Tag Archives: privacy

Commit Traffic Crimes in 50 States…Well, 7

How does California know whether an arrested intoxicated person has a drunk driving conviction in, say, Oklahoma?

Or better still, how does Oklahoma know whether a licensed driver also has a driver’s license in, say, California?

Answer: they don’t. Because privacy.

The American Association of Motor Vehicle Administrators (AAMVA) provides participating states with a system (S2S) to check such things.

“State-to-State (S2S) Verification Service is a means for a state to electronically check with all other participating states to determine if the applicant currently holds a driver license or identification card in another state. The platform that supports S2S, the State Pointer Exchange Services (SPEXS) was successfully implemented in July 2015. Participation in S2S does not commit a state to be in compliance with the federal REAL ID Act. However, if a state chooses to be REAL ID compliant, the Department of Homeland Security generally looks for S2S to be part of their compliance plan.”

Not all states participate. As it turns out, neither California nor Oklahoma are part of S2S. Oklahoma is slated to join, but this may not happen.

“Oklahoma lawmakers have asked the state Supreme Court to immediately block the transfer of driver’s license and identification card data to a national interstate data exchange run by the American Association of Motor Vehicle Administrators (AAMVA).

“The lawmakers argue that the planned transmission exceeds statutory authority, violates state privacy protections, and collapses a key distinction that Oklahoma law makes between REAL ID-compliant and noncompliant credentials.”

Based upon past history, it’s no surprise that some in Oklahoma oppose big guvmint and AAMVA S2S participation.

But why has California opted out of S2S?

Basically, the privacy of Social Security Numbers. The state doesn’t to share this personally identifiable information willy nilly.

(As an aside, take a moment to think about how a state in enforcing the privacy of Social Security Numbers, which are assigned at the federal level. And also think about how Social Security Numbers are NOT supposed to be a national ID number. The mind boggles.)

So what do the other states do if someone claims to have a California driver’s license, but California won’t confirm this because of privacy concerns? Here’s what Tennessee does.

“All states and jurisdictions in the United States participate in S2S, except for California, Connecticut, Illinois, Kentucky, Nevada, Oklahoma, and West Virginia. New or returning Tennessee residents transferring from these nine states must obtain a Motor Vehicle Record (MVR) from their former state. The MVR be issued within 30 days of applying for a Tennessee license or ID.”

Good to know if I ever move out of California.

For Californians, Happy Data Privacy Week

(I wrote THIS one in 2026.)

CalPrivacy, also known as the California Privacy Protection Agency, is marking the whole danged Data Privacy WEEK with a very Californian term.

Drop.

Now when Californians use the term “drop,” it’s usually used in the earthquake-related phrase “drop, cover, and hold on.”

But in the privacy world, DROP stands for “Delete Request and Opt-out Platform.”

“DROP lets you send a single request to over 500 registered data brokers.”

Which makes no difference to the UNREGISTERED people who sell your data, but it’s something I guess.

Happy Data Privacy Day

From UC Davis in 2024:

“Data Privacy Day is marked each year on January 28….Data Privacy Day began in the United States and Canada in January of 2008 as an extension of its European counterpart. In Europe, Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty on privacy and data protection.”

According to the Council of Europe:

“This Convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.

“In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of “sensitive” data on a person’s race, politics, health, religion, sexual life, criminal record, etc., in the absence of proper legal safeguards. The Convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected.”

The full (English) text is here (PDF).

A lot has happened since 1981, but it all had to start somewhere.

(An aside: I wrote this post on Saturday, November 8, 2025. On that date I asked Google Gemini when the next biometric-related holiday was, and this is what came up.)

This is Why You Should Avoid Acronyms

So an article came across my eyes that begins with the words “Minnesota DHS.”

The full title? “Minnesota DHS Reports Access-Related Data Breach.”

Now anyone reading that article over the weekend was probably very confused, since the death of Alex Pretti isn’t exactly a DATA breach.

And, of course, Minnesota doesn’t have a “department of homeland security.”

It does, however, have a Department of Human Services…and THAT was what was breached.

“A single user inappropriately accessed private data within the Minnesota Department of Human Services (DHS) ecosystem, potentially impacting 303,965 individuals, officials report.”

This was not a hack per se, but a case in which a legitimate person accessed something they shouldn’t have accessed. Certainly a breach, and the person’s access was terminated.

But nobody died.

Offboarding: What Else Happens When You Stop Doing Business with Bredemarket?

