Source Code: Your daily look at what matters in tech.
To give you the best possible experience, this site uses cookies. If you continue browsing. you accept our use of cookies. You can review our privacy policy to find out more about the cookies we use.
yesMatt DrangeNone
April 10, 2020
As U.S. tech companies and government agencies rush to use phone location data to fight the spread of COVID-19, they're straddling a volatile line: seeking the benefits that countries across Asia and Europe have reaped by mapping residents' movements and interactions, but without forcing people to divulge intimate details of their whereabouts. This is the challenge — and business opportunity — for firms such as TripleBlind.
The Kansas City-based encryption startup is working to secure vast amounts of user location data collected by Private Kit, an app launched last month by a team of researchers at the Massachusetts Institute of Technology that could be the first large-scale project that enlists people, and their phones, to help trace the spread of coronavirus in the U.S. The effort comes as more than two dozen countries are reportedly deploying cell phone technology to track the spread of the virus.
"We can't do what Singapore and China and others are doing," TripleBlind co-founder Greg Storm said. "Here, we're going to have to make something that will respect people's privacy."
Private Kit, available on both Android and iOS, collects users' GPS data and stores up to a month's worth of it on their phone. When a user tests positive for COVID-19, they can share that data with local health officials as a replacement to the manual "contact tracing" done with paper and pen, in which people recount by memory where they've been. Officials can then use the information to try to identify others who may have come in contact with the person and zero in on geographic hot spots.
Whether the digitization of this process can succeed depends on bureaucratic hurdles as well as a collective trust in the privacy controls that companies such as TripleBlind are safeguarding.
The small company's venture into the center of a public health crisis comes as tech giants tap into their caches of users' location data one after another to analyze the effectiveness of widespread shelter-in-place policies. Facebook unveiled a series of new mapping tools Monday in collaboration with researchers from Carnegie Mellon University, based on user data across the country. Alphabet, meanwhile, is making aggregated location data culled from Google Maps available for download. In both cases, it's the lack of granular information that provides individual anonymity.
Private Kit's goal is more ambitious, and thus its privacy challenge is more fraught. In seeking to thwart the disease's spread but protect trusting users, it must compartmentalize individuals' precise location data while simultaneously avoiding keeping the information in a central place (like a company or government database). The key to the app's success isn't so much what data it collects, but how it stores it.
"We can bring two encrypted objects together and get the answer," Storm said, explaining how the company named itself. "We're blind to the data, the algorithm and the result."
This differs from the approach taken by traditional location data brokers, including those who sell phone-tracking tools to federal law enforcement, whose solution to anonymity is typically to strip out names and other identifying information. As regulators and civil liberties advocates sound alarm bells about the inherent risk of "reidentification" of anonymized location data — if you know where someone lives and where they work, after all, identifying them is simple — encryption technologies are being touted as a solution.
TripleBlind uses what's known as "secure multiparty computation," a form of encryption that enables multiple parties to bring different data points together to analyze them while at the same time not revealing too much information to any one party. As a result, there's no single repository of user data that can be tapped into — or misused. The question is whether this will allow Private Kit to produce actionable information.
In the case of tracking the spread of COVID-19, some experts warn that the GPS data that Private Kit and other contact-tracing apps rely on isn't granular enough to identify instances of possible exposure. While a GPS coordinate can pinpoint a location on a map, it's not precise enough to measure 6 feet between people. Another fundamental challenge is how to reliably measure someone's location indoors, such as in a densely populated apartment building or a hospital where the virus can spread quickly. This has prompted app developers in other countries to use Bluetooth signals instead of traditional GPS data.
More challenging still: for Private Kit to be effective, it must scale up quickly, experts said. Widespread adoption propelled similar efforts in other countries, arming officials with up-to-date information on the spread of the disease while that information still mattered.
'You don't know where you crossed paths'
One built-in feature differentiating Private Kit from other apps is its redaction one of the most concerning location data points: a person's home. Since COVID-19 contact tracing is focused on where people move outside their homes, Private Kit detects and redacts a user's suspected home location based on where they spent the night multiple days in a row. Users also have the option to manually delete individual data points, removing politically sensitive locations such as an abortion clinic or gun store, for example.
For people who haven't downloaded the Private Kit app, but do so once they are tested for COVID-19, there is also an option to import location data from their Facebook or Google Maps apps. Taken together, the information can provide health officials with a composite map of known cases.
The next step is potentially the most powerful, and the one that TripleBlind and the Private Kit team is still figuring out. Once a new coronavirus case is identified, the goal is to pinpoint other users who may have crossed paths with the infected person. The app would check users' location history against known positive cases, helping them decide if they want to get tested themselves — but without providing them enough information to deduce whom they came in contact with.
"You don't know where you crossed paths, just that you have," explained TripleBlind co-founder Riddhiman Das. "The focus of the effort is to allow an individual to determine if they've been exposed."
Threading this needle has proved tricky, Storm said. Public health officials have warned the Private Kit technologists that they cannot alert a user about a potential exposure unless they are certain that the user came close enough to a person with COVID-19 to justify getting tested. Being in the same grocery store, for example, is not enough.
"We're getting enormous pushback from the health care providers on this," Storm said, citing the back and forth with health officials as the primary reason the next stage of functionality for the Private Kit app remains a work in progress. "The architecture around that exposure function needs some good thinking."
Neither Storm nor Das have a background in encryption. What the VC-backed duo do have is experience developing apps, which they say has proven instrumental in recent weeks. They started working with Ramesh Raskar, a computer vision professor at MIT who previously worked at Google X and Facebook, at the end of last year. In late February, when the White House appointed Mike Pence as coronavirus czar, TripleBlind's team brainstormed with Raskar about how to take the same approach to contact tracing that other countries have mandated.
The first draft of the Private Kit app came together in less than a week in early March, Das said, with contributions from a growing team of software engineer volunteers that recently surpassed 600 people. With the app's intellectual property donated to MIT and the formation of a nonprofit entity to maintain it in the works, the team is focused on rolling out different versions of the app across the world, each with its own requirements.
In recent weeks there have been virtual meetings with the World Health Organization and government officials in India, Chile, Italy and Haiti, Storm said. That's in addition to U.S. pilot projects with the Mayo Clinic and hospitals in Rhode Island, Boston and Kansas City. Each presents different security concerns: Officials in India, for example, don't want users to be able to redact location information. And in Haiti, where network connectivity can be an issue, TripleBlind is scaling down the encryption process to require less computing power.
"We're calling it 'decent privacy,' where it takes 10 days to crack the location and time of a person," Das said. He referred to the version being piloted in the U.S. as the "bullet-proof" option.
'They should be publishing things out front'
It's difficult to assess just how bullet-proof TripleBlind's encryption is, however, because the company doesn't make many technical details public. TripleBlind filed a handful of patents last month, Storm said, describing the technology in general terms but declining to provide specific details. (The filings are not yet publicly available.)
This has raised eyebrows in the close-knit cryptography community. Protocol shared TripleBlind's marketing materials and general patent descriptions with six independent cybersecurity experts. They all said that while the general approach and type of encryption made practical sense, it wasn't clear if what TripleBlind offers is unique.
The same can be said for Private Kit, which published a GitHub repository on an MIT website that experts said offers few details of what information is shared by the app with third parties — and when. MIT staff working on the Private Kit app did not respond to requests for comment for this story.
