“A first grader can easily access things from all over the world,” says Larry Clinton, president of the Internet Security Alliance (ISA), noting that the lure of easy information flow “is so seductive that we haven't thought through how to manage the downside.”
Explains J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), “Technology advances are exceeding our ability to manage. There is an unprecedented gap between our ability to develop standards and the bleeding edge of technology. With the rise of social media, he explains, “we don't know what the social norm is.”
But 2015 might be counted as the year that businesses, government and consumers finally woke up and pursued answers – or at least fixes – to the privacy conundrum in earnest. At the very least, this year marked privacy's arrival and permanent residence on the center stage. Here's what happened over the course of the year to keep the spotlight where it belongs – on privacy.
Data breaches just keep rolling in. “The number one challenge to privacy is the wantonness of [stealing] personal data being carried out by the millions by cybercriminals,” says ISA's Clinton (left), contending that the constant stream of attacks is more cause for concern than the NSA's surveillance activity. Anthem, the State Department, the Office of Personnel and Management (OPM), VTech, were among those hardest hit by bad actors out to steal sensitive information. The worst-case scenario played out at OPM – which Rep. Ted Lieu (D-Calif.) says was “a very big wakeup call” – where information on millions of former and current federal workers was exposed, including the highly confidential data in the security clearance database maintained by the agency.
The Internet Engineering Task Force (IETF) designates .onion as a Special-use Domain Name. Calling the formal recognition of the .onion by the IETF “a small and important landmark in the movement to build privacy into the structure of the Internet,” Jacob Appelbaum, a security researcher and developer, privacy expert and a core member of the Tor Project, said in an October blog post that the draft to register the domain name included security and privacy considerations that likely “will help to protect end-users from targeted and mass-surveillance.”
The standards body's confirmation of the special-use domain name is a culmination of work done in conjunction with Facebook software engineer and internet security evangelist Alec Muffet, and others, since 2013, or as Appelbaum called it, the “Summer of Snowden,” to ensure that .onion not become a Top Level Domain (TLD) that could not be sold by the Internet Corporation For Assigned Names and Numbers (ICANN).
TOR gains legitimacy. With the release of TOR Browser 4.5 in April came a variety of security improvements, as well as a number of other privacy and usability enhancements, and an implicit nod that the TOR had moved out of the seedier crevices of the Dark Web and into the mainstream. The latest release features improvements to the first-party isolation implementation that prevents tracking by third parties, according to post by the Tor Project. Additionally, resolution and locale fingerprinting defenses have been buffed, Windows packages are signed with a DigiCert hardware signing token, and a Security Slider that “provides user-friendly vulnerability surface reduction – as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled.” Also, the default search provider has been changed to Disconnect in order to provide Tor users with private Google search results, but without the CAPTCHAs or bans, the post notes.
Tor Project also joined forces with the Library Freedom Project to establish Tor exit nodes in libraries in an effort to protect internet freedom, bolster the Tor network and show the public how Tor can be used to protect their digital free expression rights, according to another Tor Project blog post. Calling libraries “our most democratic public spaces,” the post said that establishing Tor exit relays in libraries “would not only be powerful symbolic gesture,” it would also be “a practical way to help the Tor network” as well.
Tech companies demanded greater transparency. Following President Obama's call for greater transparency, the Department of Justice in 2014 decided to allow major tech firms to disclose the total number of Freedom of Information Act (FOIA) court orders they received on an annual basis, in addition to the total number of users affected by those requests. Not only did companies – like Twitter, Google, Yahoo and others – begin dutifully releasing their transparency reports, they continued to apply more pressure on government to allow them to expand their reporting. In February, Twitter wrote to “strongly encourage” other companies “to join us and our peers at Google, Vimeo, WordPress and Wikimedia in publishing government removal demands. The global community deserves this level of transparency from its governments and its service providers.”
The contents of a National Security Letter were released for the first time. After more than a decade of waiting, the unredacted contents of a National Security Letter (NSL) filed by the Federal Bureau of Investigation (FBI) have been made public in court filings surrounding the case of Calyx Internet Access founder Nicholas Merrill who refused to heed a demand the NSL delivered to him 11 years ago. Merrill responded in a series of tweets, saying that “The @FBI should not be able to silence innocent critics like myself – or hide abuses – simply by saying the magic words ‘National Security.'” And he added that “the @FBI shouldn't be allowed to demand #private customer records without any suspicion of wrongdoing or without any approval from a court.”
The American Civil Liberties Union (ACLU) applauded the release of the NSL, which came at the order of U.S. District Judge Victor Marrero and showed that the FBI had the right to obtain a vast amount of information without a warrant, but in a November 30 blog post Jameel Jaffer, ACLU Deputy Legal Director and Director of Center for Democracy, noted that tens of thousands of NSLs had been issued. “There's still a lot we don't know about how existing surveillance powers are being used,” he said.
