The following are excerpts from the book Cyber Privacy, written by the author and published early this month.
by April Falcon Doss
When people and data-driven technologies intersect, the picture that emerges is a complex tangle of economic innovation, societal benefits, and damaging impacts on individual autonomy. At each intersection, data-thirsty apps and devices collide with the bundle of attributes that we commonly call “privacy.” That single word serves as shorthand for a wide range of social values and individual prerogatives, such as the ability to control who knows what information about us and to limit intrusions into the solitude of our lives. Privacy certainly encompasses these things, but it also implies a great deal more. Privacy is intrinsic to individual dignity and our sense of personhood, to our ability to live as unique beings. Privacy allows us to test our ideas, to live without undue scrutiny. It lets us choose our relationships, overcome our pasts and direct our future, and change our minds and our behavior over time.
Data-driven technologies threaten to undermine all that. These are the technologies that lie at the heart of government surveillance, political manipulation, microtargeted commercial advertising, and the intrusive use of data by anyone seeking to exert power over others, including schools and employers, neighborhood associations, and even the intimate partners in our lives.
Understanding the risks that arise at these intersections is a challenge that grows more pressing every day. It’s virtually impossible to live in modern society without leaving a digital footprint. Around 224 million Americans had a smartphone in 2018.¹ That’s four out of every five American adults, up from just a third of Americans in 2011.² Some 64 percent of Americans have online accounts involving health, financial, or other sensitive data.³ Nearly two-thirds of Americans have experienced some sort of data theft. Most Americans doubt the ability of the government or the private sector—and social media sites in particular—to protect their information. Roughly half of Americans think their personal data is less secure than it was five years ago.
But what can we do about it? Most Americans aren’t taking basic steps to protect their information—and many aren’t sure that they know what steps to take. Advertisers know what we’re interested in and where we are; our social media profiles are hijacked to funnel political propaganda into our feeds; our employers have access to our health, wellness, and genetic information; and the very products and services—like cell phones and webmail—that we rely on for everyday life have become the basis for the most comprehensive corporate surveillance network the world has ever seen. Even when our data has been anonymized—when our names, addresses, and other identifying information have been stripped off—it’s often possible for it to be “re-identified” through sophisticated computer analysis.
The urgency in understanding these issues is real. They’re being covered by leading newspapers like the New York Times and Washington Post. They’re entrenched in pop culture, from the ubiquitous hacker in modern movie scripts to recent documentaries like The Great Hack. The constant barrage of new developments in data privacy outpaces any one person’s ability to keep up.
By taking a very human look across the intricate web of data to identify patterns and trends, however, we can take note of the major obstacles, and offer a road map that will help individuals navigate the privacy terrain. There are more privacy-protective routes that might be less efficient; more regulated routes that might involve extra costs and paying tolls; or routes that are congested with new kinds of data but that bring us within easy reach of all of the conveniences of modern life. Mapping the privacy landscape, as we’ll do in this book, can help us choose our preferred solutions and figure out possible pathways to get there.
I’ve worked on issues relating to data, technology, and privacy for nearly twenty years. In 2003, when I started at the National Security Agency, “cybersecurity” was a niche topic, the focus of IT professionals who still mostly referred to “information assurance” when describing their role in keeping computerized information safe. “Privacy” operated in a separate realm. Although a handful of privacy-related laws required organizations to keep some kinds of information free from prying eyes, many of those laws had been written with an eye toward analog systems. Legislators focused on the kinds of data that could be created and captured by regulated industries—like health care, financial services, or education—and laws often centered around information that wasn’t of a fundamentally new type, but rather the kind that had previously been created on paper and now was stored in computers as a convenience or an afterthought. Much of the data collected about individuals was information that people could reasonably anticipate: we knew, for example, that doctors created notes from our visits, that workplaces kept personnel files, that the phone company whose switching system we relied on to communicate also, for its own business purposes, made a record of the numbers we called.
By 2016, when I left NSA, all that had changed. Smartphones, social media platforms, and ever-advancing digital technology had expanded the scope of information available about us, prompted the rise of whole new industries, and reshaped our interactions with information and with the people around us. The precision mapping applications on our phones track our movements in real time. Unbidden, they send us pop-up notifications suggesting the best route to a destination we haven’t even searched where an algorithm predicts we will want to go. This is all based on the detailed records that have already been captured about our habits—where we go and when—over time. We unlock our phones and tag our friends on social media using sophisticated facial recognition software that identifies us in low lighting, from different angles, under varying conditions, and in wide-ranging contexts. We share video clips with our neighbors from the livestream on our front porch, which are also shared, sometimes without our knowledge, with the local police. We have digital assistants in our kitchens and our bedrooms, on our desks at work and in the classroom, all waiting to hear our next command—and recording our conversations in the meantime.
Moving from NSA into the private sector expanded the aperture of privacy and technology issues my work focused on. As the chair of the cybersecurity and privacy practice at a large law firm, I saw firsthand how changes in technology were creating as much uncertainty for businesses as for individuals: new types of data were being generated, and new techniques for manipulating that information were creating exciting new business opportunities; they also created new risks to individual privacy. The laws and policies that might have provided guidance on these issues simply weren’t keeping up. Older privacy laws were often hard to implement or had been rendered obsolete in the digital age. New laws often imposed significant costs on businesses, but frequently without creating meaningful privacy benefits for individuals. And despite an abundance of laws, old and new, there were frequently gaps that left consumers and companies unsure precisely what their rights and obligations entailed.
