Would need to have in place to get there. We try to help policymakers get ahead of the curve. Host who funds itif . Guest we have whole set of funders from corporate donors, foundations and individuals support a think tank. We work on a lot of different issues so we get support from those that are interested, everything from ip issues to biotech. Host for our purposes on the communicators is it fair to say large Silicon Valley companies are part of your funding operation, google, apple, facebook of the world . Guest absolutely. These companies were early supporters because theyre interested in this idea of how do we proceed quickly with innovation. Host you also run, you are the director of itif center for data innovation, which is what . Guest we have Research Center focused on issues around data. For a long time policymakers realize they had a few different levers and government. They could tax things. They could spend money. They could regulate things. Part was to say you could say how do you think about you collect and use data with the government. He should have smart policy to drive different parts of goals you might have. If you want to see goals for cancer, cures for cancer, Strategic Policy around data. Host do you find that agencies are well staffed when it comes to Data Protection and data officers . Guest we are getting there. There. One of the first issues are center focused on was the open Government Data act which we been working on for five years. Finally just passed this year. Part of the open Government Data act requires all federal agencies to have in place a cheap date officer. They had a requirement for doing this by july and reporting out to omb with a selected august 2. When i last checked this, there were about four agencies that still had not done but most of them had and thats significant amount of progress. You have agencies paying attention to what data they are releasing but also to what data they collect and how they manage it through the entire lifecycle. Host so the purpose of the open the Government Data act is . Guest its to make government gave a payable for use by the public, by corporations, but individuals, for innovation and other purposes. It is also required agencies to be strategic and how they manage it. Host the other half of that is the data they collect. Guest thats right. Host what are they collecting about us, what do federal agencies know about it . Guest the open data company act applies to all Government Data whether it is the weather data, corporate data or individual data. If its individual data, personally identifiable, theyre likely not going to be releasing it but they are going to track it. Different agencies do different things. Some collect everything from Health Information on veterans to Educational Data about individuals who are applying for grants, to information about commercial transactions that still personally identifiable information in there. Host do you believe and maybe this is a remote question that doesnt matter, but should those agencies be allowed to share data between themselves, such as the tsa sharing with Social Security, et cetera . Or should it be stovepipe information . Guest theres certain data we do want to protect and keep confidential. So, for example, one of the reasons people generally are trusting fire i arrested with of the might not like it is a no the irs isnt going to take the data and turn over to the department of justice, just to start some fishing expedition. Some of those privacy safeguards are important. That said, we do see a lot of problems with stove piping in government. So, for example, theres about half a dozen or more statistical agencies in the United States that are trying to figure out how the economy is working, and to some basic questions about that. Those agencies are able to share data. The end of up with different answers. They are not able to combine the data for better analyses. They face significant challenges. Thats a problem because its wasting Government Resources and taxpayer dollars and its grading less optimal outcomes. One of the of the challenges in this space are Government Agencies are starting to think about how can we get data from the private sector. Sometimes the private sector has much better data and how can we use that data in helpful ways but still treat this data either confidentially or treat it confidentially but still share it across some agencies for very specific purposes . Host what you think the issues are the people would be concerned about of the government gating data thats currently held by a private entity . Guest a lot of people have rightful concerns about government intrusion into the personal lives. Weve had very strong privacy safeguards in the privacy act that protects what government can do in that space. That said, as we enter this new era of much more private sector data collection, theres a question of can we do more . Let me give you a concrete example. You have a company like adp that does a lot of Data Processing for payroll across america. Theyre going to know every time the Company Submits their payroll what the state of the economy is. Vacancy whats changed from the weeks before. Vacancy if there are fewer workers out there. They can see these types of changes in realtime. Thats information that can be useful for policymakers as they are trying to respond to a potential downturn in the economy or respond when to thinking that what should the Monetary Policy b. Its a very legitimate question to say, can we