"If you look at the white paper it's extremely vague. It doesn't tell you how they would accomplish anything. It just lists out the goals, which anyone could do after thinking about it for a couple hours," said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation. "If you are trying to pitch something as privacy preserving, and you aren't publishing about how it actually works, that's a red flag. They should be publishing things out front and being like, 'Hey, look at our cool technology.'"
Any success Private Kit has in the coming months could reflect well on TripleBlind's commercial business efforts, something its founders don't shy away from. The company had planned to raise a series A round of funding this year, but pushed that off to focus on gaining traction through coronavirus applications. "We are essentially doing it as a humanitarian project," Das said. "To show that you can do this while preserving privacy and helping with the pandemic. And to showcase our technical skills."
Eventually, TripleBlind wants to apply the same approach it's bringing to contact tracing to other sensitive data projects in the health care and financial services industries. "We're trying to take the friction out of interacting algorithms and data," Storm said. "Anywhere with privacy regulations — HIPAA, California's Consumer Privacy Act , and the GDPR in Europe — we're making it easier to do business."
Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.
Dan Bogdanov, a leading multiparty computation encryption expert who has worked on DARPA research projects with the U.S. Defense Department and is now at the security firm Cybernetica in Estonia, stressed that encryption is only part of the puzzle in such projects. Safeguards must be built into how the data is accessed and stored by end users, such as health care providers in the case of Private Kit.
"There's a risk anytime you have a technology but try and whitewash it with a good cause," Bogdanov said. "My desire would be that once the crisis has passed, if companies have built anything that infringes on people's privacy, they should tear down that infrastructure. But can we be certain that happens?"
Matt Drange
Matt Drange is a former senior reporter at Protocol. Matt previously covered money and power in Silicon Valley for The Information, Forbes magazine, and The Center for Investigative Reporting. He's received numerous journalism awards and in 2019 was named the best young business journalist in the country by the Society for Advancing Business Editing and Writing. Reach Matt at mdrange@protocol.com or via encrypted phone/text at 626-233-1063.
People
Making the economy work for Black entrepreneurs
Funding for Black-owned startups needs to grow. That's just the start.
"There is no quick fix to close the racial wealth and opportunity gaps, but there are many ways companies can help," said Mastercard's Michael Froman.
Photo: DigitalVision/Getty Images
February 26, 2021
Michael Froman serves as vice chairman and president, Strategic Growth for Mastercard. He and his team drive inclusive growth efforts and partner across public and private sectors to address major societal and economic issues. From 2013 to 2017, Mike served as the U.S. trade representative, President Barack Obama’s principal adviser and negotiator on international trade and investment issues. He is a distinguished fellow of the Council on Foreign Relations and a member of the board of directors of The Walt Disney Company.
February 26, 2021
Michael Froman is the vice chairman and president of Strategic Growth for Mastercard.
When Tanya Van Court's daughter shared her 9th birthday wish list — a bike and an investment account — Tanya had a moment of inspiration. She wondered whether helping more kids get excited about saving for goals and learning simple financial principles could help them build a pathway to financial security. With a goal of reaching every kid in America, she founded Goalsetter, a savings and financial literacy app for kids. Last month, Tanya brought in backers including NBA stars Kevin Durant and Chris Paul, raising $3.9 million in seed funding.
<p>
Reaching this milestone is a testament to Tanya's perseverance and resilience as she, like many other Black women founders, struggle to find institutional investors. Our financial system is simply not set up to help Black entrepreneurs launch a business. Most new businesses are initially funded from savings and home equity, but the persistent racial wealth gap in our country places Black would-be entrepreneurs at a dramatic disadvantage since many don't have those assets available. On top of that, of the approximately $625 billion in venture capital invested since 2015, only around $15 billion went to Black and Latinx founders; that's just 2.4% of funding. For Black women founders specifically, the numbers plunge to 0.27% of funding over the past <a href="https://www.projectdiane.com/" rel="noopener noreferrer" target="_blank">two years</a>.
</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>
This is not an issue that will resolve itself; we need to be deliberate about opening doors and bringing down barriers, not just to solve for one Black or minority-owned business at a time, but to rebuild a system that gives everyone a chance. Capitalism has lifted millions of people out of poverty and improved their quality of life, but it has also left many behind. As we now rebuild our national economy, we need to ensure future growth is inclusive, and that small businesses — the backbone of our economy — recover in a way that lifts up promising Black-owned startups at every point in their journey.
</p><p>
There is no quick fix to close the racial wealth and opportunity gaps, but there are many ways companies can help. Here are four insights we've learned from years of working with startups and community organizations.
</p><p>
<strong>Invest in the network.</strong> Startups like Oakland-based <a href="https://www.mycnote.com/" rel="noopener noreferrer" target="_blank">CNote</a> are working to channel capital to underserved micro and small businesses through a vast network of Black-owned banks, minority credit unions and community development financial institutions that have direct access to many local communities. However, these market innovators are hampered by complex governance requirements that Fortune 200 companies have to put in place before they will do business. We need to make it easier for new players like CNote to pass procurement hurdles and get into the pipeline so they can grow. By helping them on the back end, it opens them up to partnering with large corporates from all across the country.
</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>
<strong>Open up access to markets.</strong> For those Black-owned businesses that do secure a first round of funding, their growth trajectory often slows when it comes to entering new markets. A startup's ability to scale increases exponentially when larger companies with trusted relationships not only make introductions to its partners but also offer the startup's services as part of a proposed solution to customers. This is an approach that has helped <a href="https://mocafi.com/about/" rel="noopener noreferrer" target="_blank">MoCaFi</a>, a New York-based, Black-owned startup that offers banking services to lower- and moderate-income communities, to start working with local city leaders in new markets. This work can be mutually beneficial for corporations: The ability to deliver effective support to underserved communities increases when the right partners with the right solutions are brought to the table.
</p><p>
<strong>Digitizing access to capital.</strong> Black entrepreneurs are being denied or given smaller bank loans nearly <a href="https://www.federalreserve.gov/publications/2017-september-availability-of-credit-to-small-businesses.htm" rel="noopener noreferrer" target="_blank">twice the rate of</a> their white peers — 54% compared to 30%, respectively. Microfinance institutions and CDFIs have stepped in to fill this void, supporting applications for those previously denied loans. However, the demand exceeds the resources and tools available, and getting funds to those who need it urgently can be challenging. New digital tools can be transformative in this situation if we could accelerate access for these organizations. Many rely on slow paper-based processes, but through the digitization of both applications and distribution of loans, CDFIs like the <a href="https://crfusa.com/" rel="noopener noreferrer" target="_blank">Community Reinvestment Fund</a> and micro-finance institutions like <a href="https://www.grameenamerica.org/" rel="noopener noreferrer" target="_blank">Grameen America</a> have been able to process requests faster, more securely and for more businesses, throughout the pandemic.
</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>
<strong>Going all in. </strong>Finally, one of the most important lessons we've learned is that the programs and partnerships used to tackle these issues can't be just for a moment in time or a single intervention. For maximum impact, companies need to be all in with the full breadth of their assets — funding, product pilots, supplier practices, consulting services, data insights — as this is how to drive a catalytic impact and create a more sustainable, inclusive digital economy.
</p><p>
As more businesses, CEOs, corporate treasurers and venture capitalists join in this effort, we can collectively help bridge that wealth and opportunity gap. Startups can't scale up if they aren't given that first chance.
</p><p>
As we are reminded during this Black History Month, the problems of racial economic disparity have existed for too long, and although the challenge seems daunting, we are confident that with perseverance we can successfully build a more just and equitable economy. Our early progress matters, and we should make every effort to build on the first steps by coming together across sectors and organizations so that amazing ideas like Tanya's are embraced from the outset.
