TPC 40: Live from Düsseldorf

A discussion on what’s going on with privacy laws in the US and in post-Brexit Britain and a look at Amazon’s latest push to spy on our living rooms.

Welcome to the first episode of The Private Citizen from my new home in Düsseldorf! To mark the occasion, I’ve decided to stream the recording of this episode live on Twitch – a video on demand version of the stream is available on YouTube. This is something I might do more of in the future, depending on me being able to get it organised.

On today’s episode, I want to catch up with two privacy-related topics that came up while I was moving: The ongoing efforts for GDPR-like legislation in the US and post-Brexit Britain and Amazon’s renewed push to get into your living room. Let’s dive right into the meat of the matter.

Status Quo of Privacy Laws Outside the EU

In the US, a federal privacy law seems more unrealistic then ever.

It didn’t take long for everyone to agree on one thing: the US needs a single data privacy law. In the modern internet world, no company can avoid international commerce, and even if they somehow manage to do that, they can’t avoid inter-state commerce. Since a huge number of people are online and exchanging information in an almost seamless fashion, it makes sense to have a single nationwide law to cover it all rather than a “patchwork of state laws”.

As usual, things have split largely down party lines. To simplify: Democrats think American citizens should have the right to their own personal data, including telling companies what they can gather and whether they can sell it; Republicans believe companies should have the data because it’s worth money and money is good.

So far, roughly GDPR-equivalent data protection laws only exist in a single state: California.

The elephant in the room, of course, was California Attorney General, Xavier Becerra. California has created somewhat of a problem for everyone by passing the California Consumer Privacy Act (CCPA) which finally came into force earlier this year.

Becerra was good enough not to point out that the law was only passed because Californian voters were going to force through their own data privacy legislation through the ballot box regardless, having grown fed up of constant stasis in Sacramento thanks to the lobbying power of tech giants. Becerra also failed to mention the efforts to undermine the CCPA, and the fact that his own office’s approach is under fire again by Californian voters who aren’t happy with how he’s applying – or, rather, not applying – the law, and have threatened to pass a stronger version.

In Washington, Becerra is under pressure from the other side of the spectrum: those who don’t want data privacy legislation to actually give people data privacy, or at least not at the expense of companies.

It has also been suggested to let the FTC handle the issue.

The pitch of former FTC chair under President George W Bush, William Kovacic, was to give the FTC additional power to deal with privacy issues, and to go State Rights with everything else. The federal government could come up with a “framework” onto which states mapped their own rules and laws. But even under that bare bones approach, Kovacic noted that it would take a long time and “cost a lot” to pull in “economists, attorneys, technologists, socialists” and he suggested that they all get paid extra – 20 per cent more than normal the normal civil service pay scale – and that Congress provide an extra billion dollars a year to the FTC to oversee it all.

So, yeah, everyone agrees we need a federal privacy law as soon as possible. And after today’s hearing, everybody knows why it’s not going to happen.

Meanwhile in Europe, the UK’s version of the GDPR is threatening to become a playball of the political quagmire around Brexit. As part of the Brexit negotiations, the EU will have to decide on equivalency between the GDPR and privacy laws in the UK (see episode 5 of this podcast). Equivalency would mean the UK is treated roughly like any other GDPR country. If the EU decides against treating laws in the UK as equivalent to the GDPR, export of data would be restricted or even forbidden, depending on further specific EU-wide regulations or a similar solution to the defunct Privacy Shield agreement with the US.

It was once almost a foregone conclusion that the UK would comply with EU data protection law enshrined in GDPR after the Brexit transition agreement ends on 31 December 2020. But recent reports about the EU’s reaction to the UK’s “National Data Strategy” have cast some doubt on that assumption.

The strategy was published in early September, it is a consultation document that runs for 12 weeks and centres on how the UK can “improve data use and control across the public and private sectors”. According to The Guardian, EU sources have expressed concern over the UK government’s game plan, adding to existing worries over the UK’s approach at the end of the transition period. The EU’s focus was on the strategy’s commitment to remove “legal barriers (real and perceived)” to data use, the issue of sharing data across borders, and the proposed “radical transformation” of government data use.

Other factors that may have a bearing on the EU’s decision could be the UK’s move to allow ministers to change data protection rules without going through Parliament, as set out in a written answer from Prime Minister Boris Johnson in February, according to Chris Pounder, director of data compliance training firm Amberhawk. Pounder also pointed out that EU officials looking for safeguards will not be reassured by the possibility that the UK could depart the European Convention on Human Rights, article 8 of which deals with rights around data.

Should the EU and the UK fail to make a deal, there could still be some strong arguments for adequacy in that the UK’s Information Commissioner’s Office has historically been one of the most active members of the EU’s regulatory community and helped draft the guidance around GDPR. Of the legal reason for blocking an adequacy decision, government surveillance of personal data and the rules governing the transfer of data to another jurisdiction would be the most important.

It has been suggested however, that the EU wil just let this issue slide, because it is relatively unimportant compared to other issues at play in the wider Brexit negotiations.

