Businesses & Your Data

  1. Users should have destructive control over their data. Meaning they should be able to permanently remove non-critical data collected by companies online.

  2. Companies handling personal data should be required to implement “Best efforts“ security standards.

  3. In order to directly share data with other companies the company sharing the data should get explicit individual consent for each instance of data sharing.

  4. People should be guaranteed a legal “reasonable expectation of privacy” even when data is shared with a third party.

  5. An ISP may only collect data as necessary to maintain operations effectively. (e.g. IP address logs)


Government & Your Data

  1. A password of any sort, no matter how simple or insecure, must be legally equivalent to that of a locked door to a personal residence.

    1. Even if the information is not encrypted, if the data requires a password to access through its normal use, there is a reasonable expectation of privacy. 

    2. Poor implementation of security does not waive a reasonable expectation of privacy.

  2. No algorithm, formula, or process should be used to predict or infer future behavior from past activity, data, or records.

  3. No algorithm, formula, or process should be used to reconstruct or fabricate missing data, or records; with the exception of physical processes used to recover deleted or overwritten data from physical storage devices.

  4. As machine learning algorithms become more accurate at predicting inner thoughts law enforcement must be more restricted in their use to prevent what is essentially self-incrimination. Personal data and devices must be understood to be in some limited sense an extension of the self and assumed to be private. 

  5. Any search of broad public surveillance systems must be to locate specific, named individuals with active warrants. Any information incidentally collected about others must be automatically blurred and/or distorted immediately, and irrevocably destroyed within 30 days. 

  6. Facial Recognition & licence plate tracking tools must be limited to the identification of known individuals, and must not passively collect data on individuals without a warrant. (e.g. it must not be used to identify everyone in a crowd)