Incoming: Cutting the Gordian Knot of Privacy
Whenever I am notified of yet another data breach, I typically receive a complimentary one-year enrollment in a credit monitoring service. Great, I think. Free is always best! However, the monitoring is truly of little consequence given that my personally identifiable information (PII) has slipped into cyber darkness once again. I feel a sense of disappointment as I think about how much the cyberspace landscape has changed over the last 40-plus years and how little our nation’s privacy laws have done to keep up with this digital transformation.
The last sweeping privacy-related change in the United States was the passage of the Privacy Act of 1974. A lot has changed since the paper-based processes of the 1970s, and we need a serious debate about what constitutes privacy in the digital age.
As new privacy concerns have surfaced, U.S. legislators have responded with a piecemeal approach that has produced limited success. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides the first nationwide regulations for the use and disclosure of an individual’s health information, while the Gramm-Leach-Bliley Act (1999) protects an individual’s financial information, and the Children’s Online Privacy Protection Rule (1998) prohibits the online collection of personal information of children under age 13. Other sectors, such as retail, primarily are self-policing, with enforcement constrained to a company’s own privacy policy. The lack of a comprehensive, overarching legal framework and the hodgepodge of privacy measures based on common-law tradition set the United States apart from the rest of the developed world.
Consider the data privacy challenges we face today. These include information derived from smart city technologies, or collected by personal assistants such as Amazon’s Alexa or Google’s Home, or from overprivileged applications on smartphones and data stored in the cloud. It seems that no one foresaw information privacy concerns stemming from this technology revolution whereby data is collected across the Internet of Things and amassed at an exponential rate.
Initially, the Privacy Act of 1974 set the standard for fair information practices, serving as a catalyst for legislation in Canada and Europe. But it only restricted what information the U.S. government could collect and did not apply to commercial entities. The way you know something is terribly wrong is when the government declares that opening someone else’s mail is a felony, but collecting data on your network activity is fair game.
Europe has leapfrogged the United States in this arena and leads the way in defining privacy laws. Last year, the European Parliament approved the General Data Protection Regulation (GDPR), which strengthens and unifies data protection laws for individuals within the European Union. Enforcement of the GDPR will begin in 2018, and organizations not in compliance will face heavy penalties, such as fines of up to 4 percent of annual gross revenue or 20 million euros, whichever is greater.
Some experts have declared that privacy in the digital realm is dead. I beg to differ. It might be in an evolutionary state, but privacy is unquestionably not dead. It is not mutually exclusive to either the private or public sector, to economic development or national security. Privacy remains a fundamental expectation for individuals. America’s expectation of privacy is a permanent challenge requiring national resolve and continued response.
It is helpful to view privacy concerns through the lens of a common taxonomy to advance the dialogue. Daniel Solove, a leading U.S. expert in cybersecurity and privacy law, posits four main categories of concern for consideration: information collection (surveillance, interrogation); information processing (aggregation, identification, use); information dissemination (disclosure, exposure, distortion); and invasion (intrusion, decisional interference).
Additionally, asking the right questions is perhaps the most important consideration to move the discussion forward. Why do people fail to read privacy policies? If they do read and understand them, then why do they often lack enough experience to make an informed choice? Why do privacy policies often serve more as a liability disclaimer for the government and industry than as a guarantee of privacy for citizens and consumers? Adopting transparent data privacy and protection policies that are brief, well-stated and clear-cut might be a good start to addressing these questions.
Clearly, the time has come to cut the Gordian knot of privacy as it relates to cybersecurity. To successfully protect America, its intellectual capital and its citizens, we must continue the thoughtful debate about privacy in the digital age.
Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of Hewlett Packard Enterprise’s Enterprise Security Solutions Group for HPE Enterprise Services, U.S. Public Sector. The views expressed are his alone.