</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p>
Keep Reading
Show less
Michael Froman serves as vice chairman and president, Strategic Growth for Mastercard. He and his team drive inclusive growth efforts and partner across public and private sectors to address major societal and economic issues. From 2013 to 2017, Mike served as the U.S. trade representative, President Barack Obama’s principal adviser and negotiator on international trade and investment issues. He is a distinguished fellow of the Council on Foreign Relations and a member of the board of directors of The Walt Disney Company.
Sponsored Content
Building better relationships in the age of all-remote work
How Stripe, Xero and ModSquad work with external partners and customers in Slack channels to build stronger, lasting relationships.
Image: Original by Damian Zaleski
February 21, 2021
February 8, 2021
Every business leader knows you can learn the most about your customers and partners by meeting them face-to-face. But in the wake of Covid-19, the kinds of conversations that were taking place over coffee, meals and in company halls are now relegated to video conferences—which can be less effective for nurturing relationships—and email.
Email inboxes, with hard-to-search threads and siloed messages, not only slow down communication but are also an easy target for scammers. Earlier this year, Google reported more than 18 million daily malware and phishing emails related to Covid-19 scams in just one week and more than 240 million daily spam messages.
<p>To keep the lines of communication wide open in this new reality, organizations are adopting new cloud solutions at a rate CIOs expected to see years from now. In fact, 79% of CIOs agree that the pandemic will force their organizations to digitally transform faster than planned, according to <a href="https://slack.com/blog/transformation/people-partners-systems-slack" rel="noopener noreferrer" target="_blank">J.P. Morgan</a>. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>But executive leaders know it takes more than just adopting a communication platform or software bundle to build relationships remotely. You have to find the <em>right</em> solution that meets both your internal and external collaboration needs. That's why competitive businesses today are turning to Slack, the <a href="https://slack.com/features/channels" rel="noopener noreferrer" target="_blank">channel-based messaging platform, </a>to close communication gaps with partners and customers in the age of remote work. Companies can securely collaborate with external parties using <a href="https://slack.com/help/articles/360017938993-What-is-a-channel" rel="noopener noreferrer" target="_blank">Slack channels</a>, a single place to share files and messages, in the same <a href="https://slack.com/resources/using-slack/setting-up-a-shared-channel" rel="noopener noreferrer" target="_blank">Slack workspace</a> through <a href="http://slack.com/connect" rel="noopener noreferrer" target="_blank">Slack Connect</a>.</p><p>With Slack Connect, organizations can build stronger customer and partner relationships through real-time communication. And unlike email—which leaves users open to the risk of spam and phishing—companies and external parties receive communications only from <a href="https://slackhq.com/introducing-new-layers-of-enterprise-grade-security" rel="noopener noreferrer" target="_blank">verified members in Slack channels</a>. Plus, Slack workspace administrators can maintain control over data and monitor external access. </p><p>Here's a closer look at how teams at Stripe, Xero and ModSquad are using Slack Connect to engage customers, prospects and partners in real-time and close deals faster. </p><h4>Stripe: Expediting sales deals while building lasting relationships with customers</h4><p><a href="https://stripe.com/" rel="noopener noreferrer" target="_blank">Stripe</a> is an online payment provider with a mission to support e-commerce. The Stripe sales team works with early-stage startups all the way through global Fortune 500 companies, and uses Slack Connect to engage with customers, keep communication organized and teams in sync, and jump on sales opportunities.</p><p>Jeanne DeWitt Grosser, head of Americas revenue and growth at Stripe, says communicating with prospective customers in Slack has been instrumental in maintaining engagement and closing deals.</p><p class="pull-quote">"Historically, the gold standard of a deep relationship in sales was getting the person on text," says DeWitt Grosser. "Now the gold standard is getting them into a Slack channel."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>Usually at the beginning of a sale, DeWitt Grosser explains, reps used to double down on communication using the "law of 2x." Essentially, you start with a meeting and then follow up a week later. But this strategy no longer makes the cut: A lot could change in a week, and Slack is more in line with the tempo of the digital workplace. </p><p>"In Slack channels, the dialogue with the prospect happens in real time, as opposed to the next time you align your schedules," DeWitt Grosser says. "This kind of personal, persistent connection grows customer loyalty and retention."</p><p>Often sales reps have to communicate with a variety of departments to seal the deal. Instead of emailing them separately and creating silos, Stripe's account executives and solution architects set up a Slack channel with key customer stakeholders, like developers, the head of payments and a finance representative. </p><p>"When you need to move quickly, email is not the right format: It's more formal and responses take longer," says James Dyett, Stripe's head of global product sales and payments optimizations. "Slack has super powers. It's a much better experience." </p><h4>Xero: Working with external partners like they're on the same team</h4><p>If the pandemic has taught us one thing, it's that relationships matter. Whether it's launching a marketing campaign with a partner or hiring contractors to complete a specific project, we can't—and shouldn't—try to do everything ourselves. <br><br>When it comes to nurturing partnerships in the midst of the pandemic, <a href="https://www.xero.com/" rel="noopener noreferrer" target="_blank">Xero</a>, a cloud-based accounting software company, affirms that working in Slack Connect has been a game changer. Justine Wallendorf, New Zealand partner marketing manager at Xero, says Slack Connect helped her team launch a joint online marketing campaign with partners, <a href="https://www.figured.com/en-us/figured-xero" rel="noopener noreferrer" target="_blank">Figured</a> and <a href="http://paysauce" rel="noopener noreferrer" target="_blank">Paysauce</a>. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>The three companies were offering a complete software solution for farmers looking to manage their business digitally. By coming together in one Slack channel, #xero-partners, the sales and marketing teams across all three businesses could connect and ensure alignment on: </p><ul class="ee-ul"><li>Immediate universal access to all campaign details</li><li>Consistent messaging across sales enablement deliverables, such as one pagers and slide decks</li><li>Quick feedback and turnaround times for deliverables</li><li>Clear leadership signoffs</li></ul><p class="pull-quote">"Working in Slack Connect guaranteed that everyone was beating the same drum and speaking the same language, positioning our partnership as best as possible in the market," Wallendorf says.</p><h4>ModSquad: Winning customer loyalty with exceptional customer support</h4><p>With so much uncertainty in the world, efficient and reliable customer support is akin to a safe harbor in a storm. That's why Slack customer, <a href="https://modsquad.com/" rel="noopener noreferrer" target="_blank">ModSquad</a> has its support teams troubleshoot customer issues in real time with Slack Connect.</p><p>As a customer experience outsourcer, ModSquad knows good customer service. Each day, ModSquad's global crew of experts—the Mods—help their customers engage with their audiences online through customer support, content moderation, community management and social media. </p><p>ModSquad works with its clients in Slack Connect to set up service level agreements and incorporate support dashboards. With the <a href="https://slack.com/apps/A0108APQFQC-geckoboard" rel="noopener noreferrer" target="_blank">Geckoboard Slack integration</a>, ModSquad monitors clients' incoming calls and chats—without ever leaving Slack. Whenever the team sees an uptick in activity or service impacting issues, they can quickly alert clients and internal teams for quick resolution. The team also relies on a <a href="https://slack.com/apps/A9WFQ3M0B-zendesk" rel="noopener noreferrer" target="_blank">Zendesk Slack integration</a> to track service desk tickets, troubleshoot and resolve issues.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p>According to Steve Henry, senior vice president, client services at ModSquad, Slack channels also help build a culture of transparent communication and trust with clients.</p><p>"Establishing trust with our clients is very important, and Slack provides a crucial component for all of our efforts" Henry says. "With Slack, we can provide world-class support solutions and improvements for our clients, driving efficiencies while growing their business in the process."</p><h4>In an all-remote world, Slack Connect builds strong partnerships</h4><p>Slack Connect is available for <a href="https://slack.com/pricing/paid-vs-free" rel="noopener noreferrer" target="_blank">all paid plans</a>. If you're already a customer but new to Slack Connect, feel free to <a href="http://slack.com/contact" rel="noopener noreferrer" target="_blank">reach out</a> or learn more on <a href="https://slack.com/resources/using-slack/setting-up-a-shared-channel" rel="noopener noreferrer" target="_blank">how to get started</a>. And if you want to see how others are using Slack Connect to work with external partners, check out a few of our recent <a href="https://slack.com/blog/collections/slack-connect-shared-channels-shared-success" rel="noopener noreferrer" target="_blank">customer stories</a>. </p>
Keep Reading
Show less
People
Citizen’s plan to keep people safe (and beat COVID-19) with an app
Citizen CEO Andrew Frame talks privacy, safety, coronavirus and the future of the neighborhood watch.
