Don’t Despair, Good Privacy Days Ahead

SAN FRANCISCO—While it is “really easy to be nihilistic” about the current state of privacy, there is also plenty to be pleased about, such as the almost-year-old European privacy law and the fact that companies are beginning to compete on privacy, Jon Callas, a technology fellow at the American Civil Liberties Union, said in his keynote at the CSA Summit.

“The good news is the privacy situation has gotten so bad that people want to change it,” Callas said. “That means that over the next five to 10 to 20 years we’re going to see the pendulum swing back the other way...There will be actions done on behalf of consumers and all sorts of things done from a regulatory space as people have decided that they just don’t like it.”

A computer security expert who was key to the development of PGP encryption and a founding member of the Cloud Security Alliance, Callas said the rapid advancements in technology have made it possible for him to have a good camera in his pocket and be able to request a car to take him someplace even when in an unfamiliar location. However, all these features in the name of efficiency come with trade-offs, such as the collection of location data, which makes it possible for someone to plot on a map the exact route a person took to get somewhere.

“I love living in the future. I think it is marvelous,” Callas said, noting that privacy doesn't mean rejecting tech's benefits.

Privacy Victories

Regulators are noticing and taking steps to rein in some of the rampant data collection by companies. Europe’s General Data Protection Regulation and California’s recently enacted Consumer Privacy Act are both positive developments. GDPR requires all companies that collect personal data about European Union citizens to be transparent about why the data is being collected, to delete the data upon user request, and to disclose a data breach within 72 hours. Companies in the United States may not be wild about GDPR because it forces them to prioritize the protection of user information, but the smart companies are rolling out GDPR for all users, not just the European ones. This spillover benefit is a good thing.

“Number one on the list of where we’re getting things right is GDPR,” Callas said. “It’s certainly not perfect, but what it’s making us do in terms of looking at user privacy in a more rigorous way will help us advance.”

One of the reasons it took so long to get privacy features baked into technology was the perception that people didn't care about security. The increased scrutiny over corporate data collection and discussion of privacy disasters are fueling people's demands for better privacy, Callas said. This has shifted some companies to see privacy as a market opportunity and enabling privacy features by default as a competitive advantage. Apple touts itself as being more privacy-conscious than the competition. Laptops encrypt user data on the disk drives by default. TLS Everywhere is a reality, as it is possible for users to spend their day online without encountering any pages not on HTTPS. Google is policing apps on Google Play for any privacy missteps.

"People do care [about privacy]," Callas said.

Redefining Privacy

Privacy is hard to define precisely, but the prevailing definition focuses on the right to be left alone and to be unobserved. “When you want to do something in private, you want to be able to close the door and do it,” Callas said. The idea of a “reasonable expectation of privacy” is the driving principle in privacy, but changes in how people interact with technology have eroded the perception of what reasonable expectations look like.

Back in the late 1800s, it would have been considered “beyond the pale” to subpoena a person’s diary—considered to be “innermost thoughts, feelings, conversation with ourselves”—for a legal proceeding, but now that's considered acceptable. Other changes, such as the idea that people have less expectation of privacy in their car than they do in their home, are still evolving.

“I know if I walk down the street for a quarter mile that I will be photographed three times," Callas said. "We need to rethink this."

Callas is not encouraging privacy nihilism—“You think that is reasonable? Gosh, you are naive.” There is a balance between embracing technology and wanting some restraint over what companies are allowed to do. Unfortunately, "surveillance capitalism," where the company's business model depends on collecting as much data as possible and selling to as many buyers as possible, is a problem.

Smart-TV maker Vizio was at least being honest when the CTO said on The Verge's podcast that the TVs would cost more if the company didn't monetize the TVs by collecting user data, selling them to advertisers, and offering direct-to-consumer entertainment. Callas wanted to know how much more the TVs would cost to get a privacy-focused model.

"I have my wallet out," he said.

Data collection by the government becomes mass surveillance, and Callas was adamant that there needed to be curbs on government "arrogance and overreach." A recently passed law in Australia authorizes law enforcement to force technology companies to create backdoors—deliberately added security vulnerabilities—in their products. India is fighting Facebook over creating a backdoor in encrypted messaging app WhatsApp, and China is interested in similar rules. There is a concern that a court decision in India could affect the privacy rights of users in the United States.

“The idea of surveillance backdoors is not going to be something that’s limited to this little club of good democracies are doing and not the others,” Callas said. “Countries are starting to say, ‘Hey if others are doing that, we want in, too.’”

“The future of privacy is neither pretty good nor futile,” Callas said. There's plenty to worry about, and enough to look forward to.