My 2024 offboarding post discussed the short-term aspects of how Bredemarket wraps up business with its clients. But it didn’t cover the long-term aspects.

What I didn’t say in 2024

You’ll recall my description of the end of a particular contract.

In 2023 I signed a contract with a client in which I would bill them at an hourly rate. This was a short-term contract, but it was subsequently renewed.

Recently the client chose not to renew the contract for another extended period.

But there’s one thing I didn’t say.

The client (whom I’ll call Client 1) failed to tell me that it wasn’t renewing my contract. In fact, in my last discussion with the client, I did not perceive that it wasn’t planning to renew.

Surprise! In fact, I learned of the non-renewal from a third party, not the client itself.

Of course, the client had every right to choose not to renew without advance notice.

But read on.

What happened in 2025

Contrast that with my relationship with two other existing clients, both of whom contacted me personally and let me know that they weren’t renewing my contract.

Both took the time to explain why they were not renewing. Nothing to do with my performance, but having to do with internal issues at each company (which I am not at liberty to discuss).

I went through the aforementioned data scrub process with both clients, and my obligation to both was done.

But read on.

Two little twists

Add these facts.

  • There was an interesting connection between Client 2 and Client 3. My primary employee contact at Client 2 was previously a consultant at Client 3 until they were let go (again, not because of performance, but because of internal issues).
  • And a little while later, my employee contact at Client 2 was let go from Client 2 themselves (again, internal issues).

The long term

Bredemarket completed its contractual obligations to all three firms: the one that let me go in 2024 (Client 1), and the two that let me go in 2025 (Client 2 and Client 3).

But what happens after that?

It depends.

  • If my employee contact at Client 3 requests help, or if I see something of interest to Client 3, I’ll be more than happy to help or share.
  • If my employee contact formerly of Client 2 requests help, or if I see something of interest to Client 2, I’ll be more than happy to help or share.
  • If I see something of interest that affects Client 2, I may or may not share.
  • If I see something of interest that affects Client 1, I probably won’t share…except to Client 1’s competitors.

Actions, and inactions, have consequences.

And because I neglected to put any Doors references in this post like I did with the last one, I’ll close with this mind-boggling remix.

“Riders On The Storm (Fredwreck Remix).” Snoop Dogg featuring the Doors.

Privacy: What Happens When You Data Scrape FROM the Identity Vendors?

There is a lot of discussion about data scraping, an activity in which Company 1 takes the information publicly posted by Company 2 and incorporates it into its own records.

In the identity world, this takes the form of a company “scraping” the facial images that were publicly posted by a second company, such as a social media company.

I think that we all know of one identity company that is well-known (a euphemism for “notorious”) for scraping facial images from multiple sources. These not only include government-posted mugshots, but also content posted by private social media firms.

Needless to say, the social media companies think that data scraping is completely evil and terrible and identity vendors that do this should be fined and put out of businress. The identity vendor is question has a different view, even stating at one point that it had a (U.S.) First Amendment right to scrape data.

But what happens when someone wants to scrape data FROM an identity company?

A Skagit County court case

404 Media links to a Skagit County, Washington court case that addresses this very issue: in this case, data captured by Flock Safety.

The case is CITY OF SEDRO-WOOLLEY and CITY OF STANWOOD, Washington Municipal Corporations vs. JOSE RODRIGUEZ. The following are findings of fact:

“On April 10, 2025, Defendant, Jose Rodriguez made a Public Records Request to the Snohomish Police Department. He requested all of the city’s Flock cameras pictures and data logs between 5 pm and 6 pm on March 30, 2025.”

This particular record does not indicate WHY Rodriguez made this request, but 404 Media provided a clarification from Rodriguez himself.

“I wanted the records to see if they would release them to me, in hopes that if they were public records it would raise awareness to all the communities that have the Flock cameras that they may be public record and could be used by stalkers, or burglars scoping out a house, or other ways someone with bad intentions may use them. My goal was to try getting these cameras taken down by the cities that put them up.”

The City of Stanwood (don’t know its relation to Snohomish) answered Rodriguez in part:

“Stanwood PD is not the holder of the records you’re seeking; you may be able to request the records at FlockSafety.com.”

Incidentally, this is a common issue with identity databases using vendor softwares; who owns the data? I’ve addressed this before regarding the Milwaukee Police Department.

Now some legal talent may be able to parse what the word “holder” means, especially in regard to data hosted in the cloud. Perhaps Stanwood PD was trying to claim that since the records weren’t on site, it wasn’t the “holder.”

