In this interconnected, digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector. Now, our first order of business is making sure that we do everything to harden sites and prevent those kinds of attacks from taking place ... But even as we get better, the hackers are going to get better, too. Some of them are going to be state actors; some of them are going to be non-state actors. All of them are going to be sophisticated and many of them can do some damage.
President Barack Obama during his 2015 SOTU address
Privacy had a big moment last week. While much of the nation tuned in, President Barack Obama put it on the same stage he put other national priorities: competitive education for youth, strong trade with Asia, middle-class economics and, yes ... privacy. He used the word three times, twice more than last year.
That 15-minutes-of-fame followed the president's cameo at the Federal Trade Commission (FTC) earlier this month where he announced he'd be pushing legislation on cybersecurity and privacy, including a national breach notification standard and a much-discussed-but-not-yet-public Consumer Privacy Bill of Rights.
While privacy pros are thumbs-up happy that Obama's pushing privacy, they've got mixed reviews on what he's getting right and what, of that, is likely to ever go anywhere. After all, this is a lame-duck Democratic president hoping to push his agenda through a Republican-dominated House and Senate. DLA Piper's Jim Halpert calls the proposals the "beginning of conversations with the Republicans on Capitol Hill."
It's unknown whether the conversation will be of collect or toll-free length.
Obama's cybersecurity bill proposal would encourage the private sector to share appropriate cyber-threat information with the government. In exchange, companies that share threat data would receive liability protection, but they would have to restrict the kind of personal information they keep on consumers in order to qualify. The disclosure rules would be developed by the Department of Homeland Security and the Office of the Attorney General in conjunction with the Privacy and Civil Liberties Oversight Board. The proposal also calls for a federal statute on breach notification that would standardize the varying rules across 47 states today.
Howard Schmidt was Obama's cybersecurity coordinator until he retired last May. He was behind the administration's cybersecurity legislation of 2011, which he said was developed after consulting many privacy advocates. But since then, he said, headlines and the resulting climate of fear in the U.S. mean the "needle may have flipped" the other way—the public swaying more toward stopping threats than guarding rights.
"I think things have gotten worse" since 2011, he said, citing the Snowden revelations, the terrorist attacks in Paris and the beheading of U.S. citizens at the hands of ISIS. "I don't know that we've had enough substantive discussion on what is the best balance."
It may be that the right people aren't seated at the table right now, Schmidt said. For the bill to be highly considerate of privacy rights, groups like the Center for Democracy and Technology (CDT), the Electronic Frontier Foundation and the ACLU are "the core people that have to be around the table and probably haven't been there enough," he said, adding that the chief information and security officers need to be sitting right next to them. How this is executed in the end will be important, and privacy and information-security go hand in hand.
"You also need people that understand the matrix, what's out there, what we're really missing by not having certain information. Look at all the bad things that have happened, including the Sony hack," he said. "If we're so good at collecting information, why didn't we see this coming? Something's not happening. We're over-collecting and not focusing or not using the tools right."
Halpert disagrees, however, that privacy isn't being considered enough. He thinks the bill leans further toward privacy advocates than the middle of the road, in fact, and wonders if the House and Senate will have a palate for that. The Senate, he said, has the same problem over and over with bills like this: too many committees claiming jurisdiction, no consensus and an inability to compromise.
Schmidt thinks Obama's cybersecurity proposal should include criminal laws with enhanced penalties for crimes impacting critical infrastructure—something the 2011 proposal called for—and he thinks computers should be added as part of the Racketeer Influenced and Corrupt Organizations Act, which allows criminal penalties for leaders of a criminal act and not just the actors. That way, it's not just someone who speaks code that gets nailed to the cross; it's the ringleaders and their posse, too.
"Organized crime is very heavily involved in hacking and ID theft and credit card fraud, and that's the bottom line," he said.
ID theft is something Pam Dixon knows a lot about. Specifically, medical ID theft, an on-the-rise crime Dixon said is rampant in California that can, very literally, kill a person.
Dixon, who runs the World Privacy Forum, was the advocacy force behind California's 2008 passage of a medical breach data bill that sees victims notified of their data breaches quickly, sometimes within days. It would be preempted by Obama's federal breach notification bill.
"So instead of protecting privacy, that bill is actually threatening victims of medical ID theft," she said. She'd rather see a bill like the HITECH Act, she said, which created a nice floor for states to regulate on top of, as needed.
"States need the ability to respond to specific problems in their world," she said. "And we have a very specific problem in our state."
Halpert is skeptical the data breach component will go anywhere, anyhow.
"This is an issue that's been kicked around Capitol Hill for 10 straight years," he said, noting it's always faced too many committees claiming jurisdiction and too little consensus. "We've seen this movie before, and it never has an ending."
The CDT's Nuala O'Connor, CIPP/US, CIPP/G, however, sees a different problem: Where's the provision on government surveillance?
O'Connor wants any cyber bill to include "significant and permanent surveillance reform," and she's encouraged by "strong libertarian" voices on both sides of the aisle who she thinks want to see government intrusion curtailed.
"We think that the ubiquitous collection of personal information by the government, particularly when that data is provided in the context of a commercial transaction ... creates a lasting and incredibly damaging chilling effect on individual freedom," she said.
No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids.
President Obama during his 2015 SOTU speech
Obama's student privacy bill, the Student Digital Privacy Act, has been described as being modeled after California's student privacy bill, though the actual text hasn't been released. Of the recent proposals, it's the bill most predict will move in Congress. If passed, it would prevent companies from selling student data to third parties for noneducational purposes and from engaging in targeted advertising to students.
