Serious Privacy

Big tech in a small world (with Tom Kemp)

Paul Breitbarth connects with Tom Kemp on Big Tech, cookies, CPRA, and more. Season 4 Episode 27


In this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal connect with Tom Kemp, a Silicon Valley-based author, entrepreneur, investor, and policy advisor. He founded a cybersecurity cloud provider and was one of the drivers behind the campaign to adopt the CPRA in California. And now he has written a book, Containing Big Tech, that is out later this summer.

Whether we look at the whole range of new legal requirements, from the European Digital Services and Market Acts, to the US state privacy laws, to regulatory enforcement decisions and discussions about breaking up some of the very large online platforms, big tech is under fire.

And our guest today has a view on these issues and is not shy to share it. We discuss the overcollection and weaponization of our most sensitive data, problematic ways Big Tech uses AI to process and act upon our data, and also the stifling of competition and entrepreneurship due to Big Tech's dominant market positions. He also discusses some practical matters such as how to block trackers on your personal devices along with a history of the CPRA.


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy, and on Blue Sky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/


Please note that this transcript is mostly automated and for accuracy, you should listen to the audio.

[00:00:00] Paul Breitbarth: This is not a quiet year in privacy when you are a big tech company. Whether we look at the whole range of new legal requirements, from the European Digital Services and Market Acts, to the US state privacy laws, to regulatory enforcement decisions and discussions about breaking up some of the very large online platforms, big tech is under fire.

And our guest today has a view on these issues and is not shy to share it. Tom Kemp is a Silicon Valley based author, entrepreneur, investor, and policy advisor. He founded a cybersecurity cloud provider and was one of the drivers behind the campaign to adopt the CPRA in California. And now he has written a book, Containing Big Tech, that is out later this summer.

In it, he talks about the overcollection and weaponization of our most sensitive data, problematic ways Big Tech uses AI to process and act upon our data, and also the stifling of competition and entrepreneurship due to Big Tech's dominant market positions. All of that and more in today's episode of Serious Privacy.

My name is Paul Breitbarth. So I'm very welcome to, to the show. K is not with us today. She had work obligations, so she leaves the interview to me. But I'm very happy that you could join us today.

[00:01:22] Tom Kemp: Thank you for having me on.

[00:01:24] Paul Breitbarth: K would always want me to ask the unexpected question, even if she is not here. Completely random, what's your favorite newspaper?

[00:01:32] Tom Kemp: The New York Times.

[00:01:33] Paul Breitbarth: The New York Times. Very nice, and then probably the weekend editions, right?

[00:01:36] Tom Kemp: You know, I like doing the, the games, and, I don't think they, some of the games are not available on the weekend, like the crossword mini and all that stuff. So, I've, I've definitely become like a Wordle fan.

[00:01:50] Paul Breitbarth: And you're reading online or in paper?

[00:01:53] Tom Kemp: I do it all online.

[00:01:55] Paul Breitbarth: I'm, I'm very much a fan of the Manchester Guardian.

And if I can get my hands on a paper copy if I'm in the UK or one of those countries, then also the paper copy, especially in the weekend, is very nice. Just sit down with a cup of coffee or a pint and then a very big long newspaper to, to savor.

[00:02:14] Tom Kemp: Sounds like fun.

[00:02:16] Paul Breitbarth: It is. But we're not here to talk about the news, although some of the news actually impacts also what you are talking and, and, and writing about your new book out at the end of August, Containing Big Tech. Why did you write it?

[00:02:31] Tom Kemp: Well, I wanted to create a simple and comprehensive look at the issues concerning big tech that I could give my uncle or, or, or an average politician, and that they could really just get their arms around some of the issues associated with big tech without actually having to hand them like 500 articles and say, go at it.

And I also believe that there's, you know, some actual simple solutions to many of the issues associated with some of the big tech companies, which I provide in the book. So I wanted to also just not say, oh, here are all the problems that we have with society, our democracy, our economy with, with having such concentration of power with, with five large tech companies.

I actually wanted to say, look, there's, there's ways that we can address the majority of the issues. And then finally, there's been so much stuff that's been happening over the last year or so, the whole generative AI revolution, we've got TikTok, we have new laws coming online, especially in the US.

