With the data the U.S. government has, it could write detailed biographies on nearly every resident.
While it’s true the U.S. government requires access to information to keep our nation safe, it need not be at the expense of personal privacy. Unfortunately, in the case of the National Security Administration’s (NSA’s) leaked Ragtime files, personal privacy appears to have taken a back seat. Was this data truly collected “incidentally” as claimed by the NSA?
The Ragtime program collects the contents of communications, such as emails, online exchanges and text messages, of foreign nationals under the authority of several U.S. surveillance laws. Until recently, there were four known variants of the program. These variants were originally revealed by the leaks of whistleblower Edward Snowden:
- Ragtime-A, involving the U.S.-based collection of foreign-to-foreign counterterrorism data
- Ragtime-B, collecting foreign government data that travels through the U.S.
- Ragtime-C, focusing on the nuclear counterproliferation effort
- Ragtime-P, standing for Patriot Act and authorizing the collection of bulk metadata on calls and emails sent over the networks of telecom providers
However, recently released information indicates the amount of data collected may be larger than previously thought. There now appears to be 11 total variants. One is called “Ragtime-USP,” which may stand for “U.S. person” and target Americans.
These findings resurface an age-old question:
Where should we draw the line between personal privacy and national security?
Of course, the government needs to use all applicable and appropriate data possible to help military efforts and keep our nation safe. At the same time, the government must strongly secure data and protect individual privacy. Unfortunately, to date, its practices have leaned toward sacrificing data security and personal privacy in the name of national security. It does not have to be this way; the government CAN get insights from data without sacrificing national security when the guidelines below are followed.
These same principles also apply to the private sector.
Limit data-gathering programs to their stated purposes. When the NSA gathers communications from foreign nationals, the data inherently includes information on individuals the foreign nationals communicate with – including U.S. citizens. The stated purpose of the Ragtime program is to capture the communications of foreign nationals. However, the reality is that individuals who are brought into a conversation by others are subject to having their communications collected, monitored and analyzed. If the NSA can continue to claim, without opposition, that this breach (by design) of the program’s stated purpose is a byproduct of keeping the U.S. safe, it will take no actions to re-engineer systems and processes.
Private sector businesses should keep the data of those within arm’s reach of their clients in mind as they craft their own data security and privacy policies. Gather only the data of those with whom you have a relationship, and discard the rest. If you don’t you could run afoul of the growing numbers of data protection laws and regulations that require you to obtain explicit consent prior to collecting personal information from individuals.
Hold agencies accountable. Government agencies should be held to the same security and privacy standards as the private sector and, importantly, be accountable for following those standards. Only entities that have a proven record of implementing and maintaining strong security and privacy controls should be allowed to hold such gigantic repositories of sensitive and privacy-impacting data. So far, the NSA has not demonstrated accountability for the data it has collected. And lawmakers show little desire to implement security and privacy controls that may get in their way of reaching as much data as possible in the name of national security.
Regulators hold your agencies accountable; those of us in the private sector must insist on the same from them.
Private sector businesses also need to be responsible and accountable for implementing and maintaining strong and effective information security and privacy controls. They should also know and be in compliance with applicable data protection laws, regulations and other legal requirements.
Examine data retention policies. Another issue that has not been addressed through these surveillance programs is data retention. The programs suck up all the data possible and then keep it forever. The amount of data the NSA has on U.S. residents could be used to create detailed biographies of nearly every person in the U.S. This is a dangerous position for an organization without the proper security measures in place. Unfortunately, hundreds of millions of personal data records have been compromised in recent years due to vulnerabilities at the NSA and its associated vendors.
Private sector businesses with similar stores of data must perform regular information security and privacy assessments (SIMBUS360 can help!) to ensure they are doing everything they can to protect clients and customers.
Implement strong security controls and privacy protections. The NSA has not demonstrated these capabilities to date. Furthermore, the majority of government lawmakers have long enabled the NSA’s lack of security and privacy controls. An objective, validated and non-partisan entity with ongoing audit oversight would be best to provide the security protections required.
Similarly, businesses and other organizations should consider working with neutral third parties to affirm they are following all required compliance statutes, as well as thinking through how their evolving technologies, systems and business models may be opening their firms up to new threats. Certainly, such organizations can do their own ongoing assessments internally, but bringing in objective third parties to do assessments every now and then (at least once every year or two, and when significant operational changes occur) allows for a different perspective. Objective eyes often find things missed by those in the environment each day.
Indeed, when it comes to personal privacy and national security, we need to change it from an “either/or” conversation to an “and” conversation. While the NSA and your average law firm, accounting practice or health care provider may not have the same objectives, they do have much in common. Today’s growth-minded businesses understand data is a powerful currency, and will only increase in value as time goes on. As they are collecting, analyzing, storing and sharing data, there must be just as much strategy applied to protecting data.
