shift change 01-17-2024
Welcome to your shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.
1. If you are a business hoping to pass the cost of privacy harms to your insurer after collecting biometric information without the consent of the people you are collecting it from: hope is an unreliable strategy.
Illinois’s BIPA, which I’ve highlighted before, requires a company that wants to collect your biometric information (a broad, consumer-friendly standard under BIPA) to get your consent. If they don’t, and you find out, and you contact a lawyer, you can sue for damages. And the Illinois Supreme Court has said each separate violation can be fined. Money/fines add up quickly. But where does insurance come in? Well, transferring the risk of the financial impact of the harm to the insurance company may not work for you.
Once you sue, the company may decide, through whatever arcane/opaque risk management calculation it comes up with, to pay out a settlement. Some of that payout may actually come from the company, but the bulk is likely to come from an insurance policy held by the company that (now in this hypothetical) has violated a state law by collecting biometric data without your consent. But wait: if the company violated a state law, does the insurance company contractually have to pay the claim against that policy when the act that is the basis for the claim (non-consensual collection) is itself the violation?
An Illinois appeals court says no, shifting the financial burden of the bad act back to the actor, not the insurer. Illinois law does not require an insurer to cover an act that violates state law.
The federal Seventh Circuit Court of Appeals now hears a case with a similar pattern, and if that case conflicts with the Illinois appellate court, off to the Illinois Supreme Court this will have to go. State and federal courts can find themselves interpreting each other’s laws by a variety of mechanisms, but ultimately BIPA is Illinois law and only the Illinois Supreme Court can say what it means.
My suggestion: stop collecting without consent. And if consent is hard, and it increases friction and costs money, boo-hoo.
2. FTC claims victory over X-Mode, X-Mode changes name and probably little else.
Last week news broke that the FTC had reached a settlement with X-Mode, who now go by Outlogic, over Outlogic/X-Mode’s sale of the location data it collected; X-Mode/Outlogic is a for-profit data hoarder. The heft of the news was the FTC forcing X-Mode/Outlogic to delete the underlying location data.
Here’s X-Mode’s response:
Outlogic, for its part, offered a drastically different take, denying any wrongdoing and vowing that the FTC order would “not require any significant changes” to its practices or products. While the company is potentially downplaying the cost to its business, it is certainly true that any ripples from the settlement will be imperceptible to consumers and Outlogic's industry at large—one which profits by selling Americans' secrets to spy agencies, police, and the US military, helping the government to dodge the supervision of the courts and all its pesky warrant requirements.
Holding X-Mode, or whatever they want to be called so we all forget this happened, accountable for the unfair and deceptive practice, and taking away the fruit of those practices, is good. But X-Mode is confident it won’t have to change much because while it has experienced the baleful attention of a regulator, the regulator cannot regulate the breadth of the industry, and so industry practices that individually can be punished, rarely see collective change absent…well, more.
As a society we should treat data hoarders like…well, regular hoarders, and try to encourage those data hoarders to develop healthier pursuits. Not to mention the national security risk of these data hoards.
3. Utilities are the cyber frontline: read this great article from the San Diego Union-Tribune on what that experience is like for San Diego Gas & Electric.
Sandworm gets a shout-out, because this, this, this, and this.
The article cites Russia, China, and vaguely “in the Middle East” as the source of much of SDG&E’s concern, which aligns well enough with CISA’s big four nation-state actors: Russia, China, Iran, and North Korea.
4. The Markup’s next-up recommendation: stop letting TikTok see or use your contacts.
The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.