And there's a lot of activity happening in Europe with DSA, DMA, the AI Act is going to be coming online and probably in a year or so. And these things have not been covered in past books, so I wanted to write a fresh and up to date look at Big Tech as well.

[00:03:59] Paul Breitbarth: I mean, in, in the introduction, I mentioned a few of the topics that, that you are discussion, that, that you are discussing in the book over collecting and weaponizing, sensitive data, dominant market positions. Indeed, the intransparency about the training of AI, of generative AI, and scraping the internet, basically.

Those are a lot of big issues to discuss in a single book. I think each of them could be a book in themselves. How do you go about?

[00:04:28] Tom Kemp: Yeah, you know, I didn't want to inundate people with, you know, the minutiae of this. I wanted to tell a story in which the dots are connected. And you're absolutely right. I mean, we're in a situation in which we have five large tech monopolies that are some of the most powerful corporations the world has ever seen.

They have amazing reach. For example, Google has 4 billion users. That's half the earth's population, but they're mainly unregulated and in my opinion are now causing serious threats to our society and our democracy. And so what I wanted to do was identify the problems with big tech, connect the dots and provide straightforward solutions. And the problems include the data over collection that is now increasingly being weaponized against us. And the reality is that past monopolies like Standard Oil were powerful, but they did not know everything about us. And then this data is increasingly being fed into AI systems that process the data, make the products basically more addictive.

I mean, that's one of the main reasons, especially if you look at a company like TikTok, it's about keeping people on the platform. Obviously, you know, Meta is trying to do the same thing. And then finally, the final dot that's connected is that their monopoly position actually exasperates the prior two issues of the over collection of data and the use of AI for exploitive reasons.

So you just can't really ignore the fact that there's some anti competitive there, undertones, there's monopoly positions. And so you really also have to take a look at the antitrust issues, which obviously Europe is doing, but also the U.S. is increasingly taking a look at as well.

[00:06:17] Paul Breitbarth: Do you think, for example, when it comes to antitrust, that Europe and the U.S. are doing enough, or have we been asleep for too long?

[00:06:26] Tom Kemp: I think historically we've been, both sides of the pond have been asleep. And if you look at the tech companies, they've made collectively over 600 acquisitions. And for the most part, none of them have been challenged. And you know, if you step back, if you look at least in the U.S., the last major antitrust challenge that occurred was with the DOJ and Microsoft, banning Microsoft from requiring that Internet Explorer be the only browser and no third parties, OEMs, hardware providers could offer or put forth as a default another browser. And when that pressure was put on Microsoft, it actually opened up things for companies such as Google to come out with their services, et cetera. So if we were in a world in which we could only use Internet Explorer, it probably wouldn't be as a healthy environment. And if you, in fact, even go back further, in the US when AT&T was broken up, it actually caused a telecommunications revolution to occur.

And so people, you know, are, you know, potentially worried about cooking the golden goose, so to speak, but we actually have a track record in which when we put more guardrails, we break up the concentration of power, in that it's really, we have five companies that dominate 10 core digital markets in our economy, with incredible concentration of power, but in the past when, when we've actually broken up that power, it's caused significant amount of innovation, job creation, et cetera.

So it actually can be a very good thing. And as I said before, that the fact that we have such concentration of power exasperates the situation with privacy and some of the concerns with AI, because we basically have companies that are really too big to care, right? That they're not getting any competitive threats to make their products more secure, or add more privacy or other consumer protection related capabilities.

[00:08:39] Paul Breitbarth: So I think I hear between the lines that you say we should start breaking some of these companies up.

If we, if we were to do that, what would happen in your view with the data? Would each of the parts of the company get all of the data? Would they get none of the data? Would it all be destroyed? Should they start from scratch?

[00:09:00] Tom Kemp: Well, let's take a look at a real world example. It's Microsoft's ad tech business. And 17 U.S. states are suing Microsoft from an antitrust perspective. The, the U.S. federal government is suing, and just within the last month or two, the European Union is suing Google, and specifically recommending that Google's ad tech business be broken up, because the fundamental issue and the problem is that they're providing all aspects of the marketplace.

