Technocratic Method | Digital Rights Primer

Digital Rights Primer


During Christmas week 2018, my wife and I hosted a dinner with friends and family. My sister, sitting next to me, put her glass of warm cider down.

“How secure is my credit card?” she asked me. “Because I think it might have been hacked.”

“Assume it’s already hacked and go from there,” I said, taking a sip of tea.

“Does that include bank accounts?” my great-aunt asked me. She was sitting in a fold-up chair to my right near the fireplace. The questions were the start of my family’s favorite sport, a.k.a. stump the chump.

“No,” I said, feeling secure in my understanding of technology.

The room continued to pepper me with questions and each time my response was “No, your information isn’t secure.” Then one of my Mom’s lifelong friends asked me a question.

“What can I do?” she said forcefully.

“What do you mean?” I asked.

Gale, like my mom, was a Baby Boomer and used technology as little as possible. Her question confused me because I didn’t see myself as someone who could do anything about the current problems with digital rights in the United States.

Picking up steam, she went on to say, “I’m a leader in many nursing organizations, and I want to know what we can do?” Gale was an activist at heart and had protested in the sixties with my mother. I’d heard the stories a hundred times but the passion they spoke with interested me. As a diehard cynic, I didn’t understand where they were coming from, but I think I would have liked to have been there.

“I don’t know,” I said in disbelief.

“Well, you’re smart. When you figure it out, tell me,” she said, smiling over her glass of Merlot. Gale knew me from the time I was born, and she knew I didn’t like not understanding how something works. I guess that’s how I ended up a software engineer. I sat back down, and the house returned to a low hum of laughter and stories. Everybody eventually said their goodbyes and made their way home. However, I continued to sit in the living room in silence with an itch I couldn’t quite scratch.

Why digital rights matter

I struggled with this subject for a number of reasons. Primarily, I discovered that many of my thoughts about digital rights weren’t new. The issue of privacy has been a long-debated civil right, and digital rights are only a permutation of that right. In the end, I felt the best service I could provide others was to develop a primer for digital rights that was easy to understand and reference for those who don’t have time to sift through the information available.

Digital rights matter because, as U.S. citizens, we have few protections and opportunities for recourse when our digital privacy is invaded. As U.S. citizens, we must demand digital protections from big business, the U.S. government, and hackers at a federal level that sets the bar for states to follow. For example, the California Consumer Privacy Act of 2018 (CCPA) is a progressive law that puts the wants and needs of the consumer first.

To keep it simple, I classified digital abuse into three general categories. Below is a list of those categories and brief examples of each.

  1. U.S. Government – Apple vs. FBI
  2. Big Business – Facebook and Cambridge Analytica
  3. Hackers – Marriott & Yahoo Attacks

 

Category 1: U.S. Government – The case of Apple vs. FBI

In December 2015, a husband and wife massacred fourteen people at a holiday party Wednesday at the Inland Regional Center in San Bernardino, California. The husband, Syed Rizwan Farook, and his wife, Tashfeen Malik, are thought to have been radicalized through Facebook and other social media platforms. It is unquestionable that the San Bernardino attack was a tragedy and an unnecessary loss of life. It is because of the tragedy and the heightened emotions that accompany a crime such as this that the FBI and other law enforcement entities used every investigative tool at their disposal. During the investigation, the FBI discovered a locked iPhone 5C and approached Apple to unlock the phone. According to Charles I. Francis, Professor in Law and Associate Dean for Academic Affairs at the University of Texas School of Law,

“The FBI had possession of an iPhone 5C used by Syed Rizwan Farook, as well as a warrant authorizing it to access the device. So far so good. However, the phone is passcode protected, and the FBI cannot risk a brute-force solution (i.e., running combinations until the right one comes up) because it is possible that the phone’s auto-delete feature is active. The potential impact of the auto-delete feature led the DOJ to apply under the ‘All Writs Act’ for an order compelling Apple to provide ‘technical assistance’ to the warrant-execution effort.” [1]

 

Under intense public pressure, the FBI used the obscure All Writs Act of 1789 to try to compel Apple to unlock the phone because there were no laws about digital rights guiding the FBI and Apple on how to proceed. While I don’t blame the FBI for leveraging the All Writs Act to procure a warrant compelling Apple to provide assistance to unlock the phone, I find it disheartening that our Federal legislators didn’t foresee this collision between law enforcement (the government), private citizens’ rights, and private business. It put Apple in an unenviable position to push back on the FBI’s request. According to Apple’s rebuttal to the court order,

