Digital Identity and Privacy Challenges
Is technology giving us the digital rope to hang ourselves?
As the United States enters the third decade of the 21st century, our nation faces growing and rapidly evolving threats to our information technology, infrastructure, networks and data. Indeed, the ever-present threat of cyber attacks is one of the most significant challenges we face, impacting economic, political, societal and national security concerns. This ever-present threat touches every corner of our economy and every level of our government, from municipalities and school districts to state election databases to the Internal Revenue Service, Office of Personnel Management and the Defense Department.
Growing investments in security technology are designed and implemented to guard the confidentiality, integrity and availability of information, yet we read about high-profile cyber attacks and massive data breaches week after week. These breaches cost our economy billions of dollars annually and undermine trust in our institutions and leadership. Efforts continue across the federal government to change this dynamic and lock down our computers and our data.
Less attention has been focused on a different but related issue: the collection, creation, processing, sharing and use of sensitive information, including personal data. Left unchecked and unregulated, the ubiquitous collection of sensitive data from more diverse sources may also have a negative impact on economic, political, societal and national security concerns. Indeed, a focus on the confidentiality, integrity and availability of data without an equal emphasis on the reasons the data is collected in the first place and how it’s used could have catastrophic results for our democracy and democratic institutions.
Today, personal data often is not collected directly from the individual but, rather, from a diverse range of sources without the individual’s awareness of its origination and subsequent uses. This includes the growing deployment of cameras, microphones and other sensors in our cities and communities. Sensors, artificial intelligence, machine learning and advanced analytics are now mainstays of our digital environment. In a world of artificial intelligence, the systems themselves create new knowledge and make decisions that impact people. The uses of data range from mundane to beneficial to potentially harmful.
We need only look across the Pacific at the scale and scope of the developing surveillance state in China to see where the pervasive collection of personal data could lead. Beijing leverages personal data about every detail of an individual’s personal and professional life to assess loyalty to the government, limit assembly and the exchange of ideas, and maintain control. New applications of machine learning even generate “loyalty scores” the way our credit system generates credit scores.
The ever-increasing collection of personal data by the commercial sector and the subsequent processing of that data is part of the complex set of issues that must be addressed in the United States. Data collected by the private sector often is transferred to the public sector for a wide range of uses even if laws would have prohibited a particular agency from collecting the data directly. The collection of precise location information over time is shared from mobile devices along with the apps we use, the websites we visit, the articles we read, the goods and services we purchase and the individuals we communicate with.
As digital technology does not respect national borders, the personal data of Americans finds its way to our adversaries and industrial competitors. Seemingly insignificant sets of personal data, when combined with other data sets, reveals an alarmingly sensitive profile of not just individuals but the American workforce, the federal workforce and societal trends. The mosaic effect can enable an entity, even an adversary, to track patterns, predict outcomes, and perhaps most alarmingly, identify anomalies that may implicate intelligence initiatives or national security concerns. In short, in the absence of regulation and a thoughtful strategy we are collecting, creating and exposing far too much personal data without assessing the risks or contemplating the adverse consequences to individuals, commercial actors, long-term prosperity and national security.
Many tech companies today can predict our behavior with alarming accuracy and influence our decisions. The authors are concerned that Google, Amazon, Facebook, Apple and other platforms predict our behavior and alter our online experiences to produce commercially advantageous outcomes for them. We believe that most people share our concern although the asymmetry of information makes these commercial practices difficult to understand. Regardless of how one feels about data processing by corporate America, everyone should be concerned if a foreign government is predicting our behavior, restricting our choice and influencing our decisions.
These intrusive applications support technology and telecom products that include smartphones, tablets, PCs, smart TVs, connected vehicles, voice automated assistants and/or any connected product supported by the Android OS, Apple iOS or Microsoft Windows 10 OS. Aside from being preinstalled into connected products, these intrusive applications are also distributed through third-party application stores that include Google Play, Apple App Store and Microsoft App Store. Often without realizing it, the app stores hosted by Google, Apple and Microsoft are actively distributing Chinese and Russian surveillance and data mining technology that can be used to threaten U.S. citizens, national security and our economy.
These intrusive and harmful applications can even launch attacks on networks, including critical infrastructure, according to a Vision Times article. Confidential and protected personal or employment information is acquired, used, shared, aggregated, stored and sold by all operating systems and application developers posing huge privacy, cybersecurity, civil liberty and safety threats to the end user, especially those who use their devices for employment purposes.
An unexpected strength of the Internet is the ability to largely remain anonymous. As the infamous New Yorker cartoon stated, “On the Internet, nobody knows you’re a dog.” Anonymity provides a way to view merchandise without being asked to buy anything, to openly and freely express opinions on endless topics without being judged in the physical world, to have an online persona that is not associated with a user’s real name and location, and to remain relatively safe from a physical perspective regardless of their online behavior. Most online users feel that they are anonymous if they don’t reveal their name or location in what they post in their profiles or in what they say in social media. It would seem that the inherent anonymity of the Internet would protect users from surveillance capitalism, but it doesn’t. Cookies, access to user locations via GPS, cross-communication between applications and other technical tools bypass perceived anonymity and provide enough technical information to accurately pinpoint an individual and successfully identify him or her.
In a world of changing privacy laws and regulations, identity theft and online anonymity, protecting our personal data from misuse by corporations for financial gain or by governments—both foreign and domestic—is one of the major challenges that we all face. Managing personal data digital identity is a constantly moving target that aligns with all lines of effort outlined in the U.S. National Defense Strategy. Our adversaries and competitors understand this well and have expanded their attack surface.
Additionally, privacy advocates and other groups are concerned about the legality of the overall surveillance and data mining business practices that pose a significant threat to the U.S. government, businesses and our citizens.
Col. Arthur Friedman, USAR (Ret.), is an identity strategist detailed to the Defense Information Systems Agency from the National Security Agency. Brig. Gen. Gregory Touhill, USAF (Ret.), is president AppGate Federal Group. They lead a recently created Digital Identity and Privacy subcommittee of AFCEA’s Cyber Committee. The subcommittee, in coordination with the AFCEA Cyber Committee, is a volunteer group of public and private sector information technology professionals that oversee AFCEA’s outreach and help ensure open lines of communication between government and industry. The subcommittee also is committed to helping prepare the future workforce face these new cyber challenges.
Digital identity and privacy challenges are at the top of the list of international cyber issues threatening societal fabrics, national security and national prosperity. As such, the subcommittee has organized a panel for the December 2020 TechNet Cyber conference that will address thought-provoking topics to include the need for a national comprehensive strategy and policy addressing the collection and use of personal data by both the private and public sectors. The subtitle of this article, inspired by one of its subcommittee members, Maj. Gen. Joseph Brendler, USA (Ret.), refers to a quote from Vladimir Lenin that “Capitalists will sell us the rope with which we will hang them.” Without appropriate safeguards, today’s digital technologies may become this rope.
Contributors to the panel and this article include Bill Baz, Radiant Logic; Maj. Gen. Brendler, Brendler Consulting; Rex M. Lee, My Smart Privacy; Marc Sachs, Pattern Computer; and Tim Schmoyer, The MITRE Corporation.