Privacy & Digital Security
"If you got nothing to hide, why are you complaining about privacy laws?"
Privacy. Not just privacy when it comes to the internet. Don’t get me wrong, making sure naked selfies receive full protection under the law is of extreme importance to me, but this topic goes beyond the realm of the internet to privacy against warrantless surveillance, privacy against baseless searches, privacy of passwords, encryption, and more. Privacy is about keeping our freedoms and unalienable Rights secure and, unless you’ve been living under a rock the last several years, it should be obvious that we need some privacy reforms.
This topic is a bit complicated. Discussions on privacy reforms almost always lead into discussions about national security. I want to acknowledge this and at the same time ask you to put the national security aspect aside for the time being. Instead, permit me to focus on privacy and reforms as they relate to matters outside of the far-too-often invoked “national security” clause. This will be difficult because most anything related to privacy ties back to law enforcement. I apologize for this shift of perspective on the subject. If anything, consider my words as an alternate view on the same digital subjects.
Let’s begin with our digital communications, specifically email, text messages, and social media posts. The moment I mention these things and privacy, you should have both the First and Fourth Amendments in mind for they are inexorably linked. Content that we send to each other as expressions of ourselves is usually done in confidence; when you email friends, family, or lovers, you usually do not want those conversations to be made visible to the entire world, searchable through some algorithm. You want to be able to converse in the digital realm the same as you would in the verbal realm: with a modicum of privacy. You want the same legal protections for your digital actions as you do for your non-digital actions. Anything less would be an erosion of First and Fourth Amendment rights.
Which is why we need to tackle the problem of surveillance in schools. It’s becoming increasingly popular in school systems prior to college to monitor all student activity- both in and out of school. Those activities then are subject to school “validation.” I use the term validation here to mean “appropriateness,” as in schools desire their students to behave the same in class and out of class. And honestly? It’s none of the school’s damn business what a kid says on Facebook or Twitter on a Saturday night to their friends. Maybe it’s foul language, or expressing dislike for a class, or whining about how Sally became the prom queen even though she’s dating a trumpet player from a rival school. Like, O. M. G., for realz. We all said and did the darnedest things when we were growing up, sometimes very stupid things. We don’t need the specter of school looming over us from age 5 to 18, 24 hours a day, 7 days a week, 365 days a year.
California is a good example of the problem. Back in 2013, the Glendale Unified School District north of Los Angeles signed a deal with a startup, Geo Listening, that searches social media posts dealing with key words and phrases like depression, bullying, hate speech, etc.(1) The company then, as I understand it, passed a daily report to school officials on actionable items in their findings. It was a blanket review of over 13,000 student social media accounts. The company said that no privacy is violated because the content is "public."(2)
Three reasons come to mind for why that statement is false. First, students- especially teenagers- are not the brightest and most aware human beings on the planet. If you ask the average 13 year old a big existential life question and ask the average 22 year old the same thing, those years of experience usually add up, letting the 22 year old answer more completely with a much more expanded awareness of themselves and the world around them. When I was 13, I did some stupid stuff online (blessed 2400 kbps dial-up internet) and offline. It’s all part of a kid’s need to feel out their place in the universe, to test limits, to learn for themselves how and why things are, to experience freedom and all that comes with it. This means making mistakes and being really freaking dumb, sometimes. We need to ensure some measure of privacy from the world at large there. As such, blanket monitoring of thousands of students for what they say and do online is not the way to go about that.
Second, we have no understanding of how that content is gathered in the first place. We know there are programmatic ways in which such data can be gathered and viewed, but we also know that there is no way, as of right now, to differentiate students from non-students in this blanket surveillance program. If I visit the northern LA region and tweet “Got some bomb hot chocolate near Glendale High School,” would my content be swept up in this search because I had the words “bomb” and “Glendale High School” in the tweet? I’m clearly not a student and my tweet is clearly not a matter of danger or security, yet it’s most likely being systematically gathered by software for review. The lack of specific targeting is a problem, here.
This brings us to the third reason I consider that statement to be false: data retention and data security. There is no clear indication how long any data captured by the system will be retained. Does it get purged when a student graduates? Are there safeguards to prevent that data from being leaked? Is content anonymized at any point? We don’t know and the company, as far as I’m aware, has not disclosed any of that.
I use these reasons- data retention, data security, widespread gathering, and reasonable expectations of privacy- as the fundamentals for privacy and digital security reforms we need in this country. Unfortunately, these reasons are also incredibly vague, leaving much room for interpretation while also making it very difficult to set “bright line” tests that can be done to determine violations. Additionally, a conflict of interest occurs within these reasons as technology moves towards “big data.” “Big data” is the marketing buzzword today, comparable to “Search Engine Optimization” from several years prior. The very definition of big data is to collect and analyze everything under the sun to better understand whatever it is you wish to understand. You collect as many haystacks as you can before you go needle hunting. While I do think the big data trend will change over the next few years due to its current buzzword status and businesses coming to see that they really don’t have the manpower, money, and/or intelligence to understand all these details they’re collecting, it is still a current cultural phenomenon that needs to be taken into consideration.
As of right now, the United States has no mandatory data retention laws that I’m aware of outside of those relating to government investigations.(3) A few attempts have been made in the last eight years to require some data retention for internet service providers, all of which were thankfully defeated either in committee or via vote.(4) The moment we as a nation require mandatory data retention of all network traffic in this country is the day our freedom dies. To require such retention would be ridiculously costly from a hardware, software, and manpower standpoint. It would also open up avenues for abuse by those holding the data as well as from local, state, and/or federal officials, and other entities possessing less than good intentions. I would see this policy maintained, ensuring that no government or government agency- federal, state, or local- can require a network provider or business to preserve digital records in perpetuity.
For content that is maintained by businesses or network providers that need data for legitimate purposes, data security takes a leading role in shaping what and how that data is stored. You might be aware of data breaches at various businesses around the country in recent years. Home Depot, Target, Staples, Neiman Marcus, JP Morgan Chase, and Sony were some of the more notable system breaches, all within the last two years.(5) Tens of millions of data pieces concerning names, addresses, credit card numbers, social security numbers, and more have been dropped onto the Black Market through breaches relating to data security. Thus, I’m of the opinion that a digital security standard- even a de minimis one- is needed.
My “day job” before embarking on this campaign was that of a computer programmer. I did both online and offline development, wearing different hats as needed. Sometimes I needed to write HTML/CSS, sometimes Java, sometimes C#, sometimes SQL, sometimes it involved PCI compliance, sometimes there were firewall and router configurations. I consider myself a very good generalist but no expert in any one particular area. However, in all the years of work I did, one thing was constant: companies tend to treat data security as an afterthought. If that firewall is too expensive, they’ll decide against it. Likewise, if updated software is too expensive, they’ll continue using the old stuff. Do you know how many companies don’t have a method for patching their computer systems regularly? A lot. Do you know how many companies don’t encrypt credit card data or passwords or social security numbers in their databases? A lot. And why don’t they? Because it will cost too much, delay project launch, or both. Remember what I said about America's capitalism and the notion of maximizing shareholder value. Executives tend to think that operating expenses such as these don’t help that goal. They view the ROI on, say, a 10% cost increase on a project compared to a few percent chance of a security breach and decide their data should be alright.
Which is sad, because companies need to know that in this digital age such security measures, measures to keep consumer information safe, are now part of the cost of doing business. Add it in there with the need to buy paper, pens, pencils, and candy. Being a business in the digital world now comes with additional security “costs.” Just like bank vaults and safety deposit boxes have had physical security “costs” as part of their business, so too does network and data management have a “cost” as part of doing digital business. And I say this full well knowing that opponents of mine will call this proposal “government overreach” because I, as would-be President, would see implemented certain rules and regulations for how a business needs to operate. "How dare government tell a company what they should or shouldn’t do," these opponents will shout to whatever media outlet is willing to listen.
If you can honestly say that and then say it’s perfectly acceptable for a business to store name, address, and credit card information of users in a text file that’s not password protected on a public web server because they didn’t want to pay for a payment gateway to handle online orders… well, good for you for sticking to your principles. But you’re also stupid.
Not only are you stupid for thinking such a business practice would be acceptable, but you’re stupid because such a business practice is very much not PCI compliant. PCI DSS is the Payment Card Industry Data Security Standard, an information security standard for anyone handling certain branded credit cards like Visa, MasterCard, and American Express. It serves to increase security and reduce fraud because stolen data is a problem and credit card companies really dislike paying for fraudulent purchases. PCI DSS has a list of 12 requirements for compliance. None of these are legally required of a business at the federal level, but failure to comply could result in a business losing its ability to process certain credit cards. So while it’s not legally required, it’s still a good idea.
What I propose is the incorporation of PCI DSS into federal law. Three states that I’m aware of have incorporated these or similarly stringent data standards into law: Minnesota, Nevada, and Washington.(6) I propose making this a national standard where all businesses processing card information are required to be PCI compliant on a yearly basis. Even small businesses- the level 4 ones as described in the PCI DSS. Those businesses may not individually account for much in the grand total of card transactions, but when added together, these millions of level 4 merchants add up to more than 25% of all card transactions. Furthermore, at least on Visa’s side, more than 80% of compromises identified are level 4 merchants.(7) It’s easy to understand why, because level 4 merchants have no mandatory compliance requirements. They have recommended compliance surveys and network scans, but nothing mandatory. A level 4 merchant may go years without being validated for compliance.
Furthermore, I would like to see PCI DSS-like requirements extend towards any set of personally identifiable information not publicly available such as social security numbers, driver's license numbers, passport numbers, etc- most anything described in section 1028 of Title 18 of the US Code as being used for identification, at the very least. These should also be protected via firewalls, data encryption, and limited physical access. Storing social security numbers in an Excel spreadsheet on your office network or passing them around via email should not be happening in today’s technological world.
The problem with that solution, however, is enforcement. Setting up more government agencies to check up on such businesses is inefficient and costly. We also don’t have any requirements for notifying a third party that such information is being collected. If a company requires your social security number for some reason, they do not need to notify the Social Security Administration that they are collecting it. Because of this, such breaches of personally identifiable information at a business cannot be punished with removal of service like payment card providers can do for failed PCI compliance. Likewise, checkups on companies to make sure they’re being smart about security cannot be done either.
Thus I suggest we find a way to make it economically worthwhile to make such data secure. Whether this be through heavy fines or mandatory fraud protection, there has to be some solution we as a nation can come up with to keep our data more secure. Most every state has data breach notification laws, but notifying you that your information may have been taken doesn’t help stop your information from being taken. Under regulation 201 CMR 17.00 of Massachusetts General Law, companies or individuals that store or use PII about a state resident must develop a written plan that’s regularly audited to protect that information. I feel that can be a good base for a federal standard. Not only should it be a federal requirement to disclose potential data breaches, but we could use a national standard for data security. Basic stuff like firewalls and encryption, moving everything towards HTTPS traffic, mandatory WHOIS privacy protection on domain registrations, and encouraging system upgrades and patches. Not only will it be safer for businesses, but it will be good for the economy in creating plenty of new tech jobs and putting money back in circulation.
Let me pause for a moment and say that I’m aware of the issues with these suggestions and national security.
Now consider data retention. Data security and data retention go hand-in-hand. The longer you hold on to digital data, obviously the more time is available to circumvent protocols for access, making security an important issue. Data retention, however, also ties into privacy issues. When you capture a lot of data on individuals and then hold it for lengthy periods of time, you have the potential to eliminate a person’s right to privacy by essentially storing all their actions taken, giving you the ability to discern patterns and potentially know things about the individual they may not want to share. This is the exact opposite of what privacy involves. If you follow someone on the street, marking down their every action, every stop, every purchase, every time they glanced at another person, every time they made a call, sent an email, or anything like that, you would seriously be violating that person’s right to privacy. Plus, you’d be a creepy stalker.
Data retention has two main advocates. The first is everyone involved in security- governments, military, local law enforcement, etc. That’s because they believe the more data you capture and the longer you hold on to it, the safer you are.
The second advocacy source relates to groups associated with intellectual property enforcement. This includes the music industry and recording industry. You might recall my speech on IP reforms that this country desperately needs where I gave examples of greed, overreach, and abuses by groups who seemingly don’t give a damn what rights they trample on as long as they can make a buck. It’s these same groups that push for data retention laws here in America and all over the world. To them, the problem of piracy is so ubiquitous, so dangerous to their business model that they’re willing to sacrifice most anything to be able to track it. If they could, the RIAA and MPAA would love to have every bit of internet traffic filter through them to have any content they deem infringing not only removed from the digital world but also sent to them along with your name, address, and net worth for an impending lawsuit or quick hit settlement letter for thousands of dollars.
Notice what I said there: any content they deem infringing. That right there is one of the biggest problems with data retention. When you give all data to any group- government, private industry, etc- you risk creating situations for abuse from people with the data who feel they can use it however they want, for whatever they perceive to be good or bad.
Case in point, Kymberly Pine, formerly of the Hawaii House of Representatives. Back in 2012, not too long ago, she put forth a bill for her state that would require anyone who provides internet access to keep a detailed dossier on every website everyone who uses their service visits, with each site tied to the user’s name.(8) This would include all family members, all businesses offering free wifi, all public institutions, and more. The bill also didn’t care about any security standards on the retained data and didn’t forbid service providers from selling that data. And, from what I understand, the reason behind this bill was because Mrs. Pine apparently had a tiff with a disgruntled web designer.(9) In other words, because someone in office felt slighted by someone else online, they thought this to be a viable solution. You know, to track every site everyone visits online.
I cannot stress this point enough: no matter how bad things may be in the digital world, no matter how annoying or obnoxious or dangerous the internet may be, it is never, ever acceptable to destroy the right to privacy that we hold so dearly here in this nation.
Data retention is ripe for abuse precisely because of the volume of information being stored and who stores it. Private companies holding data, government holding data, and more creates supply, and with supply comes demand, and with demand comes desire for easy access. Imagine if a private company created automated license plate reading software and then put cameras up all over your town. They then store all that data- your license plate along with the GPS location of where you were and at what time- into their massive database. Now imagine if they kept that data forever.
You really don’t have to imagine all that, because it’s happening right now. It’s real and it’s scary, with billions of lines of data and hundreds of millions of new records added each week.(10) To make matters worse, access to that data is being used outside of law enforcement. Private citizens and companies can request access to the data for what I’m guessing are "legitimate reasons." No warrant, no judicial oversight. If anyone out there thinks long term tracking of billions of records of location data for non-criminal citizens without a warrant is not a violation of privacy, please let me know through social media.
This kind of data retention is ripe for abuse. It could be used to track distrustful family members, it could be used by government officials to track private citizens or even other government officials. They could even set up a shell company to avoid tying such investigations back to themselves. None of this is currently illegal. But it should be. Or, at the very least, curtailed tremendously, even if it does destroy the business model of automated license plate reader companies. If your business model relies on violating the privacy rights of Americans, your business model sucks and I have no problem watching it get crushed in the name of protecting our liberties and freedoms.
Companies that collect that kind of data and hold onto it forever make use of the argument that such data is public. They claim states treat a license plate, for example, as public data. As such, any attempt to curtail its collection and use goes against this fact because those attempts would be saying that public data really isn’t public.(11) But if we follow this line of logic, then most everything we do outside of home and work is public. Walking down the street, talking on the phone in the mall, visiting shops in the mall, what restaurants we go to, what we eat at those restaurants, and more is all public in that it’s witnessed by outside individuals. So why don’t we just create databases for everything? We can install facial recognition software and cameras every 10 feet and just snap away. That would provide us with tons of data that could be retained forever. You know, just in case.
Logically that makes sense. But it leaves out an important part of the argument. When we go out, we become public to a degree, for sure. People can see us and overhear us. However, this is all incidental; seeing a friend across the street is very different than following 5 steps behind that friend every moment they leave the house, watching them get gas, pick up the kids, and have a stare-down with those delicious, unhealthy cookies in the grocery store- all of which are "public" activities we engage in. Witnessing any one of those in a random encounter is perfectly alright and acceptable, I think we’d all agree with that. You cannot control randomness, chance, and chaos after all. But when we eliminate that by tracking unnecessarily and retaining the data, you create control. America is about freedom, not control and monitoring.
What I propose as a legislative conversation starter is the following. Any data collection relating to public activities without a warrant and not associated with any current criminal investigation should be held for no more than two weeks before being expunged. And when I say expunged, I’m not talking about moving the data to another non-searchable location, but rather the "DELETE FROM TABLE" SQL query type expunge from live data locations, staging data locations, and any and all data backups. This would apply to personally identifiable information and any information that can be linked to PII. This would not apply to the typical marketing and advertising efforts used by companies to better understand their consumers. I’m not of the mindset that Google Analytics needs to be made illegal. That type of anonymized data for marketing purposes and to help companies understand their own audience is important. Giving away access to that data is not, which is why I’m also proposing changes to company privacy policies.
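As an added illustration of the expunge rule just described (not code from the original speech), this Python script uses hypothetical tables and constructed sample rows: it hard-deletes license-plate reads older than fourteen days from both a live table and a staging table, exempts plates under a legal hold tied to an open case, leaves the anonymized daily counts alone, and then verifies that no expired rows remain.

```python
import sqlite3
from datetime import datetime, timedelta

# Retention window from the proposal: public-activity data collected
# without a warrant is expunged after two weeks.
RETENTION_DAYS = 14

# Constructed schema (hypothetical): two PII tables holding plate reads,
# a legal-hold table for records tied to a current investigation, and an
# anonymized aggregate table that the proposal leaves alone. Backups kept
# outside the database are not modeled; the same cutoff applies to them.
SCHEMA = """
CREATE TABLE live_observations (
    id INTEGER PRIMARY KEY, plate TEXT NOT NULL, camera_id TEXT,
    observed_at TEXT NOT NULL);
CREATE TABLE staging_observations (
    id INTEGER PRIMARY KEY, plate TEXT NOT NULL, camera_id TEXT,
    observed_at TEXT NOT NULL);
CREATE TABLE legal_holds (plate TEXT PRIMARY KEY, case_ref TEXT NOT NULL);
CREATE TABLE analytics_daily (
    day TEXT NOT NULL, camera_id TEXT NOT NULL, vehicle_count INTEGER NOT NULL);
"""

# Every location that holds PII gets purged. This is a fixed tuple, not
# user input, so interpolating the names into SQL below is safe.
PII_TABLES = ("live_observations", "staging_observations")


def build_sample_db(now):
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)

    def stamp(days_ago):
        return (now - timedelta(days=days_ago)).isoformat()

    conn.executemany(
        "INSERT INTO live_observations (plate, camera_id, observed_at) VALUES (?, ?, ?)",
        [("ABC123", "cam-01", stamp(1)),     # fresh: inside the window
         ("DEF456", "cam-02", stamp(20)),    # stale: must be expunged
         ("GHI789", "cam-01", stamp(30))])   # stale but under legal hold
    conn.executemany(
        "INSERT INTO staging_observations (plate, camera_id, observed_at) VALUES (?, ?, ?)",
        [("DEF456", "cam-02", stamp(20)),    # stale copy sitting in staging
         ("JKL012", "cam-03", stamp(15))])   # one day past the window
    conn.execute("INSERT INTO legal_holds VALUES (?, ?)", ("GHI789", "CASE-PLACEHOLDER"))
    conn.execute("INSERT INTO analytics_daily VALUES (?, ?, ?)", ("2015-05-01", "cam-01", 412))
    conn.commit()
    return conn


def expunge_expired(conn, now, retention_days=RETENTION_DAYS):
    """Hard-delete PII older than the window from every PII table.

    Rows whose plate is under a legal hold are exempt, matching the
    carve-out for data tied to a current investigation. Returns the
    number of rows actually deleted per table (a real DELETE, not a flag).
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    deleted = {}
    for table in PII_TABLES:
        cur = conn.execute(
            f"DELETE FROM {table} WHERE observed_at < ? "
            "AND plate NOT IN (SELECT plate FROM legal_holds)",
            (cutoff,))
        deleted[table] = cur.rowcount
    conn.commit()
    return deleted


def expired_remaining(conn, now, retention_days=RETENTION_DAYS):
    """Verification step: expired rows that are not on hold must total 0."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    total = 0
    for table in PII_TABLES:
        (n,) = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE observed_at < ? "
            "AND plate NOT IN (SELECT plate FROM legal_holds)", (cutoff,)).fetchone()
        total += n
    return total


def run_demo(now=None):
    """Build the sample DB, purge it, and return the outcome for inspection."""
    now = now or datetime(2015, 6, 1, 12, 0, 0)   # fixed clock for reproducibility
    conn = build_sample_db(now)
    deleted = expunge_expired(conn, now)
    rows_remaining = {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                      for t in PII_TABLES}
    (analytics,) = conn.execute("SELECT COUNT(*) FROM analytics_daily").fetchone()
    return {"deleted": deleted, "rows_remaining": rows_remaining,
            "expired_remaining": expired_remaining(conn, now),
            "analytics_rows": analytics}


if __name__ == "__main__":
    print(run_demo())
```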
Any company that gives access to a third party along with any third party that gives access to another third party and so on must let website, web app, and mobile app users know what information is being collected outside of anonymized Google Analytics-type data and also what third parties are given access to that data. I would like to see a liability chain here to ensure that everyone managing private consumer information is being responsible with it. This is on top of the data security standards I would like to see implemented as well. Most sites already have detailed privacy policies relating to what info they collect and how third parties may have access to it for marketing purposes. I just want to see that strengthened.
To be clear, the data that gets sent by every computer in order to connect and consume web content is fine as is. The moment you start asking for user information- whether it be for ecommerce purchases, contact forms, contests, marketing promotions, etc- is the moment I would see more clear and more strict privacy policies enacted.
In the event that a company transfers your data, I want to see mandatory notifications to users that their data was transferred along with why and to whom- via email or via prominent messaging on the digital site or digital application doing the transfer. If they sell your data to another company, users need to be notified as such. If they give your data to the government, outside of certain security-related restrictions, I would like to see users notified of this as well. As it stands, companies that are victims of a cyberattack are required to notify users their info may have been compromised. When they purposefully give it to others, they are not required to notify you in any way. This makes no sense and needs to be changed.
Because at the end of the day, America, we deserve privacy. Privacy is a critical aspect of freedom. It liberates us from feelings of being judged, of concern over what others might think. It keeps us safe when others cannot easily discover our daily habits. It frees us from worry over who might be watching. It prevents abuse, keeping those who would seek to control others from being able to use such information for personal gain. Companies may not like this freedom if it has the potential to cut into their profits or makes advertising more difficult because they do not have a single unified profile of all of my online activities, but you know what? Tough luck. Businesses have survived millennia before technology and they will survive millennia after it. Potential and possibility do not mean something should be done, especially in the tech world. This is why we have a Bill of Rights on top of our unalienable Rights; they are protections from our forefathers, ideals of freedom vague enough to cover many areas yet specific enough to be effective. Americans want their privacy, and I want to give it to them.(12)
(3) As I understand it, the Stored Communications Act (an extension of the Electronic Communications Privacy Act of 1986) requires providers to preserve stored data for up to 180 days on government request.
(4) The Internet Safety Act of 2009 was a piece of legislation introduced by Republicans that would require all ISPs and operators of wifi hotspots (hotels, coffee shops, even families with open wifi) to keep records of all users for two years. Theoretically this is done to aid police investigations. Two years later, the Protecting Children from Internet Pornographers Act of 2011 was introduced requiring internet traffic data to be held as a way to crack down on child pornography. While the intent may be good (child pornography is an absolutely abhorrent and heinous crime), the vagueness of the proposed legislation would have yielded far worse unintended consequences. I realize that saying anything is worse than child pornography is incredibly mind boggling; however, when you consider possible attempts at curbing child pornography against mandatory storage and tracking of all internet users- IP address, person holding the account, date/time stamp for every URL loaded, device it was loaded on, and GPS data of said device- it is easy to see a Big Brother surveillance state emerge. Such a cost to liberty is too much, in my opinion.
(5) See The Big Data Breaches of 2014.
(6) Minnesota enacted H.F. 1758 back in 2007. It prohibits storing card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data after authorization of the transaction. Nevada in 2009 required anyone accepting a payment card in the state to comply with the most recent version of the PCI DSS. Washington State in 2010 removed liability from businesses that maintain yearly PCI DSS compliance. See Minnesota Session Laws H.F. 1758, Nevada Revised Statutes Chapter 603A §215, and Washington Revised Code §19.255.020.
(7) See Level 4 Merchant Compliance Program. When you add up thousands of single locations with poor and/or outdated security implementations, security issues become a real threat to consumers.
(8) See Hawaiian Politician Wants To Track Everyone Online Because Someone Doesn’t Like Her... Backs Down After Public Backlash. It should be noted that Representative Pine later backed down after the public got word and felt it to be a horrible idea (rightly so in my opinion).
(9) When searching Google for “Hawaii representative kymberly pine,” one of the top results I got was http://www.kympineisacrook.com/. This is likely the website that she was none too happy with.
(12) See Yes, Internet: Your citizens still want their anonymity. The article cites a Pew Research Center study on demographics more likely to use strategies to make themselves less visible in the online world. Vast majorities of poll responders felt privacy was still important, especially concerning email contents, where they access the internet from, and what websites they browse.