Access submitted a comment to the White House highlighting the importance of data security in the digital world. On January 17, 2014, in response to public outcry over NSA spying, President Obama announced a “comprehensive review of big data and privacy.” The review has resulted in a series of workshops around the country, primarily focusing on corporate data collection practices. However, as Access points out, “[r]ecent revelations have shown that U.S. government intelligence agencies have been implementing programs to collect personal information and communications of users around the world at unprecedented levels.”
The White House proposed a series of questions to inform its review process. In response, our comment examined data collection practices by corporate and government entities while looking at the real-world harms that have resulted from the failure to protect collected information from unauthorized access. In conclusion, Access called on the White House to bolster data protection standards, promote data security, and continue to foster a robust discussion on best practices. Access will continue to push for meaningful reform to government surveillance programs and authorities, both in the United States and around the world.
The full text of Access’ comment is below.
Dear Ms. Wong,
Thank you for the opportunity to provide public comment in response to your comprehensive review of “big data” and its implications for privacy, the economy, and public policy. Access (https://www.accessnow.org) is a global organization dedicated to defending and extending the digital rights of users at risk around the world. Access works through its Policy, Technology, and Advocacy teams to achieve this mission. Access provides thought leadership and policy recommendations to the public and private sectors to ensure the internet’s continued openness and universality and wields an action-focused global community of nearly half a million users from more than 185 countries. Access also operates a 24/7 digital security helpline that provides real-time direct technical assistance to users around the world.
I. The Challenges of “Big Data”
The growth in large-scale collection, retention, transfer, and analysis of personal data places everyone’s privacy at risk. All types of organizations — consumer-facing companies, third party data brokers, government agencies, and others — develop comprehensive profiles at times containing identifying information, such as names, addresses, and phone numbers, as well as buying habits, personal interests, ethnic identities, political affiliations, marital status, credit card details, and numerous other data points. Enough information is often collected that even anonymous information can be re-identified easily. In one high-profile case, reporters were able to identify several anonymous users based solely on their AOL search history, which had been publicly released. Information in one user’s records provided detailed information on her medical history and love life.
There has been an exponential increase in the amount of data collected and stored by private companies in recent years. Facebook announced in 2012 that its data center had grown 2500x since 2008. By 2012, Facebook was collecting about 180 petabytes of data per year. For reference, one petabyte is the equivalent of 20 million 4-drawer filing cabinets filled with text. Retailers, whether they operate online or off, also track customers. It is estimated that in one hour Wal-Mart processes about 1 million customer transactions containing 2.5 petabytes of data.
“Free” services offered by companies are often possible because these practices are part of a business model that relies on interpreting high-quality data about their users in order to serve revenue-generating targeted advertising. And over the years, many of these same internet companies have “simplified” their privacy policies by eliminating granular user-controls while increasing the capacity to track each and every online action.
Data collection practices have been connected to specific practices that negatively impact internet users. For example, in 2012, it was discovered that some online travel booking companies, including Orbitz Worldwide Inc., were charging customers using Apple products close to 30% more for flights and hotels than visitors using Windows. Such digital market manipulation leads to economic and privacy harms. A recent breach of Target’s systems is estimated to have affected up to one third of all Americans. Ensuring that citizens have adequate knowledge and control over their data would greatly reduce the privacy and other human rights risks associated with big data. Currently, comprehensive standards apply to medical and financial data, but not to other types of sensitive information.
It is not only private entities where data collection has skyrocketed. Recent revelations have shown that US government intelligence agencies have been implementing programs to collect personal information and communications of users around the world at unprecedented levels. Some of these programs are implemented through legal processes, which compel companies to produce user information that the companies have otherwise collected for their own purposes. These collection programs are overseen by the secret FISA Court, which issues orders requiring production while preventing companies from publicly revealing that the collection has occurred.
Under other programs, often authorized under Section 702 of the FISA Amendments Act and Executive Order 12333, the US is tapping fiber optic cables directly (BLARNEY, OAKSTAR, STORMBREW, FAIRVIEW), breaking into the private links between corporate data centers (e.g., MUSCULAR), or collecting the content of a whole country’s phone calls (e.g., MYSTIC/RETRO). Given the preponderance of attacks on the US Government, this mass surveillance places a tremendous number of users, and a tremendous amount of user data, at risk.
