{"id":4061,"date":"2022-09-06T22:42:00","date_gmt":"2022-09-06T22:42:00","guid":{"rendered":"https:\/\/2024.thenexus.today\/index.php\/2022\/09\/06\/adppa-with-a-queer-lens\/"},"modified":"2022-09-06T22:42:00","modified_gmt":"2022-09-06T22:42:00","slug":"adppa-with-a-queer-lens","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2022\/09\/06\/adppa-with-a-queer-lens\/","title":{"rendered":"Stress-testing privacy legislation with a queer lens"},"content":{"rendered":"

Last updated: November 18. \u00a0See Updates<\/a> at the end for a change log.<\/em><\/p>\n

The best way for any federal or state legislature to assure all consumers\u2019 privacy is protected online is to stress-test their laws against the harsh and worsening realities of queer experiences. If a law can protect queer interests, it will ensure that all consumers are maximally protected. <\/p>\n

\u2013 Hiding OUT: A Case for Queer Experiences Informing Data Privacy Laws<\/a>, Antoine Prince Albert III on Public Knowledge<\/p><\/blockquote>\n

Civil rights groups and privacy advocates are very justifiably excited about the inclusion of civil rights protections in the proposed American Data Privacy and Protection Act (ADPPA). \u00a0Getting strong bipartisan support for the principle that privacy rights are civil rights is hugely important \u2013 and the fact that privacy legislation with a civil rights focus has advanced from committee (on a 53-2 vote!) is a significant milestone.<\/p>\n

But as Professor Daniel Solove says in \u00a0Further Thoughts on ADPPA, the Federal Comprehensive Privacy Bill<\/a>, \u00a0“many parts of privacy laws have pretty-sounding rhetoric but ultimately are not any deeper.” \u00a0How deep are the protections in the current version of the ADPPA?<\/p>\n

So I decided to take Antoine Prince Albert III’s excellent suggestion and stress-test ADPPA through a queer lens. \u00a0It turned out to be a very interesting exercise.<\/p>\n

Ten stress tests<\/h2>\n

Here are ten stress tests of how well ADPPA protects the interests of LGBTAIQ2S+ people.* \u00a0The first seven come from Hiding OUT<\/a>‘s “Queering Ya Privacy” section, with some minor restructuring and wording changes; the last three focus on some specific hot spots in the ADPPA debate so far. <\/p>\n

This isn’t meant to be definitive; there are a lot of other possible stress tests, and I’d love to hear what others come up with. \u00a0 But I haven’t seen much other discussion of this, and it’s an important topic, so hopefully this will spark additional discussion.<\/p>\n

Each test is phrased as questions. I\u2019ve included a emoji to reflect how I think the current version of ADPPA responds to the questions.<\/p>\n

\u2705 <\/strong>yes<\/strong>! <\/strong>ADPPA passes the test<\/em>
\u2753 <\/strong>I\u2019m not sure or it’s complex<\/em>
\u274c <\/strong>no.<\/strong> \u00a0ADPPA does not currently pass the test<\/em> \u00a0<\/p>\n

    \n
  1. \u274c <\/strong>Does ADPPA protect private media, personal correspondence, informational data, and metadata by default?<\/li>\n
  2. \u274c Does ADPPA protect sensitive data like a romantic video, an emotional voice note, or an online private message threads?<\/li>\n
  3. \u274c Does ADPPA protect information about people\u2019s communications patterns?<\/li>\n
  4. \u2705 Does ADPPA contain heightened protection of individuals\u2019 account or device log-in credentials, activities over time and across third-party websites or services?<\/li>\n
  5. \u2753 Does ADPPA contain heightened protection information about television, cable or streaming service subscriptions, preferences, and usage?<\/li>\n
  6. \u2753 Does ADPPA tightly secure health and genetic information?<\/li>\n
  7. \u2753 Does ADPPA include intentionally inclusive civil rights protections?<\/li>\n
  8. \u274c Does ADPPA tightly secure location data that could put LGBTAIQ2S+ people at risk?<\/li>\n
  9. \u274c Does ADPPA protect pregnant LGBTAIQ2S+ people in states that have criminalized abortion?<\/li>\n
  10. \u274c Does ADPPA allow pro-LGBTAIQ2S+ cities and states to protect residents by passing stronger protections?<\/li>\n<\/ol>\n

    If your first thought is “yikes, this is not good, we should do something about it,” feel free to skip ahead to Time for an Intervention<\/strong><\/em>.<\/p>\n

    Otherwise, read on for the details. \u00a0<\/p>\n

    \u274c Does ADPPA protect private media, personal correspondence, informational data, and metadata by default?<\/strong><\/h3>\n

    This is an easy and unambiguous one: no. \u00a0ADPPA only protects sensitive data by default. Data that reveals sexual orientation, gender identity or experession, or sex is not considered sensitive \u2013 so isn\u2019t protected by default. \u00a0As Albert says, \u201cSafeguarding data that facially connects people to nontraditional sexual orientations or activities is paramount.\u201d<\/p>\n

    \u274c Does ADPPA protect sensitive data like a romantic video, an emotional voice note, or an online private message threads?<\/strong><\/h3>\n

