Privacy Insider: July 27, 2021

You see it happen all the time. A person sends a tweet or creates a post with a "hot take" on some issue, and critics descend to rip it to shreds. Sometimes, it's a warranted reaction. If I tweet something controversial, say, "Yankees suck," I can expect that an army of ballcap-wearing fans is going to take the foam finger off their hands and tear me down with statistics about the Yankee's pitching roster or wins over the Red Sox. Sometimes, more often than feels acceptable, the critiques devolve to personal insults about the user.

It can be tricky to live a "very online" life in a world where everyone is an armchair expert and feels entitled to say whatever they think in that fleeting reactive moment, broadcasting it to the world.

But particularly troubling is the trend I see every day in which users, encouraged by a sense of anonymity, hurl insults at women. Seemingly disproportionately.

In my case, I have choices. At least some. During COVID's lockdown period here in Washington, D.C., I grew increasingly depressed at watching some of my friends apparently thrive during a time when I couldn't. Clustered together in "pods" with their children and partners, their smiley-eyed pictures of homemade dinners and family board games only added to my feelings of isolation. I was sitting in a studio apartment, alone, for months. And it was mentally excruciating. So I exercised my ability to not be there anymore. I deleted Instagram from my phone and haven't been on the site in months.

But for many of us, myself included, logging off entirely isn't an option. In my role at Osano (and at my former gig), much of my job depends on online visibility. I'm responsible for distributing information to help our readership solve their privacy problems or stay on top of developments in the regulatory space. I've got to put myself out there and interact with thousands of Twitter, Facebook and LinkedIn users daily.

Because I spend so much time refreshing my social media feeds, I see much of the yucky stuff. You've seen it too, right? And not just over the innocuous posts about sports teams. Almost daily, I see someone post information about a topic in which they have significant expertise and training, and before long, someone responds with something snarky, telling them just how wrong they are.

It's one thing to have a healthy debate about the issue at hand. No one posting to social media expects 100% agreement. But what I don't think we should expect, or accept, are the utter takedowns.

The impetus for this blog post was an incident a couple of weeks back, in which a woman I've known for a decade and who has extensive expertise in privacy and data protection posted an article to Twitter on Apple's Exposure Notification. A user with 51,000 followers responded, "Lady, I don't know how, when, or why you decided to hold yourself out as someone knowledgeable about issues of personal and data privacy ... but you have demonstrated a clear lack of understanding in that realm. Please reconsider your assessment technology." It was retweeted 13 times and "liked" many more than that.

But privacy and information-security experts, both women and men, also responded with wide condemnation, first pointing out that it was an inappropriate comment to make. Second, that the woman involved has a clearly demonstrated history of expertise in the field. And third, that the use of the word "lady" aimed to be diminishing.

One user tweeted back, "The best time to delete this tweet was before sending it. Second best time is now." Many called for an apology. Many called for the responder to read her bio before accusing her of being professionally inept.

The hostility exemplified wasn't even near the most egregious incidents I see on Twitter or Facebook every single day. I'm sure you've seen the vitriolic responses to women wearing a hijab in their profile pictures or who identify as queer or gay in their bios.

It's long been known that infosec lacks diversity both in gender and race. More than that, many report the infosec community is hostile to women, and that's the reason we don't see higher numbers in the field. In fairness, there has been a push by advocates and some companies to remedy that gap, though many would argue it hasn't been a hard enough push.

I think this is worth talking about. We know even from stories about online bullying among kids how harmful it can be. And while adolescents are arguably more fragile at that stage in development, we're all susceptible to feeling embarrassed and small when someone publicly insinuates (or outright says) that you're an imposter.

If, as modern-day professionals, we need to connect online constantly, how can we operate in a space that doesn't adversely impact our mental health? What strategies can we ourselves — and as each others' keepers — employ to keep debates issue-focused and avoid or neutralize personal attacks?

We're going to talk about this and more on our next Twitter Spaces chat. It's important to me that you know that this is not a session for venting frustration or sharing examples of when it happened and to whom. We know this happens every day. Instead, this is about the way forward, and it's an open invitation for women, men and non-binary professionals. If you belong to an underrepresented group, whether based on your sexuality, identity or race, I especially hope you'll join and help me steer the conversation to a solution-focused dialogue that includes everyone. It's essential that those disproportionately impacted by unfair accusations have agency. And, as with any societal shift, it requires allies, too. 

Join us Thursday, July 29, at 1 p.m. Pacific, 4 p.m. Eastern. Important: You must join from your phone using the Twitter app (desktop doesn't work properly). But you can join as a listener or a speaker, whatever you prefer. I’d love to hear your thoughts. 

Enjoy reading, and I'll see you next week! 

Dutch data protection authority fines TikTok over privacy policy

On July 22, the Netherlands' Data Protection Authority said it had fined TikTok 750,000 euros ($885,000) for not providing a privacy policy in Dutch, the Associated Press reports. Citing the number of children who use the video-sharing app, the agency said that by not offering a Dutch-language privacy statement, "TikTok failed to provide an adequate explanation of how the app collects, processes and uses personal data." TikTok has objected to the fine. 
Read Story

CCPA enforcement isn't just about breaches; it's cookies, too

Digiday reports on the California Attorney General's recent stream of enforcement letters to advertisers, social media sites and data brokers. "It is clear that California Consumer Privacy Act enforcement is not just about data breaches," the report states. "It's about cookies and tracking technologies — including analytics trackers. And the penalties for violations could be steep." 
Read Story

Venmo makes privacy changes, but do they go far enough?

Popular mobile payment company Venmo has designed its app, Ars Technica reports, but the "announcement is worth a closer look." Owned by PayPal, the platform has shut down its public-by-default global social feed, where it published user transactions from all over the world. "It's an important step forward resolving one of the most prominent privacy issues in the world of apps, but the work isn't finished yet," the report states. 
Read Story

The ultimate guide to data discovery (take two)

Data mapping, or "data discovery," can feel like a daunting task. When you imagine the trails of data stretching for proverbial miles even at small companies, trying to figure out where it all leads can feel like an arduous task. In this "Ultimate guide to data discovery," learn where to start. It'll be the essential groundwork for when there's, inevitably, a data breach and regulators come calling or when a customer makes a data-subject access request (DSAR). Last week, I gave you a bad link to this story, apologies. Access it here instead, for real this time.
Read Story

Engineer's corner: How Osano adopted a blockchain database to solve our scalability problem

This blog aims to illustrate pain points we've run into at various stages of development. We hope to help engineers and product folks overcome similar obstacles by explaining how we overcome our own. In this first installment, Osano's head of IT discusses a common problem at any company, whether an early-stage company or a more mature stage: scalability. 
Read Story

What is HIPAA, anyway? 

As the Los Angeles Times reports, the HIPAA (the Health Insurance Portability and Accountability Act of 1996) has been in the headlines lately. U.S. Rep Marjorie Taylor Greene, R-Georgia, recently told a reporter asking if she was vaccinated against COVID that the question was a violation of her HIPAA rights. It wasn't. This primer explains what HIPAA is and what it is not. 
Read Story