They're, they're providing the, the capabilities for the advertisers and the publishers, et cetera. So using a sports analogy, I'm going to use an American baseball analogy: they're the pitcher, the hitter, and the umpire. And there've been a lot of examples recently of ad fraud, in which that there's been overcharging of the advertisers.

And clearly the publishers are not getting a better cut as well because that's money being siphoned off to Google. So it's pretty universally agreed upon by regulators that owning all aspects of a marketplace is not healthy. And you can also apply that to Amazon from an e-commerce perspective.

They own the marketplace and what they do is they sit back and they see what products are, are popular and lo and behold, and critics will say that they come out with knockoffs, these Amazon Basics. And so they get the advantage of, of seeing the fruits of the labor of companies that are, are coming out with products and they can pick and choose what's, what's best, the best, and then basically do copies. And they don't have to pay the same fees to Amazon because it is Amazon and it's their own products, etc. And the last example is if you look at the mobile platforms, their app stores, that they charge mobile app providers 30% if a sale occurs.

They don't have to pay that. So if they come out with an app that does an ebook or an audio book, et cetera, they don't have to pay that 30% tax being Apple or Google, while someone like Spotify does as well. So, not even thinking or talking about the data, et cetera, it's just that it's an unfair situation in which they own the marketplaces, but they also participate in the market and they don't have to pay the 30% fees.

They don't have to pay the transaction taxes, et cetera. They're able to self preference their own applications, put them at the top of the searches that are done in Amazon or, or the app stores, et cetera. And that's just not fundamentally fair.

[00:11:54] Paul Breitbarth: Hmm. And then when it comes to, for example, the, the App Store, the counter argument is that, yeah, but we also take care of the infrastructure and we take care of the, the, the security and we make sure that the platform stays intact and that it's usable and user friendly and that you should pay for that.

And of course, if we develop something ourselves, then that is already taken care of. Is that not also in part a fair argument?

[00:12:20] Tom Kemp: Well, first of all, if you actually look at the facts, that in the case of Apple, to maintain and look at apps that are being submitted, it cost Apple a couple hundred million dollars a year, but the revenue that they generate from it is at least twenty, thirty, forty billion dollars. So when they're, they're only spending a couple hundred million dollars for something that's generating thirty, forty, so that's the first thing, is it's not like they're losing money doing this to ensure it.

They're, they're making gobs of money. So that's the, the, the, the first reaction right there. The second reaction is, excuse me, that they are able to look at the data of what's being sold and then be able to basically get free market research, and they are then able to come out with knockoff products.

They don't actually have to pay the same in the tax that a third party has to do. Furthermore, they limit the ability for mobile app providers to contact the customers directly. And so there's no way that, there's the same thing with Amazon as well. So they desegregate, so they also control the customer communication as well.

[00:13:43] Paul Breitbarth: So in your, in your book, which is not out yet, I haven't read it, of course, but I will, but according to what I've seen about the book, every chapter also ends with what you call a roadmap for change.

And I'm not going to ask you to, to give away everything that's in the book, but can you maybe, maybe share one of your proposals to improve the whole situation with big tech for us?

[00:14:06] Tom Kemp: Yeah, I mean, so first of all, I do provide recommendations for consumers, what they can do. And the consumer recommendations really have to do with limiting third party tracking, turning on ATT, which is the App Tracking Transparency in iOS, blocking third party cookies on their, their PC, like by installing a Privacy Badger, and then on Android using the, like DuckDuckGo for the similar capabilities that you get on iOS with ATT in terms of blocking the third party trackers.

And so the, the suggestions I have for consumers are really about limiting the amount of data that's being, that they exhaust, shrinking the data footprint. From a policy perspective, obviously Europe has the gold standard with GDPR. We, we have the California Privacy Rights Act, which amended the California Consumer Privacy Act here in California.

