Last month, California Governor Gavin Newsom signed the Delete Act into law. The Delete Act aims to enhance the consumers' privacy rights already enacted through the California Consumer Privacy Act.
I spent some time chatting with Dan Draper, CEO and founder of CipherStash – a data security company that utilizes groundbreaking searchable encryption technology – about this topic. Dan is a lifelong coder and self-taught cryptographer passionate about ensuring consumers have the knowledge and power to protect their personal data.
Gary Drenik: How does California’s Delete Act aim to protect consumer data privacy?
Dan Draper: The Delete Act aims to improve consumer privacy by reducing the volume of personal data accessible to service providers. The hope is that data breaches may also become less likely by reducing or eliminating targets attractive to attackers.
Drenik: What will this “deletion” look like in practice? How would consumers ensure that all their data is actually deleted? Are there any possible risks to consumer data during the deletion process?
Draper: Under the act, an individual can submit a deletion request to the California Privacy Protection Agency (CPPA), which will be distributed to data brokers. Each broker must then delete any data they hold on the individual, as well as forward that same request on to any service providers who consume the broker’s data. Additionally, the broker must check for and delete any new data captured every 45 days.
Consumers will be able to view statistics and independent audits on the deletion process on any registered broker’s website. However, it isn’t clear if consumers will be provided confirmation that the data has been deleted.
In practice, it may be difficult to know for certain if a consumer’s data has been completely deleted. In most organizations, data spreads alarmingly easily, with copies stored everywhere from data warehouses to Excel spreadsheets. When speaking with the data team at a small bank recently, I found out that they had over 850 separate databases. That’s a lot of places to check when deleting data!
This problem is amplified for brokers where data is redistributed to consuming service providers, each with multiple data storage locations, many hundreds or thousands of employees and their own data security policies. Independent audits may go some way to ensuring every copy of a user’s data is deleted but unless strong and sophisticated data governance techniques are applied, it is likely that a lot of it will get missed.
The data deletion process itself may actually increase the risk to consumer data if not managed correctly. Because brokers will be required to delete data every 45 days, they will need to maintain records of what to delete, which is itself information pertaining to the consumer. While techniques like hashing or tokenization could be used, small text variations like spelling mistakes or different representations (e.g., “Dan” vs “Daniel”) can make these approaches unreliable.
Ironically, the CPPA will become a sort of data broker itself. It will store and disseminate information about the users who have requested deletion, sensitive information supporting the legitimacy of those requests, as well as the lists of brokers with whom deletion has been sought.
Drenik: Is there a difference between data privacy and data security?
Draper: The two are connected, but privacy and security are quite different things. Privacy concerns the rights of individuals and their personal information, while security concentrates on how data, personal or otherwise, is protected. When an individual provides personal information to a corporation, custody of that information is transferred to the authorized personnel entrusted with its safekeeping.
This is largely unavoidable in a digitally connected world. The provision of at least some data is necessary for the delivery of most services: purchasing goods online requires payment and shipping information, a visit to the doctor will record sensitive medical data, and an online lender will require the details of your financial situation.
However, when an organization uses personal data in ways other than its original purpose, shares it with parties other than the intended custodian, or fails to properly enforce data security, privacy violation is often the result.
Drenik: Will this law prevent cyberattacks on companies that house significant amounts of consumer data?
Draper: It’s doubtful that the Delete Act will prevent cyberattacks on companies that house significant amounts of consumer data. For one, unless every consumer requests to have their data deleted, brokers will still have large volumes of it in their systems and will continue to be the target of attacks. According to a recent Prosper Insights & Analytics Survey, ¼ of Californians have not taken any steps to protect their data.
This is despite 63.3% of Californians saying they didn’t like advertisers using it to target them.
Many data brokers also serve important and legitimate use cases which may be weakened by data deletion. One such example is credit reporting agencies, which provide credit file information to financial institutions and lenders. This information is commonly used to detect identity theft, and without it consumers may be left vulnerable. Of course, not all brokers are so well intentioned, but a broad-brush approach to data deletion may gloss over important nuances which may not be apparent to the consumer.
While more scrutiny of broker organizations and a reduction in the volume of data stored will reduce the risk a little, it is unlikely to have a significant effect on data security. Major improvements will only come through investment in contemporary, resilient, and evidence-based security programs like those incorporating strict access control and data focused technologies like encryption-in-use.
A motivated attacker could conceivably use the deletion request system to their advantage. Suppose the attacker has obtained enough information (perhaps through an organization not registered as a broker) about an individual to attempt opening a line of credit in their name. He knows that such an attempt will trigger a credit check notification to a reporting agency and thus the victim may be able to stop the attempt. So, he uses the information he has stolen to forge a deletion request to the CPPA, requesting the deletion of all data relating to the victim held by any credit reporting agencies. Now he can execute the fraud with little risk of being caught.
Such an attack is merely a thought experiment, but it highlights some of the “sharp edges” that might result from the implementation of the Act.
Drenik: Why should consumers be concerned about the number of companies that have their data? What issues could it cause for them if they choose not to request the deletion of their data?
Draper: While the personalized product experiences made possible by the data that service providers hold on you are convenient, there are significant downsides as well, ranging from inconvenient to downright dangerous.
Advertisers use psychological manipulation so that you are more likely to buy their products or make risky financial decisions. The algorithms that power these ad platforms are fiendishly clever but rely on your information to work.
Information provided by brokers is often used when you apply for insurance or financial products which can affect fees, levels of cover or even whether you are eligible for a product at all. In severe cases, individuals with poor credit ratings may find it difficult to rent a home or obtain a mobile phone which can lead to severe financial hardship and even homelessness.
The more of your data that’s out there, the more likely you are to become a victim of a data breach. Scammers use your data to steal your identity or access your finances. Victims have even been targeted by hate groups with personal information used in extreme ways. “Swatting,” where a victim is falsely reported for a serious crime such as a bomb threat or terrorist act, can lead to legal consequences and extreme physical danger.
Drenik: Thank you, Dan, for your time and your insights into the Delete Act, data privacy, and the impact this new law will have on consumers. It will be interesting to see what kind of impact this new law has on the issue of consumer privacy regulation and data protection nationwide.