In 2017, I joined the staff of the United States Senate Select Committee on Intelligence (SSCI) as the Senior Minority Counsel for the Russia Investigation. In that role, I gained an insider’s view of the ways that data privacy intersected with pressing matters of political autonomy, propaganda, and foreign influence, and of the ways that shadowy third parties can use information about us to manipulate our opinions and divide our society. I grew increasingly concerned about the disconnect between the geopolitical magnitude of data’s effects and the extent to which we’re often willing to give up our data in exchange for nothing more than the convenience and enjoyment of free products and services, many of which are presented to us under conditions in which we don’t know precisely where our data will go.
The topic of cyber privacy is evolving so rapidly that one of the greatest challenges in writing this book has been how to tackle the problem of recency: of making sure that the discussion remains fresh, current, and relevant, even while recognizing that no book can take the place of “breaking news.” I have no doubt that, by the time this book is published, some new development in technology or the law will have emerged that isn’t incorporated here. But achieving meaningful cultural awareness and comprehensive solutions to the ways that technology is eroding privacy won’t come from chasing breaking news or from the breathless pursuit of the latest innovation (although I spend a great deal of time on Twitter, providing analysis on these trends as they emerge). Instead, this book aims to provide a thought-provoking overview of the ways that technology is challenging our notions of privacy, while also offering some thoughts about how to strike the right balance as a society: supporting important public safety and national security goals, enabling technology innovation to proceed, and allowing all of us to get our privacy back.
Informed digital citizenship shouldn’t be a heavy lift; no one should have to devote their full time and energy to researching and understanding these issues unless they want to. It’s my hope that this book will demystify the landscape of data-driven technologies so that you can discern which areas you care about the most. That journey starts with cataloging the major categories of personal data and unpacking the many subparts of what “privacy” means.
Are you worried about data collection in the private sector? From big platform providers like Facebook and Google, to the app you just downloaded on your phone, and the smart device you just installed in your home, this book explains the kinds of information that private companies are collecting about you and how they’re sharing and selling it to others, often without your knowledge or deliberate consent. It explains the limits of US laws to govern, prevent, and regulate the actions of those companies and looks at the kinds of new laws being proposed, some of which might give consumers greater control over their data and others that appear to be privacy-protective but are unlikely to have any meaningful effect.
What about those who hold nongovernmental power over you? Employers? Schools? Intimate partners? What kinds of information can they collect about you? How is data being used to predict your employability, your anticipated success in school, or the likelihood that you’ll cost an employer more on the company health insurance plan? Where are they getting this information from? You probably know that prospective colleges and employers look at your public social media posts. But what about tracking and analyzing the data on your fitness watch or reviewing the results of your genetic tests? Or using surveillance cameras to record what you do at work and at school? Many of the ways that personal data is collected and used might come as a surprise.
Is government surveillance your primary concern? This book describes many of the key tools and techniques used for government surveillance in the United States over the years, along with an explanation of the legal framework for those activities and how they’ve been implemented. It also examines the key risks and competing interests for the future and the ways in which lessons from intelligence oversight can be adapted to nongovernmental privacy challenges.
Although much of our focus will be grounded in the United States’ legal framework, there are valuable lessons to be learned from the ways other nations approach privacy. Consequently, this book also examines privacy norms and data practices in key countries around the world. On the privacy-protective end of the continuum, the European model declares privacy to be a fundamental human right, but its regulations often increase costs without resulting in meaningful privacy benefits, and it overlooks some key areas of law—like European government surveillance—in favor of regional economic gains. On the other end of the international data protection spectrum, the world’s most repressive, authoritarian regimes are leveraging new data-driven tools to monitor their citizens, crack down on free speech, and even to shape individual social standing. The international perspectives provide important guideposts for the United States in assessing the costs versus benefits of certain kinds of legislation and drawing lines between legitimate government use of personal data and the overreach that’s clearly possible when personal information is misused in unfettered ways.
Finding the best path to navigate across a landscape of obstacles often means balancing economic growth and innovation, legitimate government purposes, and individual rights and liberties—to name just a few of the sometimes competing interests. In deciding the right balance to strike between those interests, reasonable minds can and do disagree. The goal of this book isn’t to persuade you of any particular political viewpoint or of the importance of any specific approach to restricting—or leaving unregulated—the ways that data affects our daily lives. Naturally, there will be a number of areas in which my own opinions on those matters show through. But my goal is to give you a baseline understanding about key technologies and trends happening right now; a foundational knowledge about the current rules that do and don’t govern those activities; and a framework for thinking about how we can shape laws and policies to reflect changing social norms. This book should help you set a privacy vision and present you with a road map for how we might get there.
April Falcon Doss, a cybersecurity and privacy expert with experience working for the NSA and the US government, explores the most common types of data being collected about individuals today and delves into how it is being used—sometimes against us—by the private sector, the government, and even our employers and schools.