
What’s the Price of Getting Your Data? More Data

The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.

“This is a nightmare future where I can’t request my data from a creepy shadow credit bureau without putting on a smile for them, and it’s completely insane,” Jack Phelps, a software engineer in New York City, said in an email.

“It just seems wrong that we have to give up even more personal information,” wrote another reader, Barbara Clancy, a retired professor of neuroscience in Arkansas.

That’s the unpleasant reality: To get your personal data, you may have to give up more personal data. It seems awful at first. Alistair Barr of Bloomberg called it “the new privacy circle of hell.”

But there’s a good reason for this. Companies don’t want to give your data away to the wrong person, which has happened in the past. In 2018, Amazon sent 1,700 audio files of a customer talking to his Alexa to a stranger.

The right to have access to personal data is enshrined in the new California Consumer Privacy Act. The law is modeled in part on privacy regulations in Europe, known as the General Data Protection Regulation, or G.D.P.R. Soon after Europe’s law went into effect, in May 2018, a hacker gained access to the Spotify account of Jean Yang, a tech executive, and successfully filed a data request to download her home address, credit card information and a history of the music she had listened to.

Since then, two groups of researchers have demonstrated that it’s possible to fool the systems created to comply with G.D.P.R. to get someone else’s personal information.

One of the researchers, James Pavur, 24, a doctoral student at Oxford University, filed data requests on behalf of his research partner and wife, Casey Knerr, at 150 companies using information that was easily found for her online, such as her mailing address, email address and phone number. To make the requests, he created an email address that was a variation on Ms. Knerr’s name. A quarter of the companies sent him her file.

“I got her Social Security number, high school grades, a good chunk of information about her credit card,” Mr. Pavur said. “A threat intelligence company sent me all her user names and passwords that had been leaked.”

Mariano Di Martino and Pieter Robyns, computer science researchers at Hasselt University in Belgium, had the same success rate when they approached 55 financial, entertainment and news companies. They requested each other’s data, using more advanced techniques than those of Mr. Pavur, such as photoshopping each other’s government ID. In one case, Mr. Di Martino received the data file of a complete stranger whose name was similar to that of Mr. Robyns.

Both sets of researchers thought the new law giving the right to data was worthwhile. But they said companies needed to improve their security practices to avoid compromising customers’ privacy further.

“Companies are rushing to solutions that lead to insecure practices,” Mr. Robyns said.

Companies employ different techniques for verifying identity. Many simply ask for a photo of a driver’s license. Retail Equation, a company that decides whether a consumer can make returns at retailers like Best Buy and Victoria’s Secret, asks only for a name and driver’s license number.

The wide array of companies now required to hand over data, from Baskin Robbins to The New York Times, have varying levels of security expertise and experience in providing data to consumers.

Companies such as Apple, Amazon and Twitter can ask users to verify their identity by logging into their platforms. All three give a heads-up via email after data is requested, which can help warn people if a hacker got access to their account. An Apple spokesman said that after a request is made, the company uses additional methods to verify the person’s identity, though the company said it couldn’t disclose those methods for security reasons.

If consumers can’t verify their identity by logging into an existing account, Mr. Di Martino and Mr. Robyns recommend that companies email them, call them or ask them for information that only they should know, such as the invoice number on a recent bill.

“Regulators need to think more about the unintended consequences of empowering individuals to access and delete their data,” said Steve Kirkham, who worked on Airbnb’s trust and safety team for five years, before founding Berbix in 2018. “We want to prevent fraudulent requests and let the good ones go through.”

It is on regulators’ minds. The California law requires businesses to “verify the identity of the consumer making the request to a reasonable degree of certainty” and to have a more stringent verification process for “sensitive or valuable personal information.”

Mr. Kirkham said Berbix requested the first selfie to test whether a person’s face matched their ID; the second selfie, with a smile or some other facial expression, ensures that someone isn’t simply holding a photo up to the camera. Mr. Kirkham said Berbix ultimately deleted the data collected within seven days to a year, depending on the retention period requested by the company that hires the firm. (Sift deletes its data after two weeks.)

“It’s a new threat vector companies should consider,” said Blake Brannon, vice president of product at OneTrust, another company that helps businesses comply with the new data privacy laws. OneTrust offers the 4,500 organizations using its service the option to create several levels of identity verification, such as sending a token to someone’s phone or verifying ownership of an email address.

“If I’m requesting something simple or lightweight, the verification is minimal, versus a deletion request,” Mr. Brannon said. “That will require more levels of verification.”

Mr. Kirkham of Berbix said the verification process discouraged some people from making the data request at all.

“A lot of people don’t want to give more information,” Mr. Kirkham said. “Their assumption is that you will do something nefarious with it.”

He added: “But that’s the irony here. We require additional information from people to protect them. We want to make sure you are who you say you are.”
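The tiered verification described above (minimal checks for a lightweight access request, more for deletion or sensitive data, and contact only through details the company already holds) can be sketched as follows. This is an added example, not code from the article or from any company named in it; every name, the HMAC token format and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the verifier
TOKEN_TTL = 15 * 60                   # assumption: challenges expire after 15 minutes


@dataclass(frozen=True)
class Customer:
    email: str  # contact details already on file for the account
    phone: str


@dataclass(frozen=True)
class DataRequest:
    request_id: str
    kind: str         # "access" or "delete"
    sensitive: bool   # request covers sensitive or valuable personal data
    reply_email: str  # supplied by the requester; never used for challenges or delivery


def required_channels(req):
    """Deletion and sensitive data need two on-file channels, plain access needs one."""
    if req.kind == "delete" or req.sensitive:
        return ("email", "phone")
    return ("email",)


def _mac(req, channel, expiry):
    # Bind the token to one request, one channel and one expiry time.
    msg = f"{req.request_id}|{channel}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenges(req, customer, now):
    """Return {channel: (destination, token)}; destinations come only from the record on file."""
    on_file = {"email": customer.email, "phone": customer.phone}
    expiry = int(now) + TOKEN_TTL
    return {ch: (on_file[ch], f"{expiry}.{_mac(req, ch, expiry)}")
            for ch in required_channels(req)}


def token_ok(req, channel, token, now):
    try:
        expiry_text, mac = token.split(".", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False  # missing or malformed token
    expected = _mac(req, channel, expiry)
    return now <= expiry and hmac.compare_digest(mac.encode(), expected.encode())


def decide(req, customer, presented, now):
    """presented maps channel -> token typed back by the requester."""
    for ch in required_channels(req):
        if not token_ok(req, ch, presented.get(ch, ""), now):
            return ("deny", None)
    # The file is released only to the address on file, whatever reply_email says.
    return ("release", customer.email)


if __name__ == "__main__":
    # Constructed sample: a request arriving from a look-alike address.
    customer = Customer("jordan@example.com", "+1-555-0100")
    req = DataRequest("req-1", "access", False, "jordan.requests@example.net")
    sent = issue_challenges(req, customer, now=1000)
    print("challenge goes to:", sent["email"][0])
    print("no token presented:", decide(req, customer, {}, now=1001))
    print("token from on-file inbox:", decide(req, customer, {"email": sent["email"][1]}, now=1001))
```

A requester who controls only the look-alike address never receives a challenge, so knowing a name, mailing address and phone number is not enough to obtain the file.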


California Wanted to Protect Uber Drivers. Now It May Hurt Freelancers.

SAN FRANCISCO — Gloria Rivera likes the freedom of freelance.

She moved to San Diego from Peru in 2005 and has a bustling career as an interpreter and translator for doctors, courts and conferences.

Now, as a new California law governing freelancers is set to take effect on Wednesday, her clients are wary. They are asking for more paperwork. Some services are hitting pause on hiring Californians at all.

“Everyone’s scared in California,” Ms. Rivera, 42, said. “Who’s going to hire me as an employee for three assignments a month?”

The new law, Assembly Bill 5, will radically reshape freelance work in California. Prompted in part by frustration with the treatment of workers by companies like the ride-hailing behemoths Uber and Lyft, the bill was created to extend workplace legal protections to roughly one million people in the state.

On Monday, Uber and Postmates filed a lawsuit in federal court in California seeking to block the law from being enforced against them. But the suit is unlikely to stop the law from going into effect in other professions.

Those other industries include a wide variety of freelance workers, such as writers, translators, strippers and clergy. Many said they were now discovering that the law could make earning a living much more difficult.

The idea behind the law, signed in September, is that many workers are misclassified as contractors so companies can save money. Unlike contractors, employees are protected by minimum-wage and overtime rules and are entitled to workers’ compensation and unemployment insurance. Their employers pay half their payroll taxes for Social Security and Medicare.

A.B. 5 codified and extended the reach of a 2018 State Supreme Court ruling that said workers must be classified as employees if the work they did was a regular part of the company’s business. Under the ruling, a plumber who fixes a leak at a store may be a legitimate contractor. But workers who sew dresses at home using cloth and patterns provided by the manufacturer are likely to be employees.

The new law also means a company must treat workers as employees if it controls how they do their work, or if the workers don’t run independent businesses in the same line of work that they do for the company. A plumber who worked only at the store would most likely be deemed an employee.

The law has a host of so-called carve-outs. It exempts certain white-collar workers like doctors and accountants, but it extends legal protections to tens of thousands of low-paid workers in fields like construction, janitorial services and hairstyling.

But complexities cropped up quickly. For example, marketers and grant writers were exempted, but journalists were not.

So a weekly columnist for a newspaper must now be considered an employee, since under the new law a freelance writer can publish only 35 so-called submissions a year with a publication. (A video and a text article on the same event would count as one.) The intention was to require newspapers to put these workers on staff. The result in some cases has been layoffs.

Vox Media cut more than 200 California freelancers, citing the new law. The transcription service Rev told its freelancers that it would be leaving California.

Emma Gallegos, 34, has been freelancing while saving money to start a local news website, Hwy 99, covering her hometown, Bakersfield, located in California’s agricultural heartland. She recently took a copy-editing test to get a significant contract that would help pay her bills. Afterward, the potential client emailed her, apologizing and explaining that it would not be able to hire her because she lived in California.

“There aren’t many full-time writing jobs in Bakersfield, so these kinds of remote editing contracts are important for me,” said Ms. Gallegos. “I just feel really frustrated and like I’m getting set back from my goals.”

Proponents of the new law argue that many companies are playing on worker anxieties and that many of the arrangements that employers are abandoning were illegal even before A.B. 5.

“A lot of these employers are sending out these fear-mongering emails,” said Assemblywoman Lorena Gonzalez of San Diego, the bill’s author. “I guess in this day and age of Twitter, that’s an easy thing to do — create a kind of mass hysteria.”

Ms. Gonzalez, a progressive Democrat, has in recent weeks become a fierce Twitter presence pushing back at critics, sometimes with profanity.

When asked about some of Ms. Gonzalez’s tweets, a spokeswoman said by email: “The assemblywoman is incredibly angry at an economic system that has caused a permanent underclass in her community of working men and women who are constantly being squeezed by corporate greed.”

Ms. Gonzalez has said the problems facing companies that rely on freelancers preceded the new law.

SB Nation, the sports website owned by Vox Media, which cited A.B. 5 as the reason it recently let go about 200 freelancers, was already sued by freelancers before the law changed. In one lawsuit, freelancers claimed that they worked as many as 40 hours a week but earned less than $150 a month.

A spokeswoman for Vox Media declined to comment but cited a post from SB Nation’s executive director in which he said the change was also “part of a business and staffing strategy that we have been exploring over the past two years.”

Even in situations where the new law might hurt workers, Ms. Gonzalez said, the reality is more nuanced than opponents let on. She pointed out that some media outlets, including SB Nation and The Los Angeles Times, were hiring more employees because of the new law.

While acknowledging concerns among journalists, Ms. Gonzalez attributed the media angst over the law partly to journalistic ethics: Those who lose their jobs feel free to complain loudly. But those who may benefit from the law by becoming employees, she said, “think it’s not appropriate to be engaged in something that affects them, that they have a conflict.”

Some freelancers said the new law would force them to change the way they worked. And some said they preferred or needed their flexible schedules. Many companies limit their employees’ flexibility for practical reasons, though there is nothing that requires them to impose a rigid schedule.

Nancy Depper, a copy editor and proofreader in Oakland, has multiple sclerosis. So “setting my own hours makes life infinitely better for all the reasons,” she said. She said she had lost a set of contracts for 2020 worth $120,000.

“I’ve barely had time to process the information,” Ms. Depper, 53, said. “I don’t know what my options are going forward.”

The National Press Photographers Association, which represents photographers who could lose freelance work because of the law, has filed a lawsuit challenging A.B. 5.

“Photographers and writers are stuck between the rock of dwindling to nonexistent employment opportunities and the hard place of A.B. 5,” said Mickey H. Osterreicher, general counsel for the association.

The politics of the bill were messy. There was significant support on the left for regulating Uber and Lyft, which use incentives to encourage drivers to work when and where the companies need them while avoiding any of the protections offered by employment. Ms. Gonzalez focused partly on those companies.

But many of those who could end up losing freelance work consider themselves progressives, so it has been confusing to find themselves disagreeing with a progressive lawmaker over a union-backed law.

Vanessa McGrady, a writer in Los Angeles who runs a feminist clothing brand, planned to volunteer for Senator Elizabeth Warren’s presidential campaign next year. But then Ms. Warren endorsed A.B. 5. Now Ms. McGrady, who is anxious about how the law will affect her career, is conflicted.

“I feel so strongly that workers need protection,” Ms. McGrady said. “But this bill is killing cockroaches with a cannon.”

Strip-club owners up in arms about the law’s effect on their industry may have little recourse because courts have found that many clubs misclassified dancers even under older rules in a number of states. But freelance strippers in California who earn money from streaming services that pipe their performances onto customers’ computers and mobile devices may now find that these online platforms refuse to work with them for fear of being held in violation of the law.

Steve Smith, a spokesman for the California Labor Federation, which advised lawmakers on A.B. 5, conceded that the law was somewhat ambiguous in this area and that the State Legislature should clarify issues like this in the coming years.

“There are going to be unintended consequences with a law like this,” he said. “We want to do everything we can to make sure we’re addressing the right problems and not having any adverse effects on workers.”

Nellie Bowles reported from San Francisco and Noam Scheiber from Evanston, Ill. Marc Tracy contributed reporting from New York.


Uber and Postmates File Suit to Block California Freelancer Law

Uber and Postmates filed a lawsuit in federal court in California on Monday, seeking an injunction to prevent the state’s landmark freelancer law from taking effect against them on Jan. 1 as scheduled.

The action underlines how high the stakes are for Uber and Postmates with the new California law, called Assembly Bill 5. The law could potentially threaten their businesses because under it, workers must be classified as employees rather than contractors under certain conditions, such as if a company controls how they do their work or if the work is a regular part of the company’s business.

Most employment experts have said the new law will require Uber and its rival, Lyft, along with delivery services like Postmates, to classify their drivers in California as employees. That could add 20 to 30 percent to Uber’s and Lyft’s labor costs and lead to many hundreds of millions of dollars in additional expenses a year, if not more.

As employees, drivers would be protected by minimum wage and overtime rules and would be eligible for workers’ compensation and unemployment insurance. The companies would have to pay half of their payroll taxes for Medicare and Social Security.

Postmates said it was seeking to delay the law from taking effect to gain time to figure out a compromise so that its workers would not be classified as full-time employees. Postmates and Uber argued in their complaint that California’s State Legislature had exempted certain industries while denying an exemption to what are known as “gig work” companies on essentially irrational grounds.

The suit is unlikely to stop the law from taking effect against workers outside the gig companies. A federal judge will decide whether to grant a preliminary injunction blocking the law from being enforced against the gig companies, which could later turn into a permanent injunction.

Uber said in a statement that it was bringing a legal challenge against the new law “on the basis of lack of equal protection and due process under both federal and state law.” The ride-hailing company declined to comment further.

Postmates said, “This lawsuit is an effort to preserve on-demand work opportunities,” and added that it was urging state lawmakers, organized labor and Gov. Gavin Newsom to negotiate a compromise.

But Assemblywoman Lorena Gonzalez of San Diego, the bill’s author, said in a statement that “Uber is in court bizarrely trying to say A.B. 5 is unconstitutional.” She added, “The one clear thing we know about Uber is they will do anything to try to exempt themselves from state regulations that make us all safer and their driver employees self-sufficient.”

Uber and Lyft both said in documents they filed in anticipation of their public offerings in 2019 that having to classify drivers as employees could significantly hurt their financial performance. Both companies’ stocks have dropped since they went public this year.

California legislators passed the new law in September and it was signed into law. Uber, one of the main targets of the legislation, had previously declared that it did not plan to reclassify its drivers as employees and that it thought its drivers could retain their independent status even under the new law. Uber and Lyft have both also announced that they would each kick in $30 million for a state ballot initiative to essentially exempt their drivers from the new law.

In addition to Uber and Postmates, two workers — one who drives using Uber and another who delivers food through the Postmates app — also joined the lawsuit.


What Does California’s New Data Privacy Law Mean? Nobody Agrees

Millions of people in California are now seeing notices on many of the apps and websites they use. “Do Not Sell My Personal Information,” the notices may say, or just “Do Not Sell My Info.”

But what those messages mean depends on which company you ask.

Stopping the sale of personal data is just one of the new rights that people in California may exercise under a state privacy law that takes effect on Wednesday. Yet many of the new requirements are so novel that some companies disagree about how to comply with them.

Even now, privacy and security experts from different companies are debating compliance issues over private messaging channels like Slack.

The provision about selling data, for example, applies to companies that exchange the data for money or other compensation. Evite, an online invitation service that discloses some customer information for advertising purposes, said it would give people a chance to opt out if they do not want their data shared with third parties. By contrast, Indeed, a job search engine that shares users’ résumés and other information, posted a notice saying that people seeking to opt out “will be asked to delete their account.”


The issue of selling consumer data is so fraught that many companies are unwilling to discuss it publicly. Oracle, which has sold consumer information collected by dozens of third-party data brokers, declined to answer questions. T-Mobile, which has sold its customers’ location details, said it would comply with the law but refused to provide details.

“Companies have different interpretations, and depending on which lawyer they are using, they’re going to get different advice,” said Kabir Barday, the chief executive of OneTrust, a privacy management software service that has worked with more than 4,000 companies to prepare for the law. “I’ll call it a religious war.”

The new law has national implications because many companies, like Microsoft, say they will apply their changes to all users in the United States rather than give Californians special treatment. Federal privacy bills that could override the state’s law are stalled in Congress.

The California privacy law applies to businesses that operate in the state, collect personal data for commercial purposes and meet other criteria like generating annual revenue above $25 million. It gives Californians the right to see, delete and stop the sale of the personal details that all kinds of companies — app developers, retailers, restaurant chains — have on them.

“Businesses will have to treat that information more like it’s information that belongs, is owned by and controlled by the consumer,” said Xavier Becerra, the attorney general of California, “rather than data that, because it’s in possession of the company, belongs to the company.”

Some issues, like the practices that qualify as data selling, may be resolved by mid-2020, when Mr. Becerra’s office plans to publish the final rules spelling out how companies must comply with the law. His office issued draft regulations for the law in October. Other issues may become clearer if the attorney general sues companies for violating the privacy law.

For now, even the biggest tech companies have different interpretations of the law, especially over what it means to stop selling or sharing consumers’ personal details.

Google recently introduced a system for its advertising clients that restricts the use of consumer data to business purposes like fraud detection and ad measurement. Google said advertisers might choose to limit the uses of personal information for individual consumers who selected the don’t-sell-my-data option — or for all users in California.

Facebook, which provides millions of sites with software that tracks users for advertising purposes, is taking a different tack. In a recent blog post, Facebook said that “we do not sell people’s data,” and it encouraged advertisers and sites that used its services “to reach their own decisions on how to best comply with the law.”

Uber responded to Facebook’s notice by offering a new option for its users around the world to opt out of having the ride-hailing service share their data with Facebook for ad targeting purposes.

“Although we do not sell data, we felt like the spirit of the law encompassed this kind of advertising,” said Melanie Ensign, the head of security and privacy communications at Uber.

Evite, the online invitation service, decided in 2018 to stop selling marketing data that grouped its customers by preferences like food enthusiast or alcohol enthusiast. Since then, the company has spent more than $1 million and worked with two firms to help it understand its obligations under the privacy law and set up an automated system to comply, said Perry Evoniuk, the company’s chief technology officer.

Although Evite no longer sells personal information, the site has posted a “do not sell my info” link. Starting Wednesday, Mr. Evoniuk said, that notice will explain to users that Evite shares some user details — under ID codes, not real names — with other companies for advertising purposes. Evite will allow users to make specific choices about sharing that data, he said. Customers will also be able to make general or granular requests to see their data or delete it.

“We took a very aggressive stance,” Mr. Evoniuk said. “It’s beneficial to put mechanisms in place to give people very good control of their data across the board.”

Companies are wrangling with a part in the law that gives Californians the right to see the specific details that companies have compiled on them, like precise location information and facial recognition data. Residents may also obtain the inferences that companies have made about their behavior, attitudes, activities, psychology or predispositions.

Apple, Facebook, Google, Microsoft, Twitter and many other large tech companies already have automated services enabling users to log in and download certain personal data. Amazon said it would introduce a system that allowed all customers of its United States site to request access to their personal information.

But the types and extent of personal data that companies currently make available vary widely.

Apple, for instance, said its privacy portal allowed people whose identities it could verify to see all of the data associated with their Apple IDs — including their App Store activities and AppleCare support history.

Microsoft said its self-service system enabled users to see the most “relevant” personal information associated with their accounts, including their Bing search history and any interest categories the company had assigned them.

Lyft, the ride-hailing company, said it would introduce a tool on Wednesday that allowed users to request and delete their data.

A reporter who requested data from the Apple portal received it more than a week later; the company said its system might need about a week to verify the identity of a person seeking to see his or her data. Microsoft said it was unable to provide a reporter with a list of the categories it uses to classify people’s interests. And Lyft would not say whether it will show riders the ratings that drivers give them after each ride.

Experian Marketing Services, a division of the Experian credit reporting agency that segments consumers into socioeconomic categories like “platinum prosperity” and “tough times,” is staking out a tougher position.

In recent comments filed with Mr. Becerra’s office, Experian objected to the idea that companies would need to disclose “internally generated data about consumers.” Experian did not return emails seeking comment.

The wide variation in companies’ data-disclosure practices may not last. California’s attorney general said the law clearly requires companies to show consumers the personal data that has been compiled about them.

“That consumer, so long as they follow the process, should be given access to their information,” Mr. Becerra said. “It could be detailed information, if a consumer makes a very specific request about a particular type of information that might be stored or dispersed, or it could be a general request: ‘Give me everything you’ve got about me.’”