Experts Warn of Weaponization of Personal Data
Action is needed to protect individuals and national security.
Massive amounts of sensitive information on U.S. citizens are being collected, created, shared, bought and sold, and in some cases used as a weapon by the country’s adversaries, according to a panel of experts speaking at the AFCEA TechNet Cyber conference, a virtual event held December 1-3.
The information is gathered and sold by companies such as Facebook and Google and the producers of a wide range of applications, programs and technologies.
“If you are not paying for a service, the thing you’re getting is not a product. You are the product. The company that is providing you that thing you call a service is using your interaction with them through that service as a way to collect information about you, and then they sell it to other people willing to pay them for it,” noted Maj. Gen. Joseph Brendler, USA (Ret.), Brendler Consulting, who served with the U.S. Cyber Command before retiring.
The problem started with digital advertising, Brendler adds, with companies selling data about users so that ads can be more precisely targeted.
“They, by knowing more about you, could produce targeted advertising that’s more likely to be effective with you because it achieves some way of activating you in order to get you to make a buy decision about their product,” he explained. “That dynamic is called influence operations, if you put it in military terms, and the weaponization of that technology is exactly what is used by the adversaries of the United States ...in conducting information warfare against the United States,” he explained. “I think what we have here is a dynamic which has started with a purely commercial marketplace producing technologies that can be weaponized and used for the purposes of influencing the people of the United States to do things other than just buy products, such as who you’re going to vote for.”
Adversaries can use personal data to understand how to push emotional buttons and motivate individuals to take action. “It’s the fact that simple dynamics like getting people emotional about a subject will cause them to want to do something about it, be more polarized, aligned with a side and then actually take action,” he said. “So, activating people who are otherwise potentially just observers to a political phenomenon that’s going on is accomplishing an extreme shift toward greater political activism.”
While such manipulation is not always nefarious, it certainly can be, he suggested. “Some of that is a good thing—a peaceful exchange of ideas would be a good thing—but the extent to which it might produce a violent outcome is a really bad thing. Absent the appropriate forms of regulation, we really have an unregulated arms market here.”
Marc Groman, Groman Consulting Group, who has served as a policy advisor within the White House, echoed the retired general’s remarks. “This information, which is now collected and created in volumes we never contemplated, can go to the U.S. government for good reasons and positive research. We never discuss the fact that it also goes to foreign governments in various ways, even to adversaries in various ways,” he said. “That’s not often part of the conversation, but … as we create this data and create this incredibly deep, detailed picture of not just American individuals but of our society, our communities, our culture, there are risks we never talk about with that data moving overseas for other purposes.”
Brig. Gen. Gregory Touhill, USAF (Ret.), president, AppGate Federal Group, who was the nation’s first federal chief information officer, added that the misuse of data is beginning to raise alarms. “People are starting to realize that this collection and aggregation of data and where it’s being consumed is continuing to raise attention in our community and others, and it’s raising alarm in many cases, because that information that is collected by the credit bureaus, those who are doing background investigations, those who are aggregating vast troves of information, that in fact can and is being weaponized against people by nation state actors, cyber criminal groups, and others for nefarious reasons.”
The sheer volume of disinformation and misinformation during recent elections is just one example. Disinformation is deliberate; misinformation is not. Touhill used manure spreading as a metaphor to illustrate the difference. Those who deliberately produce the manure engage in disinformation. Most often, those who spread it are sharing misinformation.
“This has never been more magnified than what we saw during 2020 and the elections with all of the misinformation and disinformation that is out there. As we’ve seen during the election, there was a lot of disinformation being put out, and a lot of folks were passing the manure, all that misinformation, just by hitting share, share, share and weren’t even verifying that information that’s out there,” he declared. “That’s something we all as citizens need to be very cautious about and very sensitive to.”
Touhill also explained it’s a wide array of data being created, collected and shared. “It’s much more than just the textual type of data—imagery, video, audio—all of this is being collected, it’s being digitized, it’s being packaged up, commoditized, and it’s really traded on multiple markets around the world, not just domestically but internationally as well. Everything you can imagine is being digitized,” said Touhill, who also co-chairs the AFCEA Digital Identity and Privacy subcommittee.
