I’ve had an idea for a privacy law (or policy) that would directly target various privacy invading practices of many companies. The law targets a set of default practices that I’ve observed at several companies which to me are simply basic security failures. I remember one company I worked at had an employee who routinely scanned people’s files looking for juicy bits of information he could view. Other companies have been routinely caught allowing employees completely unfettered access to the accounts of loved ones, ex-girlfriends, and even users with restraining orders against the employee. In addition to this, when caught, these companies feign surprise that this even happens when everyone knows it was probably touted as a perk to employees.
There’s a host of problems that come from companies having complete access to any account they want and there being no way for an account holder to see them. What I propose is a set of policies that put this information in the hands of consumers and then let consumers choose. This set of policies constructs an access log viewable by consumers, and informs them of which companies can view their accounts. The goal is with this information consumers will choose companies that provide better access controls.
Any credentials collecting user interface has to prominently display which companies’ employees could view the credentials or the account.
When I use my phone and access my email, I know that my credentials are not given to my target server. Take an iPhone as the primary example. When I give it the credentials to a private IMAP account, I just know that Apple is collecting these credentials and scanning my email. I know every company is doing this. Users of a login screen have no idea who is seeing the credentials, if those credentials are stored, and who at what companies can see their account after they log in.
To solve the problem, simply display prominently which companies employees can see the account and credentials. Let’s say for example that the mail app on an iPhone proxies my email through an Apple server. The message would then be:
“These credentials accessible to employees of Google and Apple.”
“These credentials accessible to employees of Google.”
This means that you now know that an employee at Google has the ability to look up your Wifi password, drive a car near your house, and log into your network to packet sniff your data.
Every company has to provide a user interface where an account holder can view the names of each person who has accessed their account, which company that person works for, and the reason for the access.
In the early days of Facebook there were rumors, since confirmed, that employees were stalking members they wanted to date without those members’ knowledge. This eventually led to other repeated privacy affronts until the FTC sued Facebook over them and eventually settled with them. Apparently Google, Twitter, Uber, and nearly every company that has accounts has this same problem. They always allow their employees unrestricted access until they get their ass sued off over it.
Interestingly enough, none of the settlements provide consumers with what they actually deserve which is an ability to see who at the company is snooping on them. If privacy is important, then it stands to reason that knowing who is potentially violating it is an important part of managing your personal security. This will stop stalkers from snooping on ex-girlfriends, employees from snooping on their enemies’ emails, or just basic voyerism that shouldn’t exist in the first place.
However, this part of the policy goes one step further by listing every person and the company they work for. This means if Google gives Ogilvy And Mather access to the traffic data of a million people, then Google has to list all of the Ogilvy employees who viewed that information.
Every company has to provide a statement as to how many people and companies can access an account and under what circumstances they are allowed to access it.
This would be required as part of the user interface that shows recent accesses to an account, and as link or expanded view on the credentials statement during logins. This is simply an estimate of the number of employees, what companies, and how easily they can access that account. If Apple is storing the credentials of my Gmail account, then Apple has to list on my account that both employees of Apple and Google can view my email, how many employees can, and what it takes for them to access it. If only two employees can access my email at Apple, and they need special permission, then I’ll know that. However, if every employee at Apple and Google can read me email without a password, then I’d know that too.
An account holder can provide the names of employees they refuse access to their account, and if those employees gain access the company is fined for every access.
Consumers have a right to explicitly name employees they refuse to have access to their account. This could be for anyone who has to use Google products, but knows that an abusive ex-husband works there, a stalker, or just about any employee they flat out don’t like. The company has to explicitly restrict access to this person, and has to immediately notify the user if they ever gain access.
Once a month, the company must email any account holders who have had a change in their access activity.
This is simply a means of making sure the company is telling the consumers when their account is being accessed. Companies love hiding information from consumers, burying the information in the bottom bowels of privacy statements and footnotes. As long as no employees are routinely accessing consumer information the company won’t have to do much. However, if there’s rampant privacy invasions by employees of users then the users will know about it they can do something about it.
All agents of a company must be identified as such when interacting with any account holder.
A final piece of the puzzle is that employees at a company have to be identified as such when interacting with users. The reason for this is it closes the loop on privacy violations and stalking concerns since an employee could be talking with a user, but also using private information to manipulate them and harass them. However, if you see an employee marked as such talking to you, then you know to immediately go look at your access log and see if they’ve been stalking you.
There’s an additional benefit in that it prevents companies from secretly manipulating their users by pretending to not be agents of the company. The scenario I envision here is where a marketing firm is given access to a large number of users, and then sets up fake users to manipulate their opinion of products. If an agent of a company is talking to me and I see they are labeled as an agent of the company I know they might be shilling.
Clearly there is no way we’ll ever get law enforcement to agree to any of the above. I’d say that accesses by law enforcement should be disclosed to the user after any investigations are over, but right, like any of that would happen. Because of this there would need to be provisions that access of a user’s account under the direction of a warrant does not need to be listed to the consumer, but it does need to be logged for later investigations.
This policy could also be extended to other sectors such as Health Care, Government, Universities, and any organization that stores information on another person. If a random doctor is looking at my medical records then I should know about it. If someone from the IRS is looking at my medical history I should know about that. If a professor is checking out my university enrollment records I should know about it.
However, those organizations are going to be fairly reluctant to enact and kind of policy whereby a user can see who is looking at their information.
A small concern would be for employee privacy. If an employee is just doing regular maintenance on my account, at my request, then do I have a right to see their full name? On one side you could throw back the usual defense of, “If they have nothing to hide, then why are they worried about it?” However, I would say that as long as there’s enough information for a consumer to see different people and to question who is accessing their account, then it’d be allowed to hide employee last names or use employee codes. A proposal could be “John T.” as one way to list the name, or “John T. #213434, Google”.
Is this possible? Hell yes it’s possible. There’s nothing radical or onerous about what’s proposed. It’s actually just good security practice at any company to restrict access to accounts. All this does is provide consumers with the information they need to control who has access to their information. Give the consumers information and they will make choices based on what they feel is comfortable. On a technical level though, none of this is crazy hard.
Would it work though? I doubt it. If I were honest, I would say that privacy and security have been so fully eroded in internet culture that even when given this information consumers wouldn’t care. The only time they’d care is if it were an insane amount of abuse that was super obvious. Other than that, I think all the employees at Apple viewing Google email is something that the average consumer just sadly shrugs and accepts. But, it’s worth at least giving them the information they need to make decisions so that at least it’s by their own lack of choice, and not just because they assume a lie is the reality.
Will it ever happen? Aahahahahahahahahahahahaha. Hells no. You seriously think any company today wants to admit that they’ve got employees snooping on users and selling their information to subsidiaries, law enforcement, and marketing companies? You seriously think they want to implement any kind of this? I’m just proposing a total fantasy here, and the chance that some company will have the ethics necessary to do this is incredibly low. If a law like this were even proposed you would see a cash tsunami rain down on Washington DC like it was a Thai fishing village.
I just thought I’d write it up anyway, in case somebody is working on this right now.