We're now up to 10 states, soon to be 12 states. So I actually give specific recommendations of what should be in a federal privacy bill. But I think really the big suggestion that I have is that from a policy perspective, we really need opt-out signals, the ability to have the equivalent or, or actually have Global Privacy Control, because the fundamental issue, and I saw this in Europe as well, and we have this in the U.S., is that we have cookie fatigue, that every time we visit a website, we have to say, do you accept the cookies, et cetera, or if not, then you're given this dark pattern of having to kind of configure each and every type of cookie, et cetera, and the average consumer, this is just too hard for them. And so we really need to have global support for the Global Privacy Control, this opt-out signal.

So instead of us having to go to every website and say, yes, you know, reject cookies or accept cookies, et cetera, we should be able to set the signal at our browser and our mobile device. And that would really help with what I call first party data, with, with entities that we have a direct relationship, that we could say, please do not sell or share my data.

Okay, but there's still a fundamental issue that there are entities that are called data brokers that we don't have a direct relationship with. And so my other suggestion, just to make privacy much more simple for consumers, that we should put forth in terms of regulations and rules is that we need the ability to be able to do a global delete from data brokers, to just to go to one place, say, here's my name, my email address, my mailing address.

Go boom and it deletes all the data that's been collected from you permanently from data brokers. And so you really need to have the ability to make it much more simple for consumers to get the benefits of privacy. Otherwise, it's a whack-a-mole with all the cookies and having cookie fatigue. Or you have these third parties that people are completely oblivious to that are collecting mass amounts of information.

And so, part of my guidance is, is that policymakers, you can come up with all these fancy privacy laws, but if it's not easy for consumers to be able to exercise their privacy rights, then the same problems occur.

[00:17:42] Paul Breitbarth: So who should be in the lead when it comes to enforcement on these issues? Should that be the US, given that these are American companies?

Should it be the European Union given the legislative standards, could it be any government authority from anywhere around the world? What's your perspective there?

[00:18:01] Tom Kemp: Well, I, I certainly like and appreciate what's happening in Europe. I mean, we have the Brussels effect. And the, the reality is, is that, you know, privacy was in the United Nations declaration of human rights. And Europe coming out of World War II adopted it. And so privacy is quote unquote built into your constitution.

The, the word privacy is not in the U.S. Constitution, but is, it was added to California's Constitution, 70s. And California has led the way in consumer protection. It's called the California effect. First started with auto emissions and now it extends into privacy. So the good news is, is that, first Europe because of the sensitivities about protecting the individual and their privacy.

I'm a native from World War Two, and it's seen fruition with the GDPR, DSA, DMA, AI Act. In California, we've seen it with CCPA and CPRA and the Age Appropriate Design Code, etc. And so I like how... both Europe and California act as kind of the laboratories for experimentation. But yes, eventually it does have to happen at the U.S. federal level. It's a shame and it's embarrassing that the United States does not have a federal privacy law. But so at the end of the day, we do have to have the guardrails being put up, and it's frankly, the last major pieces of privacy related legislation were more, you know, industry or, or specific, which was HIPAA and Gramm-Leach-Bliley.

But those only deal with specific sectors of the economy, financial services, and health care. It, it's not a horizontal, you know, piece of legislation, and, and we do need that as well. So, I do think that, that, that we should have experimentation occurring, that, that in the end, it, it eventually gets adopted at the U.S. level, but unfortunately we haven't had that happen.

[00:20:18] Paul Breitbarth: Yeah, I think I agree with you that in the end the U.S. should be in the lead, also because I would want to avoid that Europe once again gets blamed for being protective of our own internal market, at the detriment of U.S. companies. That's what we've heard, of course, also following the data transfer decisions when it comes to Schrems I, the annulment first of Safe Harbor, then of the Privacy Shield. We now have the Data Privacy Framework in force.

But also there, there is the continuous discussion: the European Union wants to impose their standards on the world, doesn't care for a free market economy. They want to make sure that their companies can, can do business as well in other jurisdictions, because look at our standards. But I think the discussion is much more fundamental than that.

And I think I hear something similar, coming from you.

[00:21:08] Tom Kemp: Yeah, no, I mean, it's interesting that just very recently, I mean, this literally days ago, you know, we had the framework announcement that really kind of represents version three of the Privacy Shield. And immediately, you know, Schrems said, hey, we're going to take this to the European Court of Justice, and he'll probably win again as well.