continue to have the long established protections of how we want to treat citizens while recognizing that the government doesnt always have the best data and maybe sometimes we need to go to the private sector for that . Host on a different note, and perhaps a darker note, should equifax a company like equifax allowed to share their data with the federal government . Some people would be very uncomfortable with that. Guest equifax is i think an example of a company that sat a lot of challenges and a lot of americans are probably upset with them. Probably a lot of americans didnt know that company a year or two ago and then they get this announcement that old hasnt been this massive data breach but they are us by company that never heard of. Thats a problem. Its a problem for a lot of reasons. One, a lot of what we rely on for companies to have good data practices is market behavior and market, you know, companies basically respond to the market. If im unhappy when theres a target data breach i can no longer shop at target. If im unhappy if theres an Equifax Breach, theres not a lot i can do about that. Thats a significant problem. There are Certain Companies that are collecting data about individuals where consumers dont have a significant amount of control because they dont have direct commercial relationship with them. Theres a legitimate question to ask about what kind of government oversight is appropriate and even when that baby should be available to the government or anyone else. Host what does the company like equifax currently know about us . Guest they are trying to collect data on peoples Credit History. They will collect personally identifiable information, where you live, Social Security number, credit card history, any loans you take an outcome any mortgages youve had, that kind of information. They will compile it in a large database and make it available to other companies that are looking to assess your credit. Host in other words, they are selling our information. Guest they are monetizing it, which is i guess the reason i would be hesitant to use the word selling, when most people think itself to talk about selling your car, at the end f the transaction if i sold my car i dont have a car anymore and you have that car. When these companies are monetizing the data as i said, they are not turning that data over to somebody else. They are just giving you an answer about this. They are saying this person has good credit or this person is a high risk for a low risk. They are not necessarily sharing that banking information with the other entity. Host is it a good system . Guest there are parts of it that work really well, right. The parts that work well is we get credit. Its very easy to go and open a new line of credit. Easy to go buy a car from a dealer because you can have this information thats available to you. We also have some pretty good protections in place with the fair credit reporting act, if theres one information. We can get correction made to it. I think the problem we have in this space, theres a few, one is that each state sets their own laws around some of these requirements about things like credit freezes. There are mechanisms in place to make this world safer. You can freeze your credit. You can unlock it. In some states thats expensive to do. Thats a problem. Basically you have to pay these companies to secure your information. I think that system is fundamentally wrong and should be changed and that something we need to change either statebystate or get a federal law that would fix it. Host we americans tend to be trusting people in the sense until were not, and then when a breach like the Equifax Breach happens or the recent capital one breach happened, we get a little antsy about our personal information being out there, dont we . Guest i think we do. Host is there a a solution . Is it a fine . Is it new legislation . I mean, where do we go . Guest what we have now is working and people are getting increasingly fed up with the announcements of heres another data breach. Sometimes there is no penalty at all, as we saw with the Equifax Breach. There was an announcement that you could get ten years of free Credit History monitoring or free credit monitoring or you could get 125. It turned out it asked that 125. 80 what else asks, theres only a small pot of money and you might end up with five dollars or something less. I dont think the system is working today. Theres ways to change it. One way we can change it is by looking at what people are going after. The reason theres all these data breaches is because attackers are going after certain types of information. The valuable information on things like Social Security numbers. That is only valuable because you can use it to commit fraud. The question we can ask is telling make that data less valuable . One thing we could do is we could make it so its illegal to use Social Security numbers front edification and verification purposes outside of Social Security. This is something the Social Security numbers were never intended to do. For a long time it says on the card this is not for identification purposes. They stopped printing that but that something that could be done. Thats something that could be a requirement that nobody could ever open an and get using a sl security number. You have to prove your identity through other means. Another thing we could do, and if we did that just to be clear, the recent breaking into all these, stephen this information would go away. You dont have a