RU version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
63% Positive
Analyzed from 5769 words in the discussion.
Trending Topics
#data#flock#ccpa#delete#https#information#law#customers#privacy#camera
Discussion (248 Comments)Read Original on HackerNews
> Flock Safety’s customers own the data and make all decisions around how such data is used and shared.
which seems to directly oppose the CCPA. It's my data, not their customers'.
Again, I didn't really expect this to work. And yet, I'm still disappointed with the path by which it didn't work.
But a reasonable person would say -- the data is stored on Flock servers, not with the camera owners. And Flock would say, just because we sell data storage functionality to camera owners doesn't mean we own the data, anymore than a storage service you rent a space from owns what you put in that space.
But then an even more reasonable person would say: the infrastructure is designed in such a way as to create inadvertent sharing, and the system has vulnerabilities that compromise the data, so Flock has responsibility for setting up the system in such a way that it's basically designed to violate privacy.
And that is the main criticism of Flock. You need to have a more nuanced criticism. It would be really interesting to see this litigated.
[0] https://www.flocksafety.com/blog/flock-safety-does-my-neighb...
So they can't sell the fact that you're at Target at 8:00 p.m. on Thursday to anybody... Nor build profiles to sell to advertisers... And if that's the case that's very similar to cloud storage vendors.
If I access hacker news, and the record of my visit is stored in an AWS S3 bucket, I can't submit to AWS to delete my visitor record, even though the server, network cards, wires, and storage medium are AWS property, it was hacker news' website that generated that record and their responsibility to take my request to delete it.. AWS' stance would rightly be "talk to the website operator for CCPA requests"
The response to this should just be, "Yes, very well, please divulge a complete list of your customers, their contact information, and information about camera locations so I will be able to pursue this per instructions".
When that obviously doesn't work either then we can all agree the law as written is completely useless, and feel great about rewriting it in a way that's calculated for maximum damage to both the vendor and their customers, and collateral damage to the whole panopticon. Or, just spitballing here, we can just skip to the punchline here and do all that anyway
But they wont agree, they find the law very nice in its current form, and have more brib.. ehm, lobying money for it to stay that way.
No we don't, there's a federal law explicitly protecting gun manufacturers from liability for gun crime. https://en.wikipedia.org/wiki/Protection_of_Lawful_Commerce_...
* The right to know about the personal information a business collects about them and how it is used and shared;
* The right to delete personal information collected from them (with some exceptions);
* The right to opt-out of the sale or sharing of their personal information including via the GPC;
This isn't someone incidentally taking pictures of license plates in an otherwise noncommercial setting. It's a company literally created to collect and sell PII. Laws are different for them than for us.
[0]https://oag.ca.gov/privacy/ccpa
You're going to get a lot of cheerleading and support about this in venues like HN and Reddit, because you're narrowcasting to an audience already primed to be hyperconcerned about surveillance technology (I am too). I think you're going to find those attitudes do not in fact generalize to the public at large, and especially not to the legal system.
Best of luck either way. It'll be an interesting experience to write up, and I'm happy to read about the outcome, even if I do think it's highly predictable.
The "my Ring camera" trope is a fun strawman, though.
Now, with you likely not keeping that Ring tied to a business account, how that applies to non-businesses holding PII is a different matter.
But yes, data that can be used to track my movements in my vehicle is certainly a type of personally identifiable information. I'd argue there should be some exemptions for individuals operating on a small scale, which I believe the CCPA has (and if we actually got a US GDPR, that it should have). But also that kind of exception shouldn't apply to a camera jointly operated by and backhauling to Ring.
Personally I feel if you're going to build so turnkey a system to facilitate collection of personal data by your customers at the scale Flock seeks, then at a minimum you should build an equally turnkey method to handle requests like the one you made. It would be a service both to their customers and to consumers at large who wish to exercise their rights under legislation to opt out.
The fundamental reason we ended up in a world where companies just pay lip service to privacy and don't take it seriously is because consumers / voters put up with it. I'm heartened when I see individuals keyed into the issue.
Is there some way to contribute funds toward your legal fees?
In short, Flock is a "service provider" and not the entity doing the recording.
Perhaps you can make a case that they are a "data broker" instead (https://oag.ca.gov/privacy/ccpa#collapse1i), but that is a separate law, and what you are really looking at is a combination of license plate, time and location being collected as data being collected and sold without your consent.
Obviously, I am not a lawyer (and not even US-based), but I like when privacy is respected :)
To the extent that Flock is only storing the data on behalf of their customers, I'd understand they wouldn't be required to delete it. But to the extent that they are indexing it, deriving from it, aggregating it across customers, and sharing it via their platform, it seems they should be required to remove that data from those services.
But then again, I am not a lawyer!
As a suggestion, I saw you have RSS:
https://honeypot.net/feed.xml
I didn't see it mentioned in the main page or About or Archive. Maybe add it to a more visible place?
And that's a good point. I'll look at that when I get home.
But maybe I am unclear on how Flock works.