And so we're going to go back into this whack-a-mole situation. And so there does need eventually, we need to figure this out, right? In terms of data sovereignty, the, the, the ability to transfer data, et cetera.

[00:21:55] Paul Breitbarth: Yeah. So you mentioned already a few times the California Privacy Rights Act that came as a supplement to the California Consumer Privacy Act that only entered into force a couple of years ago.

And you have been one of the big proponents of Proposal 24 when it came on the, on the ballot for the referendum in California some years ago to have it introduced. What was your driver behind that?

[00:22:19] Tom Kemp: Yeah. So California did have the California Consumer Privacy Act or CCPA. And it was really interesting that the, the person behind that is a gentleman by the name of Alistair McTaggart, and Alistair has become a good friend of mine, and I worked with him on the Proposition 24 to enhance the CCPA, and what he saw was that once that had passed, that industry was immediately trying to water it down.

So he decided he would want to upgrade the CCPA with the CPRA, and he knew he couldn't get it through the legislature, so he did a ballot measure, which became Prop 24 in the 2020 campaign. And so I joined Alistair as a full time volunteer on the campaign and worked on it for six months or so. And the thinking behind the CPRA was the following.

First of all, make it a floor versus a ceiling, meaning that privacy law cannot be watered down. Right. And he wanted to address the concerns that the tech industry was trying to chip away at the CCPA. And so anything that now passes has to be kind of a super set or add to the privacy. It can't detract from privacy in California.

The second thing is, is that he wanted to have teeth in terms of enforcement. So that's why we now have the California Privacy Protection Agency, which is the first in the U.S. It actually, once it's fully ramped up, will have more staff working on privacy than the FTC will have in total as well. And so that's equivalent to Europeans, supervising authorities like the Irish DPC, for example. And finally, he wanted to make California privacy law more on par with GDPR, so we added some additional privacy rights like the right to correction, et cetera.

And the beautiful thing is, is given the California effect, that was the first state privacy law, and last year we had five states, including California, with the privacy law. We're now up to 10. Texas became the 10th one, Texas of all places. And then Oregon will be 11th and Delaware will be 12th. Oregon and Delaware, I don't think they've yet, the governors of those states have yet to sign it. So I think the good news is, is that this will put more pressure because businesses and consumers will not want a patchwork, or, and given the fact that the 12 states will represent about 25% of the U.S. population, that three quarters of the population will say, hey, what about me?

But there are some big sticking points. The biggest sticking point is preemption, and California does not want that. California wants any federal privacy law to again act as a floor versus a ceiling. Because there's a concern that if a federal privacy law comes out, then given how slow the U.S. federal government is to pass laws, it may take 30 or 40 years, and the technology space is so innovative that you really need the states at the state level for them to kind of really drive innovation from a regulatory perspective.

[00:25:44] Paul Breitbarth: So, wasn't it very fast to already change CCPA also in terms of its protections?

I mean, I understand adding the supervisory authority, maybe adding some of GDPR's provisions to what was already adopted, but it was a very quick change after the initial CCPA went into effect. Wouldn't it have made more sense to wait a few years to see how it actually works in practice?

[00:26:10] Tom Kemp: Well, the thought process behind the person behind Prop 24, Alistair McTaggart, was that immediately, the minute that the governor signed in 2018 the CCPA, and it was going to go in enforcement in 2020, that industry was really trying to water it down. And so in the 2019 cycle, all these, it was being cut back.

It was being beaten down. And, and so he was really concerned about that. And the nice thing about in California, we have this direct democracy. We have this proposition system. And we put it to the voters and 56% of the voters, and it was a record turnout, by the way, in 2020, over 9.3 million people voted yes for it.

Right. And take into account that 9.3 million people that voted yes for Proposition 24 voted, you know, yes for more privacy, that represents, that that's greater than the population of 10 to 12 U.S. states combined, right? So it turns out that if you actually put forth privacy measures on the ballot, that consumers and citizens want more privacy, right?