tax on date if the date is invaluable in more. Something else we could do is also fix what happened after the data breach. Right now you get this offer of free credit monitoring. Ive had probably five to six offers a free credit monitoring. I dont need more free credit monitoring. In fact, there are services now that offer free credit monitoring. Capital one in fact, offers a Free Credit Monitoring Service before the hack. When they say theyre giving you free credit pirating afterthefact, they are not doing anything different. And veterans he goes of any change of policy, veterans asf october will have free credit monitoring. No one needs, actually no one needs more free credit monitoring. What we need are other things. One recommendation i have is after a data breach instead of offering free credit monitoring, consumers are offered a whole menu of options they can pick something. For example, they might get a free year of a Password Management Service so they can have better password management. They might get a secure token so that when they want to log into an account they have better security, multifactor authentication. They might be able to get a secure electronic id, and we can create a whole new market for Security Services that right now doesnt exist because people rightly dont want to spend money in this space and is not a market into people are willing to do that. If we start making it whenever theres a data breach we take one big step forward in securing americans on my identities, that would meet with getting closer to something more secure each time instead of this situation were in now where we have a new data breach, people rolled her eyes, we wait six months for the next one. Host mr. Castro, we talked to kate mancini on this program at cbc. Just new book out called kingdom of lies. Its about hacking, and the way she writes, it doesnt sound like our sitting kind are little password in our personal computers is really a very good defense. Guest its true, absolutely, and one of the things that is i think shocking to a lot of people is that for their security, for logging into the bank account, thats often less secure and what theyre using for the email. I know a lot of people use to backpack identification for the email. They get a notice on the phone and have to prove itself before theyre locked in. When the log into the bank its just typing in password 123 and they are in. Thats a huge problem. Thats where i think we can start making progress by making it so that consumers have more of these options. Setting requirements in some of these regulated industries, for example, banks, if a Financial Institution need to be moving much faster towards better security. Host when you see and read about what happened capital one, were you surprised at the scenario . Guest well, the actual attack that happened, were still getting all the details, but it seemed like it was, to put it bluntly, a configuration error on their into. They made a mistake that was a mistake that couldve been caught and it was a mistake. Mistakes happen, right . Thats not an excuse but at the end of the day these types of things to happen. It shouldnt have. They shouldve that better oversight but it did. What was interesting to me but capital one is they were doing a lot of things right. For example, they had a bug program which one the best Things Companies can do which is been actively say well pay anyone to find a problem with our system. You find a system, let us know and theres money in it for you. We want to encourage people to bring that to us. That helped them into tracking down this particular problem and resolving it. They were doing other things that were right. They did not outdated systems. They had moved forward. They have done a lot of things right. They had a really big mistake and so thats why theres a lot of i think analysis that will have to go into that particular want to see what room. The are other companies that never invested in security and thats why they are not doing, they didnt get things right. Capital one probably did a reasonable amount of investment. They just make mistakes, and that something that consumers are also going to have to recognize. These size of data breaches will continue to happen. The question is what we do about the data so it is less valuable when it does. Host what your background . Guest Information Security. Ive always been arrested in these types of issues for a while. I recognize you need to have policymakers understand these issues very well, too, otherwise you dont always end up with good outcomes for consumers. Host are the threats and sophistication of the attacks and our Protection Systems growing exponentially . Guest i dont know if i to exponentially but they are definitely going. The sophistication of these attacks show that the attackers are using significant resources and they are very complex. A lot of these really involved significant amount of dedication to find the problem and to exploit it. But the problem is its really easy what once you find that wt into a system and to get all that data, to start making a lot of money off of it. On these kind of black markets we can sell peoples identity and self credit cards thats also part of the problem. We need to have really good cyber law, enforcement of these types of crimes to make it so if you commit these crimes you actually go to jail. You have a lot of foreign attackers were getting away with these things are easily, and thats a problem. Capital one happen to be someone who