Serge Egelman
@v0max.bsky.social
Scientist. Dir. of Usable Security & Privacy at the International Computer Science Institute (icsi.berkeley.edu). Founder, AppCensus (appcensus.io). All opinions are those of his employer(s), and not his own.

https://www.guanotronic.com/~serge/
I guess it could also be a joke about syphilitic dementia.
January 12, 2026 at 11:50 AM
Someone really needs to create Monopsony, the board game in which everyone plays a competing government contractor!
January 11, 2026 at 9:07 AM
Up until this moment, I had completely forgotten that this is a real product that exists.

Thanks.
January 8, 2026 at 10:25 AM
There’s a huge misconception about what IRBs in the US actually do: it’s not a complete ethics review! And it only applies in very narrow circumstances.
January 5, 2026 at 3:16 AM
Federal elections aren’t changeable without amending the constitution.
January 3, 2026 at 4:11 PM
Sure, again, it’s great that they did this!

It’s just not a complete solution and people need to be cognizant of that.
January 3, 2026 at 4:05 PM
I’ve been avoiding posting drafts online until it was actually published (honestly have no idea when, we submitted the final draft in October).

Send me an email, I’m happy to share it privately.
January 3, 2026 at 4:03 PM
Don’t get me wrong, it’s great that CPPA is doing this! But a more complete solution needs to involve allowing consumers to prevent nonconsensual data collection/sharing from ever starting.

The burden in all of this also shouldn’t be on consumers.

10/10
January 3, 2026 at 3:51 PM
My point here is that many of the data brokers trafficking in consumer data are not registered in California, many are fly-by-night operations, and frankly, aren’t paragons of integrity.

Asking—only the ones known about—to delete data post hoc is closing the barn door after the horse has left.

9/
January 3, 2026 at 3:51 PM
I explained to the IRB that it would therefore be highly misleading to tell people they can delete their data by using these services. This was persuasive. (They relented and allowed us to name the actual data brokers and include specific links to their individual deletion request instructions).

8/
January 3, 2026 at 3:51 PM
Many of these services list all of the data brokers to which they’ll send deletion requests. I observed that there wasn’t a single service that I could find that included all of the data brokers that we actually acquired data from.

7/
January 3, 2026 at 3:51 PM
As a compromise, IRB suggested we instead offer to pay for subscriptions to bulk deletion services. Many of these exist; they claim to send deletion requests to multiple data brokers on a subscriber’s behalf.

I entertained this idea and spent a few days evaluating half a dozen such services.

6/
January 3, 2026 at 3:51 PM
However, I felt it was important to tell people that because we wanted to include links for them to request those data brokers delete their data, if they so chose. (This is a right that’s existed under CCPA since enactment.)

I also wanted to ask people if they planned to exercise that right.

5/
January 3, 2026 at 3:51 PM
Getting IRB approval for the survey took 6 months, not because the IRB was concerned with any harm to humans, but because they were worried if we told people the names of the data brokers selling their data, the data brokers might [baselessly] sue the university.

4/
January 3, 2026 at 3:51 PM
We were able to reidentify 97% of the individuals in the dataset (showing it’s not anonymous).

None of that required IRB approval (i.e., humans weren’t the subject of the experiment).

Emailing the reidentified humans to ask about their recollections of consenting to these sales, however, did.

3/
January 3, 2026 at 3:51 PM
Colleagues and I recently completed a study (to be published in the next few months in the Yale Journal of Law and Technology) in which we evaluated data brokers’ claims: we acquired several million rows from data brokers selling data they claimed to be anonymous and collected with consent.

2/
January 3, 2026 at 3:51 PM