Citizen added COVID-19 tracking to its app over the summer — but its bigger plans got derailed.
Photo: Citizen
February 24, 2021
David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.
February 24, 2021
Citizen is an app built on the idea that transparency is a good thing. It's the place users — more than 7 million of them, in 28 cities with many more to come soon — can find out when there's a crime, a protest or an incident of any kind nearby. (Just yesterday, it alerted me, along with 17,900 residents of Washington, D.C., that it was about to get very windy. It did indeed get windy.) Users can stream or upload video of what's going on, locals can chat about the latest incidents and everyone's a little safer at the end of the day knowing what's happening in their city.
At least, that's how CEO Andrew Frame sees it. Critics of Citizen say the app is creating hordes of voyeurs, incentivizing people to run into dangerous situations just to grab a video, and encouraging racial profiling and other problematic behaviors all under the guise of whatever "safety" means. They say the app promotes paranoia, alerting users to things that they don't actually need to know about. (That the app was originally called "Vigilante" doesn't help its case.)
<p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>Above all, Citizen raises questions: When does safety trump privacy? What are people willing to give up or risk in order to keep themselves and their loved ones safe? What does "safety" even mean in an increasingly digital world?</p><p>Frame joined the <a href="https://www.podpage.com/sourcecode/" target="_blank">Source Code podcast</a> to discuss all that and more. He talked about the app's history, what it means to promote safety above all else, how his company tried — and failed — to fight COVID-19 long before other tech companies got involved and what it means to be a good Citizen citizen.</p><div class="rm-embed embed-media"><iframe frameborder="no" height="200px" scrolling="no" seamless="" src="https://player.simplecast.com/1cb18adc-4514-4097-b9a5-3c9a5c2e5408?dark=true" width="100%"></iframe></div><p><em>The following excerpts from our conversation have been lightly edited for length and clarity.</em><br></p><p><strong>Citizen has had sort of a windy history, so maybe go all the way back to the beginning of the product and the company. What was the thing you were trying to build when you started out building it?</strong></p><p>I wanted to build something that was consumer [facing], because that's where my passion lies. And I feel like that's the only thing I'm sort of good at. It had to be mobile first, network-effect driven, with a very noble mission so that once the network effect activates, hopefully, it becomes the gift that keeps on giving. </p><p>As soon as I identified wanting to build a safety product, the question was, how do you get to market with a product that keeps people safe? There was a moment where I was sitting outside, and I was just thinking about, what is the Trojan horse to build a safety system? And it just dawned on me: I think all of us remember playing with police scanners, and listening to police. It's this incredible data stream that is filled with people in need of help. And it was just this closed system that had open access for listening. When a fire hits a building, nobody knows except the fire department. Why don't the 1,000 people inside of the building know that their building is on fire? The information is right there, transmitted right through the walls of that building. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>And so it just instantly hit me: Let's open this system, create a trusted shared safety system where police and civilians and everybody has access to the same information. There are so many great byproducts of creating this open, shared system, one of which is you get the people out of the burning building. You get the kidnapped kid back because you got the whole neighborhood engaged. You eliminate police brutality, because now you've built what I call "conditional transparency." It's not a radical transparency. It's a conditional transparency, meaning the transparency hits once a kid is missing. It doesn't mean there's overhead planes surveilling, there's no surveillance state in this. It's simply transparency when it is urgently needed. And that was kind of the genesis of this thing.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p><strong>I'm getting ahead of myself here, but you kind of already got into what over the years has been complicated in how people think about Citizen. The reason to not tell the people in the building that there's a fire is that you don't want to cause a panic, right? And the reason to not tell people in the neighborhood is that you don't want them running toward the fire, because some people will run toward a fire.</strong> </p><p><strong>All the pushback I've ever seen about Citizen has basically been about that fundamental question. Is it productive to have all of this information given to everyone all the time? At some point, do you just have to decide that, on balance, you believe it is?</strong></p><p>You know, there would be no innovation if people were just fixated on worst-case scenarios. On any product, we can think about worst-case scenarios. And of course, there are valid reasons. But it's not going to stop you from building something great. </p><p>Just take Uber, right? I was taught not to hitchhike, that'd be a very dangerous thing. And if we were all in a room thinking about what happens when you just allow people to hitchhike with their neighbors, and build it as a global platform? People would say, "Oh, my gosh, that's the worst idea of all time."</p><p><strong>A lot of people did say that about Uber!</strong> </p><p>Yeah. So you know, it's just so easy to just fixate on the worst-case scenario. This is no longer an idea. This is something that is prevalent across 28 cities, we have ZIP codes, where 60[%], 70[%], 80% of the entire ZIP code are active Citizen users. We don't have those stories. Believe me, I was also terrified of this. At the beginning, it gave me and the team a huge amount of anxiety, because we also thought about the worst-case scenario. But we also thought about the best-case scenario, which is why we built this and why we're scaling. And it far exceeds the unfounded fear of some of these worst-case scenarios.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p><strong>I feel like COVID has become kind of a bigger part of Citizen than I would have expected. Rewinding to the early days of the pandemic, was it obvious to you that Citizen needed to be part of this, needed to help be the solution here?</strong></p><p>At first, everybody in the company wanted to pitch COVID ideas. It wasn't until we realized just the architectural model of contact tracing — a very simple idea of just enabling Bluetooth and allowing everybody's Bluetooth radio to say hello to each other as you come in close physical contact — that it was like, OK, wait a sec, we already have distribution. We had 30% of New York City on the app back in March. </p><p>We just went, "Oh, my goodness, we have the safety platform, all we have to do is ask these 30% of New Yorkers to turn on Bluetooth." Suddenly, we have the largest and most dense contact-tracing system in any big city in the world, in ground zero, which was New York at the time. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p>Unfortunately, we never got the approval to launch it. </p><p><strong>What happened?