Today the European Union General Data Protection Regulation (GDPR) went into effect. It has sparked discussions about what privacy should mean in the digital world and how to ensure privacy.
I have been thinking about this topic because of China’s moves toward matching American technological know how in semiconductors and digital systems (Great podcast on the topic). Apparently, a big part of the push has been because of the Snowden revelations that showed American companies worked with the US government to install backdoors, secret access points designed for access by governments, into products.
I think many Americans were shocked as well. I sincerely believe that the security agencies that implemented backdoors has good intentions. They wanted access data to spy on our enemies or catch terrorists. But as a programmer and digital native I find backdoors alarming. Programmers will tell you that you cannot create a backdoor without creating a security vulnerability. Any digital access point that can be used by the FBI can be used by hostile powers like Russia or Iran. They are also used by criminal elements to steal information for sale on the black market. Imagine if Congress passed an act that forced lock makers to allow for a master key access on all locks to be used by law enforcement. There would be a whole host of issues. What if criminals copied the key? Or if a police officer used the key to spy on their former lover? It would compromise the security of American homes and offices to an extent that it would cause an immediate up roar. Americans should feel the same way about digital backdoors. Every backdoor in a major program like Windows, Chrome, or Adobe is a weakness that can be used to attack millions of Americans. It is morally unacceptable.
I believe it is also illegal under any digitally informed reading of our constitution. If you are wondering I strongly doubt the ability of Congress or the Judiciary to understand digital concepts after the embarrassing Zukerburg interview in Congress. Anyways, our constitution does not guarantee explicitly a right to privacy. However, I believe it is relatively straightforward to see how constitutional protections for property can be extended into the digital space. The government cannot order us to make our homes easier to break into just because it would be more convenient for the NSA. Similarly, they should not be allowed to make our computers vulnerable to attack even if it is nicer for them.
So what should we do to ensure digital privacy?
First, we should ban the creation of backdoors for anything other than legitimate business reasons.
Second, new regulations should be put into place that impose substantial fines for data breaches. Those fines should be used to help victims recover.
Third, the US should set new digital privacy standards that allow users to delete data from digital platforms.
Fourth, tech companies should work toward complete encryption for data where only the user can access information. This means that companies would not be able to access user data even if they wanted to. It would also make it impossible for them to comply with search warrants since they cannot access the data.