“The Justice Department and FBI are seeking an order from this Court that would force Apple to create precisely the kind of operating system that Congress has thus far refused to require. They are asking this Court to resolve policy and political issue that is dividing various agencies of the Executive Branch as well as Congress. This Court should reject that request, because the All Writs Act does not authorize such relief, and the Constitution forbids it.” [2]

 

I feel Apple was right to push back at the U.S. government. Rather than fighting courts, it is incumbent upon the U.S. government to legislate and enact a comprehensive approach to digital rights.

Category 2: Big Business – The case of Facebook and Cambridge Analytica

The Facebook and Cambridge Analytica incident is essential to understand how big business intersects with other companies and government. During the 2014 mid-term elections, Cambridge Analytica, a voter-profiling company, appeared. [3]

The firm had secured a 15 million dollar investment from Robert Mercer, the wealthy Republican donor, and wooed Stephen K. Bannon with the promise of tools that could identify the personalities of American voters and influence their behavior. However, it did not have the data to make its new products.

So, the firm harvested private information from Facebook profiles of more than 50 million users without their permission. [4]

This information was then used to drive Donald Trump’s campaign for president in 2016. Using private information to manipulate people is inherently unethical. When Cambridge told Facebook it was using this information for academic purposes, it violated the law and should be prosecuted. Cambridge denies this and is embroiled with Facebook in a lawsuit.

According to Paul Grewal, “a vice president and deputy general counsel at Facebook, ‘We will take whatever steps are required to see that the data in question is deleted once and for all – and take action against all offending parties. This was a scam – and a fraud’”. [5]

Additionally, Cambridge Analytica has come under fire for using the data to perform “illegal work on the ‘Brexit’ campaign” [6]. In both scenarios, Cambridge provided services predicated on unauthorized personal information. Whether Facebook can extract some justice from Cambridge is irrelevant. Both the United States and the United Kingdom are in the middle of political turmoil because personal information was used to manipulate the people and their votes. Until Brexit is enacted, the UK continues to be protected by the EU’s GDPR (General Data Protection Regulation) rules. However, the United States is not protected and continues to turn a blind eye to digital rights issues.

Category 3: The case of the Marriott & Yahoo Attacks

In addition to these hacks, I include organized crime and foreign espionage in this category. All too often we hear about hacks, data breaches, and information theft but have no legal recourse or protections in the United States. We hear about hacks on the news such as,

  • November 30, 2018, “Marriott revealed a massive hack on the theft of personal data of a whopping 500 million customers of its Starwood hotels” [7],
  • August 2013, hackers stole every Yahoo account that has ever existed. Russian hackers hacked approximately three billion accounts. The hack was easily the most massive hack to date [8]

It is not essential that these companies were hacked. What is important is that there is little recourse for the average citizen when they are the victim of a cyber-attack. Remedying this problem is not a matter of fining companies for not protecting personal information; it is about smart legislation that guides the development of new technologies that secure who we as U.S. citizens are in the digital world. We aggressively protect our right to privacy in our homes. Why aren’t we protecting our digital privacy to the same standard?

It’s not about technology

When I think about protecting my privacy, I think about my home and having the right, for my family and me, to be left in peace. Digital rights are no different. To me, digital rights are an emerging extension of the right to privacy. The United Nations Human Rights Office of the High Commissioner states,

“It has become clear that these new technologies are vulnerable to electronic surveillance and interception. Recent discoveries have revealed how new technologies are being developed covertly… such surveillance threatens individual rights and inhibits the free functioning of a vibrant civil society.” [9]

 

So, do not be intimidated by someone who talks about the technical merits of a given technology. Technology is merely a tool to enable an outcome. For example, my car is a tool I use to pick up groceries from the grocery store. Like my car, technology is only a tool to accomplish the outcome of securing my digital rights. What we need is thoughtful debate and legislation that ensures transparent and inclusive negotiations.

According to Access Now, an organization focused on global digital rights, “This means conducting public consultations and expert roundtables, publishing negotiating texts and allowing comments from all interested parties with reasonable deadlines and providing feedback on received comments” [10]. This includes all sectors of society as well as strong representation from civil rights advocates for the average American. Access Now’s Lawmakers Guide is a practical framework derived from researching how GDPR was developed, and it dispenses with the legalese that typically generates confusion around digital rights.