</strong> </p><p>It's a complicated story. Apple and Google had their own plans. We came forward with this architecture, and we needed help. We needed allies. We needed Apple, we needed Google, we needed the government. </p><p>We created a product that integrated at-home testing and contact tracing. Because we knew those were the two tactics on how to manage this here in the U.S. Our ask was basically, a) obviously we need to get it in the App Store; b) we wanted the government to pay for all that at-home testing for the U.S. Labcorp was working on their at-home test kit. And basically, you could just ship a test kit to anybody that asks for it within 24 hours, saliva sample, they send it back, and the result is delivered in the app. So it'll say, "You're negative for COVID." </p><p>Keep in mind, this is back in March that we had this. We built prototypes and everything inside the company, we were taking tests and getting the results in the app. Now, if you are positive, it would automatically inform all of the people that your Bluetooth recently saw that "you have had a potential exposure to COVID." Those people would then be offered a free test that would show up the next day. You can imagine if we partnered with Amazon on the logistics side, where Amazon is trucking these. It's like OK, tech, come together and let's go, like, what can we do about COVID? There was zero government support. None whatsoever. We needed them to pay for the tests. It'd be great if Amazon did the logistics. But we called it the "testing-tracing flywheel." And this is, again, back in March, people had never even heard of contact tracing.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><p>We didn't get the support. We didn't get the alliances, we were on our own on this one. And the government, there was a Contact Tracing Task Force, we were selected as the app to provide contact tracing to America, before [the task force] was suddenly just disbanded and dissolved and just went away one day.</p><p><strong>My question was going to be, wouldn't this be a useful time to do things like partner with local governments, but you're saying you did, and then it fell apart?</strong></p><p>Well, there was no official partnership. But we were told that this was by far the best system for America. And there were just a bunch of meetings that didn't really go anywhere. And then suddenly, you know, they put a bunch of great technology entrepreneurs on the task force, who we knew! We knew all these people, and it was great. Sometimes government needs entrepreneurs to step up and solve problems. And in this case, it seemed like something was going to happen, but then it was just instantly disbanded with no plan. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p><p><strong>Looking back now with almost a year of hindsight, was there anything else you could have done? Should you have just pushed through and said, "We'll figure something else out, screw all the rest of you?"</strong></p><p>No, we couldn't, we didn't have approval from the app stores. Right now, innovation is no longer open. You have to go through the app stores, and they will decide if your innovation can reach the world. This is not how it was, pre-mobile. With the internet, you can build anything you want. And you have an open, uncensored, unfiltered internet. And with app stores, you don't. You must get through the process.</p><p><strong>This is actually sort of a perfect example of the kind of tension we were talking about earlier. You have an obvious societal good. No one is going to argue that curbing the spread of COVID-19 is not a good thing. We're all on the same page about that. But then, and this is what I think we spent maybe six months too long debating, you have all of the privacy implications of that. What does it mean that there's now a system that knows that not only do I have COVID, but who gave it to me and where they got it from? Were those the kinds of debates that you were having, even back in March? Was that the holdup?</strong></p><p>That actually annoyed me, because I just don't think that COVID was this mass privacy thing. All of the data was protected, nobody would know. But most likely, just through the social interaction, like people, every person that has COVID has told me. It's not like, "Oh, my gosh, this person has COVID. Nobody can know." </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="8">
</div>
</div></p><p>And we didn't expose the name. We did expose the location. There was a big fight even with the app stores, because we thought that the location was super relevant. Why? Because it protects more people. If you went to a superspreader dinner, it should say, here's the time and place you got COVID. We can say Friday night, 8 p.m., here's the location. We're not going to tell you who, but you're like, "Oh, that was the birthday party." What's the next step? Tell everybody at the birthday party that there was an exposure there, because not everybody has the contact tracer. </p><p>This was about beating COVID. I just think that there was this red herring around privacy that stopped everything. Privacy became the fundamental discussion, when it's like, OK, we won on the privacy side, but how are we doing as a nation now? Printing trillions of dollars, small businesses all going out of business. What mattered more: this privacy thing that seems to be extremely unfounded and a red herring, or beating COVID?</p><p><strong>That's the big existential question around all of this, right? And it goes back to what you were saying before about best- and worst-case scenarios. There's just always going to be a tension between privacy and safety, right? Even as we talk about things like encryption, there's always going to be that tension. And at some point, all you can do is pick a side and be clear about which side you've picked.</strong></p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="9">
</div>
</div></p><p>Yeah. I mean, you've got to use judgment. And this is really where mission comes in. What is this privacy preservation that we're even talking about? I mean, the amount of tracking going on by Big Tech is thousands of times more privacy-invading than the COVID thing we were talking about. </p><p>The fact that we just got so sucked up talking about privacy preservation being the only issue, when in the meantime, COVID is spreading rapidly and just destroying families and small businesses and American restaurants that'll never come back. I think that the focus was on the wrong area.</p>
Keep Reading
Show less
David Pierce ( @pierce) is Protocol's editor at large. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.
Transforming 2021
Blockchain, QR codes and your phone: the race to build vaccine passports
Digital verification systems could give people the freedom to work and travel. Here's how they could actually happen.
One day, you might not need to carry that physical passport around, either.
Photo: CommonPass
February 23, 2021
Mike Murphy ( @mcwm) is the director of special projects at Protocol, focusing on the industries being rapidly upended by technology and the companies disrupting incumbents. Previously, Mike was the technology editor at Quartz, where he frequently wrote on robotics, artificial intelligence, and consumer electronics.
February 23, 2021
There will come a time, hopefully in the near future, when you'll feel comfortable getting on a plane again. You might even stop at the lounge at the airport, head to the regional office when you land and maybe even see a concert that evening. This seemingly distant reality will depend upon vaccine rollouts continuing on schedule, an open-sourced digital verification system and, amazingly, the blockchain.
Several countries around the world have begun to prepare for what comes after vaccinations. Swaths of the population will be vaccinated before others, but that hasn't stopped industries decimated by the pandemic from pioneering ways to get some people back to work and play. One of the most promising efforts is the idea of a "vaccine passport," which would allow individuals to show proof that they've been vaccinated against COVID-19 in a way that could be verified by businesses to allow them to travel, work or relax in public without a great fear of spreading the virus.