A whistleblower turns up the volume on privacy advocacy. Edward Snowden re-emerged (did he ever really leave?) in 2015 to urge his Twitter followers to use encrypted chat and call app Signal. Actually, ever since he leaked documents lifted from the National Security Agency (NSA) revealing that agency's bulk surveillance of American citizens, Snowden has been an outspoken advocate for privacy. From his exile in Russia, the former NSA contractor and whistleblower has keynoted a number of conferences (via dial-in) and recently joined Twitter where he follows just one member: the NSA.
CISA passes the Senate. Although the overwhelmingly supportive vote, 74-21, of the Cyber Information Sharing Act (CISA) clearly demonstrated government satisfaction with the bill, privacy advocates waved their dissent freely before, during and after the Senate action. Even now, they're continuing to voice dissatisfaction as the bill moves to the House of Representatives for a final look. Saying the privacy of Americans was “greatly eroded” through CISA's passage, the Center for Democracy and Technology (CDT) wrote that “the extent to which the bill would improve cybersecurity is unclear.” Of primary concern to the CDT and other privacy advocates is information being shared among government agencies, including the National Security Agency (NSA) and law enforcement.
Vendors doubledown on encryption. Following Snowden's less than rosy leaks surrounding the NSA and its surveillance practices, private companies have become hyper-aware of government oversight. In an effort to regain users' trust, companies voice their differing opinions and, in some cases, use privacy and security as a marketing move. Apple's decision to encrypt its devices by default is one example of companies' skepticism producing tangible results.
Apple, Facebook and Google, along with dozens of other companies, civil society groups and security and policy experts, stressed the importance of rejecting legislation requiring new technology to include backdoors in a letter sent to President Barack Obama in May. Instead, the writers suggested the White House focus on “developing policies that will promote rather than undermine the wide adoption of strong encryption technology.” Strong encryption protects people against criminals trying to steal phones and laptops, spies trying to gain access to corporate secrets, and governments who might want to censor speech, they wrote. The letter follows an intense grilling session in April by the Committee on Oversight & Government Reform in which both encryption supporters and law enforcement officials presented their arguments. Law enforcement claimed encrypting devices by default could hamper investigations while others said there's no evidence to prove those assertions. But the deadly ISIS terror attack in Paris and the on-going police activity stemming from that incident may bring to a head the argument over whether or not the benefits encryption brings to privacy is worth the risks run when bad guys use the technology to pull off attacks or run criminal operations. New York District Attorney Cy Vance released a white paper detailing the argument against full encryption, while still giving consumers what he believes is a very high level of privacy.
“Apple and Google are not responsible for keeping the public safe. That is the job of law enforcement. But the consequences of these companies' actions on the public safety are severe. That is why my office has been working with our law enforcement partners around the world to craft the solution recommended in this report,” the DA's report states.
On the flipside, privacy proponents argue that any backdoor left in a device that is supposedly only accessible by the good guys is a fallacy. “Like clockwork, cynical calls to expand mass surveillance practices – by continuing the domestic telephone records collection and restricting access to strong encryption – came immediately following the Paris attacks,” said Cindy Cohen, executive director of the Electronic Frontier Foundation (EFF) in a blog.
FCC settles with AT&T over a call center breaches. As impressive as the large fine the Federal Communications Commission (FCC) levied on AT&T for breaches at a trio of call centers were the implications for privacy. “It's big,” says IAPP's Hughes, noting that the $25 million sum imposed by the commission could possibly be the largest of its kind not just at the FCC but in the U.S.
With the whopper of a fine and a bevy of requirements that AT&T must meet as part of the settlement, the FCC is sending out a clear message to companies that it is serious about enforcement of privacy issues. “Consumers trust that their phone company will zealously guard access to sensitive personal information in customer records,” Travis LeBlanc, chief of the FCC's Enforcement Bureau, said in a press release, noting that the agreement “shows the Commission's unwavering commitment to protect consumers' privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches.”
The settlement with AT&T was significant, too, Hughes adds, because “it actually acknowledged that you need human beings,” certified privacy professionals, within companies to execute the operational requirements typically imposed on organizations to comply with enforcement actions.
Women find level playing field in privacy. The information security industry, and high-tech in general, would do well to take a page from the privacy industry, where women stand more or less on equal footing with men. While women in the information security industry struggle to be seen, promoted and compensated in ways equal to men, the two genders have reached a certain parity in the privacy arena, with the field evenly split between the two, according to a survey from the International Association of Privacy Professionals (IAPP). “We started in 2000, with tremendous female leadership and have balance from the start,” says IAPP's Hughes. “It's healthier all around.”
The IAPP's “2015 Privacy Professional Salary Survey” of 1,253 privacy pros worldwide found that women in privacy and data governance follow similar career trajectories as men, with professional certification being the most predictive indicator for salary. Men brought in a median annual salary in the U.S. of $130,000 while women pulled down $125,000. Even that small gap narrowed with professional certification where men made a median salary of $135,000 and women earned $132,500.
