Companies and governments have been scrambling to combat cyber incidents affecting stored customer information and their private documents. Over the years, the United States government has provided cyber laws, policies, and frameworks to assist companies in protecting user data and information as well as providing guidance for acceptable usage of said data. Despite this, there are still devastating cyber-attacks that expose hundreds of thousands of personal records each year, not being assuaged by the fact that both private and public institutions alike have been caught ‘over-collecting’ and improperly using customer information. In recent years, the European Union has implemented a new set of cybersecurity laws, known as the General Data Protection Regulation, or GDPR. Though the regulation isn’t flawless, cyber security experts claim it sets clear expectations and contains clear steps and punishments to hold organizations who breach the GDPR accountable. Personally, I believe that the USA should reevaluate its cyber security posture and policies from a lawmaker’s standpoint, providing more individual privacy rights. Using the articles from Zimmer and Buchanan, this paper will elaborate on why a GDPR approach to user data would assist in providing more cyber-related protections to individuals, potentially curbing government agencies and company data collection. On top of this, I will utilize the African moral theory of ubuntu to emphasize the importance of data ethics in American society.
Micheal Zimmer, a professor at the University of Wisconsin, comments on the data mishandling of a group of researchers in a piece dubbed, “But the data is already public”. Zimmer’s commentary follows a group of social scientists who wanted to track the social trajectory of a group of college students utilizing their online Facebook profile. Titled “Tastes, Ties, and Times”, the research paper consisted of data from “anonymous” college students. Researchers assert that both the students and the college were kept as vague as possible to protect the identity of the unwitting participants. Traditionally, the method of collecting data for an analysis such as this would’ve been through third-party organizations or through self-reporting, which the researchers stated proved unreliable. The team of researchers gathered information through “scraping”, or searching up the names of the college students, recording the data, then storing and maintaining it on a datasheet. Claiming that the students would remain anonymous, the researchers assured readers and colleagues that unnecessary information had been encoded or deleted in “good faith steps”. They failed, miserably. Despite these attempts, outsiders were able to identify the location of the college and the students without ever needing to use the actual dataset itself. Using tidbits of the information left in their available research code book and interviews researchers gave with the media, outside parties were able to use web searches to locate the “classified” university. In the end, the researchers closed their research paper to the public, with student’s private lives being exposed, as well as the university being identified.
Thankfully, the researchers were truly acting in good faith, attempting an intriguing social study. That is to say, there was no malicious intent, just social science research. Taking a step back, however, the research was an egregious breach of personal data privacy. Not only was data collected and scraped from unsuspecting student profiles, but the university provided housing records, which were intended for internal administration usage, not for researchers to collect and store. The researchers felt they made a good faith effort in obfuscating the private data, going so far as to add a ‘terms of use’ agreement on the paper, forcing readers to agree not to disseminate the data. (It is worth mentioning that the codebook that was used to reveal the student data and university location did not have a ‘terms of use’ agreement.) Zimmer counters with the habitual “click-through mentality” of users, scrolling to the end of long, painful documents just to click accept. With GDPR-esque laws and frameworks, I believe that the researchers wouldn’t have to act in good faith, already having a playbook and set of rules to follow in ensuring that student data is protected. Meaning, the researchers would’ve known what data they could collect, how they could collect it, and who they would have to inform about the data collection. For example, GDPR regulations could have mandated that students must be informed when their dormitory information was provided to 3rd party researchers. Another GDPR protection would’ve been regarding Facebook, which wouldn’t have been able to collect so much information about students, to begin with, therefore barring researchers the ability to scrape student data off the internet. Ubuntu professes the idea of treating all with dignity, with providing basic communal respect. A GDPR-style approach to user data would provide a “collective responsibility” to a user’s data, mandating more respect for the individual through a collective duty to protect one another. GDPR would provide rules for private institutions on collecting, storing, processing, and transporting private data, giving more control to the individual.
