But maybe it’s not apathy but a sense of helplessness. Short of total disconnection from the digital world, what can you do?
The Massachusetts Legislature has a few ideas, and they’re pretty good ones. Their proposed data privacy law, passed unanimously by the Senate last fall and expected to pass the House this week, is a Swiss Army knife of privacy protection tools, some of them with teeth.
Here’s my favorite: a flat-out ban on the sale of geolocation data collected by our digital devices.
If I can monitor your location and movements, I can practically write the story of your life. Are you a heavy drinker? A churchgoer? A gambler? Are you into guns? Are you having plastic surgery, or an abortion? Let me follow you around electronically for a couple of weeks and I’ll know.
Our phones capture all this data and often share it with the apps we use. Some apps obviously need to know where we are — Google Maps, for instance. But many others that don’t need this collect it anyway and resell it to advertising companies that pepper us with location-specific ads.
With so many companies tracking us, there are countless opportunities for cybercriminals to steal this data. Last year, a hacker group accessed the files of data broker Gravy Analytics and stole the location records of millions.
But theft isn’t the only menace. In March, 404 Media reported that Immigration and Customs Enforcement has been purchasing location data to track the movements of people suspected of being in the US illegally. So much for needing a subpoena or warrant to spy on people. Instead, Uncle Sam can just write a check.
The data privacy bill would put a stop to this, at least in Massachusetts. Companies could collect our location data for their own uses but would no longer be allowed to sell it. And the law would apply not only to Massachusetts residents but also to those just passing through.
A related provision would require companies to collect only the information they need to deliver the services they offer. So an app that doesn’t need to know where you are can be barred from tracking your location.
Companies would still be free to ask sensitive questions about just about anything —sex, race, religion, mental health, etc. — but only if it relates to the purpose of the app, and only if the user specifically agrees to provide it.
The companies could still sell this non-location data, but again only if the user explicitly agrees to the sale. If a company invents some clever new way to use your sensitive data, once again it would have to get your permission first. And if a user wants to revoke access to his data, companies would have to comply within 15 days.
Companies often say that they “de-identify” our data, storing it without name or address to make it difficult to connect the data to a specific person. But these de-identified files often contain clues, like birth date and zip code. Researchers have proven that this is often enough to “re-identify” an individual.
The proposed bill would forbid companies from doing this. And the companies can sell de-identified data only to companies that promise in writing not to re-identify people.
There’s also a clause aimed at warding off the collection of data from minors. It takes cautious aim at situations in which a company has “actual knowledge” that someone is a minor, but doesn’t require the company to make sure.
It’s easy to understand why. The US Supreme Court has upheld a Texas law that requires porn sites to confirm that visitors are 18 or older. But age-verification laws aimed at less offensive fare have been clobbered in federal courts.
Instead, the Massachusetts proposal seeks to empower parents to step into the breach, letting them demand deletion of their children’s sensitive data.
In all, it’s a pretty good bill, good enough to make me feel almost sorry for the online companies. If it becomes law, there’ll be nearly two dozen states with laws governing online privacy, each of them doing it a little differently. The tech titans might need to erect one of those giant data centers just to comply with so many different laws.
What’s been needed for decades is a federal data privacy law. Maybe Massachusetts can lead the way, again.
In 2013, ours became the first state to require carmakers to provide car owners and independent repair shops with the same digital data that the dealerships got. Within months, the world’s carmakers agreed to follow the same standard nationwide, because applying a separate rule in just one state was too costly.
The same reasoning might finally goad the tech giants toward support of a single national standard for data privacy. If so, it ought to look a lot like the one that’s coming together on Beacon Hill.
Hiawatha Bray can be reached at hiawatha.bray@globe.com. Follow him @GlobeTechLab.
