The 7-day journey of the Chinese spy balloon from Alaska to South Carolina captivated the attention of millions of Americans. While the mission and payload of the airship remain unclear, the low-tech platform likely provided two key advantages over existing satellite capabilities: proximity to targets and persistence for surveillance collection. The public response elicited by the airborne threat reflected Americans’ expressed preference for personal privacy. Even 60,000 feet away, the balloon’s white envelope reflected enough sunlight to be captured via cell phone cameras of concerned observers. Images and videos rapidly proliferated via social media, and citizens demanded action from the federal government.
While such a visible challenge from a foreign government generated broad support for action, other, more obscure digital surveillance threats evoke far less passion from the public. The information age has seen an exponential increase in the volume and frequency of data collection from individuals’ activities on the internet and telecommunications networks. Among many others, social media posts, geolocation tags, electronic shopping records, and smart devices record day-to-day activity. Taken individually, these records often say very little and remain anonymous. Viewed collectively, however, trend data derived from digital footprints reveal personalities, preferences, and patterns of life, useful information to many commercial and government entities.
Big Data and Commercial Access
Before the development of Big Data computing, processing these vast vaults of information proved time-consuming and cost-prohibitive. However, technical advances have increased the volume of data storage, the speed and complexity of analysis, and the quality of insight. The ability to learn from such vast amounts of information provides enormous value for organizations and society as a whole, improving process efficiencies, decision-making, and the development of future generations of products and services. Such outcomes give tremendous power to organizations with the capability to process Big Data analytics, and these capabilities grow ever more accessible as data processing technologies mature.
Powerful tech companies like Google, Amazon, Meta, and Apple revolutionized data analytics and its use in the private sector. By combining widely collected user activity with behavioral psychology, commercial organizations alter choices that people make, often in the interest of profit maximization. While not illegal, such manipulation challenges the notions of individual choice in a liberal society.
However, while processing capabilities have matured, the requirements to secure data during the collection, storage, and analysis phases grow increasingly complex. Companies face endless attempts to exploit networks and servers, keeping cyber security teams busy with ever-evolving threats. Preventing data breaches, such as the 2013-2015 exfiltration of personal information from the United States Office of Personnel Management (OPM), requires skilled technicians and powerful software working around the clock.
Perhaps more concerningly, the proliferation of commercially-collected data has led to the rise of data brokers, who profit off the collection and sale of personal information within the current legal limitations of consumer data usage. With no restrictions on who can purchase these caches, non-profit-seeking groups can easily obtain anonymous data that, when combined with other information, can reveal personally identifiable information. The Privacy Project by the New York Times in 2019 demonstrated the ease of such a cross-referencing process. Times reporters obtained smartphone hits from a location data company using mobile app software, compared them to public records for homes and businesses to identify potential cell phone users, then tracked digital footprints to generate patterns of life and identify high-profile individuals. These techniques have already been used in practice, such as the Catholic nonprofit group that identified clergy members with activity on gay dating sites in 2018 and Cambridge Analytica using Facebook user data to target individual profiles with political advertising in the 2016 election cycle.
The exploitation of Big Data by governments raises specters of Orwellian control. Declining costs of data collection and storage technology have lowered traditional barriers to effective surveillance, giving states the ability to pursue ever more targeted, invasive, and broad-scale coverage. A 2019 study reported that at least 75 governments across the globe employed some form of digital surveillance with the assistance of artificial intelligence and Big Data processing. States employ Smart City technology, facial recognition software, and smart policing, drawing on data collected from devices owned by individuals, companies, and governments.
Unsurprisingly, China leads the pack in digital surveillance technology. In pursuit of its Fourth Industrial Revolution through informatization, China seeks to enable automated decision-making and social management through its investments in Big Data technologies and AI. Its three major state-owned telecoms–China Telecom, China Unicom, and China Mobile–loom large in the IT industry, and the government has used effective carrot and stick incentives to control major privately-owned companies like Baidu, Alibaba, and Tencent. With a successful domestic surveillance strategy, further enhanced by COVID-19 tracing apps, China now employs passive and active measures to export its technology-enabled techniques, while protecting its domestic data sovereignty with the Great Firewall of state-controlled networks.
Chinese influence reaches into the United States. Concerns over data privacy of American TikTok users have heightened after repeated reports of potential exploitation by China-based employees of the app’s parent company ByteDance. Worse, as late as 2020, a philanthropic program to fund affordable cell service and free smartphones to low-income households discovered some of its Android devices included Chinese malware, which opened backdoors to users’ private data. China’s forays into American data collection exemplify the interest of foreign entities in access, analysis, and manipulation of private information. The federal government has rightly begun to counter the growing Sino-Cyber threat, gathering critical information through the House select committee on China and challenging TikTok’s CEO on data privacy concerns. Yet the efforts targeting individual states or platforms fail to address the underlying legal frameworks that facilitate easy access to consumer data for more than just oppressive regimes.
Even the world’s more liberal democracies produce data collection software and employ digital surveillance techniques in the interest of state security. Commercial firms from Israel, Germany, and Italy create and export more spyware and digital forensics tools than those of any other country. Even in the United States, federal agencies, including the Internal Revenue Service and Drug Enforcement Agency, have purchased and searched aggregated smartphone geolocation data from third-party sources for border control, criminal investigations, and counterterrorism efforts. Certainly, these organizations should be permitted to leverage the power of emerging technologies to advance national security interests at scale through affordable solutions. However, the exploitation risks and misuse of such information must be mitigated to protect the privacy rights of Americans.
Return to Oz
The federal government has an opportunity to proactively pass legislation to protect Americans’ data privacy. Several states have already taken such measures. California, Colorado, Connecticut, Utah, and Virginia lead the way with comprehensive consumer privacy bills taking effect by July 2023. To varying degrees, these laws give citizens the rights to access, correct, delete, and limit the use of their data collected on websites. They also automatically limit what businesses can do with the collected data. However, the lack of shared regulations across state lines limits the effectiveness of such protections.
Privacy-oriented Germans pushed the European Union to develop the broad General Data Protection Regulation (GDPR), adopted in 2016. This complex legislation is the latest in a series of European privacy laws, but it represents the first major regulation spanning state borders that imposes strict rules on how companies can store and use personal data. With legal restrictions in each of the 27 member states, the law was designed to enhance individuals’ control over their information while establishing common rules across the union to streamline the international flow of data. The final product has proved far from perfect, disproportionately targeting advertising technology firms and potentially preventing some societal benefits of Big Data. Still, the legislation could be a template for American lawmakers to use in developing their own federal law, which could itself serve as guidelines for future regulations in the global information environment.
That federal legislation could look similar to H.R. 8152, better known as the American Data Privacy and Protection Act (ADPPA), which was introduced in the House of Representatives in June 2022. This law would enhance individual privacy controls, improve data transparency, and restrict how personal data could be collected, stored, and used by small businesses, large data holders, service providers, and third parties. While initially supported on both sides of the aisle, the ADPPA stalled due to concerns from California legislators, who say the bill would supersede their state's bill and allow law enforcement agencies unnecessary access to personal information.
While individual state requirements should certainly be considered, Congress can and should take action to standardize national data privacy protections. The Chinese spy balloon serves as a vivid example of persistent intrusions on personal privacy, and the rapid pace of technology development necessitates a well-crafted legislative response to establish commonality across state lines. Fortunately, federal legislators have the benefit of considering and improving upon existing regulations at the state and international levels. In crafting a comprehensive law, representatives should balance openness with security, promote innovation while preventing exploitation, and wield the transformative power of Big Data as they protect the privacy rights of Americans.