DRAFT: A bad day for a bad bill (early very long draft)

DRAFT! 
Please do not forward!

The initial section has been revised and turned into a separate, much shorter, post.
I’m leaving this here for people who want to see the fuller report.

State lawmakers in Washington want the state to be the gold standard for regulating companies and governments that collect people’s digital data or use facial recognition programs.

— Joseph O’Sullivan, Washington [Senate] Passes Data Privacy Bill as Questions Remain, Feb 19 2020.

We are testifying today as other because while we support the passing of privacy legislation in Washington, we are unable to effectively enforce this bill as currently written.

– Andrea Alegrett of the Attorney General’s Office (AGO) Consumer Protection Division, at the House ITED Committee hearing on the Washington Privacy Act, Feb 21 2020

The Washington State Senate passed SB 6821 46-1 last week, with only Bob Hasegawa voting no. Tech companies like Microsoft and Amazon have spent a huge amount of money lobbying for it — and proposing it to other states as a model. Isn’t it kind of embarassing that the AGO’s office says it’s un-enforceable?

Their analysis is prety straightforward, too:

  • SB 6821 does not include a “per se” clause, saying that any violation of the WPA is also a violation of the Consumer Protection Act.  As a result, “the AGO’s enforcement and investigative authority is severely limited.”
  • The AGO is also concerned that the “broad exceptions that would permit industry to sidestep the very consumer rights and obligations created by this bill” limit their enforcement ability

There are a lot of other problems with the bill as well, including a very bad section on facial recognition and the absence of a “private right of action”.  SB 6281 says that only the AG is allowed to enforce the law; people who are harmed can’t launch lawsuits themselves.  The AGO has strong things to say about both of these as well.

  • Third, our office remains concerned with the facial recognition provision and believes this technology would be better addressed in a separate bill.

  • Finally, as we have stated before, we believe that a Private Right of Action, along with AGO enforcement is the best policy for consumers.

Black Lives Matter Seattle-King County board member’s Livio De La Cruz also had something strong to say about why a private right of action is so important was also quite vivid:

We know what it’s like to have our rights ignored. We want to have the power in our hands.  We want the people to have that power.

Several others who spoke also had strong things to say about private right of action; I’ve briefly summarized below, but it’s really worth watching the video.   And several of us had strong things to about facial recognition as well.

  • Stan Shikuma of the Japanese American Citizen League’s reminded us of the role data abuse played in the the mass incarceration of Japanese Americans and observed “never again is now.”
  • Derek Lum of Interim CDA (an organization focusing on social justice and equity for low income, Asian and Pacific Islanders, immigrant, and refugee communities) similarly said “history shows this will be abused”, citing over-policing of Black communities and post-9/11 targeting of Muslims as well as Japanese internment.
  • In my statement, I talked about Microsoft Researcher Luke Stark’s analogy to plutonium: something so toxic to society’s health that it needs to be strictly regulated.

There are other big problems with the bill, including a very bad pre-emption clause that would overturn City of Seattle’s Broadband Privacy Rule as well as rule out future city and county-level regulation or bans on the use of facial recognition technology.  The two-page fact sheet from  Consumer Federation of America, Privacy Rights Clearinghouse, EPIC Privacy, EFF, and ACLU-WA has lots of details if you’re interested.   Still, even without those details, hopefully by now you’re convinced …

The bill in its current form isn’t anywhere close to a gold standard. In fact, as privacy advocate Deborah Pierce (former Executive Director of PrivacyActivism) said during the hearing, the current bill is more like window dressing.

Fortunately, bills can still get changed even after they pass the Senate.  I was really impressed by the House Innovation, Technology & Economic Development (ITED) Committee during the hearing, with excellent questions from legislators, and very solid staffwork.  With luck, we could still emerge from this with a strong privacy bill that passes the House.  If not, as I’ll discuss in the last section, this is one of those situations where a bad bill is worse than no bill.

In any case, if you’re in Washington, please ask your legislators to oppose SB 6821 in its current form. Our state legislature makes it very easy to give feedback, either on the bill’s web page (make sure to click “Verify District” after you put in your address) or by calling the Legislative Hotline at 1-800-562-6000 (TTY for Hearing Impaired 1-800-635-9993). Take Action Network also makes it easy to contact your legislators, and is a good place to track ongoing action alerts on privacy and other issues.

If you’re not sure what to say, you can keep it simple:

Please oppose SB 6821 in its current form. The State Attorney General’s office says the bill is unenforceable as written. We deserve strong privacy protections.

If you want to say more, here’s a handy chart from the ACLU-WA with four of the bill’s biggest problems.

