Read on Twitter
Pleased to share my testimony to @SenateCommerce on the use of #BigData for #COVID19. Read: https://bit.ly/2y4zPml . I focus on explaining the commercial ecosystem for #locationdata. Policymakers must understand what's out there to have proper skepticism about its usefulness. 1/x
There is more than just carriers/CSLI and GPS - wide variety in both signaling mechanisms (Bluetooth, MAC, Wi-Fi) and entities with access (apps, SDK partners, mobile OS's). High variability in both accuracy AND precision - and I explain the difference. 2/x
(Apps/SDK partners are an interesting case - the reality is that they have the potential to be *extremely* accurate and precise - sometimes within centimeters, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6832486/ - but in practice they often aren't, low quality bidstream data, etc.). 3/
Aggregate insights based on #locationdata can be very powerful with the right safeguards. We observe this in Google's release of trends by county, applying differential privacy: https://www.google.com/covid19-map/ . Likely high accuracy and precision & reveals nothing about individuals. 4/
Looking at all of this data, @futureofprivacy experts RECOMMEND: (1) Follow the needs of public health experts. It's critical that companies not offer up whatever data they have - let experts say what is needed. This includes (2) working with established academic partners. 5/
(3) Govts must be transparent abt personal data collected, how it will be processed, & for what clear, specific, defined purposes. Avoid "security theater" & disconnects in interpretations of legal authority we saw after 9/11. ( @peterswire's must-read: https://www.lawfareblog.com/security-privacy-and-coronavirus-lessons-911) 6/
(4) Apply (or mandate) privacy enhancing technologies (PETs) in advance of the core legal principles of data minimization and Privacy by Design - from the US #FIPPs and #GDPR. A recent review of PETs: https://royalsociety.org/-/media/policy/projects/privacy-enhancing-technologies/privacy-enhancing-technologies-report.pdf 7/
(5) Apply existing privacy risk assessment tools. Risk assessments are well-established in US law (FTC consent decrees, NIST, fedl agencies) - use them! See an example in @futureofprivacy's recent Open Data Risk Assessment for Seattle https://fpf.org/wp-content/uploads/2018/01/FPF-Open-Data-Risk-Assessment-for-City-of-Seattle.pdf. 8/
Finally... (6) Purpose limitation should be a guiding light: companies and governments must have an exit strategy established up front to avoid "emergency" measures becoming the long-term norm. 9/
Like other witnesses, I also noted in this testimony the importance of comprehensive privacy legislation. This whole discussion is about highly sensitive health and location data, most of which is not subject to any federal privacy laws... and more importantly: 10/
An ideal federal privacy law protects privacy *and* establishes the ground rules for sharing data ethically & responsibly in a crisis. The EU has been able to respond so rapidly because they have a legal framework - in contrast US companies are left with uncertainty. 11/
Wrapping this up - very grateful to @SenateCommerce for convening this paper hearing, hoping it continues the momentum of the Chair and Ranking Member's work towards consensus on privacy legislation, and looking forward to questions. 12/12
