Privacy Challenges Illustrated by Recent Cases

In the 1973 baseball melodrama Bang the Drum Slowly, the players, intent on scamming some rubes, play a card game called “TEGWAR.” It stands, as you later learn, for ‘The Exciting Game Without Any Rules.’ Three recent unrelated events in the news this week illustrate how U.S. data privacy rules are, to a great extent, a game of TEGWAR.

First, there is the report in the Washington Post that the Department of Defense and the Federal Bureau of Investigation have been working together to develop not only rules but also technologies for facial recognition without much oversight from Congress or anybody else. The New York Times report indicated that the intelligence advanced research projects agency, part of the Department of Defense, has been working with U.S. law enforcement agencies to develop and deploy new technologies capable of conducting facial recognition from a distance—sometimes even from a great distance. What’s missing from the analysis is exactly how the technology works, how it is intended to be deployed, how it is going to be trained and what databases will be used to compare results against. For example, if facial recognition is merely used at airports, courthouses and other high-threat areas to determine whether or not individuals passing through secure areas with cameras are known criminals or terrorists, and only for that purpose, then this may be a perfectly acceptable use of technology and a waiver of rights to privacy. If, on the other hand, we establish a network of cameras the way they do in London or Beijing and create a database using social media and other “public” databases of images to create a database of where every man, woman and child in the United States is at any given day, the results are not only frightening but dystopian and authoritarian. In fact, the success of facial recognition technology to prevent crime, like the use of automatic gunshot detection microphones, is greatly overstated. Facial recognition may be helpful in solving crimes after the fact or, in some cases, altering the behavior of criminals, but I’m not sure there are any good studies indicating that mass facial recognition actually prevents criminal activity.

The second report is from Wired, and indicated that the FBI purchased databases of location data from commercial entities. Now, the rules on the collection of location data for the government are substantially different from the rules on the collection of personal data by private individuals. Many apps you have on your cell phone collect your location data and transmit it to third parties, whether that is Google Maps, some shopping applications or any of a host of different applications. While users have some flexibility regarding whether to turn the location collection on or off, the real problem is not always the data collection itself but its later use or transmission to third parties. Frankly, individuals do not have the time, resources or technological savvy to understand exactly what location data is being collected, from where and how it’s being used. Individuals may not object to some uses of location data where it is helpful to them, but to a great extent, that location data gets dumped into a mass pool of personal data that is bought and sold by data brokers around the world, or bought by the FBI in an attempt to create a database of location data for which it would otherwise require a massive number of subpoenas or, more likely, search warrants to collect. Cell phone records, including cell tower records, have legal protections for privacy. Application data, like that collected by any of the apps on your cell phone, unfortunately, does not. In addition, both governments and commercial entities are using automated license plate readers to collect data on cars driving by. Again, this data is available not only to law enforcement but also for repossession purposes, service of process purposes or just to find out where your cheating husband might be on any given day. While the data is collected by private entities, the New York Times report indicated that the FBI can then purchase that data and use it for law enforcement or intelligence purposes.
Essentially, they are outsourcing mass surveillance.

The third unrelated matter this week was another report in the Washington Post about a religious group using data gathered from apps and other sources available on commercial databases to determine which priests in their respective parishes were, or were suspected to be, gay. This group purchased databases, including location data and data from apps like Grindr, Growlr, Scruff, Jack’d and even OkCupid, and compared this database against things like the location of churches, priests’ residences and gay bars and nightclubs. The group then used this data to “out” gay priests.

The problem in the United States is that, for the most part, none of this is illegal. We do not have comprehensive data privacy laws in general or laws that, in particular, protect the confidentiality of things like location data, biometric data or lifestyle data about our gender, sexual orientation, religious beliefs or other intimate personal facts. All of it is for sale. All of it is for sale to law enforcement or intelligence agencies, not only in the United States but also abroad.

In the U.S., there are few limits on the collection, sharing or use of this kind of data outside of states like California, Colorado, Connecticut, Utah and Virginia, which have comprehensive data privacy laws. Your rights to privacy are, therefore, “hit or miss.” As we move closer and closer to a mass surveillance state, where either governments or commercial entities (or both) collect data on every possible aspect of your life, we need to have greater transparency, openness and accountability for misuse of data.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.