And if it goes through the legislature, then the special interests can actually, you know, water things down as well. So it was done based on kind of concern that the CCPA was being neutered, and that it really, he wanted to kind of set the floor versus put a, ever shrinking ceiling, which was industry was, was doing.

And the good news is, is that we have something in California that, unless it gets preempted by a federal law, really represents the gold standard in the U.S., much like GDPR represents the gold standard, and we, unlike in Europe, where the, the supervisory authorities are in each country, and, you know, there, there have been concerns about the Irish DPC, you know, maybe being a little bit more lenient because they've got all the corporate headquarters, the CPPA, the CCCPA, is the only, you know, privacy protection agency in California. And so hopefully the, the same type of pressures won't be put forth on it that sometimes we see happening in Europe.

[00:28:46] Paul Breitbarth: So when you, when you look at the current text of CCPA, CPRA that's now in force, there is no risk anymore of that being watered down again by corporate lobby.

[00:28:58] Tom Kemp: Unless, that is correct, unless a federal privacy law passes that preempts California. That basically kind of lowers the, the floor and then makes it a ceiling.

[00:29:13] Paul Breitbarth: And that's the continuous discussion, right, in the U.S., whether preemption and private right of action should be included in federal legislation, yes or no.

[00:29:21] Tom Kemp: That, that is, those are the two big sticking points. The biggest one is, is preemption, and, you know, whether or not you want the labs to continue to be, the, the states to be labs of democracy, to, to paraphrase former Supreme Court Justice Louis Brandeis.

[00:29:37] Paul Breitbarth: former, Supreme Court Justice Louis Brandeis. Well, that's fine. but I

[00:29:50] Tom Kemp: Well, that's fine. But I think what people, it's con, I think people may be slightly confused, which is that, you know, what hasn't been pushed, the, the, obviously we, we had a preexisting privacy law, that the CCPA, the CPRA amends it. So the regulations that were put forth in the CCPA still hold, number one.

And number two is the CPRA, the actual law itself, is effective and it's within enforcement. It's actually kind of the fine print in the regulations that have been pushed. And so I'm fine, you know, with, you know, it's, it was a 60, 80 page document. And, you know, that gives businesses more time. We want businesses to do it right, but businesses also shouldn't think that, oh, I don't even have to worry about California.

I can push that off until March, end of March 2024. No, you actually, for example, the CPRA, as we mentioned before, you know, added the right to correction, right? And so if someone calls you up in California and says you've got incorrect data, I want to correct it, you just can't say, I don't have to do that, because no, no, you still have to, you know, make your best attempts to, as a business, to, you know, listen to the consumer and correct that. You know, maybe some of the finer details and the regulations, you don't have to adhere to, but the general principles are in for the actual law itself. It is now the law of California and can be enforced. It's the finer print in the regulation of how you go about implementing some aspects as a business of the law has been pushed off. But the core of the law, etcetera, is enforced as well as the prior regulations as well.

So there's been a lot of confusion that there are people said, you don't even have to, don't worry about California. You know, you know, no, no, no. You, you still have to address the current law. You have to address the current CCPA regulations. What you don't have to address are the finer points of the CPR regulations, but the core capabilities that have been added, you do, such as the right of correction and other aspects, you do have to acknowledge and, and take into account, even though the, the, and a lot of the stuff doesn't even have corresponding regulations associated with it.

[00:32:21] Paul Breitbarth: Tom, this was, this was a very nice conversation. I learned a lot, both on, indeed, your views on, on containing Big Tech, but also on, on California. The book Containing Big Tech by Tom Kemp is out August 22nd, wherever you get your books, in hardcover and also in audiobook, and I assume at some point there will also be an e-book coming, for us to read and to buy with these same big tech companies. So go, go read it. I think it's, it's a fascinating topic, and one that we'll never tire of discussion, discussing, at least not until big tech is indeed contained. So Tom, thank you very much for joining me this week.

And with this, we conclude another episode of Serious Privacy. If you like us, do follow us on social media. You'll find us at Podcast Privacy on Twitter. You'll find K as Heart of Privacy, myself as EuroPaulB. Join the conversation on LinkedIn under Serious Privacy. And until next week, goodbye.
