By: Dan McSwain
Tomorrow we’re testifying on US privacy reform to the Senate Judiciary Committee. Tom Lee, an engineer by background who now runs Public Policy at Mapbox, will present to members of the committee.
Tune in to the live testimony and Q&A at 10 a.m. ET Tuesday, March 12th
We will be joined by representatives from the private and public sector. Tom’s prepared testimony was just submitted this morning. Read it in full below.
We’re in the business of selling maps, not information about the people using them. Tom’s testimony will share how we work to minimize the information we collect, anonymize what we do collect, and require customers to let users opt out.
Privacy regulations must fit companies of all sizes and protect customers of all backgrounds. We’re honored to include these perspectives in our testimony.
Follow @mapbox for live coverage from the Senate Dirksen office building on Tuesday. Read more about how you can build privacy into your applications using Mapbox.
GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation
March 12, 2019
Dirksen 226 Senate Office Building
Panel I
Mr. Will DeVries
Senior Privacy Counsel
Google, Inc.
Mountain View, CA
Mr. Alastair MacTaggart
Chairman
Californians for Consumer Privacy
Sacramento, CA
Mr. David Hoffman
Director of Security Policy and Global Privacy Officer
Intel
Santa Clara, CA
Mr. Gabriel Weinberg
CEO and Founder
DuckDuckGo
Paoli, PA
Mr. Tom Lee
Policy Lead
Mapbox
Washington, DC
Panel II
Ms. Roslyn Layton
Visiting Scholar
American Enterprise Institute
Washington, DC
Ms. Michelle Richardson
Director
Privacy and Data Project
Center for Democracy and Technology
Washington, DC
Professor Jane Bambauer
Professor of Law
University of Arizona James E. Rogers College of Law
Tucson, AZ
Testimony of Thomas Lee (Mapbox) before the Senate Judiciary Committee:
Chairman Graham, Ranking Member Feinstein, and members of the committee, thank you for the opportunity to appear before you. My name is Tom Lee. I’m an engineer by training and I now lead policy at Mapbox. Today I’d like to talk about how our company approaches privacy, and how privacy reform should approach smaller companies like ours.
We make maps. Our customers are developers. From weather forecasts to messaging tools to major news sites, you’ve probably used our maps. In total, we serve over 520 million monthly active users.
Our users benefit from our maps, and we benefit from their use. By collecting GPS data we make our maps more accurate, detect traffic jams, and give better directions. We built these features knowing that we had a responsibility to put user privacy first. We work to minimize the information we collect. We anonymize what we do collect. We require customers to let users opt out. We encrypt data in transit and at rest. We apply strong access control policies. And we only use the data to make our products better. We’re in the business of selling maps, not information about the individuals using them.
Our success proves that you can build a valuable business and protect user privacy at the same time. We are glad to see growing attention to this issue from lawmakers in this body, in state legislatures, and around the world. We think it’s time for some rules of the road — common-sense ethical standards for anyone that asks users to trust them with personal data.
New regulations inevitably carry costs and risks, especially for smaller businesses like ours, which aren’t among the names we’re all used to seeing in headlines about privacy. I’d like to highlight some issues that deserve attention as you consider how to craft reform without harming competitiveness or innovation.
First, the burden imposed by a proliferation of varying privacy standards is real. Our small but mighty legal team has to handle customer contracts, patents, employee policies, vendor agreements, and scores of other issues. Proceeding through the GDPR compliance process cost us hundreds of hours of effort initially, and continues to introduce additional time and complexity as we negotiate deals with customers. Startups can not afford to multiply that cost by dozens of additional jurisdictions — especially if some of those future regulatory regimes prove to be in conflict with one another.
We believe that our nation’s privacy laws should be strong and that they should be unified: we favor a single national standard. Avoiding a patchwork of state rules will not only help smaller businesses like ours, but will give Americans assurances that don’t change when they cross a state border.
Second, a jumble of state privacy laws risks creating loopholes, oversights, and errors. It’s easy to see why when you consider how much of the conversation on privacy has focused on the tech giants whose apps are used directly by billions of end users. The California Consumer Privacy Act (CCPA) is a good example of a law that contains many good ideas, but fails to fully imagine businesses like Mapbox. Some of our customers run vehicle delivery fleets, and they use our technology to monitor how efficiently those deliveries are being made. Under the CCPA, the drivers in those fleets could request data about their employers’ operations, even if they’ve since left to work for a competitor. Exposing trade secrets isn’t what the CCPA intended, and we’re hopeful that this problem can be fixed. But we worry that similar oversights will be inevitable if state laws proliferate in the absence of a clear federal standard.
Third, poorly-designed reform could entrench big business and harm smaller companies. Unlike some of our competitors, we don’t own a major mobile operating system. We collect anonymous data when people use maps in our customers’ apps. The platform owners can collect data at a much lower level than this. Reform that fails to adequately protect secure and ethical data collection like ours risks creating uncertainty among our customers and a chilling effect. If that happens, the accuracy of our maps and driving directions will suffer. That would make it much harder to compete with those platform owners.
Finally, some well-meaning reforms could put users at greater risk by forcing the collection of more user data. Data export and deletion requirements, in particular, often fail to envision businesses like ours. We rarely have a direct relationship with end users. We don’t know their names, emails, phone numbers or other personal details. All we collect is anonymized data; and metadata like IP addresses, which are part of any internet request. But many privacy reform efforts, including the CCPA and GDPR, name IP addresses as personal information, and include data export and deletion provisions. This combination opens the possibility of requests filed by identity thieves, vandals, and abusers. To reliably detect illegitimate requests we might need to collect much more personal information about users, putting us and them at greater risk. It would be ironic if privacy reform led to more collection of personal data rather than less.
I know some of these concerns are technical and specific. I mention these details only to make a larger point. We agree that Americans deserve stronger privacy guarantees. But the details are critically important, and it will be easy to get them wrong. This work needs to be pursued in a unified and careful manner, in a way that minimizes the opportunities for mistakes. Businesses subject to new rules will deserve detailed guidance about how to comply, and the people depending on those rules will deserve a system with the flexibility to respond to new problems in the future.
We think the work of privacy reform can bring real benefits to Americans, and we’re eager to do whatever we can to support it. I thank you for the opportunity to appear before you today, and look forward to any questions you might have.
Dan McSwain - VP Brand Marketing - Mapbox | LinkedIn
Testifying to the Senate Judiciary Committee on Privacy was originally published in Points of interest on Medium, where people are continuing the conversation by highlighting and responding to this story.