<p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>But building a system that everyone agrees with — and can access — is no small task. There are several companies working on competing projects to verify vaccinations. But beyond that, there are more than a few hurdles that could prevent vaccine passports from succeeding, from antiquated medical records systems to interoperability issues and privacy concerns. Here's how they could actually succeed. </p><h3>Competing projects, similar standards</h3><p>Pretty much since the first blockchain white paper, people have been looking for perfect examples of where a distributed, immutable ledger could be valuable. There's obviously the push to use it for currencies, and companies have tried to use it for things like tracking <a href="https://www.protocol.com/ibm-blockchain-supply-produce-coffee" target="_self">food production</a> and <a href="https://www.govtech.com/products/Blockchain-Voting-Debate-Heats-Up-After-Historic-Election.html" rel="noopener noreferrer" target="_blank">voting</a>, but there are few use cases that have truly taken off, at least so far. "We've been working on this since 2014; we never thought that health care would be the kind of the use case that we take this mainstream," Jamie Smith, the senior director of business development at Evernym, a company focused on using the blockchain as a basis for verifying identities, told Protocol. </p><p>Smith said Evernym had been discussing its concepts with automakers, retailers, telcos, governments, loyalty companies and banks prior to the pandemic. One of those companies was IAG, the airline group that owns British Airways, which had been interested in the idea of contactless travel based on a single identity credential that follows you from the airport check-in to your gate. With the pandemic, that morphed into thinking about ways to verify that passengers have had negative COVID tests, and eventually, that they've received a vaccine. "From our perspective, it was a really easy lift to see," Smith said. "We're doing contactless travel, and we just added verifiable credentials for test results."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>It's a similar genesis for IBM's Digital Health Pass initiative, which leader Eric Piscini said started about two years ago as a way to store people's entire health records in a safe, accessible platform. It also relies on the blockchain for its immutable record of proof, and both Evernym and IBM are part of an open-standards group called the Good Health Pass Collaborative, which aims to bring private credentialed vaccine records to business and people around the world. Companies are working on their own implementations of the standards, but Evernym's Smith said the data is meant to be portable from one passport to another. </p><p>Most of the companies working on passports say their systems are private by design, especially given that they're mainly working off the same open standards. In most cases, the health information only ever remains on a user's phone, but where it asks to verify that the user's information meets a system's standards — such as whether this person has had two COVID vaccines and should be allowed into an office — that information is recorded on a blockchain. "You can, using blockchain technologies, verify that someone has been tested recently, without having access to the underlying data," Piscini said. "I don't know any other technology where you can do that."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Similarly, the nonprofit Commons Project's CommonPass, backed by the likes of Oracle, Microsoft and Salesforce, started out as a project to bring an analog to Apple Health for Android. JP Pollak, a senior researcher at Cornell and founder of the Commons Project, first launched CommonHealth to bring the sort of data and insights that Apple Health offers to iPhone owners to Android users. Last summer, the group started building an app that could take health data and privately share it with others — in that case, it was to help truckers stuck at the borders in <a href="https://www.newtimes.co.rw/opinions/digital-technology-re-opening-africa" rel="noopener noreferrer" target="_blank">East African countries</a> who couldn't easily prove they'd taken COVID tests. This morphed into vaccine credentialing, with the group now working to pull together the various data streams needed to get a project like this off the ground. </p><p>"Health care institutions, EMR vendors, retail pharmacies, state vaccine registries, all issuing people a digital verifiable credential of their vaccination record that they could then use in the app of their choice, to be able to get access to various kinds of services," Pollak said. CommonPass is also working with the Mayo Clinic, as well as Epic Systems and Cerner, two of the largest EMR vendors. </p><h3>Something for everyone </h3><p>With so many competing efforts to become the world's digital vaccine passport, it might seem that the country is heading for some sort of VHS versus Betamax format war for proving everyone has had COVID vaccines. But given that so many of the efforts are using the same standards, and in many cases, looking to embed their tech in someone else's app rather than their own, the race might be less about the best tech winning, and more about various approaches working in different situations. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><p>"The intent is not to be the only company; we don't want to be the proprietary platform that everybody has to use because they have no choice," IBM's Piscini said. "That's not who we are right now: That's the IBM from 30 years ago, not the IBM of today."</p><p>For IBM, though, the selling point is that the company already works with so many other massive companies. Why look elsewhere for a vaccine passport solution if your airline booking system is already powered by IBM? "We believe our network is going to be more valuable than any other because of our scale and our ability to integrate the platform with CRM systems, building systems or stadium systems — we can do that every day," Piscini said.</p><p class="shortcode-media shortcode-media-rebelmouse-image">
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNTY2NTc3NS9vcmlnaW4uanBnIiwiZXhwaXJlc19hdCI6MTYyMTM1MjYyM30._ykxxCyx3_wDbZrYgCcmK0QT2Ue1tZFdP5pf60kOmPU/img.jpg?width=980" id="c81c9" class="rm-shortcode" data-rm-shortcode-id="3967636652192acfdaad341861263bc8" data-rm-shortcode-name="rebelmouse-image">
<small class="image-media media-caption" placeholder="Add Photo Caption...">IATA's digital passport app.</small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Photo: IATA</small></p><p>For other companies, it's about securing new partnerships with major players in the hopes of finding that scale. Evernym, for example, is working with International Air Transport Association, the airline industry's trade association, on an air travel-specific app called Travel Pass. IATA is working with airlines and local governments to ensure it has the latest requirements to feed the app's rules engine. "It will say, 'Hey, you're flying JFK to Heathrow, you need a PCR test 48 hours in advance before you can land,'" Evernym's Smith said. "And of course, those policy changes are changing every day." Qatar, Emirates and Etihad Airways are all <a href="https://simpleflying.com/qatar-iata-travel-pass-launch/" rel="noopener noreferrer" target="_blank">expected</a> to start trialing the app in the next few weeks.<br></p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><p>In other instances, the technology will live inside other companies' existing apps; why make someone download yet another app and add another hurdle to compliance? Instead, the experience will be rather like adding a loyalty account or TSA PreCheck number when booking a flight. Airlines and other venues restricting access will require uploading negative test results or vaccine records using one of these services. "You're going to be using the United or the Delta app, and they'll be using our solution or somebody else's, but you will do it via their app," IATA's Travel Pass lead, Alan Murray Hayden, told Protocol.</p><p>The World Health Organization is also working on its own offering, and recently convened the <a href="https://www.who.int/groups/smart-vaccination-certificate-working-group" rel="noopener noreferrer" target="_blank">Smart Vaccination Certificate Working Group</a>. It's built upon the WHO's nearly century-old notion of the "yellow card" vaccination record, which first was used to document that travelers had been inoculated against diseases such as cholera and yellow fever. Evernym Chief Trust Officer Drummond Reed is part of the working group; he said there should be more to share in the coming months. </p><h3>What could go wrong?</h3><p>It's entirely possible that as more people start to get vaccinated, vaccine passports start to become the norm. You walk to work — still masked, of course — scan a QR code reader in the lobby, and are let in. You go out for lunch, and your loyalty card app has a discount for in-store shoppers verifying they're vaccinated. Your concert ticket is also tied to health pass information that you shared earlier in the day with Ticketmaster. But there are more than a few hurdles ahead of the companies rushing to turn these concepts into realities. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><p>First off, there's the … reality … of the real world that any digital system has to contend with. For anyone without access to the internet, digital vaccine credentials will prove difficult to acquire, though all the companies Protocol spoke with said they would offer a paper-based QR code for people who don't have smartphones. But there's also the issue of having to corral so many different stakeholders into one system, especially when some health care providers are still reliant on antiquated database systems or <a href="https://www.protocol.com/manuals/health-care-revolution/electronic-health-records-after-coronavirus" target="_self">even paper records</a>. "The amount of inefficiency in the system is tremendous," IBM's Piscini said. </p><p>But in the U.S. at least, all vaccinators are required to report COVID-19 vaccines to their state. Piscini said that even for people who just received a paper copy of their vaccine records, systems like IBM's can likely link up to the state's immunization registry and allow people to import records to a vaccine passport.</p><p class="shortcode-media shortcode-media-rebelmouse-image">
<img type="lazy-image" data-runner-src="https://assets.rebelmouse.io/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbWFnZSI6Imh0dHBzOi8vYXNzZXRzLnJibC5tcy8yNTY2NTc4My9vcmlnaW4ucG5nIiwiZXhwaXJlc19hdCI6MTYzNzg3MTM2M30.RZtqR7F_FuXK1S24V6jVaqUZ0xOSG-gCwj00xU3fxcM/img.png?width=980" id="b0bd3" class="rm-shortcode" data-rm-shortcode-id="11d8002d92c0cd6ef39b12fc7b8dccf8" data-rm-shortcode-name="rebelmouse-image">
<small class="image-media media-caption" placeholder="Add Photo Caption...">How CommonPass's app shows your records. </small><small class="image-media media-photo-credit" placeholder="Add Photo Credit...">Image: CommonPass</small></p><p>And states are willing to help out, Pollak said, adding that CommonPass has started working with Hawaii to roll out its offering for would-be tourists. "We're seeing a lot of state governments stepping up and doing a really good job with this," Pollak said. "It would be surprising if there wasn't a coordinated federal effort very soon." That being said, while <a href="https://www.cbc.ca/news/canada/north/iceland-covid-passports-canada-1.5904828" rel="noopener noreferrer" target="_blank">many countries around</a> the world are committing to working on vaccine passports, getting a straight answer out of the U.S. government on what it's doing has proven difficult. The State Department, which maintains America's traditional, analogue passports, referred me to Homeland Security, which referred me to the White House. The acting director and chief of staff of the White House's Office of Science and Technology Policy, Kei Koizumi, told Protocol that "OSTP can't discuss projects we are working on before they are publicly announced."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p><p>But even with systems in place at a federal level, there's still a fair amount of education that needs to happen before people will trust systems like these. "There's a substantial gap in understanding and knowledge of how these systems work, and people's views, in terms of who should get access to which data," Pollak said. </p><p>"We assume there's a Facebook Borg in the sky, monitoring every interaction," Smith said. "The emergence of verifiable credentials breaks down that mental model, where actually it becomes more like decentralized bits of paper that I can carry around, and no one's to know that I've been sharing this information."</p><p>"Our belief is that if you do the right thing, from a platform point of view, protecting your privacy, and giving you control and access to the platform to everybody who wants to use it," Piscini said. "I think those are very basic things that allow the core of the platform that we build to generate adoption by the individuals."</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="8">
</div>
</div></p><p>Even with a system that works, there may still be holdouts to this potential new normal. "Some people are saying, 'I will never get vaccinated,'" Piscini said, "and I don't know if the airlines are going to say, 'Well, maybe you will never fly again.'"</p>
Keep Reading
Show less
Mike Murphy ( @mcwm) is the director of special projects at Protocol, focusing on the industries being rapidly upended by technology and the companies disrupting incumbents. Previously, Mike was the technology editor at Quartz, where he frequently wrote on robotics, artificial intelligence, and consumer electronics.
