Posted by Taylor Armerding on Friday, January 26th, 2018
It’s been called Data Privacy Day since it was launched in 2008 to commemorate the signing of Convention 108—the first legally binding international treaty dealing with privacy and data protection—on Jan. 28, 1981.
But you could make a pretty solid case that a decade later, this year’s observance, on Sunday, ought to be called Lack of Privacy Day. That’s even with the looming implementation in May of the General Data Protection Regulation (GDPR) by the European Union—a move toward privacy protections explained in detail by Synopsys security consultant Stephen Gardner in a blog post earlier this month.
The reality is that even in the United States—perhaps especially in the United States—ever more expansive data collection by retailers, marketers, financial institutions, government, and the dozens to hundreds of devices and apps used by individual consumers makes strengthening privacy protections an increasingly steep uphill climb.
Every day millions more devices are added to the Internet of Things (IoT), which is morphing into the Internet of Everything (IoE). And they all collect data on users.
In 2008, there were a piddling 10 billion IoT devices. Now, conservative estimates are around 25 billion, and the forecast is for more than 75 billion by 2025.
It’s not just the number of things either. It’s the variety. Ten years ago, not many toasters, refrigerators, thermostats, fitness trackers, or cars were essentially spying on their users.
True, data were being collected in retail stores through everything from loyalty cards to surveillance cameras, but nothing close to the scale of today. How ironic is it that a week before Data Privacy Day, retail giant Amazon—perhaps the largest single data vacuum in the world—launched its brand-new cashless grocery store in Seattle, where shoppers have a fabulous “frictionless” shopping experience: no waiting in checkout lines, no hunting for wallets. But with ubiquitous cameras and sensors, the store knows (apologies, Sting) every step you take, every move you make, and everything you take off the shelves.
It’s all sold as the ultimate in convenience, of course. “The number one problem for people is time poverty,” Dilip Kumar, vice president of technology for Amazon Go, told the Washington Post on the store’s opening day in Seattle. “People want good food fast, and they want it to be convenient.”
Indeed, big data collection does provide multiple kinds of convenience: advertisements focused on what you actually want to buy, smart cars that can call for an ambulance if you’re in an accident, wearable and implantable devices that can monitor your health and notify your doctor if something goes wrong.
But it also erodes privacy. When people generate thousands of data points every day—where they go, who they communicate with, what they read and write, what they buy, what they eat, what they watch, how much they exercise, how much they sleep, and more—they are vulnerable to exposure in ways unimaginable less than a generation ago.
And all that granular information in the hands of marketers, financial institutions, employers, and government can affect everything from relationships to getting a job, qualifying for a loan, or even getting on a plane.
Add to that the recent renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which privacy advocates contend allows warrantless surveillance of American citizens, and it sounds like a day to promote data privacy is getting swamped by the relentless erosion of it.
Susan Grant, director of consumer protection at the Consumer Federation of America, said that while progress on privacy is indeed visible in Europe, “in the United States, we seem to be falling further and further behind. I would say we’re even going backwards.”
Grant pointed to Federal Communications Commission (FCC) broadband privacy rules that were repealed by Congress in March 2017, saying, “Internet service providers are aggressively attempting to stop states from enacting legislation to provide the same privacy protections.”
But amid all that, some advocates insist there is still room for optimism. “Technology is always going to outpace law,” said Joseph Jerome, policy counsel at the Center for Democracy & Technology, “but we should see how things shake out with GDPR and the ePrivacy Regulation (also imposed by the EU and requiring consent for cookies, among other things), which will hit the IoT hard.
“Access and portability rights, alongside rights to explanation, have a lot of potential to increase user control and awareness of what’s going on with information.”
And Russ Schrader, interim director of the National Cyber Security Alliance (NCSA), which has run Data Privacy Day since 2011, noted that the GDPR applies not just to organizations located in the EU but to any that do business there.
“To move data in and out of the EU, a business must be as protective as the EU law—called an ‘adequacy’ finding by the EU authorities,” he said. This principle leads other countries to adopt similar approaches to continue to do business in the EU.
“As a result, the EU approach to human rights is gaining ground much faster.”
Still, the deck remains heavily stacked in the data collectors’ favor. Hardly anyone has the time to read terms of service (ToS) that, as Grant put it, are expressed in lengthy, dense, “obtuse legalese.”
“And the information that they are given doesn’t adequately explain what’s going to be done with their data and the ramifications of that,” she said.
Indeed, as anyone who has downloaded an app knows, if you don’t click “agree” to the ToS, you don’t get to use the app. What kind of choice is that?
“Consumers naturally want to use products and services that provide them with convenience, entertainment, and other benefits,” Grant said. “But to do so, they’re usually required to give up their privacy, and they have little recourse if it’s used in ways they don’t like or if their data are not sufficiently safeguarded.”
Jerome agreed that the power still lies too much with the data collectors. “ToS and privacy policies can be deployed like weapons against users,” he said, “and they can be easily changed. We cannot expect people to read these things. I read privacy policies and terms of service for a living, and I rarely feel like they answer all of my questions.”
But, he added, companies such as Apple, Google, and Facebook have all “rolled out decent privacy features.”
And even with a stacked deck, there are things consumers can and should do. Schrader offered a brief list:
And as the GDPR illustrates, government has a role to play as well. While the United States doesn’t have anything directly comparable yet, Schrader noted that there are several laws that protect consumer information: HIPAA (Health Insurance Portability and Accountability Act) for medical data, the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA) for financial privacy, and the Children’s Online Privacy Protection Act (COPPA) for younger children.
Also, while it has been 6 years since the Obama administration published what it termed a Consumer Privacy Bill of Rights (CPBR), and that proposal never became legislation, Schrader said it could still be useful.
“It established a framework and certain baseline practices for privacy that can provide a roadmap for industry and legislation,” he said.