Now more than ever the public is engaged in a conversation regarding online data privacy. As digital pioneers we have the unique opportunity to shape online privacy legislation to protect future generations. Currently the level of data privacy legally afforded to United States citizens is negligible. The U.S. government and big data companies are monitoring and storing an incredible amount of sensitive, electronic data. Privacy it is not a privilege afforded at the convenience of the government or any other organization, privacy is a right! Both our online and offline privacy rights need to be protected by law.
In 2014 we daren't leave our homes without our smartphones, through these mobile devices we stay continuously connected to each other and the web. These tiny computers in our pockets, and all other computers, big or small, are generating a tremendous amout of data about our activities, our habits, our hobbies and our lives. Exactly the kind of data that corporations and the government are interested in. They call it bulk data collection, but an equally apt name is mass surveillance.
U.S. Government Mass Surveillance
U.S. Intelligence agencies are collecting and storing information regarding electronic communications called metadata. Metadata includes the sender and recipient's name and location, the size or length of the file or conversation, and the time and date of the communication. This information can be very revealing about our everyday lives. In a recent public Q&A session Edward Snowden characterizes this type of mass surveillance by saying "You might not remember where you went to dinner on June 12th 2009, but the government does." This mass surveillance means that everyone is the subject of an ongoing government investigation without probable cause.
Such surveillance seems to violate our fourth amendment right to protection "against unreasonable searches and seizures." Unfortunately it is legally unclear who "owns" the electronic data; is the owner of the data the author or the owner of the server on which the data resides? This legal gray area is being exploited by the U.S. government to continue the unconstitutional mass surveillance programs.
The UN recently addressed this privacy disparity and passed a resolution called "The right to privacy in the digital age." In this resolution the UN General Assembly "affirms that the same rights that people have offline must also be protected online, including the right to privacy." The UN believes that we should retain the right to keep our photos and documents private regardless of the medium in which we choose to store them.
The more companies know about you the easier it is for them to sell you something, so they track and analyze consumer habits. Browser cookies are a favorite tool of online advertisers' which allow them to track consumers' web activity and serve individually relevant advertisements. Big data companies compile a profile of consumers' activity across the internet and store this information indefinitely. A mass database of consumer online habits stored indefinitely is absolutely a honeypot for cybercriminals. Should there be more regulation about what information can be collected and how long it can be stored for?
Brick-and-mortar retailers are also tracking consumer activity offline to further develop personal consumer profiles. Reward cards offer consumer benefits but allow companies to track and analyze spending habits. Taking this data analysis to extremes, Target has reportedly been to be able to analyze product purchasing patterns that indicate a particular consumer is pregnant before any formal announcement, such as a baby shower gift registry, has been made. It is alarming the conclusions that big data companies can make about an individual's life from purchasing patterns. Should this invasive level of data collection be legal?
The data used to build consumer profiles is naturally sensitive. In light of recent high-profile data breaches at Target, Michaels, and Nieman Marcus the PCI SSC Data Security Standards appear to be inadequate. According to PrivacyRights.org in 2013 there were just shy of 600 significant data breaches affecting hundreds of millions of consumers. Consumer online privacy will not be a reality until the big data industry's data collection procedures and security standards are revised.
Electronic Communications Privacy Act
The ECPA is the most recent federal legislation regarding the privacy of online data and was passed in 1986, before the internet had been widely adopted by the public. This legislation specifically protects electronic communications 180 days old or newer. The ECPA does not protect the privacy of consumer data in "storage" which is deemed to be all communications 181 days and older and pretty much all other electronic data, such as Google docs and images stored on Photobucket, etc. The ECPA provides no protection for consumer data collected by big data companies or metadata generated by our online communications, these things simply did not exist at the time the ECPA was passed.
The ECPA is wildly out dated and in need of an overhaul. The ACLU is fighting to update the ECPA, I encourage everyone to take a few moments and fill out this email form to tell Congress to update the ECPA.
Data Privacy Legislation in the Pipeline
"clarify(ies) in plain language that bulk surveillance is illegal and the bill should also prevent the FBI from issuing National Security Letters without prior review by a judge. The bill should also include language to stop the NSA from undermining international encryption standards, and it should have stronger language to protect the privacy of people outside of the United States."
Such a bill is not the be-all-end-all of privacy legislation, more progress is needed to curtail mass surveillance. The USA Freedom Act absolutely takes steps to reclaim some data privacy.
Conversely the FISA Improvements Act is designed to empower intelligence agencies to continue conducting mass surveillance. This bill has been subject to the ire of the ACLU who suggests that the FISA Improvements Act will "entrench and expand the NSA's surveillance powers" and allow "undefined 'law enforcement agencies' to query its foreign intelligence databases, even for U.S. persons, without a warrant."
However much action you deem necessary, a call or an email will do. But we need you, dear reader, to take a action and demand your personal privacy! Visit the TheDayWeFightBack.org's web page and make a call or send an email to your state legislator demanding data privacy reform. We the people of the United States demand that our right to privacy offline be extended to our online lives. ♦
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email:James@ArmorforAndroid.com; Twitter:@James_AfA