This article is more than 1 year old
Data tracking poses a 'national security risk' FTC told
'We're making China's job easier'
The massive amounts of digital data being bought and sold — or sometimes freely shared — poses a grave national security risk, according to a former US policymaker and diplomat.
During a Federal Trade Commission (FTC) hearing on commercial surveillance this week, Karen Kornbluh, the former US OECD ambassador and FCC exec who now leads the Digital Innovation and Democracy Initiative at the German Marshall Fund, urged the watchdog agency to enact stricter data privacy rules to protect consumers.
Most of the comments during Thursday's public forum covered the usual concerns over tracking software that collects millions of data points on individuals — including their location, search queries, race and gender — which is then sold to third parties or handed over to the police.
Kornbluh, however, made the case that businesses' data collection and retention practices also aid foreign cyberspies.
"There's a national security loophole from the proliferation of consumer data when we have so much information about Americans floating around the internet," she said. "In fact, there's a $12 billion surveillance-for-hire industry that allows foreign governments to buy data."
This data, Kornbluh added, is then used for espionage, voter manipulation and ransomware attacks as well as doxxing, swatting and real-life harassment. "Data brokers market data on current or former military personnel including their web searches, family members, home addresses, and even GPS coordinates," she said. "It's difficult to trace where these data go or what they're used for."
She cited the US National Counterintelligence and Security Center's warning [PDF] about China collecting large health-care data sets on Americans "though both legal and illegal means."
"So we are making their job easier," Kornbluh said.
"Data that's never collected in the first place cannot be breached."
Additionally, as the Supreme Court's decision to overturn Roe v. Wade, and the more recent Kiwi Farms incident revealed, "it's clear that this information floating around about vulnerable people poses real, physical danger," she added.
Kornbluh urged the agency to use its regulatory authority to combat dark patterns and other deceptive practices online. Additionally, the FTC should allow parents to delete their minor childrens' data and "reset the algorithms feeding them content."
To prevent what she deemed a "national security loophole," Kornbluh said the FTC should require corporations perform due diligence before selling or sharing personal data, and the recipient companies must also have the same legal responsibilities to ensure they're not feeding data to cybercriminals.
'Criminalization of private lives'
Finally, "to address the criminalization of our private lives," even if an individual has consented to data collection, if the information being collected is sensitive, such as an online search for or geolocation tracking an abortion clinic, "these searches should be deleted promptly," Kornbluh said, echoing a demand that hundreds of Googlers made to CEO Sundar Pichai last month.
- Mozilla CSO demands fines to curb Big Tech surveillance
- FTC ponders proper punishment for commercial data 'surveillance' and shoddy security
- FTC urged to probe Apple, Google for enabling 'intense system of surveillance'
- Why bother with warrants when cops can buy location data for under $10k?
As the FTC considers imposing stricter privacy rules on corporations, it's seeking public comment about the "harms" related to businesses' collecting, analyzing and monetizing people's information up until October 21.
While Kornbluh and her fellow "consumer advocate perspectives" panelists had plenty to say about these harms — Electronic Privacy Information Center (EPIC) deputy director Caitriona Fitzgerald described the current state of affairs as a "data privacy crisis" — not all of the public testimony provided was supportive of future FTC rules.
Surveillance? Or data gathering?
The US Chamber of Commerce not only took issue with data privacy mandates, but also with the FTC's word choices including "harms" and "commercial surveillance," which it said suggests that businesses are using consumer data for nefarious purposes.
Plus, "if a rulemaking was lawful, the FTC would objectively and independently be required to look at both harms and benefits," said Jordan Crenshaw, VP of the US Chamber Technology Engagement Center, in his testimony.
"We urge the FTC to wait on Congress as constitutionally required to pass a true, clear, and workable national privacy law and to follow the FTC Act by remembering the tremendous benefits consumers derive from our data driven economy in any enforcement proceeding," Crenshaw said."
However, the commission's political makeup and Biden-appointed chair, as well as a recent lawsuit against data broker Kochava, seem to indicate it is inclined to codify some type of privacy regulations to limit companies' appetite for information harvesting.
Big Tech plays by 'different rules'
EPIC's Fitzgerald said rules are needed to level the playing field. Otherwise Big Tech isn't held to the same legal and ethical standards as, for example, telephone companies or postal services.
Data tracking, she said, "assaults long held norms surrounding privacy. This about communications: letter writing, the content of our phone calls. These have long been private activities, and we have legally protected their confidentiality. Why should the rules change when it comes to email?"
"Google's implementation of email sought to track both the content and the identity of communicating parties in a way that we wouldn't stand for, and would violate criminal statutes if performed on postal mail or telephone calls," she added.
Fitzgerald called on the agency to "rein in commercial surveillance" by limiting wide-scale tracking and profiling of consumers, and mandating that individuals' information can only be collected, used and transferred "as reasonably necessary to provide the service requested by the individual."
This will also help improve data security, she added: "Data that's never collected in the first place cannot be breached. Data that is deleted after it is no longer needed is no longer at risk." ®