UPDATE 7/9/2015: Today, the Office of Personnel Management announced that a second security breach led to the capture of highly personal information of about 21 million people that includes federal employees and their family members. Some members of Congress are continuing to tout the Cybersecurity Information Security Act as providing a solution to prevent similar breaches in the future. But this is very far from the truth — CISA would not only have done nothing to stop the OPM breach, it would also result in massive sharing of even more personal data with the NSA. The OPM breach was a human problem. We need better digital security practices from both government and the private sector.
On Friday, the United States Office of Personnel Management (OPM) confirmed yet another data breach, just over a week after it announced that approximately four million current and former government employees were compromised. The second breach is reported to be even larger than the first, and may include the information of high-ranking U.S. intelligence employees.
Those who were impacted have indicated that the government has offered them free credit monitoring services, though similar redress was not offered to family members, including spouses, who may have had sensitive data included in the breach by association. Leaders in the U.S. have immediately responded by calling for quick passage of cybersecurity “information sharing” legislation.
But what does all this mean? As more details will doubtlessly continue to emerge over the next days, weeks, and months about the scope and attribution of these breaches, here are five things to keep in mind:
1. Sending more personal information to federal agencies is not the answer to cybersecurity threats to personal information.
Passing a law in response to a government database breach of personal information that allows — and will foreseeably result in — the greater capture of personal information in government databases is backward logic. The current cybersecurity legislative vehicle of choice — the Cybersecurity Information Sharing Act — does not adequately limit the amount of personal information that can be sent to the government in the name of “cybersecurity.” You may have heard of CISA — it’s the close cousin of the infamous Cybersecurity Information Sharing and Protection Act, or CISPA, which was beaten back to the tune of loud public protests on several occasions (we previously led a coalition of groups asking for President Obama to issue a veto threat against CISA). CISA allows companies to send a broad range of personal information to government agencies, regardless of any existing privacy law. The definition of what can be shared does not exclude personal information, although the bill separately requires companies to attempt to strip personal or identifying information if (and only if) the entity knows about the presence of the information “at the time of sharing.” We need a cybersecurity bill that properly incentivizes companies to remove personal information — and, better yet, one that actually addresses the problem. Which leads me to…
2. We haven’t demonstrated that this “solution” would have prevented the breach in the first place, or any other breach like it.
On top of sending to the government a massive influx of our personal information, “solutions” like CISA, as Marcy Wheeler points out, “would not actually fix our most urgent cybersecurity problems.” In fact, security experts have repeatedly pointed out that information sharing may be a nominal help at best. No one seems to have publicly asked the experts at the Department of Homeland Security or the FBI (or, presumably the NSA) who are conducting the investigation whether the procedures in CISA would have done anything to prevent the breach.
What the OPM breach demonstrates, above all else, is the immediacy of the need for a real solution. But with CISA we are still relying on antiquated ideas of cybersecurity legislation, instead of focusing on things that could really help — things like incentivizing research into, and adoption of, encryption tools and technologies, and educating people about the risks they face from bad security practices.
3. We have an over-classification problem, and it is resulting in more attack surfaces.
In the wake of recent incidents when classified information was revealed to the public — most notably by Edward Snowden but also by other brave journalists and whistleblowers — leading lawmakers called for reform of U.S. classification procedures. The problem, as they laid it out, was that too many people had access to classified information, and it was too hard to properly vet those people. The obvious answer to this problem, in line with the Administration and the Intelligence Community’s promise of greater transparency, is to classify less information — classifying only that which could legitimately, foreseeably result in damage to national security. That would mean that fewer people would need a security clearance to be able to access the information necessary to do their jobs, and more information would be disseminated to the public to facilitate an open debate about practices and programs.
However, instead the government has sought to increase penalties for disclosing classified information and to conduct more frequent checks for those with clearance. It was the database of information obtained for, and used in conjunction with, granting security clearance that was breached in the OPM incident. The size of the population victimized by the breach is so large because so many people had to go through the incredibly invasive and revealing vetting process. This information all feeds into databases in the government, which provides what is clearly an attractive target for bad actors. Again, we should be looking at ways to collect less personal information and to better protect that which is necessary.
4. The harms we face from data breaches are more than just financial, but we often don’t recognize that in law or in practice.
The victims of the OPM breach were reportedly offered credit monitoring services for a year. This is, purportedly, to help deal with consequences of potential identity theft or credit fraud, which could have a broad and deteriorative impact on the victims’ lives. However, this redress is severely limited when compared to the scope of the harm that these individuals face. If you ask, most people would rather have their credit card number stolen than all of the photos in their smart phone. That shouldn’t be surprising. Our personal information, like our photos, is exactly that — personal — and most of us would rather not have it out in the world to be used for purposes unknown. Not only could the non-financial information compromised by the OPM breach be used to blackmail high-ranking officials and contractors, but it could more generally be used to embarrass, shame, or harass people with intimate details of their personal lives.
However, rather than moving toward a system where we recognize these non-monetary harms, we are instead further ingraining in our laws the idea that only money matters. For example, proposed data-breach notification laws often require that users be notified of a data breach only if there is a likelihood that they may suffer financial damage. We have to start recognizing the true scope of harm faced by victims of unauthorized access to their personal data and codify protections to address it.
5. The U.S. has lost its moral authority to complain about surveillance on its citizens by other governments.
A senior government official was quoted by the Washington Post as saying, about the motivation behind the OPM breach, “This is part of [the perpetrator’s] strategic goal — to increase their intelligence collection via big-data theft and big-data aggregation.” While many countries recognize rights that extend beyond their physical borders, the United States has interpreted many of its human rights obligations, including to respect the privacy of individuals, as ending at its borders.
Under authorities like Executive Order 12333, the U.S. conducts nearly unfettered surveillance on non-U.S. Persons (people who are not U.S. citizens or permanent residents). In fact, in Section 702 of the FISA Amendments Act, the government is able to conduct invasive surveillance on any target so long as that person is foreign, with no additional showing of a relationship to terrorism or criminal activity. How, then, can we complain when other countries turn their surveillance capabilities against people in the U.S.? Perhaps in this case there are other elements of the breach that we can condemn, but increasingly other governments are going to obtain NSA-like surveillance capabilities, and they are going to turn them against the rest of the world, including the U.S., and the people in Washington, D.C. will have no leg to stand on to protest against it.
We need policies that recognize that human rights apply to all humans, and we need to treat those outside the U.S. with the dignity and respect that we show to people in the country.