And the data is not as anonymous as some may believe. “We have really been deficient in identifying the privacy and the identity requirements of that information because, frankly, with artificial intelligence and some tools that are freely available off the shelf for many people, you can literally take that information, parse it and be able to track it back to the sources in many cases,” Touhill said.
While people have the option of accepting or declining user license agreements, Touhill noted that the agreements are too complex and too comprehensive for many users to understand, meaning most don’t bother to read them. “We are literally, by clicking through the user license agreements, we are signing away a significant portion of our lives, our identities and our privacy to the companies that are out there,” he asserted. “We are, in fact, being bought and sold based on who we are, what we do online, where we are, our locations, our browsing habits, who we talk to on the phone, when we talk, when we rise. If you have these smartwatches or smartphones, you’re being tracked 24/7.”
Touhill also warned that people need to emerge from the echo chambers created when they pay attention only to news and information sources that tell them what they want to hear. The phenomenon is exacerbated by social media platforms that bring to users’ attention the kinds of information that interests them most. “You typically gravitate toward sources that amplify what you want. We do that with television as well, radio stations, other media sources,” he stated. “We’ve seen these companies that have been gathering data and repackaging it. They’re selling us on certain things, and since we’re the product, they’re selling us ourselves.”
In this case, individuals may be the first line of defense. “The good news is that there’s an easy countermeasure that’s free and simple: go to other places for your information. Deliberately get outside your comfort zone and go out and look for the alternative views,” Touhill offered. “If you keep watching one television station, you’re going to be influenced only by that one source and what they decide to spoon feed you.”
But individuals cannot solve the problem by themselves, Groman asserted. “I don’t think the solutions here are going to rest with individuals because I don’t think individuals will ever be able to understand the scope and the scale of data collection, data use and creation by all of the devices and services we use. It’s impossible.”
The consensus for the panel seemed to be that a government strategy, policies and legislation are needed to address the issue. “In the United States, we do not have a general privacy law. Every other Western democracy does. We are the only one that does not right now. I’m optimistic and hopeful that we will address that,” Groman said. He added that the United States does have very specific laws, such as what medical data health providers can share. But nonhealth providers who gather the same data are not restricted by those laws.
“So, we need to make sure we have obligations on companies like a Facebook or a Google or an Apple or an Amazon or a Snapchat. The obligations belong there to be responsible stewards of data, to use data ethically, to be transparent and to not cross that line,” Groman said. “We don’t have laws yet.”
Not only does the country not have laws governing the use or misuse of personal data, it has not even established ethical norms. “I have a passion, as people know, about kids and data, and I really object to a lot of the ways that social media platforms leverage, collect and use data about kids,” Groman said. “The data collection is used to activate and cause behaviors, and it’s difficult enough for a grownup to navigate that, but when you have no frontal lobe, and you’re 15, that really bothers me.”
The panelists discussed China, where the government is notorious for spying on its own citizens, and whether the U.S. government is going down the same path. Most panelists expressed a degree of trust in the U.S. government. “I’m not concerned, at least right now, about the U.S. government becoming…like China where they’re collecting information and using it maybe for purposes that don’t benefit the average citizen,” said Col. Arthur Friedman, USAR (Ret.), an identity strategist detailed to the Defense Information Systems Agency from the National Security Agency, and a co-chair of the AFCEA Digital Identity and Privacy subcommittee. “But what I’m more concerned about is how private corporations are collecting information today that may hurt citizens. They may not be able to get a loan, they may be denied a job interview, they may even be denied health insurance. That’s where my concern is.”
Still, Touhill warned that the U.S. government may be at a tipping point. He described an incident several years ago during which he was involved in a diplomatic mission. A senior government official from another country asked him why the U.S. government is so messy and inefficient. His response was that the government was created to thwart tyranny, to prevent any one person or group from gaining too much power, that it was designed to be fair rather than efficient.
“I think really right now when it comes to information, we are at an inflection point about how our data, data about us, is consumed, how it’s packaged, how it’s managed. We really need, from a public policy standpoint, to have a very open and transparent conversation on identity and privacy so that we do not find ourselves in a condition of tyranny when it comes to our identity, our privacy and our data.”
If you enjoyed this article, you might also enjoy: Digital Identity and Privacy Challenges.