Policy
Here are Big Tech’s biggest threats from states
The states are moving much quicker than Congress on privacy, taxes and content moderation.
Virginia is expected to be the second state to pass a comprehensive privacy law.
Photo: Ron Cogswell/Flickr
February 19, 2021
Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.
February 19, 2021
When critics say that Virginia's new privacy bill is "industry-approved," they're not totally wrong, said David Marsden, the state senator who has been working for months to shepherd the law through the state legislature.
It was an Amazon lobbyist who originally presented Marsden with the text of the bill, which hews closely to the failed Washington Privacy Act, versions of which have been pushed by Microsoft across the country.
<p>"Amazon gave us the first cut of a draft to look at that was based on other work," Marsden said. </p><p>An Amazon spokesperson called the text a "starting point." "It was an example of strong legislation and, like many other stakeholders, we consulted with the Senator as he refined his bill," the spokesperson said. </p><p>Marsden and Virginia delegate Cliff Hayes held meetings with other large tech companies, including Microsoft; financial institutions, including Capital One; and non-profit groups and small businesses, who all wanted desperately to have a hand in shaping the legislation. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="1">
</div>
</div></p><p>But Marsden said he didn't hear much from consumer advocacy groups. That is, until this week, when it became clear that Virginia Gov. Ralph Northam <a href="https://www.rollcall.com/2021/02/16/virginia-set-to-become-second-state-to-pass-data-privacy-law/#:~:text=Gov.%20Ralph%20Northam%20expected%20to,and%20exempts%20many%20small%20businesses&text=Virginia%20is%20set%20to%20become,to%20pass%20data%20privacy%20legislation.&text=The%20law%20would%20exempt%20health,collected%20for%20assessing%20credit%20worthiness." rel="noopener noreferrer" target="_blank">intends to sign the legislation</a> after it passes the Virginia General Assembly, and a barrage of organizations including the U.S. Public Interest Research Group and Electronic Frontier Foundation came out aggressively against the bill, calling it "<a href="https://uspirg.org/resources/usp/group-letter-opposing-weak-industry-backed-privacy-bill-virginia" rel="noopener noreferrer" target="_blank">weak</a>" in a flurry of letters and public statements. </p><p>Marsden concedes there's some truth to their concerns. "If it has a business focus to it, it's because the folks who put it together, they're the ones who showed up," he said. </p><p>Ed Mierzwinski, a senior director at the U.S. Public Interest Research Group, said he and other national consumer and privacy groups didn't find out about this bill until a few weeks ago. Mierzwinski said the groups sent a letter to Marsden and other lawmakers on Feb. 4 raising concerns with the bill. "We're disappointed that he didn't reach back to us," Mierzwinski said.</p><p>The showdown in Virginia is only the latest battle in the influence war between Big Tech and their critics playing out in states across the country. Players on all sides are seeking to push their agenda on privacy, taxes, content moderation and AI through unpredictable and malleable state legislatures, with less-resourced advocacy groups fighting to keep up with tech giants' expansive lobbying efforts. All of it is happening in the void of any federal action from Congress.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="2">
</div>
</div></p><p>"Now, when I talk to state lawmakers or state staff members and say, 'Hey, it's a really bad idea to have a state patchwork of laws,' I just hear silence from them because they're like, 'Well, Congress still hasn't done anything,'" said Billy Easley, a senior tech policy analyst with Koch-backed Americans for Prosperity, which advocates against state-level legislation on privacy and speech. </p><p>As the Virginia case highlights, it's hard to predict where the next serious legislation will emerge. But Protocol compiled a list of the tech-related state efforts to watch most closely this year. </p><h3>The Washington Privacy Act </h3><p>Washington's tech-friendly privacy legislation has <a href="https://www.govtech.com/policy/Why-Did-Washington-States-Privacy-Legislation-Collapse.html" rel="noopener noreferrer" target="_blank">failed to pass</a> for the past two years amid disagreements over whether individuals should be allowed to sue tech companies for privacy violations and whether the bill should address concerns around facial recognition technology. But its supporters are more gung-ho than ever that this could be the year that Washington finally pushes through the privacy bill, which has spawned copycats across the country.</p><p>Washington State Sen. Reuven Carlyle <a href="https://www.geekwire.com/2021/washington-state-finally-pass-data-privacy-laws-bill-backed-tech-industry/#:~:text=The%20Washington%20Privacy%20Act%20grants,personal%20data%20under%20the%20legislation." rel="noopener noreferrer" target="_blank">told Geekwire</a> last month that he believes the bill has a substantially higher chance of passing following years of negotiations with tech companies, consumer groups and discussions with the Washington attorney general's office.</p><p>"Washington is absolutely there," said Tom Foulkes, who leads state policy for BSA, also known as The Software Alliance, which has been working on the Washington legislation.</p><p>The Washington Privacy Act would give consumers the right to access, correct and delete data that companies hold on them, while opting out of particular forms of data collection and sale. It does not include the right for individuals to sue companies. Instead, it grants that authority to the attorney general. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="3">
</div>
</div></p><p>Tech companies including Microsoft and Amazon have made it clear that they would prefer Washington's model over California's complex approach, which includes the right for individuals to sue over data breaches, if they have to choose. But the companies are still pushing for federal privacy legislation. </p><h3>New York privacy legislation</h3><p>The New York legislature can be hard to predict as it's very dependent on which bills congressional leadership and the governor will get behind their proposals. But this year's legislative session <a href="https://www.jdsupra.com/legalnews/new-york-legislature-introduces-ccpa-6501577/" rel="noopener noreferrer" target="_blank">started off with a flurry</a> of privacy and <a href="https://www.technologylawdispatch.com/2021/01/privacy-data-protection/new-york-proposes-a-new-biometric-privacy-act/" rel="noopener noreferrer" target="_blank">biometrics-related legislation</a> from the House and Senate, and Gov. Andrew Cuomo is proposing a comprehensive law to provide New Yorkers with "<a href="https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-safeguard-data-security-rights-part-2021-state-state" rel="noopener noreferrer" target="_blank">transparency and control</a>" over their personal data.</p><p>"New Yorkers appreciate the value and convenience that technology has afforded their lives, but progress does not need to come at the expense of basic privacy," Cuomo <a href="https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-safeguard-data-security-rights-part-2021-state-state" rel="noopener noreferrer" target="_blank">said in a statement</a>. "New York will act to pass a strong privacy law that safeguards New [Yorkers'] personal information and continues to encourage innovation."</p><p>The <a href="https://www.law.com/newyorklawjournal/2020/09/02/inside-the-proposed-new-york-privacy-act/" rel="noopener noreferrer" target="_blank">New York Privacy Act</a>, which was set aside last year as the legislature focused on COVID-19, appears poised to make a comeback. It would create extensive new requirements for businesses to obtain consumers' consent before processing their data. It also includes a private right of action, which tech companies lobby aggressively against.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="4">