Washington deserves stronger protections than the Washington Privacy Act, 2SSB 6281

______________________________

The rest of this article is a draft of a much longer piece.  If you’re interested in the legislation or the topic, there’s a lot of good stuff here; but it’s still somewhat rough.   Feedback welcome!

Background

Back in 2019, there were two different bills known as the Washington Privacy Act. For a brief timke, there was a very good Washington Privacy Act, with strong protections for consumers. But the Senate actually wound up passing what I think of as the “bad” Washington Privacy Act, a version largely shaped by Microsoft and Amazon with help from the advertising industry. Fortunately, even though the big corporations spent record amounts lobbying, the legislature eventually killed the “bad” bill. Its sponsor Guy Palumbo resigned from his seat and went back to work at Amazon as a lobbyist.

The “bad” version resurfaced with some changes for the 2020 session, as bill number SB6281, sponsored by Reuven Carlyle. The House ITED Committee worked on a “good” version as well, HB2742, but it never made it to the floor.  SB6821 passed the Senate last week.  Now, it moves back to the House.

The first stop in the House is ITED again, where it can be amended and modified.  Once it gets out of the committee, the House as a whole will then vote.  If a modified version passes the House, it goes back to the Senate and then … but let’s not get ahead of ourselves.

The February 21 hearing was the only chance for the public to weigh in on SB 6821 in the House ITED committee before their (closed) Executive Session.  Unsurprisingly, there was a packed room — enough that they had to set up an overflow room.   Good times!

The hearing

The hearing was one of the best I’ve been to in a long time.  The video is available online and very much worth watching.  It started with a very effective “side-by-side” comparison of SB 6281 and HR 2742 by committee staff member Yelena Baker. SB 2681 has a lot more exemptions than HR 2742, narrows the scope of the HR2742s broad opt-out requirements, and is weaker in many other ways. See, this is why I call it the “bad” Washington Privacy Act.

Senator Carlyle was the first speaker, with two minutes to speak just like everybody else testifying. I very much agreed with his observation that we’re at a time where there’s a dramatic desire for meaningful improvements in consumer privacy legislation.

The first panel of witnesses all opposed the bill. I’ve already mentioned highlights from Stan Shikuma’s and Livio De La Cruz’ testimony. De La Cruz also noted that we’re in the golden age of income inequality — and of corruption. What are legislators doing to protect our rights? Larry Behrendt, representing several Indivisible groups, also focused on the lack of a private right of civil action, noting “If we’re serious about the rule of law, we must be serious about enforcement.”

Next, two people spoke more positively about the bill.  Jaclyn Greenberg from the Washington State Hospital Association lauded the two pages of exemptions in the Bill’s section 4 as “clear and precise” coordination with the existing federal laws. Of course, not everybody sees this as a good thing — these are the same exceptions that the AGO would later point out made the bill unenforceable. So a different way of looking at this is that the federal laws provide a floor (a very low bar in many cases) on privacy protections; by leaving all this data out of scope, SB 6821 gives corporations free rein with no recourse for consumers.

James McMahan from the Association of Sheriffs and Police Chiefs also generally liked the bill, although suggested that the facial regulation section should be adjusted so that law enforcement could more easily get at this information without a warrant in more circumstances. Again, opinions differ on whether this would be a step in the right direction.

Compare and contrast ..

There was a similar dynamic on the next two panels

Derek Lum of Interim CDA, an organization focusing on social justice and equity for low income, Asian and Pacific Islanders, immigrant, and refugee communities, opposed the bill, focusing on the facial recognition aspects. He echoed Stan Shikuma’s point, saying “history shows this will be abused”, and over-policing of Black communities, and post-9/11 targeting of Muslims as well as Japanese internment.

Eli Goss of OneAmerica, the largest immigrant and refugee advocacy organization in Washington State. also opposed the bill highlighting facial recognition risk, the pre-emption of local laws, the lack of a private right of action, as well as limits on fines. [SB 6821 limits fines to a maximum of $7,500 per violation, as opposed to HB 2742’s $50,000.  For comparison, the maximum under Europe’s GDPR is $21,000,000.]

But Michael Schutzler, CEO of the Washington Tech Industry Alliance, and Ryan Harkins, Director of State Government Affairs at Microsoft, both thought bill was great. The representative from the Washington Land Title Association (whose name I missed) was also largely positive, although did have a couple of points he thought needed to be clarified.

The legislators had some good questions here, for example drilling down on wither title companies were monetizing personal data even if not selling.  The WLTA couldn’t speak to how common this was in the industry, and wasn’t sure about his own company, but did mention databases that are leased by various companies which sounds like monetization to me.

