DL Seminar | The Great Regulatory Dodge
Individual reflections by Kristy Chen and Yue Cao (scroll below).
By Kristy Chen
The Great Regulatory Dodge
Privacy concerns about the way big tech companies handle users' personal information are nothing new. Over the years, there has been an ongoing and mounting concern about how tech giants like Google, Facebook, and Amazon misuse and sell users' data for profit. This dark pattern of data manipulation is captured by an old expression about digital products: "If you're not paying, you become the product." Inadequate protection of personal data not only harms individual consumers but also exacerbates unfair competition and further amplifies wealth inequality.
In the Digital Life Initiative (DLI) Seminar on April 15th, Salome shared her research on how businesses 'dodge' the law and fail to protect users' private information for their own economic benefit. As a research fellow at the DLI and at NYU's Information Law Institute, Salome's research has always focused on the intersection between law and technology. She started the talk with an overview of the regulatory dodge and a thorough case study of health tech products, followed by an explanation of why these dodging behaviors matter legally and conceptually.
In essence, the regulatory dodge is a study of how digital technology firms leverage the design of both technology and privacy law to circumvent laws in spirit or letter. The circumvention raises issues about unfair competition and concerns over consumer norms.
Case Study: fertility tracking apps dodging health privacy law
Salome first presented a case study about health apps to illustrate how healthtech companies fail to comply with health privacy law. Health privacy law is part of the Health Insurance Portability and Accountability Act (HIPAA), and by definition it protects all of a patient's information, including health status and healthcare payment information. It regulates the use and disclosure of a patient's Protected Health Information (PHI) by covered entities. Salome pointed out that the covered entities in this context comprise healthcare providers, health insurers, and medical service providers. These entities are required to adopt measures to safeguard users' PHI.
However, healthtech companies are not subject to HIPAA because they are considered non-covered entities, and therefore their compliance with health privacy law is voluntary. Users of fertility tracking apps, for instance, have suffered from this vulnerability of their health information. Apps like Flo and Glow, as Salome discussed, have collected an extensive amount of health information in order to provide users with more accurate period and ovulation predictions. Even though this information is highly sensitive, it enjoys nearly no protection in the hands of the healthtech companies. Glow successfully dodged health privacy law by claiming that it would not profit from users' personal information while also stating that it may share personal data as necessary to present targeted ads: an absurdly contradictory position.
HIPAA is a great example of a scoping or definitional dodge, as it regulates the custodians of the data rather than the type of data. According to Salome, this is an outcome of the law's architecture, which operates from the assumption that sensitive information largely resides with healthcare providers and insurance companies. HIPAA thus creates a loophole that allows fertility apps to conveniently run two separate data flows: one that is HIPAA compliant for employee wellness programs, and another that is not HIPAA compliant for individual customers.
Why do companies dodge?
It is straightforward why tech companies engage in this dodging behavior: data monetization. Salome shared a statistic that 81% of health apps transmit data to third parties for advertising and marketing purposes. This data is quite intimate and includes information such as running routes and sleep patterns. Another significant factor is that privacy law is simply so minimal. Tech companies can easily obtain user consent to bypass legal trouble. For instance, under the General Data Protection Regulation (GDPR), Facebook successfully brought facial recognition back to the EU on the legal basis of proactively asking users to consent to facial data collection.
Why do dodges matter?
Dodging creates an unfair competitive advantage for companies that deliberately seek to circumvent privacy law, which in turn contributes to the unprecedented concentration of global wealth and power. Extensive data extraction is essentially the foundation of the business model of the well-known tech giants. The more powerful they become by manipulating users' data, the more social and political influence they can exert. Therefore, Salome believes that attention to dodges is necessary and helps prevent future dodges. With a clear analysis of how the current law is bypassed, we will be able to suppress the malpractice through regulatory reform.
A valuable lesson from Salome's research is that the law should focus on flows, regulating the flows of information rather than the parties who do the collecting. The law should also embody our expectations about how health information will be handled and protected.
By Yue Cao