Fred H. Cate

Predicting security and privacy challenges 10 years ahead is a daunting task, and one almost certainly doomed to failure. So I thought it might be more useful - as well as safer - to identify six issues proving problematic today, and that I believe are going to be even more vexing in the future.

1. Changing Fraud/Security Threats

I and others have argued that the current firestorm over identity theft and the role that information security breaches play in it is overblown and misfocused. But whatever the case today, there is mounting evidence that identity theft is evolving in ways that will make it more challenging and more threatening in the future.

For example, we appear to be witnessing an evolution of attack strategies that suggests the involvement of sophisticated fraud rings. A number of recent frauds reflect key similarities - i.e., common addresses, phone numbers, targets and strategies - that cause law enforcement officials to believe they are orchestrated by well-organized and financed perpetrators.

More significantly, we are witnessing the emergence of new and harder-to-detect frauds. Phishing attacks are growing rapidly in both frequency and effectiveness. As of December 2005, seven in 10 Internet users say they have been fooled by phishing messages.

"Spear phishing," which relies on contextual information to target fraudulent messages based on characteristics of specific Internet users, is proving even more effective. In one Indiana University study, the percentage of recipients of a phishing message persuaded to provide their account name and password increased from 16 percent to 72 percent when the researchers made it appear that the fraudulent message originated from a Facebook friend.

In addition, evidence is emerging of a new type of identity fraud: synthetic identity fraud. Rather than making fraudulent use of an existing credit card or bank account, or opening a new fraudulent account in the name of an unsuspecting victim, synthetic identity theft involves creating an entirely new identity. Many of our current efforts at solutions to fraud and identity theft focus on individuals (i.e., free credit reports, breach notices, dispute resolution procedures, fraud alerts). We know that individuals aren't taking advantage of these today, but they will be even less effective in the future because synthetic identity theft may not show up on anyone's credit card statement or credit report. In fact, it may not be visible for years, as thieves develop credit records for the new identities they have created.

2. Location Information

A second area of growing concern is the location information generated by cell phones, RFID tags, On-Star and other auto-based computers, and the myriad other emerging technologies that provide increasingly precise information about the user's location.

The issue is not just the risks of such information, but how to deal with privacy issues (especially if based on notice and choice) in contexts where there may be no screen, no contract, and potentially no contact with information users.

3. Information Aggregation

A third critical issue is the whole field of information aggregation and the industry of data aggregators that supports it. Data aggregation is vital for verifying consumer identity, accurately matching data with people, target marketing, and other valuable activities. The government also has identified data aggregation (and data mining) as key to anti-terrorism and anti-crime efforts. I suspect that data aggregation services will continue to grow for all of these purposes, and especially as a critical foundation for identity authentication and verification.

But data aggregation has long been a subject of controversy. Public reaction to many government proposals to use aggregated data for security purposes has been swift and critical. It challenges our traditional approach to privacy regulation, because of the difficulty (if not impossibility) of a data aggregator providing notice or an opportunity for consent to a consumer with which it has no direct relationship. As the demand for services based on aggregated data grows, our inability to manage the issues those services present today will only lead to greater controversy in the future.

4. Global Data Flows/Outsourcing

We currently use national (or even state or local) law to deal with increasingly global information flows. While the issues this raises are not new, powerful information technologies, global networks, and the multinational commerce, outsourcing and information sharing they have made possible already are causing new and more frequent conflicts among divergent national approaches to privacy and information management.

We have seen this demonstrated by the Article 25 European Union Data Protection Directive; the legal wrangling over transferring Passenger Name Records across borders for immigration, infectious disease control and anti-terrorism purposes; restrictions in British Columbia, Ontario and most recently Nova Scotia, on transferring personal data to the U.S.; and the growing political debate in the U.S. and Europe about outsourcing personal information to India and elsewhere.

These issues are critical, and they are only going to become more acute as business processes and laws catch up with the increasingly global economy and require the retention and consolidation of more personal information across national borders. Consider, for example, the impact on multinational companies of the requirements of the new U.S. electronic discovery rules that take effect this month and require companies to retain and search electronic documents - wherever located - that may be relevant to anticipated or ongoing litigation.