U.S. privacy law foundation

As a citizen of the United States, I have a few privacy protections under digital conditions. What exists in the United States is siloed and context specific. For example, HIPAA focuses explicitly on securing the privacy of a person’s health records. While laws such as this are a start, we need stronger and more comprehensive policies to ensure our digital rights. All rights concerning privacy come from the Fourth Amendment of the United States Constitution. Our forefathers viewed privacy as a human right and stated:

The right of the people to be secure in their persons, houses, papers, and ‘effects’, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized [11].

All digital information that is defined as our personal information falls under a single word in the Fourth Amendment: the word ‘effects’. For example, ‘digital effects’ are synonymous with Personal Identifying Information (PII). PII data is “any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date, and place of birth, mother’s maiden name, or biometric records” [12].

While both U.S. civil rights law and the digital rights legislation currently being drafted can be complicated and confusing, it is essential to keep the foundation and precedent for privacy in mind. When I question a piece of legislation, I ask myself if the intent of it is in the spirit of the Fourth Amendment. If it does not fit, I ask myself how could it fit, and I proceed accordingly.

Current legislation to be aware of

In response to recent digital privacy violations, both Congress and the Senate are attempting to address digital privacy by reworking old data protection bills. Below is a list of those bills, prepared by AccessNow, and what to be aware of when your congressman or senator is voting on them.

 

U.S. Data Protection Bills: Strengths and Weaknesses

Consumer Privacy Protection Act (S. 2124; H.R. 4081)

Strengths

  • Expands domain of the Computer Fraud and Abuse Act (“CFAA”)
  • Creates “comprehensive consumer privacy and data security”
  • Grants more authority to FTC and enables investigations by state attorneys general

Weaknesses

  • Extends CFAA without necessary reforms
  • Limited efficacy in practice with companies like Cambridge Analytica
  • Inadequate protection from big business
  • Leverages self-regulation that undermines protection for individual citizens

BROWSER Act (Balancing the Rights of Web Surfers Equally and Responsibly, H.R. 2520)

Strengths

  • Provisions limited privacy policies
  • Applies evenly to both ISPs and edge providers
  • Prevents provision of any service being conditioned or terminated based on an individual’s privacy decisions

Weaknesses

  • Least protective of the five bills listed here
  • Privacy policies fail under digital conditions
  • Limited protections
  • Prevents states from implementing stronger digital rights regulations

CONSENT Act (Customer Online Notification for Stopping Edge-provider Network Transgressions, S.—-)

Strengths

  • Provisions for notification requirements for the collection of specific sensitive data
  • Opt-in consent
  • Notification of a breach

Weaknesses

  • Fails to apply opt-in consent for entities that collect massive amounts of PII data
  • Does not provide enough guidance to the FTC
  • By tying breach notification to ‘harm’, it causes it to be too narrow to encompass the full range of risks to user information

MY DATA Act of 2017 (Managing Your Data Against Telecom Abuses Act, S. 964; H.R.

Strengths

  • Expands FTC’s authority to deal with digital aspects of the law

Weaknesses

  • Very narrow in scope
  • Leaves broad space for ineffective regulations

Secure and Protect Americans’ Data Act (H.R. 3896)

Strengths

  • Regulates the use of PII information
  • Requires companies to review policies in case of a data breach
  • Data breach notification in 30 days

Weaknesses

  • Limited to PII data
  • Excludes photos, personal communications and broad scope of IoT (Internet of Things) devices
  • Places too much burden on the individual to advocate for their rights

[13]

 

ACT – You don’t have to understand technology

Gale,

To answer your question, here’s what you can do. Use the information I’ve provided here to create a foundation of understanding and agreement on what ‘digital rights’ are and are not inside of your organizations. Approach legislators at both the State and Federal levels with what your digital-rights needs are. However, to be successful, give them answers they can choose from and can work with.

As we move into the twenty-first century, we will be called on to defend digital rights. With the ubiquity of digital services and platforms at people’s fingertips, as a nation, we must ensure the American people’s right to privacy is protected. The Fourth Amendment staunchly protects our privacy. However, when it comes to digital rights, it is incumbent upon us to legislate a comprehensive bill that includes protections for digital privacy and enhanced identity rights. The following is a list of Do’s and Don’ts derived from lessons learned during the drafting of GDPR.

