Obama administration mixes signals on user security
Late last week, President Obama announced a new Executive Order to protect user data, titled Improving the Security of Consumer Financial Transactions. The move came in response to a series of recent data breaches at major U.S. corporations. News of such breaches is becoming the new normal: just this week, for example, Staples announced that customer credit card information may have been compromised. In response to the growing trend, the president urged companies to adopt stronger security measures, and the Executive Order requires the federal government to lead by example by moving its own financial transactions to more secure systems. While President Obama’s initiative is a good start, more is needed. First and foremost, his administration should actively promote the use of strong encryption standards.
To be clear, Access commends the administration’s new Executive Order. Secure systems at every layer of the internet are the key to user privacy, so it is encouraging that, as part of Friday’s announcement, Obama also renewed his push for cybersecurity legislation. However, recently drafted legislation has focused almost exclusively on information sharing for critical infrastructure companies, ignoring the larger picture: the bills lacked initiatives that directly protect users. In a letter to the president earlier this year, Access and a coalition of organizations and experts called for legislation that would incentivize improved digital security, provide resources for cybersecurity education, foster better international dialogue about cybersecurity, and create new transparency obligations. This Executive Order begins to address these gaps.
However, the Order does not address the full range of financial security issues at stake. For example, it does nothing to discourage the far-too-common practice of storing personal information in plaintext, nor does it encourage companies to improve the inadequate protections against exploitation of vulnerabilities in their systems. In many cases the vulnerabilities lie beyond the point of sale, which limits the effectiveness of the technologies the administration recommends: chips in credit cards only protect in-store transactions, and personal identification numbers (PINs) are only effective so long as they remain secret. So while the administration’s efforts could reduce fraud, much work remains to be done.
Notably, President Obama’s plan to increase user security is contradicted by other executive branch activities, including recently renewed calls by the Department of Justice that would undermine data security, and revelations that the NSA has actively undermined global encryption standards.
Just last week, the director of the FBI publicly supported the insertion of back doors and vulnerabilities into mobile devices, which would put all users at risk of unauthorized third-party access to their personal information, including financial information. This renewed call comes in response to announcements by Google and Apple that their mobile devices will be encrypted by default, an option long available on desktop and laptop computers.
If the president is serious about user security, he must put his administration’s support behind efforts to increase digital security for users and explore rights-respecting law enforcement surveillance methods. It is also important that the administration support meaningful cybersecurity legislation that protects user rights and privacy; the Cybersecurity Act of 2012 was a good example of a comprehensive, rights-respecting approach. Substantive reforms and incentives should be combined with funding and resources for user education and training, and an independent, properly funded agency should focus on developing tools and technologies for user security.
President Obama’s Executive Order is a good first step toward protecting user security, but it is now time to get serious about providing the level of security our personal data deserves. As National Cybersecurity Awareness Month winds down, Obama should instruct administration officials to respect and support the increased use of encryption.