Rob's Notes 22: Data Brokers are (Allegedly) Awful and also Terrible
And other privacy and safety news this week
I first worked on privacy as a research analyst at Jupiter Research over 20 years ago. I was writing a landscape report about online privacy, and the book “How to be Invisible” by JJ Luna made a big impression on me. My biggest takeaway from the book, even in the early 2000s, was that using many conveniences we take for granted, like credit cards and mobile phones, was probably incompatible with keeping one’s data and identity private. And of course it’s gotten a lot worse since then, especially with the proliferation of data brokers amidst relatively weak US privacy laws.
The latter came into sharp focus this past week with the horrific murder of Minnesota House Speaker Rep. Melissa Hortman and her husband. The gunman also critically wounded Sen. John Hoffman and his wife after locating their home addresses. Investigators recovered a notebook listing more than 45 public officials plus eleven popular “people-search” sites (including Spokeo, Intelius and TruePeopleSearch amongst others), suggesting commercial data-broker dossiers may have helped plan the attacks.
My thoughts are with the families of the Minnesota lawmakers, and this is a stark reminder that privacy is not theoretical, and that data brokers advertising, buying and selling information about Americans is more than just an “ick”. The case has renewed calls for the seeming-mirage of a federal privacy law, and focused attention once again on the Delete Act, championed by Senator Wyden and Rep. Lori Trahan, which would let Americans issue a single opt-out to all registered data brokers and impose tougher oversight on the industry.
I’m not sure the will is there for putting the FTC at the center of managing a single “delete-my-data” portal and a perpetual “do-not-track” list; and I have a lot of implementation questions… but that said, it’s a helluva lot better than the current sad state of affairs.
In other news of varying seriousness:
Vermont enacts the nation’s second (after California) Age-Appropriate Design Code Act:
Signed by Governor Phil Scott, S. 69 requires any online service “reasonably likely” to be used by minors aged 2-17 (even if they’re only 2% of users) to switch on high-privacy defaults, curb midnight-to-6 a.m. push notifications, minimise data collection, explain recommendation algorithms, and delete age-verification data once an age range is set. The statute takes effect January 1, 2027 and empowers both the Vermont Attorney General and private plaintiffs to sue for noncompliance.
Asana’s AI side-car springs a data leak surprise:
Work-management giant Asana admitted that its new Model Context Protocol (MCP) server had a logic flaw that let customers peek into other companies’ projects, comments and file names for weeks. Roughly 1,000 paying orgs got the “whoops” email, and the MCP server was yanked offline while engineers re-stitched the tenant walls.
Barbie meets ChatGPT:
Mattel’s freshly announced partnership with OpenAI (somewhat short on details) promises dolls and Hot Wheels that talk back using generative AI. Child-safety advocates are already waving the red flag, pointing to the hacked “Hello Barbie” fiasco of 2015 and warning that always-listening toys could harvest kids’ voices or nudge behavior in creepy ways. Let’s wait and see with this one - anyone who has paid any attention to the various legal troubles in this category will know to be careful. I’m sure they will make sure this one is perfectly buttoned up at launch.