II. The Problem of Unauthorized Access
Once data are collected, bad data security practices have led to unauthorized access to and use of personal information, compromising users around the world. Data breaches are increasing in frequency. Last year saw the highest total of records breached, according to a report by Risk Based Security. In one incident, attackers obtained records with email addresses and passwords from around 152 million Adobe accounts. In another breach, approximately 110 million Target accounts, about a third of the US population, were affected. While the Adobe and Target breaches are two of the largest known breaches to date, data continues to be compromised with such great frequency that these incidents account for only a small portion of the total data that is known to have been exposed in 2013. Indeed, last year there were 2,164 data breach incidents reported worldwide, with 822 million records exposed. Attacks against US entities accounted for nearly half of all breaches globally.
Unauthorized access to user data is not a new problem. For the past 12 years, identity theft has been the biggest source of complaints to the Federal Trade Commission, which underlines that the identity and finances of citizens are consistently at risk due to needless collection practices and insufficient security practices employed by companies online. The economic impact of data breaches, and the accompanying reputational and legal fallout, is undoubtedly huge. Target spent $61 million in breach-related costs in the first three months after the breach, which experts estimate may grow to as high as $1 billion. Target’s data breach is expected to be so expensive, in part, because it revealed data placing credit at risk. That might be good for credit monitoring agencies, but it can create everyday challenges for victims when they try to get a mortgage, get a credit card, or buy a car. Data breaches are also particularly expensive in the US for the companies who lost or had records stolen. In 2012, companies paid on average $188 per lost or stolen record. That equated to about $5.4 million in losses for each entity with a data breach.
Governments also take advantage of insecure data. While the surveillance programs discussed above often operate under a system of compelled production, others skip official channels and, instead, use back doors. One such program is “Upstream,” alluded to in slides released in June 2013 and later confirmed by government officials. Upstream collection takes data right off the “backbone” of the internet — the wires over which information is transmitted from computer to computer. Further revelations have brought to light backbone collection by US and other governments of remotely-activated webcam feeds, e-mail contact lists, and information on internal company networks. It has also been revealed that the government has acted to preserve these collection programs by undermining data security standards.
Unauthorized access or use of information by governments, as well as private actors, fundamentally threatens the internet as we know it. The world’s largest internet companies build their business models around user trust in the networks that transmit, and the entities that store, their personal data. Google’s Chief Legal Officer, David Drummond, has said, “Our business depends on the trust of our customers.” More acutely at risk, U.S.-based cloud computing firms spoke out after losing business following last summer’s NSA revelations, and fear losing up to $35 billion in worldwide contracts as European regulators look to tighten restrictions on the cloud. Trust is also eroded when the NSA shares data with government agencies not dealing with foreign intelligence. For example, the NSA has provided evidence to the DEA, which then uses “parallel construction,” whereby agents find alternative grounds to justify arrests and skirt legal challenges. The rule of law is threatened when legal limitations fail to protect even the narrow existing privacy protections.
III. The Role of Data Security
As data are transferred from entity to entity, they become increasingly vulnerable, with more points at which unauthorized parties may be able to gain access to those data and use them for unintended purposes. Bad actors may compromise the financial or physical safety of users, and governments could use personal information to target dissidents, stifle speech, or influence political outcomes.
Access has attempted to move the global conversation on security of big data forward. In March 2014, Access released the Data Security Action Plan. In creating the Data Security Action Plan, Access considered what common-sense practices were needed to mitigate the extreme risk posed by the increasing amounts of data stored online. The Action Plan consists of seven steps that companies should take to protect their users. The seven steps are:
- Implement strict encryption measures on all network traffic;
- Execute verifiable practices to securely store user data at rest;
- Maintain the security of credentials and provide robust authentication safeguards;
- Promptly address known, exploitable vulnerabilities;
- Use algorithms that follow security best practices;
- Enable or support the use of client-to-client encryption; and
- Provide user education tools on the importance of digital security hygiene.
All entities should support the implementation of these security measures on all relevant data and networks under their control. Widespread adoption would benefit all internet users around the world, and would raise the floor on minimally-acceptable data security practices. If we fail to consider data security in the debate on big data public policy, we are standardizing unacceptable risks for users, companies, and the public at large.
To mitigate the harms of data breaches and misuse and to build user trust, the White House should consider what steps are necessary to protect user data. Companies should take proactive steps to protect user data. Specifically, this means adopting privacy-centered approaches to the collection and processing of user data, including: data minimization to limit collection of data where possible; ensuring that data is collected and stored for strictly defined purposes, and not used in a way that is incompatible with those purposes; and applying appropriate security measures to data both in transit and at rest.
Accordingly, Access calls on the government to bolster data protection standards, promote data security, and continue to foster a robust discussion on best practices.