is here in the United States but thats not always how it plays out. Host that said, in a digital world, borders on monday, i do not . Guest they are and thats a huge problem and one of the reasons these are international issues, global issues. We need to move away from this idea that we can secure just the United States are just u. S. Consumers, just u. S. Businesses. If you want to address Information Security and these data issues, its a global problem and we need to be think about Global Solutions as well. Its not enough to think were going to have this relative security where the u. S. Will be safe and we will be able to take them our adversaries. We need to be think about raising all those scenarios. Host in a recent article on your website, Information Technology innovation foundation, who coauthored an article, the cost of an unnecessarily stringent federal data privacy law. Just one of the Key Takeaways i want you to expand on this if you want. Federal legislation mirroring key provisions of the European Unions general Data Protection regulation, or californias Consumer Protection act, could cost the u. S. Economy approximately 122 billion a year, or 483 per use adult. Guest yea. So right now were in the midst of this huge conversation about willie have new federal data privacy legislation . Is being brought about the fact by one, your pastor law and people are saying shibley copy them . California passed a law that might set the rules for the kenai state. The question is are we going to look to europe and copy them or are we going to california set the rules of the road or do Something Different . The challenge in this space is its very costly to do, it can be very costly to do data privacy. It doesnt mean we shouldnt do it. Made we should be strategic about how we do it. The point of the report we put out was to start teasing apart the different components of what we could do do in legislation d talk about where the value add is are different once and have we can construct something that provide significant protections to consumers, but keeps the price down. The problem with europe is they move forward with Data Protection regulation and first of all the dont have the same Silicon Valley that the United States has. They were not interested in keeping costs down on companies and keeping cost and on consumers. A just wanted maybe the best privacy money could buy where money was no cost. I think in u. S. We need to be thinking about how can we get diversey regulation at a good value . Not any cost. When you think about these terms and any cost, you end up lowering consumer welfare. What we want to see is consumers comes out had because they have Better Privacy but they still have access to Innovative Products and services and they are not cut off from all of the things they like using today. Host what did you mean you said Lower Consumer welfare . Guest if you look at some of these proposals, they would fundamentally change the way the internet ecosystem works today, which is that we see a lot of ads in exchange for free services. If you change that, then one of those is youll see even more ads because these ads will be worth less because they wont be targeted. Or you have to start paying for more services. You might paying a nominal fee for your email service. You might start paying for more video free services. You might pay more for apps to download. If you start asking consumers in surveys questions about privacy, if you ask them in general, would you like for privacy . We all say yes. Across the board Everyone Wants for privacy as we should given this in private. But then you ask how much are you willing to pay for privacy . You see the answers very a lot pick some people have a lot of money, really care about privacy. They spent 100 a month and some do. Some buy services today. But the vast majority of Consumers Want to see some kind of tradeoff in this space. They want more privacy, but they dont want to pay that much for it. Maybe theyre willing to pay a little bit more. Maybe they are willing to see a couple more ads but they dont want to see a significant shift in whats been done today. They want to see a shift on issues like data breach but when you talk about the types of ads on line, those people are pretty okay with that. Host algorithms come into play at this point, dont they . Guest 50. A lot of discussions about algorithms and the transparency of algorithms and what kind of oversight exists in this space. This is where i think, this is an emerging area. Some of it is old. Weve had debate about algorithms about 20 years ago when there were questions about the old systems use for flights, questions about how do you decide which comes up first . The one that comes up first is one of the travel agents are going to book. There were a lot of discussion about those issues. She we got into some of those debates and now its again in different contexts. Host how is it coming up . Guest one relates to things like facial recognition, and questions about how i could these algorithms are, how much insight we have into different types of algorithms, especially that use artificial intelligence. How do we know if they are working correctly . How can we explain the decisions that are made by them . How much transparency that is to consumers, and what do we do when algorithms are very accurate we dont know why . And how do we manage that kind of tradeoff . That something that ends up being context specific. In some cases accuracy is paramount. If im going to the