</div>
</div></p><h3>New York antitrust legislation </h3><p>New York State Sen. Mike Gianaris believes that New York could become the first state to update its antitrust laws to rein in Big Tech this year. Gianaris made a name for himself through strident opposition of Amazon's plans to build a second headquarters in New York — plans the ecommerce juggernaut eventually scrapped.</p><p>After his battle with Amazon, he said he began researching ways to keep the tech giant's "incredibly powerful and unaccountable position from hurting people and other businesses." </p><p>"I had very up-close and personal experience with them," Gianaris said. </p><p>Gianaris' <a href="https://www.nysenate.gov/newsroom/press-releases/michael-gianaris/wake-landmark-federal-hearings-senate-deputy-leader" rel="noopener noreferrer" target="_blank">21st Century Antitrust Act</a>, which was introduced last summer on the heels of the House Judiciary Committee's congressional hearing with the tech CEOs, would allow the state to sue companies for "abusing" their dominance.</p><p>Right now, New York state law requires two parties to conspire to manipulate the market. But many of the monopoly concerns around Big Tech revolve around the companies' efforts to buy up rivals and muscle into new markets.</p><p>Adopting an abuse of dominance standard, he said, "opens the door to a lot more enforcement ability, particularly against Big Tech, which transcends so many different markets." </p><p>Gianaris said his office consulted with Attorney General Letitia James, who has publicly supported the bill, as well as anti-monopoly groups like the American Economic Liberties Project and Zephyr Teachout, a key antitrust advocate. </p><p>He said the tech companies initially ignored his legislation when it came out last year, but as it's become clear that the legislature might have interest in moving it forward, he's heard more pushback from the major tech trade groups. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="5">
</div>
</div></p><h3>Online ad taxes </h3><p>Maryland last week sent shockwaves through the industry when it approved the country's first tax on Big Tech's ad revenue. The law's supporters have claimed that it's an effort to get the tech companies to pay their fair share in taxes, while the companies have <a href="https://internetassociation.org/news/statement-on-gov-hogans-veto-of-the-digital-sales-tax-bill/" rel="noopener noreferrer" target="_blank">threatened</a> that they will ultimately pass the new costs onto Maryland's businesses and individuals buying digital ads. </p><p>"The intentionally equivocal claim that internet companies need to 'pay their fair share' is useful only to politicians pushing a political agenda, not to the development of sound public policy," said Robert Callahan, who heads state government affairs for Internet Association. "It is also detached from reality. The internet industry is providing enormous economic benefits to states like Maryland, whether or not companies are actually headquartered there."</p><p>A group of tech industry trade associations and the U.S. Chamber of Commerce <a href="https://internetassociation.org/news/statement-on-md-digital-ad-tax-litigation/" rel="noopener noreferrer" target="_blank">sued</a> Maryland on Thursday, claiming that the new tax is unconstitutional and violates federal law. </p><p>Other states will watch the litigation in Maryland closely as they weigh whether to move forward with their own digital ad taxes. Lawmakers in Indiana and Connecticut have proposed similar taxes.</p><p>Gianaris, who is also supportive of a New York bill that would impose similar taxes on digital ads, said New York could renew its push if Maryland succeeds. "If their effort gets upheld, we'll move quickly to do the same here in New York," he said. </p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="6">
</div>
</div></p><h3>Florida's privacy and speech bills </h3><p>Florida Gov. Ron DeSantis at a <a href="https://www.tampabay.com/news/florida-politics/2021/01/14/desantis-top-legislative-priority-stopping-censorship-of-conservatives-online/" rel="noopener noreferrer" target="_blank">press conference this month</a> said that taking on Silicon Valley will be "the most important legislative issue that we're going to have to get right this year and next year." He's <a href="https://www.clickorlando.com/news/local/2021/02/15/gov-desantis-offers-new-details-in-plan-to-take-on-big-tech/#//" rel="noopener noreferrer" target="_blank">since laid out</a> a series of proposals, including privacy legislation and a proposal to ban companies from "deplatforming" political candidates. </p><p>While other lawmakers have promoted privacy bills as an effort to protect consumer privacy, DeSantis has explicitly tied his state's privacy legislation to the populist battle against companies including Facebook and Google. "Big Tech platforms have created a surveillance economy, which enriches those platforms by free-riding on consumer data," DeSantis <a href="https://news.bloomberglaw.com/tech-and-telecom-law/florida-governor-backs-data-privacy-bill-akin-to-california-laws" rel="noopener noreferrer" target="_blank">said at another press conference</a> this week. "Worse, Big Tech platforms have made privacy an illusion. The truth is Floridians' most intimate information is collected, analyzed and sold to the highest bidder."</p><p>He has also <a href="https://reason.com/2021/02/04/florida-gov-ron-desantis-wants-100000-fines-for-social-media-companies-that-deplatform-politicians/" rel="noopener noreferrer" target="_blank">proposed legislation</a> to fine social media companies for deplatforming politicians, a clear rebuke over Twitter, Facebook and YouTube's decisions to bar President Trump from their platforms. </p><p>Lawmakers in red states have increasingly proposed legislation aimed at social media's "censorship" of right-wing voices, and that effort has only intensified in the wake of the companies' decision to kick off Trump, Easley said. </p><p>"I think it's least 50 to 50 or 60 to 40 that some of these bills pass," Easley said, pointing to Florida's effort as a prime example. But he predicted that those efforts will get tied up in court as companies argue over the First Amendment and the role of Section 230.</p><p><div class="ad-tag"><div class="ad-place-holder" data-pos="7">
</div>
</div></p>
Keep Reading
Show less
Emily Birnbaum ( @birnbaum_e) is a tech policy reporter with Protocol. Her coverage focuses on the U.S. government's attempts to regulate one of the most powerful industries in the world, with a focus on antitrust, privacy and politics. Previously, she worked as a tech policy reporter with The Hill after spending several months as a breaking news reporter. She is a Bethesda, Maryland native and proud Kenyon College alumna.
Latest Stories
See more
Most Popular
Bulletins
February 26, 2021 16:23 EST
February 26, 2021 13:45 EST
February 25, 2021 17:33 EST
Get Source Code in your inbox
David Pierce's daily analysis of the tech news that matters.