There was also some discussion about the absence of a private right of action in the bill. The witnesses were concerned that a private right of action could lead to frivolous lawsuits, although when pressed didn’t seem to have any information about how frequent enforcement of any kind was in jurisdictions that have strong privacy laws. I can’t remember whether it was the Microsoft or the WTIA representative, but somebody suggested that since the exceptions were so complicated, and since Washington State has such good a good AGs office, it was better to leave enforcement to the experts. In retrospect, they probably should found out what experts in the AGOs what thought about the private right of action before saying this.

I too have thoughts

My turn to speak! After introducing myself (making sure to mention that I used to be a Researcher and General Manager at Microsoft!), I got to the point quickly.

This is a really bad bill, especially for people from marginalized communities.  Others today are telling you lots of reasons why. Please listen to them.

I also encouraged the legislators to read the excellent short fact sheet from a coaltion of consumer, privacy, and civil liberties organizations including Consumer Federation of America, Privacy Rights Clearinghouse, EPIC Privacy, EFF, and ACLU-WA.

The main part of my testimony focused on interaction between facial recognition laws and preemption, a topic Eli Goss had already gotten a question about.  I started with Luke Stark’s analogy that facial recognition is like plutonium: highly toxic to the health of society, so needing to be tightly regulated for its positive uses.  I also highlighted the wave of cities and counties limiting and even banning facial recognition — including San Francisco, Somerville, and Oakland.  As written, SB 6821 would prohibit these local ordinances in Washington State, as well as rolling back current protections like Seattle’s Broadband Privacy Rule.

But I didn’t want legislators to think that just removing the facial recognition section (as several others had also recommended) and changing the preemption section from a ceiling to a floor was enough. There are plenty of other problems with the bill as well. So I reminded them that the bill had lots of other problems, and ended with

SB 6281 in its current form, or amended with some half-measure “compromise” that fails to protect our privacy and our rights, is worse than no bill at all.

Deborah Pierce followed me, and after her “window dressing” summary went on to highlight the need to strength prohibitions on secondary uses of data (such as data brokers) and discuss the problems with an opt-out model when people don’t actually know the data’s being collected.  Then Jevan Hutson of UW Law School suggested that Washington State deserved a privacy law that challenges business models built on data extraction and exploitation.  He also described how the bill as written gave companies an excuse to avoid any request to delete info from DNA databases by saying they needed to retain it for retention for product development.

The opposition continued on the next panel, with Jennifer Lee of ACLU-WA challenging legislators to get out of their comfort zones, and highlighting that organizations representing immigrant communities, people of color, and LGBTQ+ people are all opposing the bill. Maureen Mahoney of Consumer Reports did not take a position on the bill, but urged the committee to incorporate stronger protections from the “good” House version, for example strong clauses about de-identified data. And Joseph Jerome of Common Sense Media made some excellent points about surveillance of teenagers … which this bill not do anything to stop.

A strong statement from the AG’s Office

All this wound up setting the stage for the Angela Alegrett’s blockbuster testimony of the AGO’s analysis. One more time, in case you missed it before:

We are testifying today as other because while we support the passing of privacy legislation in Washington, we are unable to effectively enforce this bill as currently written.

The AGO also has concerns with the facial recognition provision and suggested it would be better addressed in a separate bill. This analysis struck a point that others hadn’t yet explicitly mentioned:

Further, the Consumer Protection Division, along with our Civil Rights Division, are concerned that giving license to “controllers” to enroll images of consumers whom they deem “reasonably suspicious” without their consent, is a recipe for racial profiling.

First, “reasonable suspicion” is not defined in the statute. And second, the harm that an individual may face as a result of misidentification by the technology is too high of a risk to warrant the inclusion of this provision.

Yeah really.

The testimony continued after that, with some mostly positive feedback from Washington Bankers Association and Washington Food Industry Association followed by strong criticism from Larry Shannon from the Washington State Association for Justice also discussing the importance of the private right of action and noting that “there is no right without a remedy”. A journalist whose name I missed brought up some concerns that the bill would open up avenues for legal attacks on journalists … on the one hand, it shouldn’t, but on the other hand so much of it is worded so sloppily that I could believe there’s an unintended problem here, and it seems like a good thing for committee members to look for as they revise.

Oh, and a couple of guys from the Association of National Advertisers and Network Advertising Initiative talked about how any restrictions would be a threat to the advertising industry (charities advertise too, you know — think of the children)! This is the same position that ANA and NAI always take on regulation, but at least this time it was blatantly obvious that they were basically arguing for unenforceable regulations and against giving consumers any real power.