To build upon this, Elizabeth Buchanan, another researcher, comments on a study regarding data privacy and big tech. Extremists such as ISIS, she writes, have been utilizing new media types to communicate and spread messages across the internet. Twitter, for example, has been used to disseminate ISIS propaganda to a global audience. As described in the article, law enforcement agencies are behind in their ability to identify and monitor extremist accounts and stay “in the know”. To compensate for this lack of identification process, state and federal agencies like the NSA have begun a process of mass intelligence and data gathering on social media. Crawling across the internet, these government organizations have collected hundreds of thousands of posts, records, and other personal data. On the surface, this is a noble goal. Stopping the spread of horrendous propaganda, ideologies, and messages can stop additional attacks and inspiration. Additionally, the practice allows agencies to identify patterns in extremists and apply them to suspects on a large scale. Ethicists, however, have pushed back on this practice, seeing it as a blatant breach of data privacy. Questions have arisen about the collection framework, such as; when does it end, who is it targeting, and which organizations are utilizing and accessing data collection tools and archives. With this method, everyone is treated as a suspect, being guilty until proven otherwise. There is no ability to give or withdraw consent, with all users being seen as subjects with data to collect. An interesting point to mention, Buchanan actually notes that the advent of the GDPR will create hurdles in the mass data mining process. Buchanan’s report on mass data mining illuminates how mass surveillance and collection of data can start with honorable intentions.
Personally, I found the article to be short, simple, and poignant. Buchanan relays an excellent contention, stating “…we can ask to what end this methodology will be used, and who will use it?”. (Buchanan 2017) Creating collection frameworks that scrape for researchers and private institutions is already a vicious breach of personal data privacy, but having government agencies commit the act under supposed ‘national security’ is entirely different. To put it bluntly, it’s worse. For example, Edward Snowden illuminated blatant violations of civil liberties and data privacy through NSA leaks, displaying how, if unchecked, the government can and will abuse its ability to collect data on unsuspecting citizens all in the name of protecting the populace. Implementation of GDPR-style rulings could curtail and place a leash upon the practices of these three-letter organizations, who, if found in violation of data ethics laws, could face severe legal ramifications. The Fourth Amendment’s intention was to curb government search and seizure of private documents and information, but sadly this is not enough for digital space. GDPR for the United States would set a clear expectation for both private and public institutions, with clear, measured consequences. Ubuntu ethics charge members of a community to stand in solidarity with one another. If one man isn’t free, none of us are, and as long as one individual is being spied upon, whether we agree or disagree with the reason, we are all under threat.
Personally Identifiable Information (PII) and Personal Health Information (PHI) are extremely important. As previously described in the first case analysis, privacy is one of our dearest possessions. Unsurprisingly, as the world has become more globalized and technologically advanced, government entities and companies feel inclined to collect personal data with impunity, seemingly sprinting towards a cyber dystopia. Traditionally, the United States Constitution and Bill of Rights would protect the individual and hold the government accountable, whilst privacy laws would keep private organizations in check. In lieu of the recent events in the past few decades, there is a requirement for more modern regulation to keep up with advancing technologies. For the European Union, the GDPR was a step in the right direction, ensuring proper data handling, as well as notification of data collection and data loss due to breaches. Zimmer and Buchanan both described scenarios in which, without clear frameworks or policies, both private and public sectors will breach and exfiltrate private information. Ubuntu professes that individualism comes from the community, charging said members to ensure the freedom of every individual. As long as one is at risk, all are at risk. With clear expectations and defined punishments, the GDPR is an excellent start at retaking privacy and data security.
References:
Buchanan, E. (2018, March 20). Considering the ethics of Big Data Research: A case of twitter and Isis/ISIL. PLOS ONE. https://journals.plos.org/plosone/article?id=10.1371%2Fjournal.pone.0187155
Zimmer, M. (2010, June 4). (PDF) “but the data is already public”: On the Ethics of Research in … VoiceThread. https://www.researchgate.net/publication/226596617_But_the_data_is_already_public_On_the_ethics_of_research_in_Facebook