Like, say I have an interview in your office and you step out for coffee. I take a picture of the applicant list on your desk. That doesn't make the list of applicants "my data".
If the list is sitting there out in the open, then yes, it does make it your data.
What you own is the image copyright. But the right to copy is only one of the rights at issue.
Under various state laws (California in particular), you might not be entitled to do all the things with that picture that you could do of one that doesn't have my likeness. Privacy laws like the CCPA are one possible carve-out. A "right of publicity" is another.
There's an old saying about property law that "property is a bundle of sticks". The bundle can be subdivided.
https://www.law.cornell.edu/wex/publicity
If they are processing data after being told it was not obtained with consent do they not have any liability?
I have some background in data privacy compliance.
It sounds like they are claiming to be a Service Provider under CCPA, which is similar to a Processor under GDPR. Long story short, a Controller is the one legally responsible for ensuring the rights of the data subject, and a service provider/processor is a "dumb pipe" for a Controller that does what they're told. So IF they are actually a Service Provider, they're correct that the legal responsibility for CCPA belongs to their customers and not them.
That's a big IF, though.
Being a Processor/Service Providor means trade-offs. The data you collect isn't yours, you're not allowed to benefit from it. If Flock aggregates data from one customer and sells that aggregate to a different customer, they're no longer just a service provider. They're using data for their own purposes, and cannot claim to be "just" a service provider.
Which, hilariously, means that under GDPR, you only need to contact the web site, and they have to go talk to their 1207 partners that value your privacy to fulfill your request (I'm sure that in practice they'll say "sorry it's all 'anonymous' so we can't" or "we can't be sure that it's you even though you provided the identifier from your cookies"). I'm really disappointed that NOYB hasn't started going after web sites like that - that's quickly put a damper on the whole web surveillance economy.
https://www.courthousenews.com/california-drivers-accuse-flo...
Of course, the word "owner" is almost rage baiting on their part.
I might have to do that.
https://leginfo.legislature.ca.gov/faces/codes_displayText.x...
The enforcement provisions are rather bleak as well and afford no opportunity to directly bring a case against the agency that operates the system but instead just the individual who misuses it.
I think one of the more direct attacks would be going after jurisdictions that chronically have officers misusing the system. I think you're going to have to create precedent in this way to foment actual change.
Just because data is about you, that doesn't mean it is your data.
"Personal information is information that identifies, relates to, or could reasonably be linked with you or your household."
and, you do have the rights set forth in the ccpa (know, delete, correct, limit exposure, etc.) regarding that data.
Personally I would really like to see torts for attorneys who willfully promulgate blatantly incorrect legal interpretations - they're effectively providing incorrect legal advice. A non-attorney is likely to believe such advice coming from a member of the Bar, and the net goal is to discourage the target from seeking further legal advice.
Did YC house style change a while back to drop the "(YC xxx)" annotation since so many popular firms particpate / or because it's well known?
E.g. capitalization or one that removes any "How" from the beginning of a title. When I wanted to submit "How Pizza Tycoon simulated traffic on a 25 MHz CPU" I had to edit it after posting or it would have said "Pizza Tycoon simulated traffic on a 25 MHz CPU", which doesn't make any sense.
[0] https://ag.state.mn.us/Data-Privacy/Consumer/
Or vote for/against them, that might work too.
https://theonion.com/american-people-hire-high-powered-lobby...
https://en.wikipedia.org/wiki/United_States_v._Jones_(2012)
Are they "installing a Global Positioning (GPS) tracking device on a vehicle and using the device to monitor the vehicles movement"? No.
Flock seems to leave the data in ownership of the government. They are just providing the service of being custodians for storing and accessing that data.
You probably would get a similar response by submitting your request to Amazon web services or Google cloud or whoever has Flocks data: "sorry, we're just holding the data on behalf of Flock"
In either my example case or your stated case, you would have a very hard time convincing the host business to destroy their customers data without a court order or court case that shows their policy is invalid and they must comply.
Not a lawyer, just noting the parallel.
I do appreciate that Flock's response says that they cannot use the data they've collected for other purposes.. which further reinforces my cloud storage analogy -- the cloud vendor can't look at your data you upload to storage to e.g. build profiles on you/your business.
Would our main check on this be whistleblowers?
> In accordance with its Terms and Conditions, Flock Safety may access, use, preserve and/or disclose the LPR data to law enforcement authorities, government officials, and/or third parties, if legally required to do so or if Flock has a good faith belief that such access, use, preservation or disclosure is reasonably necessary to comply with a legal process, enforce the agreement between Flock and the customer, or detect, prevent or otherwise address security, privacy, fraud or technical issues. Additionally, Flock uses a fraction of LPR images (less than one percent), which are stripped of all metadata and identifying information, solely for the purpose of improving Flock Services through machine learning.
In this document, to which they linked in their reply, it says clearly "address ... privacy ... issues."
Does your case not constitute a privacy issue? I would say so.