There were a handful of other witnesses as well; apologies to those I missed — and apologies as well if I made any mistakes summarizing, please let me know and I’ll be happy to correct them.   The meeting ended with Ranking Member Norma Smith reading a letter from consumer, privacy and civil liberties organizations into the record.

Next steps and closing thoughts

The House ITED committee will be discussing the bill in Executive Session sometime in their next few meetings. I was extremely impressed by the committee’s knowledge and passion for privacy during the hearing. Chairman Zack Huggins running a very effective session, and there were some really probing questions from Shelley Kloba, Debra Entenman, and my own representative Vandana Slatter as well as Ranking Member Norma Smith. I think they got the message loud and clear that this bill is not yet at the gold standard level; and their earlier work on HB 2742 points to a lot of ways to improve the bill. Hopefully they’ll take the opportunity to craft something that really *is* a gold standard, and the House as a whole will send it to the Senate. Time will tell.

Something I’ve heard from several people is that they think even a weak bill, with incremental steps, is better than no bill.  I certainly get this; it’s frustrating that after 15+ months of working on this, we still haven’t gotten anywhere.  Still, I strongly disagree, for several reasons.

  • Some of what’s in these bills are steps in the wrong direction — for example, Section 14 (non-preemption) of SB 6281, which would as written eliminate the City of Seattle’s broadband privacy rule.  Similarly, the interactions between Section 14 and Section 17’s extremely week facial recognition regulation would make it impossible for cities and counties to pass stronger restrictions on facial recognition as is currently being discussed by the Port of Seattle).
  • It’s very difficult to change laws like this once they are passed.  When lawmakers pass a bill like this, they naturally talk about how well they’ve protected the citizens of the state.  That makes it much harder to find the political will to do clean up the mistakes — especially in the teeth of the ferocious lobbying businesses are putting in opposing anything stronger.
  • Finally, at the national level, Microsoft and the advertising industry have been pushing this extremely weak bill as a model for other states to adopt. Passing it as it is (or with minor improvements) gives them more ammunition in other states. Strengthening it substantially, or rejecting it if it can’t be strengthened, sends a clear message that Washingtonians want more.

It’ll be interesting to see how the discussion goes over the next several weeks.   There’s also a companion bill, Senator Joe Nguyen’s SB 6820, specifically on government use of facial recognition.  Immigrant rights organizations such as WAISN and civil liberties organizations such as the ACLU have also criticized SB 6820 as being much too weak (for example it doesn’t include a moratorium on law enforcement use of face recognition), so we’ll see how that hearing goes.

I talked briefly with Rep. Slatter about SB 6820 on Friday, and she made the great point that advocates of a moratorium often phrase it in terms of the accuracy and bias issues with facial recognition software. Those are huge issues of course, but moratorium advocates shouldn’t stop there — even if those are eventually addressed, facial recognition will still be plutonium.  Veena Dubal has some good things to say about this in San Francisco was right to ban facial recognition. Surveillance is a real danger:

Based on my years of working as a civil rights advocate and attorney representing Muslim Americans in the aftermath of September 11th, I recognize that the debate’s singular focus on the technology is a red herring. Even in an imaginary future where algorithmic discrimination does not exist, facial recognition software simply cannot de-bias the practice and impact of state surveillance. In fact, the public emphasis on curable algorithmic inaccuracies leaves the concerns that motivated the San Francisco ban historically and politically decontextualized.

More positively, though, Dubal notes that the SF facial recognition ordinance passed due to “the sustained advocacy of an intersectional grassroots coalition driven not just by concerns about hi-tech dystopia, but by a long record of overbroad surveillance and its deleterious impacts on economically and politically marginalized communities.”   The SB 6281 hearing similarly featured intersectional perspectives from grassroots groups, many of whom brought up the long record of these technologies impact on marginalized groups, and I think we’ve got a great opportunity to build on similar coalition work that’s already happened here on this and other issues.

So overall, I’m optimistic that we’ll either see some strong privacy legislation this year in Washington State — or once again kill the weak, corporate-backed, alternative.  Stay tuned for more!

But first, if you haven’t done it already … please ask your legislators to oppose SB 6821 in its current form. Our state legislature makes it very easy to give feedback, either on the bill’s web page (make sure to click “Verify District” after you put in your address) or by calling the Legislative Hotline at 1-800-562-6000 (TTY for Hearing Impaired 1-800-635-9993). Take Action Network also makes it easy to contact your legislators, and is a good place to track ongoing action alerts on privacy and other issues.