Modern field guide to security and privacy

Opinion: Will either candidate protect your data? It's time to ask

In light of the Yahoo breach, Donald Trump and Hillary Clinton owe the American public an explanation for how they'll protect their personal data.

Lena Gjokaj takes a cell phone photo of the stage for the presidential debate between Democratic presidential candidate Hillary Clinton and Republican presidential candidate Donald Trump at Hofstra University in Hempstead, N.Y., Monday, Sept. 26, 2016. (AP Photo/Julio Cortez)

It's time for the presidential candidates to start talking about privacy, and specifically about data protection.

The scope of the recent Yahoo data breach was unprecedented. More than 500 million user accounts were compromised. Yahoo said that the "account information may have included names, email addresses, telephone numbers, and dates of birth."

Yahoo assured users that passwords and security questions and answers were encrypted. But the company is also urging users to change their passwords and security questions and to review their accounts for suspicious activity.

The Yahoo data breach may be the largest of all time, but it is hardly the first. Over the last several years, the scope of data breaches in the US has increased and the rate of occurrences has accelerated.

This was not hard to predict. When I testified before Congress in 2011, following a string of attacks against US businesses and financial institutions, I warned that the data breach problem would grow worse. I explained that as consumers and businesses became dependent on cloud-based services they would be less likely to know when problems occur than if they were to lose a laptop or experience a break-in.

We urged Congress and the administration to pass comprehensive privacy legislation and to back Privacy Enhancing Techniques that would minimize or eliminate the collection of personally identifiable information.

In 2012, the administration announced a solid proposal for data protection called the Consumer Privacy Bill of Rights. President Obama also spoke in support of Student Privacy legislation that would prevent the use of educational records for commercial purposes. But the White House has shown little interest in pushing these initiatives, focusing instead on plans for drones and driverless vehicles that will create new privacy risks. And Congress has been unwilling to support new privacy initiatives, even blocking a modest effort at the Federal Communications Commission to limit consumer profiling.

Then in 2015, the Office of Management and Budget acknowledged the most extensive hack of a government records system. The personal information of more than 22 million federal employees, their friends, and family members was breached. This included more than 5 million digitized fingerprints, unique biometric identifiers, and the contents of the confidential SF-86 form, which provides tremendous detail on the personal lives of applicants for sensitive government jobs.

Earlier this year, the Federal Trade Commission reported that almost 500,000 Americans reported identity theft, an increase of 47 percent over the previous year, and the highest number since the agency began keeping this statistic.

Policymakers are well aware of the cybersecurity threat – it even came up during the first presidential debate – but few view the problem through the lens of data protection, which could actually place limits on the personal information businesses and government agencies collect. The result is that data collection continues, and companies and law enforcement agencies are reluctant to tell users when their personal information is compromised. At best, data breach laws tell consumers there is a problem.

The current path is not sustainable. Even businesses that oppose government regulation must see that data breaches pose a direct threat to consumer trust and the US economy. Verizon, which planned to pay almost $5 billion to acquire Yahoo, must be asking how to value a company that exposed hundreds of millions of its users to increased risk of identity theft and financial fraud. The potential liability is staggering.

The public knows there is a problem. A recent survey by the Pew Research Center shows support for stronger privacy laws in the US. Pew found that "68 percent of internet users believe current laws are not good enough in protecting people’s privacy online."

Americans also favor limits on how long their personal information is stored. And contrary to the conventional wisdom, Pew found that "young adults are more focused than elders when it comes to online privacy."

Many young people try to protect their privacy online, remove their names from tagged photos, and take steps to mask their identity. They use messaging services with strong cryptography. According to Pew, 74 percent of all Americans say it is "very important" to be in control of their personal information.

In this election year, we have heard a lot from the candidates about the privacy of their email, their tax records, and their health care records. But none of the candidates have said a word about the need for a national strategy on data protection. That must change.

The moderators for the next presidential debate need to ask the candidates about data protection. This may be the most important, least well-understood issue of this election. Here are a few suggestions:

"Have you or a family member ever experienced identity theft or a data breach?"

"How do you view the current administration’s efforts to safeguard privacy?"

"What steps would you take to protect the personal information of Americans?"

"Would you back comprehensive privacy legislation?"

"Should the US create a data protection agency?"

"If you are elected president, will Americans continue to experience data breaches similar to the recent Yahoo breach?"

Marc Rotenberg is president of the Electronic Privacy Information Center in Washington and editor of "Privacy in the Modern Age: The Search for Solutions." EPIC is a nonpartisan independent research organization, established in 1994, to focus public attention on emerging privacy issues. Follow Marc on Twitter @MarcRotenberg.