    The previous version of ADPPA would have been a yes on this. \u00a0Videos, voice notes, private message threads are all considered sensitive data in ADPPA. \u00a0So are Albert\u2019s other examples including background data and metadata like calendar events, address book contacts and contact notes, and phone logs.<\/p>\n

    Unfortunately, the latest version added a major exception: much of this information is not <\/em>considered sensitive if it\u2019s on employer-issued machines. \u00a0Work-related discussions may include very sensitive data; and many queer people blur the boundaries between work machines and personal business.<\/p>\n

    \u274c Does ADPPA protect information about people\u2019s communications patterns?<\/strong><\/h3>\n

    No. \u00a0For one thing, communications patterns employer-issued machines are not protected. \u00a0And as EFF noted in their June comments<\/a> on the discussion draft, ADPPA\u2019s definition of sensitive data should be expanded to include familial and social relationships.<\/p>\n

    \u2705 Does ADPPA contain heightened protection of individuals\u2019 account or device log-in credentials, activities over time and across third-party websites or services?<\/strong><\/h3>\n

    Yes, ADPPA treats these all as sensitive data.<\/p>\n

    \u2753Does ADPPA contain heightened protection information about television, cable or streaming service subscriptions, preferences, and usage?<\/strong><\/h3>\n

    I think so but the language just changed in the last version and I haven \u2018t seen any analyses of it yet so am not sure.<\/p>\n

    \u2753Does ADPPA tightly secure health and genetic information?<\/strong><\/h3>\n

    ADPPA considers both health and genetic information as sensitive data but there are some significant exceptions so the answer here is not straightforward.<\/p>\n

    One big potential loophole is that “de-identified” data is completely exempted from the ADPPA. \u00a0I put air quotes around \u201cde-identified\u201d because it is almost always easy to re-identify people. \u00a0Indeed, as HIPAA and the Leak of \u201cDeidentified\u201d EHR Data<\/a> in the New England Medical Journal discusses, HIPAA’s exception for “de-identified” health data has allowed “massive troves of digital health data to traverse the medical\u2013industrial complex unmonitored and unregulated.” \u00a0There\u2019s been a lot of discussion of \u201cde-identified\u201d location data under ADPPA (and we\u2019ll mention it too in the next section), but as far as I know there hasn\u2019t been any discussion of \u201cde-identified\u201d health data as a potential loophole.<\/p>\n

    Also, ADPPA\u2019s data minimization rules have exceptions allowing data to be used without consent for internal research and public interest research. \u00a0A bipartisan amendment in the latest version, described in terms of making it easier to do clinical research, changed the public interest research language. I haven\u2019t yet seen a discussion of whether it opened up some loopholes but it seems worth looking at.<\/p>\n

    \u2753 Does ADPPA include intentionally inclusive <\/em>civil rights protections?<\/strong><\/h3>\n

    At first it seems like this is a clear “no”. The list of protected classes in ADPPA’s anti-discrimination language (\u00a7207(c)) does not mention sexual orientation, gender identity, or gender expression.<\/p>\n

    But it’s more complex than that. \u00a0The Supreme Court’s 2020 Bostock ruling found that “on the basis of sex” includes discrimination on the basis of sexual orientation or gender identity, meaning that they’re implied by the current language in ADPPA as well. \u00a0Then again, just last month, a judge in Tennessee issued an injuction blocking the Department of Education from Title IX protections to transgender and gay employees\/students. \u00a0So the law is potentially unsettled. \u00a0<\/p>\n

    On the one hand, as Albert says, queer people cannot rely on \u201cinterpretive generosity.\u201d \u00a0On the other hand, I don’t know the political landscape around this issue; it could be that there’s some reason that it’s actually better to rely on the current language. \u00a0So I’m going to leave this as a \u2753 for now in hopes until it’s clear what LGBTAIQ2S+ organizations and activists think is the right answer.<\/p>\n

    \u274c Does ADPPA tightly secure location data that could put LGBTAIQ2S+ people at risk?<\/strong><\/h3>\n

    “Precise geolocation data” (\u00a72(24)) is considered sensitive data under ADPPA so it seems like the answer to this should be yes. \u00a0But there\u2019s a big caveat here: a lot of data that you and I might think of as precise location data isn’t <\/em>considered “precise geolocation data” under ADPPA.<\/p>\n

    For example, Californians for Consumer Privacy notes that<\/a> location data inferred from a surveillance camera or a photo taken in a gay bar aren\u2019t considered sensitive data \u2013 meaning it can be shared without consent.<\/p>\n

    And remember just last year when \u201cde-identified\u201d data from gay dating app data Grindr was apparently sold off and linked to a Catholic priest<\/a>, who then resigned from his job? \u00a0ADPPA completely exempts \u201cde-identified\u201d data. \u00a0Sen. Ron Wyden, who\u2019s usually right about stuff like this, has flagged this as a major loophole.<\/p>\n

    \u274c Does ADPPA protect pregnant LGBTAIQ2S+ people in states that have criminalized abortion?<\/strong><\/h3>\n

    Probably not.<\/p>\n