Anyway, the defendant subsequently made a similar request to the City of Sedro-Woolley, but for a different date. Sedro-Woolley didn’t provide the images either.

Then it gets weird.

What happened to the data?

“The Flock records sought by Defendant from Stanwood and Sedro-Woolley have been auto-deleted.”

Well how convenient.

And the listed statements of fact also contain the following:

“The contract between Flock and Stanwood sates that all Flock images generated off Flock cameras located in Stanwood are the property of Stanwood.

“The contract between Flock and Sedro-Woolley states that all Flock images generated off Flock cameras located in Sedro-Woolley are the property of Sedro-Woolley.”

The judge’s ruling

Fast forward to November 6, when Judge Elizabeth Neidzwski ruled on the cities’ claim that the Flock camera data was not a public record.

“IT IS HEREBY ORDERED, ADJUDGED AND DECREED that Plaintiff’s motion for Declaratory Judgment that the Flock camera records are not public records is DENIED.”

404 Media noted that the cities argued that they resisted the request to…protect privacy.

“In affidavits filed with the court, police argued that ‘if the public could access the Flock Safety System by making Public Records Act requests, it would allow nefarious actors the ability to track private persons and undermine the effectiveness of the system.’ The judge rejected every single one of these arguments.”

Of course, there are those who argue that the police themselves are the “nefarious actors,” and that they shouldn’t be allowed to track private persons either.

But the parties may take the opposite argument

This is not the only example of conflicting claims over WHO has the right to privacy. In fact, if the police were filming protestors and agitators and wanted the public’s help in identifying them, the police and the protestors would take the opposite arguments in the privacy issue: the police saying the footage SHOULD be released, and the protestors who were filmed saying it SHOULD NOT.

Privacy is in the eye of the beholder.

The California Privacy Folks Have Executed a Cool Rebrand

I previously discussed the alphabet soup that infests California privacy efforts.

“Before launching into these regulatory changes, remember that the CCPA is the California Consumer Privacy Act, while the CPPA is the California Privacy Protection Agency. (There’s also a CPRA, the California Privacy Rights Act.)”

Well, one of the entities, the agency (CPPA), is trying to extricate itself and differentiate and be cool and stuff.

“The California Privacy Protection Agency has chosen the new public-facing name of CalPrivacy. The name underscores the agency’s commitment to operationalizing privacy rights and delivering clear, consumer-friendly guidance to all Californians.”

Like…cool.

The Healthy Otter: When AI Transcriptions are HIPAA Compliant

When I remember to transcribe my meetings, and when I CAN transcribe my meetings, my meeting transcriber of choice happens to be otter.ai. And if I’m talking to a healthcare prospect or client, and when they grant permission to transcribe, the result is HIPAA compliant.

Otter.ai explains the features that provide this:

Getting HIPAA compliant wasn’t just about checking a box – we’ve implemented some serious security upgrades:

  • Better encryption to keep protected health information (PHI) locked down
  • Tighter access controls so only the right people see sensitive data
  • Team training to make sure everyone knows HIPAA inside and out
  • Regular security audits to stay on top of our game

This builds on our existing SOC 2 Type II certification, so you’re getting enterprise-grade security across the board.

HIPAA privacy protections affect you everywhere.

My Thoughts on the Amazon Ring-Flock Safety Partnership

Amazon didn’t get a lot of good news today, and there was another negative news item that people focused on the AWS outage probably missed.

Anthony Kimery of Biometric Update wrote an article entitled “Ring’s partnership with Flock raises privacy alarms.” I offered the following commentary on LinkedIn’s Bredemarket Identity Firm Services page.

Perhaps I’m industry-embedded, but this seems fine to me. Consent appears to be honored everywhere.

“Under the deal, agencies that use Flock’s Nova or FlockOS investigative platforms will soon be able to post Community Requests through Ring’s Neighbors app, asking nearby residents to share doorbell footage relevant to an investigation.

“Each request includes a case ID, time window, and map of the affected area. Ring says participation is voluntary and that residents can choose whether to respond, and agencies cannot see who declines. Users can also disable the feature entirely in their account settings.”

On the other hand, Senator Ron Wyden doesn’t trust Flock at all and says that “abuse of Flock cameras is inevitable.”

Heck, abuse of citizens by the U.S. Senate is inevitable, but citizens aren’t demanding that the Senate cease operations.