short term.

Service providers may even outsource the storage of sensitive information, giving opportunities to new businesses that can do the job at scale. In fact, if a vendor serves my information to multiple businesses that do only short-term caching, I can quickly request that their access be disabled. All they need to do is not store any personal information but repeat the request to storage level zero every time. Theoretically this is easy within the same cloud vendor. One positive side effect of the legislation is that it has a minimum threshold, so that it does not harm startups. The other positive side effect is that it does not prescribe documentation requirements as strong as GDPR's.
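To make the layout sketched in the last three paragraphs concrete, here is an added example in Python. It is not the author's code and not any vendor's product; the class names, the vendor names, the customer record and the TTL values are all constructed for illustration. It models one separated "level zero" store holding the real personal record, rotating pseudonymous ids that logs and caches reference instead of the identity, a processing-side cache that expires and re-fetches from level zero, per-vendor access that can be revoked, and disclosure and deletion requests served straight from the store.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LevelZeroStore:
    """Separated storage of personal data. Only this component ever holds the
    real identity; every other system references a revocable pseudonym."""
    records: dict = field(default_factory=dict)     # customer_id -> personal fields
    pseudonyms: dict = field(default_factory=dict)  # pseudonym -> customer_id
    clients: set = field(default_factory=set)       # vendors allowed to resolve

    def put(self, customer_id, personal):
        self.records[customer_id] = dict(personal)

    def issue_pseudonym(self, customer_id):
        """Hand out a fresh random index for logs and caches to use."""
        if customer_id not in self.records:
            raise KeyError(customer_id)
        pseudonym = secrets.token_hex(8)
        self.pseudonyms[pseudonym] = customer_id
        return pseudonym

    def rotate(self):
        """Periodic index rotation: every outstanding pseudonym stops resolving."""
        self.pseudonyms.clear()

    def resolve(self, client, pseudonym):
        """Vendors look the record up on every use instead of storing it."""
        if client not in self.clients:
            return None
        customer_id = self.pseudonyms.get(pseudonym)
        if customer_id not in self.records:
            return None
        return dict(self.records[customer_id])

    def disclose(self, customer_id):
        """Disclosure request: a raw copy of the stored record, no UI needed."""
        return dict(self.records.get(customer_id, {}))

    def delete(self, customer_id):
        """Deletion request: drop the record and every pseudonym pointing at it."""
        self.records.pop(customer_id, None)
        self.pseudonyms = {p: c for p, c in self.pseudonyms.items() if c != customer_id}

    def revoke(self, client):
        """Disable one vendor's access; its next lookup fails."""
        self.clients.discard(client)


class ProcessingCache:
    """Short-lived working copy on the processing side. Entries expire and are
    re-fetched from level zero, so a deletion there propagates within one TTL."""

    def __init__(self, store, client, ttl):
        self.store, self.client, self.ttl = store, client, ttl
        self.entries = {}  # pseudonym -> (expires_at, record)
        self.log = []      # (timestamp, pseudonym, action): no identity inside

    def get(self, pseudonym, now):
        self.log.append((now, pseudonym, "query"))  # action log holds only the pseudonym
        hit = self.entries.get(pseudonym)
        if hit is not None and hit[0] > now:
            return hit[1]                           # cached copy, possibly stale until TTL
        record = self.store.resolve(self.client, pseudonym)
        if record is None:
            self.entries.pop(pseudonym, None)
            return None
        self.entries[pseudonym] = (now + self.ttl, record)
        return record

    def purge_expired(self, now):
        self.entries = {p: e for p, e in self.entries.items() if e[0] > now}

    def identify_log_lines(self):
        """Join log lines back to identities. After rotation or deletion the
        pseudonyms no longer resolve, so the log is useless for profiling."""
        joined = []
        for timestamp, pseudonym, action in self.log:
            record = self.store.resolve(self.client, pseudonym)
            if record is not None:
                joined.append((timestamp, record, action))
        return joined


def demo():
    """Walk one constructed customer through lookup, revocation, rotation,
    disclosure and deletion; returns the observations as a dict."""
    store = LevelZeroStore()
    store.clients.update({"ads-vendor", "analytics-vendor"})
    store.put("c-1", {"name": "Alice Example", "email": "alice@example.com"})  # constructed sample
    cache = ProcessingCache(store, "ads-vendor", ttl=7)

    p1 = store.issue_pseudonym("c-1")
    first = cache.get(p1, now=0)                  # fetched from level zero and cached
    store.revoke("analytics-vendor")              # customer asks to cut one vendor off
    revoked = store.resolve("analytics-vendor", p1)
    store.rotate()                                # weekly index rotation
    old_index = store.resolve("ads-vendor", p1)   # None: old pseudonym is dead
    p2 = store.issue_pseudonym("c-1")
    second = cache.get(p2, now=1)
    disclosed = store.disclose("c-1")             # raw copy for a disclosure request
    store.delete("c-1")                           # deletion request
    stale = cache.get(p2, now=3)                  # inside TTL: cached copy still served
    cache.purge_expired(now=10)
    after_ttl = cache.get(p2, now=10)             # None once the cache has expired
    identifiable = cache.identify_log_lines()     # logs no longer join to anyone
    return {"first": first, "revoked": revoked, "old_index": old_index,
            "second": second, "disclosed": disclosed, "stale": stale,
            "after_ttl": after_ttl, "identifiable_log_lines": len(identifiable),
            "log_lines": len(cache.log)}
```

The `stale` result is the caveat a practitioner would check: a deletion at level zero is not visible on the processing side until that side's cache expires, so the cache TTL is the upper bound on how long a deleted record can still be served, and it should be chosen (and documented) with that in mind.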

Providing the raw data image is already very strict. You get everything with little chance of failure, and it already enforces a convenient storage format. This is similar to what OpenID providers do, taking care of passwords and authentication.