“The deal is a political deal, not one about data protection. If the EU wants a deal, it will fudge the decision for the ‘adequacy’ of UK data law,” Pounder claimed. Ultimately, the strength of that fudge might only be tested if someone is prepared to bring a case, as with Austrian privacy activist Max Schrems, he said. The Schrems case has just seen the European Court of Justice strike down the so-called Privacy Shield data protection arrangements between the political bloc and the US.

The UK’s strategy may be guided behind the scenes by the Prime Minister’s chief advisor, Dominic Cummings, a divisive figure pushing for a radical “pro-tech” economy who sees GDPR as a hindrance to that cause. It might not help that he was held in contempt of Parliament for refusing to appear before a committee investigating data breaches during his role in the Vote Leave Brexit referendum campaign.

Amazon Wants to Know What’s Happening in Your Living Room

In episode 13 of the podcast I discussed the problems with Amazon’s Ring video doorbell and its neighbourhood surveillance network. Now it seems, Amazon wants to extend this surveillance into your living room with a flying indoor drone. This revelation comes as part of an excellent analysis on The Register which looks at Amazon’s latest push into private homes – which roughly mirrors a similar try from Google to tap into hotel rooms (see episode 39).

You may not want one, but the idea of your own miniature security drone taking off when it senses someone trying to break into your house and doing a tour inside your property, relaying hi-res video to your phone, is so fantastically sci-fi that it’s hard to imagine it will soon be a real product. But it will, according to Amazon: the Ring Always Home Cam will cost a very reasonable $250 and be available in 2021.

And they’re introducing a Ring Car Alarm that will detect if your car is broken into or if you’re in a crash and dial-in video and alerts.

Amazon is also continuing to push its own smarthome devices.

Rather than the usual hockey pucks, the next generation of the Amazon Echo will be little fuzzy round microphones and will have better sound, additional AI that will recognize your voice, and there’ll be a cute version that looks like a panda or tiger that will read to your kids. Then there’s a new Wi-Fi router that will mesh with others and form a new, secure network for all your devices.

I wonder why they assume my existing network isn’t secure? It’s certainly secure from Amazon knowing about what’s going on there.

It’ll make people’s lives easier but it will also give Amazon the same insights as the actual manufacturer of the product, and encourage that maker to become increasingly reliant on Amazon. Put its product in your car and it knows where you are and where you go. Use its new CarePlus service – which ostensibly does a great thing: enables you to see the Alexa responses in a different household so you do things like keep track on elderly relatives – and you give Amazon a map of your closest connections.

Buy the cool automatic drone and you hand Amazon a looking glass into your entire home. How long after your discussion about the ageing red couch in the lounge will Alexa start making suggestions for replacements? It’s available now and can be delivered on Thursday if you buy through your Amazon Prime account now.

And the brutal part of it is that most people will find this kind of service incredibly useful. Everyone will benefit, and Amazon will then use the market control and money to produce yet more cool gadgets to tie everyone into its system even more. Everything will be great. Just so long as you leave Amazon in charge.

Of course, this isn’t about your security at all. Or about making your life easier. It’s about giving Amazon all-encompassing Google-like knowledge about all of our lives.

You may have noticed that Amazon has managed to pretty much dominate the entire online shopping market. Amazon is now trying to do the same with your home. In this case, the Amazon website/app will – the tech titan hopes – be replaced by its relatively new network called Sidewalk. Sidewalk is a wonderful, clever thing – it takes a small amount of your Wi-Fi network bandwidth and uses it to share data with other Sidewalk devices. It is its own Internet of Things network, and all the new gadgets just announced will incorporate it. The old ones will get it through software upgrades.

Amazon’s Sidewalk is proprietary, and uses Bluetooth Low Energy over short distances, and 900MHz LoRa bands and other frequencies over longer ranges. Crucially, while at the same time working on a new industry smart-home standard with Apple, Google et al, Amazon ruthlessly exploited a hole in the current situation to gain platform control.

Case in point: Amazon is all about your privacy. As long as it doesn’t affect what Amazon can see.

Amazon has also done a very smart thing: it has come out forcefully on the issues of privacy and security. The network will be locked down, and none of your information will be shared. Except, that is, with Amazon. Amazon won’t know the full details – unlike creepy Google – but it doesn’t need to. It will take exactly the data it needs to gain a full understanding of the many small segments of the overall market in a way no one else will be able to. And then it will beat anyone in its way in each segment into submission.

Producer Feedback

I’ve received many well wishes for the move to Düsseldorf. Thanks to everyone who sent me a message! The move has gone as well as can be expected and as you can see (or hear) I’m back to work. Keep the feedback coming!

If you have thoughts on the topics discussed in this or previous episodes, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money to via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Butterbeans, Mark Holland, Steve Hoos, Shelby Cruver, Kai Siers, Vlad, Jackie Plage, 1i11g, Philip Klostermann, Fadi Mansour, Jaroslav Lichtblau, ikn, Matt Jelliman, Joe Poser, Dirk Dede, David Potter, Dave Umrysh, Mika, Martin, Vytautas Sadauskas, RikyM, drivezero, S.J., Jonathan Edwards, Barry Williams, Silviu Vulcan and Richard Gilson.