Do’s [14]

  1. Ensure transparent, inclusive negotiations
  2. Define and include a list of binding data protection principles in the law
  3. Define a legal basis for authorizing data to be processed
  4. Include a list of binding users’ rights in the law
  5. Define a clear scope of application
  6. Create binding and transparent mechanisms for secure data transfer to other countries
  7. Protect data security and integrity
  8. Develop data breach prevention and notification mechanisms
  9. Establish independent authority and robust mechanisms for enforcement
  10. Continue protecting data protection and privacy

Don’ts [15]

  1. Do not seek broad data protection and privacy limitations for national security reasons
  2. Do not authorize the processing of personal data based on the legitimate interest of companies without strict limitations
  3. Do not develop a ‘right to be forgotten’
  4. Do not authorize companies to gather sensitive data without consent
  5. Do not favor self-regulation and co-regulation mechanisms

With this list of Do’s and Don’ts, we can look to GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act of 2018) as progressive digital rights regulation that begins to address both digital privacy and identity rights. While these laws are reasonable first steps, they possess a flaw. The flaw is that they are opt-out laws. You have a right to request to be forgotten. You have a right to know where your information is and how it is used. Instead, I challenge the State and Federal legislators to create amendments that enshrine our digital rights as a new form of civil rights and then empower a new generation of technologists to bend the digital world to serve the people.

[1] Apple vs. FBI: The Going Dark Dispute Moves from Congress to the Courtroom. (2016, February 17). Retrieved March 13, 2019, from https://www.lawfareblog.com/apple-vs-fbi-going-dark-dispute-moves-congress-courtroom

[2] Boutorous, T., Vandevelde, E., Olson, T., & Zwillinger, M. (2016, March 15). Memorandum of Points and Authorities. United States District Court Central District of California Eastern Division.

[3] Rosenberg, M., Confessore, N., & Cadwalladr, C. (2019, March 4). How Trump Consultants Exploited the Facebook Data of Millions. The New York Times. Retrieved from https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html

[4] Rosenberg, M., Confessore, N., & Cadwalladr, C. (2019, March 4). How Trump Consultants Exploited the Facebook Data of Millions. The New York Times. Retrieved from https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html

[5] Rosenberg, M., Confessore, N., & Cadwalladr, C. (2019, March 4). How Trump Consultants Exploited the Facebook Data of Millions. The New York Times. Retrieved from https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html

[6] Rosenberg, M., Confessore, N., & Cadwalladr, C. (2019, March 4). How Trump Consultants Exploited the Facebook Data of Millions. The New York Times. Retrieved from https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html

[7] Brewster, T. (2018, December 3). Revealed: Marriott’s 500 Million Hack Came After A String Of Security Breaches. Retrieved December 3, 2018, from https://www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million-hack-came-after-a-string-of-security-breaches/

[8] Larson, S. (2017, October 3). Every single Yahoo account was hacked – 3 billion in all. Retrieved December 4, 2018, from https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html

[9] OHCHR | Right to Privacy in the Digital Age. (n.d.). Retrieved March 24, 2019, from https://www.ohchr.org/en/issues/digitalage/pages/digitalageindex.aspx

[10] Creating A Data Protection Framework: A Do’s and Don’ts for Lawmakers. (2018, January). AccessNow. Retrieved from accessnow.org

[11] Declaration of Independence: A Transcription. (2015, November 1). Retrieved February 3, 2019, from https://www.archives.gov/founding-docs/declaration-transcript

[12] Guide to Identifying Personally Identifiable Information (PII). (2017, February 14). Retrieved December 5, 2018, from https://www.technology.pitt.edu/help-desk/how-to-documents/guide-identifying-personally-identifiable-information-pii

[13] Data protection in the United States: Where do we go from here? (2018, April 23). Retrieved March 6, 2019, from https://www.accessnow.org/data-protection-in-the-united-states-where-do-we-go-from-here/

[14] Data protection in the United States: Where do we go from here? (2018, April 23). Retrieved March 6, 2019, from https://www.accessnow.org/data-protection-in-the-united-states-where-do-we-go-from-here/

[15] Data protection in the United States: Where do we go from here? (2018, April 23). Retrieved March 6, 2019, from https://www.accessnow.org/data-protection-in-the-united-states-where-do-we-go-from-here/

 