“It is a story about women, but more of a story about a modern profession,” says Hughes. “We've created a profession with a blank white board and have emerged in a way where it's balanced.”
That sentiment is echoed by Kathy Fithen (left), chief privacy officer at Coca-Cola, who says that her gender never stood in the way of her ascension at Coke, where she started building out a forensic program that she had helped create while consulting at PwC. She followed the program to the IT department and it eventually landed in corporate security. Further, when attorney Patrice Ettinger made her move to privacy in the 1990s, “there was open space there, people had not filled in positions, there were no preconceived notions or role models,” she says. Nor was there the idea that success belonged to men. “I think it happened organically, we informally became a network of women who were mentors and prompters to encourage young women,” says Ettinger, now CPO at Pfizer.
Section 215 authorizations sunset. At midnight on June 1, after weeks of debate and an unyielding Senate gridlock, the controversial Section 215 of the PATRIOT Act, which allowed for the bulk collection of phone metadata, expired. Along with Section 215, also expired were the “lone wolf” provision, which allowed the government to order a wiretap of terrorism suspects who are not part of a foreign group, as well as the “roving” wiretap provision, which followed suspects who change phones. The provisions' expiration doesn't mean the government cannot obtain telephone data. If it identifies a new phone number it suspects could be linked to terrorists, it will have to subpoena phone companies for the call records and wait for a response. The NSA cannot query its own database for the information.
The Electronic Frontier Foundation (EFF) cited the public's immense response to the current law and proposed bills as a dial mover. The EFF attributed all the online debate, legislative conversations and general back and forth on the legislation to the large amount of action constituents have taken, such as calling legislators and emailing Congress.
National Security Agency's (NSA) controversial surveillance program ends after 180-day transition to USA Freedom Act. Without a lot of fanfare, the NSA's bulk collection program ceased to exist on Nov. 29 as the 180-day transition period to the USA Freedom Act came to an end. When Congress voted the USA Freedom Act into law in June, it conferred the transition period to ease the move to a targeted surveillance system that will replace the bulk data collection program exposed in 2013 by Edward Snowden. When petitioned by the ACLU, Gerard Lynch, the Second Circuit Court of Appeals Judge, said in the court's decision, “An abrupt end to the program would be contrary to the public interest in effective surveillance of terrorist threats, and Congress thus provided a 180-day transition period.” Despite the loud outcry on both sides of the privacy issue, the program went out without a whimper.
Judicial Redress Act passes House. By passing the Judicial Redress Act in October and sending it on to the Senate, the U.S. House of Representatives moved the country one-step closer to the type of data protection for foreigners that will prompt the EU signoff on an Umbrella Agreement hammered out in September and be more likely to approve Safe Harbor 2.0 Under the Judicial Redress Act, foreign citizens will have the same judicial redress that Americans do if their personal information is misused by federal agencies in pursuit of law enforcement action. In other words, law enforcement and intelligent agencies are not allowed to spy on foreigners unless they show just cause – and if authorities step outside of the bounds of that protection, then they have the right to judicial redress.
European court nixes Safe Harbor. The data-sharing agreement known as Safe Harbor was ruled invalid on Oct. 6 by the Court of Justice of the European Union, with widespread ramifications for organizations – ranging from cloud computing providers to multinational companies that move information across the Atlantic. The decision striking down Safe Harbor came about after an Austrian law student, Maximillian Schrems, lodged a complaint that his personal data was being unlawfully processed by Facebook in the U.S. His claims were based on revelations by Edward Snowden regarding cooperation between the National Security Agency (NSA) and companies such as Facebook to access the personal data of social media users.
In its widely anticipated ruling, the court agreed. “The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” Yves Bot, the court's advocate general, said in his opinion. Bot added that the agreement should have been suspended immediately following Snowden's revelations about the NSA.
The Court found that the Safe Harbor agreement compromised EU citizens' right to respect for private life, compromised the fundamental right to effective judicial protection and denied national supervisory authorities their powers to investigate breaches of the principles behind data protection.
Despite some clear strides in the privacy arena, there's clearly more left to do. Privacy advocates worry that fears over national security and consumer apathy toward their own information may move society across prudent privacy boundaries. Some certainly fear that the Fourth Amendment might be in the cross-hairs of government and law enforcement.
But Rep. Ted Lieu (D-Calif.) (left), himself a privacy proponent, believes the amendment that protects against illegal search and seizure is safe for now. “We can't annihilate the Constitution,” he says, noting that the protections in the Fourth would go away only “with an amendment to the Constitution. There's a process.”
And while law enforcement and spy agencies may argue that Americans would be safer if the Fourth Amendment didn't exist, Lieu says, “It would be a society we wouldn't want to live in.” Let's hope other lawmakers, citizens and tech companies continue to feel the same way. n