Continuing down below, their claim on "Trust Us" about how they employ machine learning would need some proper transparency into how can that be guaranteed.
Wait til you see their "Transparency Portal" which, if my County and neighboring can be used as a sample size, doesn't even name at least 30% of agencies using Flock.
The best source of this information is https://deflock.org/ . FWIW, this is run by a neighbor in Boulder, CO which has been wrestling with the use of these cameras.
And Newsom killed this for some reason
If I see a flash on a speed camera operated by a business on behalf of a police department, your argument states I should be able to use CCPA to force the business to delete my picture and the record of me speeding If I can get the request to them before the police can file with the court and request that data as evidence.
The data belongs to the government, and you can't get around that right by going to business that holds the data and asking them to delete it.
Sounds reasonable to me. If the police want to put up a camera, then the police should put up a camera.
Offloading their legal responsibilities to a third party company is shitty.
We're talking about Flock. A company offering surveillance as a service. Per their website:
>Trusted by over 12,000 public safety customers including cities, towns, counties, and business partners.
If Flock's argument holds then most of the CCPA be circumvented this same way. All it takes is a few entities and clever contract language.
For example, if Flock receives a legitimate request to delete some data, then Flock must forward that request to all their Data Processors (e.g. including AWS/GCP/Cloudflare) and they must delete it as well.
As for "subprocessor" -- it might as well be the case that both sides are subprocessors for each other, nothing wrong with that.
For example: if a bank outsources part of their KYC process to a third party, that’s not something you have to concern yourself with, you only deal with the bank.
It's good to want things, and I get why people want this specific thing, but the logic that says this is a viable demand under current law seems like it would prove way too much.
Does this hold water? I'm reading the CCPA rules now but if anyone knows, it would save me some tedious research.
And what do you know? I got not reply, but the content disappeared in ~48hrs.
Republican community? They love corporate surveillance. Democrat community? They too love corporate surveillance.
There is no "Peoples' Party" that rejects this garbage.
It would be a pity if someone made dense point clouds of these devices.
That doesn't seem correct, even leaving aside the obvious moral issues with that.
Take Cheney's post-911 warrantless wiretapping program. You had Bush's own top DOJ officials threatening to resign over it in 2004, and Jim Risen with a story about it ready to publish in the NYT before the 2004 election. But not only was the White House able to stave off the resignations (IIRC through some tepid FISA oversight of the program), they got NYT editor Bill Keller to scuttle the story on vague national security grounds. (NYT reluctantly published it after the election only because Risen threatened to scoop them in his upcoming book.)
Then in 2008, Obama claimed the need to "look forward, not backward" wrt this and the Iraq War. Plus his admin renewed Bush's subpoena against Risen on another national intelligence story he'd done!
Any effort to hold Cheney or the Bush administration accountable for this would have had to battle both parties at the same time as educating the public on the issue, without the help of and backing of media institutions like the NYT.
I'd be fascinated to hear how anyone in America could seriously make the case that such an indictment could ever be achieved. Even now, decades after the fact when the base of both parties has absolutely nothing but disdain for people like Dick Cheney. But that's just one old example out of many-- current ones obviously are harder since people currently in power tend to be implicated.
By analogy, Google Docs isn't marketed for healthcare use. If you wanted, you could put a bunch of PHI in a Google doc and it wouldn't be their responsibility. They certainly didn't tell you to do that. However, if they marketed Google Docs as a great place to store PHI, yeah, then suddenly they're on the hook for complying with the relevant laws like HIPAA.
(Although in this case Google will sign a HIPAA business associate agreement with you and voluntarily agree to comply. They still don't market it that way, or at least don't predominantly do so.)
> (2) (A) “Personal information” does not include publicly available information [...]
> (B) (i) For purposes of this paragraph, “publicly available” means any of the following:
> (I) Information that is lawfully made available from federal, state, or local government records.
> (II) Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer
If you write the police and ask them to delete all their data about you, that isn't a thing that they do. It shouldn't matter if the police store their data on AWS or their own servers.
Flock is a tool used by the police so it should work the same way.
But that's not what Flock is claiming. They're claiming that they don't even have to consider the request because they don't own the data.
[0] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
[1] https://www.clarip.com/data-privacy/ccpa-erasure-exemptions/
https://i.ibb.co/WWWYznHX/flock-future.png
See also a poster from IBM’s German subsidiary, circa 1934. The approximate translation: “See everything with Hollerith punch cards.”
https://www.clevelandjewishnews.com/opinion/op-eds/new-detai...
I don't like either of those activities, but I think one of them is much worse.
But I'm with you both suck.
Would you ask your local ISP to delete data they provided to Tinder like your IP address? That doesn't make sense to me.
I'm not convinced this is the case. It might be equipment made by them, but does that necessarily mean they were ever even in possession of the data in question?
Would you ask the manufacturer of your oven what you ate for dinner last week? No, you're just using an appliance that they made.
In the case of Flock I don't think we have any evidence of whether Flock themselves ever hold or store any data produced by their devices when operated by a customer.