Most importantly, the approach of using national trade barriers and bilateral agreements to address these concerns is unlikely to prove a useful model for the future.

5. National Security/Law Enforcement

The fifth privacy/security issue that I believe will dominate debate for the next decade concerns how the government should use personal information to enhance national security and what limits law should place on that use.

Following the terrorist attacks of September 11, 2001, we have witnessed a significant escalation in government intrusions into personal privacy and considerable erosion in the legal protection for privacy and the government's respect for privacy, all justified on the basis that it is necessary to protect national security and secure critical infrastructure.

These developments, and the apparent threats to national security, have contributed to undermining rational policymaking. In one three-month period, for example, Congress enacted legislation both prohibiting and requiring data mining to fight terrorism. Yet we still have no consensus on whether data mining to prevent terrorism is legal, effective, or consistent with American values concerning privacy.

Similarly, the government's intense interest in accessing personal data for national security and law enforcement purposes has brought the U.S. into increasing conflict with Canada, European nations and other allies. It also has highlighted the volume of personal data available in the private sector and the absence of any legal constraints on the government accessing those data.

It is difficult to imagine a more pervasive or critical set of issues. The stakes could hardly be higher: on the one hand the prevention of terrorist attacks; on the other, the erosion of the most fundamental privacy rights and the other civil liberties that necessarily depend on them.

6. Accountability

The final privacy/security issue that I would highlight is the question of accountability. This is really a cross-cutting issue that has been raised by many existing privacy and security controversies: whatever the rules protecting privacy and security, how do we ensure accountability?

Despite the prevalence of this issue, I don't think we are moving any closer to resolving it. Users of personal information - whether in the public or private sectors - frankly are not very interested in meaningful, third-party accountability. And many of the accountability tools we have seen to date - class action lawsuits, pile-on investigations by federal and state regulators, statutory penalties where no tangible harm has occurred and wide-ranging data protection commissioner inquiries - are so costly and unrelated to meaningful privacy or security protection that it is not hard to understand that reluctance.

The absence of rational, effective accountability systems undermines privacy and consumer confidence.
Resolving these issues will not be easy. Privacy and security laws in the U.S. vary widely, create different rules for the same data held in different sectors, conflict across state lines and are overseen by a dizzying array of federal and state agencies. This makes little sense today, and will make even less sense as technological and other developments make the collection and use of data more integrated and seamless to consumers.

Until we make better sense out of our privacy and security framework, and the key legal principles that undergird it, we have little hope of addressing the more vexing issues on the horizon.

Creating a more rational framework will require moving beyond the notice and choice approach of which we currently appear to be so enamored. We know that very few people read notices or exercise choice over how their information is used. A privacy system based on notice and choice isn't likely to work any better in the future, especially in the face of new technologies and applications that make information collection and sharing easier, essential and more invisible to the consumer.

Rather than clinging to notice and choice, or expanding it (as we seem determined to do by adopting consumer notices as a measure to deal with security breaches), it is time that we recognize that privacy requires more effective protection. We don't use notice and choice in other areas of consumer protection. You can't choose to be defrauded or to be the target of bait and switch sales practices. We will never make a serious step toward addressing the critical privacy and security issues outlined above until we let go of our reliance on notice and choice.

Finally, we must be aware of the shifting nature of privacy norms. Privacy and security must always be considered in the context of other values and consumer desires (i.e., convenience, safety, affordability, etc.). The balance among these competing interests is always in flux and our approach to protecting privacy and security must take that into account.

But we also must be aware of the risks of getting used to less privacy and security, especially in the public sector. As many people have noted throughout history, privacy is easy to give up, but hard to reclaim.

Fred H. Cate is a Distinguished Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, and a Senior Policy Advisor in the Center for Information Policy Leadership at Hunton & Williams. He may be reached by email. This article is excerpted from his remarks on "Security and Privacy Challenges in the Coming Tech-ade" at the Federal Trade Commission hearings, "Protecting Consumers in the Next Tech-ade."
