Edward Snowden's last day on the job was the first day of an awakening revelation for many Americans. What those of us in the security industry have known for a long time, Americans were just beginning to learn: Our own governments, and others around the globe, have been compiling data on us for years.
We’re not talking about data on the “bad” guys here, we are talking about you. The average American, who goes to work, takes care of the kids, and hopes to catch a TV show at night without falling asleep. That’s right. They have data on you — and what have you done?
President Obama recently received a report making recommendations how the scope of the National Security Agency should change after these revelations. When the NSA collects data today, it obtains a court order, every 90 days, and assembles data from all the phone companies then stores it for five years. Now, the panel has recommended instead of the federal government holding onto the data, private companies should be allowed to do so. The report says, “In our view, the current storage by the government of bulk metadata creates potential risks to public trust, personal privacy, and civil liberty.”
I don’t see how this recommendation really addresses that issue. As an American who is concerned about privacy, I ask the question: How is it better if a for-profit conglomerate to be doing the same thing as a government agency? Who will enforce restrictions on the usage of that data? If there is a stockpile of data available to an analyst it is tantamount to putting candy in front of an unsupervised child. The temptation is too great not to touch it.
Cybercriminals everywhere will know that treasure trove exists and will mount attacks trying to take whatever they can. If Americans think cybercriminals pulled off a major heist with the recent Target credit and debit card breach, wait until they go surfing through the data held by private telecommunications providers.
People scoff and say "What's the worry?" I would point them to a Massachusetts Institute of Technology study that said knowing the metadata of your smartphone communications could predict where you would be in the future, including decisions you might make. In one track of the study, scientists tracked student cellphones during the 2012 presidential election and correctly guessed that the two students were discussing politics even though they could not eavesdrop on the conversation.
We need to address the real issue: how much data is being collected and how long is it being stored. Here are two solutions:
-- Limit the type of data they can collect and retain from people’s cell phones, wearable computers, and data providers which track your location. That reveals travel patterns and daily routines. Today, many apps even require or request location data to work optimally. Other app companies simply take location data along with everything else they collect, whether it is needed for functionality or not. When you make purchases from your cell phone, use online banking, or identify a song you hear on the radio, the business is likely to note your location.
-- Congress should also pass a law limiting the amount of time the data is stored. Require companies to create regular programs for dumping location data when it is no longer necessary for immediate functionality. Dumping the data reduces both the size of collecting companies’ databases and their temptation to use this information to spy on consumers.
The panel is right, solutions exist. Americans are counting on real ones to protect the privacy they now know has been violated.Theresa Payton is former White House chief information officer and co-author of "Protecting Your Internet Identity: Are You Naked Online?" and "Privacy in the Age of Big Data."