This is the fourth post in a multi-part series about how the information security community needs to engage with the government to shape laws which will affect the industry. You can see the first, second, and third posts here.
The President’s State of the Union addressed the need for increased cybersecurity investment, new laws, and even the issue of privacy for ourselves and our children. Since then, we’ve continued to see privacy-related headlines. Concerns about government surveillance have never been far from the minds of activists living and working in less free and democratic regimes. The spectre of an outspoken Edward Snowden remains over us, and his revelations remind those in the United States to be concerned about our government's violations of privacy.
These concerns about government intrusions have been fed by changes in China’s so-called Great Firewall policies, regime change in Saudi Arabia, and the growing activity of foreign governments in their own forms of domestic spying. Most recently, the United Kingdom’s GCHQ was found to be illegally spying on British citizens. Shortly after the President's speech, MIT published a study showing that traditional ideas about anonymity and privacy are unrealistic in an era of big data and widely available information. A few years ago, Target used data mining to predict a young woman’s pregnancy, a practice that was viewed as being correct as well as wildly intrusive of her family’s privacy.
We can fear and anticipate a future where such invasions of perceived privacy are both widespread and intrusive. Under the current privacy climate, corporations in the United States can use the data consumers give them in almost any way they like. There are relatively few limitations on how the information they collect can be used. Perhaps worse, while they need to publish an accurate privacy policy, there have been a few cases of big companies punished for violating their own privacy policies. And there is nothing stopping companies from changing their privacy policies and having the changes apply to data collected beforehand.
People often point to the European privacy regime as a more humane policy. But the last year has shown it can lead to its own absurdities and issues. The so-called “right to be forgotten” is neither an absolute right, nor a real capability of the Internet. True, Google has been asked to remove a great many links to articles about people wishing to be forgotten, but the original news stories are still available. The removal requests apply only to Google's search results, and other, less used, search engines don't have to comply with this right to be forgotten. Europe has merely made it harder to find out about someone.
Technically the European regime makes it illegal for a security hiring manager to see if a prospective hire was ever convicted of hacking. Hiring such hackers is widely considered a practice best avoided. I’ve talked with security leaders who use Google on every prospective hire.
So what should we in the US do with privacy laws and regulation? Our rules and regulations should be tightened to do four things:
- Prevent the harmful use of private information – to deny jobs, benefits, health care, access to education & information, loans & rates, or insurance.
- Limit sharing of information across organizations to well-defined purposes clearly stated in company privacy policies.
- Establish a regime for requiring and managing privacy policies with sufficient transparency to make it easier to identify and prosecute misuse of information.
- Force companies toward more explicit opt-in of the use of private information to provide personalized experiences.
As always, those interested in these issues should get involved: follow organizations tracking and commenting on these issues, such as EFF, EPIC, and Privacy Rights Clearinghouse, even if you do not agree with everything they do. Your privacy rights require your involvement and interest: speak and write about your desires to those informing the next level of changes and direction.