doctor and im having an algorithm help diagnose me, oftentimes doctors dont know why they are making decisions, and algorithms often dont either. I personally would rather have an algorithm that is 99 accurate and cant message of explain why, and one that is 80 accurate and can give me the reason. In other contexts, and explanation is necessary. So, for example, when were talking about living in certain context, we want to make sure factors like race or religion have not been used to discriminate against people. We need more insight and transmit. Host theres been a lot of controversy about race in facial recognition. What is your view . Guest whats interesting about that conversation is its been conflating two different technologies for the most part. Theres facial recognition and facial analysis. Facial recognition is a system that can take a picture of your face and compare to your id as a these are the same person. Or take a picture of someones face, scanned through a and find a match or say theres no match. Facial analysis is taking a picture and say this person has a beard, this person smiling on a smiling, this person is male or female. Those types of distinction characteristics. A lot of the research has been on race has actually been on facial analysis, not facial recognition. There has been a few reports that it looked at race on facial recognition. What weve seen is there are differences between demographics, so if youre lightskinned versus dark skinned, theres a difference in accuracy and if youre male versus cmo that can be differences in accuracy, but it depends on the implementation. Some algorithms are worse for black females. Some are worse for black males are white males. Use the performance vary based on these contextual factors factors. People are worried though be used by police in with it will be over police in her minority committee. Very legitimate concerns about debates about the appropriate role of policing. The problem in this space is within a couple of cities move quickly to ban the technology before they even tried to pilot it topic of at how they can sef guardrails to use it effectively. There are many different uses of the technology. People in a think about facial recognition and policing think of this kind of china like realtime pervasive surveillance of security cameras watching you your every move when in reality a lot of uses are Something Like some has come in and theres something kind to identify this person that doesnt have an id on them or they have suspect or witness and theyre trying to match ending. This is something people, Police Officers are doing manually and are doing it very effectively and slowly. This is a way to use technology to speed that up. I dont think most people would have an objection to those instances. Those should be on the table. Then these other more i think sears uses what people have concerns about the privacy implications of pervasive surveillance, thats what we need to have the debate that wn have those debates if you just, if we of cities banning the Technology Without us even sing whats possible. Host vital question. On your twitter feed you identify yourself as procopyright and anti which is sex trafficking act, section 230, right . Guest thats right. So theres a new law that came out recently that create a carveout for section section 2e committee kitchens decency act which basically provides Liability Protection to thirdparty and intermediaries. Some uploads content onto their craigslist, craigslist is a responsible for what is up to the user uploaded it is responsible for this law created a carveout the set if its related to sex trafficking, kind of broadly defined, those platforms can be responsible. As a result of this law you saw across the board basically every internet platform ban anyone who might have any type of relationship to sex work, not sex trafficking necessarily, because it was so broadly defined. The critique among sex workers has been that this significantly hurt them, that instead of being able to that customers, arrange online transactions, now that aa walking streets and subject to attacks and worse. In the past we saw the benefit of Online Platforms and online communities enabling people, empowering individuals and new communities. This particular law i think really took a step back. Its because a lot of groups have been trying to i think make online intermediaries more responsible for the content that users post, and arson cases where thats very appropriate. I think in this case they got it wrong. Host Daniel Castro is Vice President of the Information Technology and innovation foundation. We appreciate you spending a few minutes with us here on the communicators. This communicators and all others are available as podcasts. For 40 years cspan is been providing america unfiltered coverage of congress, the white house, the Supreme Court and Public Policy events from washington, d. C. And around the country so you can make up your own mind. Creative aikido in 1979, cspan is brought to you by your local cable or satellite provider. Cspan, your unfiltered view of government. Next, former congressman beto orourke talk about the recent mass shooting in some town of el paso, texas. He also announced he will continue his run for the democratic president ial nomination in 2020 after temporarily suspending his campaign in the days following the el paso shooting. This is just over 35 minutes. [inaudible conversations] [inaudible conversations]
comparemela.com © 2020. All Rights Reserved.