The bill is needed, according to Elana Zeide, a privacy research fellow at New York University, because schools are really grappling with these issues. They're faced with basic data security risks that they're not really equipped to handle, from unauthorized access to their systems to employee error or intentional hacking.
Third parties introduce an entirely new layer of danger, and most schools outsource a variety of services to third-party vendors, from who's operating the cafeteria to managing student databases. And there aren't hard-and-fast national rules on that. What if the third party wants to sell the student data? Or what if the teacher decides to download an app that requires some student data?
Privacy pros seem to agree this bill has the best chance at succeeding since it's arguably the most bipartisan initiative announced; there are lots of Americans, on both sides of the aisle, who've got kids, and everyone wants their kid, their niece, their best friend's kid, to stay safe.
Zeide feels good about it as long as it does in fact follow California's lead in a key area: While the Family Educational Rights and Privacy Act (FERPA) requires the school to be the overseer of its third-party vendor, which can be difficult depending on a school's lack of resources or tech know-how, this bill would regulate the operators instead.
"That was one of the big important shifts in the California bill was that it regulated third parties directly," Zeide said.
While there hasn't been significant outcry publicly from the educational app-development or service-provider world, it seems inevitable that the industry would worry about the way new rules would affect their product development or business models. The Software and Information Industry Association published comments late last year that it "remains concerned about overly prescriptive and prohibitive state laws that do not recognize varied and innovative educational practices and could create a digital learning ceiling in the name of safeguarding student information." The same could ostensibly apply to national laws.
Following California's lead on that isn't enough, Dixon said.
"We have to have FERPA reform as well," she said. "Educational privacy reform has to be re-crafted from root to branch."
Dixon said if the bill is mirrored after California's student privacy bill, we're in big trouble.
"The California bill didn't touch the problem in FERPA," she said. "If we get school privacy reform that looks like California's, it will have left a gaping hole that anyone can walk through."
That's because FERPA's major flaw is a loophole within its student directory information system which allows access to third parties. The information in the student directory can include such private information as a student's name, address, telephone number and date and place of birth, and it's up-for-grabs to third parties, potentially data brokers creating profiles of students for whatever purposes, without consent.
"We've had a decade-long approach to privacy that's focused on 'Let's close down marketing,' but that just doesn't address the real problems anymore," she said. The real problems are far greater than what kinds of ads kids see; it's "deep student and parent profiling."
Zeide's got some concerns of her own as well, like about the ways the bill would allow schools to use the student data they collect. There's value in the research that can be done given such information, despite recent examples like the now-defunct inBloom.
"It's undermining some of the collective benefits we could all get from that," she said.
As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse. And next month, we'll issue a report on how we're keeping our promise to keep our country safe while strengthening privacy.
President Barack Obama during his SOTU 2015
Consumer Privacy Bill of Rights
In 2012, the Obama administration released a bill of rights that would apply to any individual's personal data, including in the aggregate. The White House bill’s provisions included granting consumers the right to exercise control over the data companies collect from them and how it’s used; the right to easily understandable and accessible information about privacy and security practices; the right to data access and to correct inaccurate data; the right to reasonable limits on the amount of data companies collect on them, and for companies to be held accountable by enforcement authorities in the case they don’t adhere.
For this iteration, the administration consulted with stakeholders and says it will soon unveil a new draft.
“We’ve identified some basic principles to both protect personal privacy and ensure industry can keep innovating,” Obama said at the FTC earlier this month.
Halpert said it's important that the administration raise the issue again and he expects to see legislators introduce bills based on it, but this one's going to be a marathon and not a sprint.
"This is a longer conversation," he said. "Not that it's a bad idea. I think it's a good idea. But it takes a while for ideas like this to move forward."
Dixon doesn't think it's as good an idea.
"In any of the proposals, I have not seen anything on data broker opt-out," she said. "And that includes consumer privacy bill of rights legislation. And unless it addresses the national data broker opt-out, it's not doing its job to address the most pressing privacy problem we have."
What happens when you put the emphasis on the wrong target? People get hurt.
"I just told several hundred victims of domestic violence that there's no single way to get off of data broker lists, and you'll have to spend a week doing it," Dixon said. That didn't get a great reaction.
It's about people, in the end.
"We get so many calls," she said. "No one ever calls me and says, 'I don't like this ad I saw.' But people call and say, 'How do I get my information off of these sites?'"
Jon Potter of the Application Developers Alliance was part of the National Telecommunications and Information Administration multi-stakeholder effort that convened in 2013 in hopes of drafting a legally enforceable mobile app consumer privacy bill.
He says the app developer community understands that for quality control, product development and to simply understand what your users like and don't like, data collection and analysis is critical and shouldn't be inhibited. At the same time, the alliance certainly promotes that developers have integrity when it comes to their consumers—transparency is key, he said.
"We think consumer interests and industry's interests are perfectly aligned in this regard," he said, adding that consumers understand the benefit data analysis provides and want the kinds of things innovation brings.
But it's finding the balance that's going to be tough.
It's going to be an upstream battle getting any of the proposals turned into law, Halpert said.
"Legislation in Washington is the art of compromise, and there's been relatively little compromise over the past six or seven years on privacy issues," he said. "I don't know whether there will be an appetite for compromise this time around. But ... these issues now are very, very important. And Congress needs to address them in some way."