US Executive Order promises privacy progress

There is nothing like adversarial threats to election integrity to unite Americans of all parties on contentious issues like data privacy. On the one hand, legal trade in sensitive American data, including finances, health information, location, purchases, and online activity, fuels a multi-hundred billion dollar data broker industry with a knock-on impact for enterprises selling them products and services. 

It also empowers adversarial foreign powers to launch more precise and targeted attacks on elections, businesses, government personnel, and citizens. The US government has preliminarily identified China, Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern. Three recent developments include:

• President Joe Biden issued an Executive Order calling for measures to restrict the sale of sensitive data to foreign adversaries. 
• The Justice Department announced an advanced notice of proposed rulemaking to restrict certain categories of transactions. 
• A bipartisan coalition of legislators proposed the Protecting Americans from Foreign Adversary Controlled Applications Act to ban companies like ByteDance from running social media networks in the US. 

The executive order points out the many threats, particularly as countries of concern take advantage of recent advances in AI, de-anonymization and joining up representations of a person from across multiple data sets to engage in espionage, blackmail, influence, physical and cyber-attacks, and threaten national security. 

The measures suggest creating Know-Your-Customer requirements for the data broker industry. Still, they will not restrict the flow of sensitive data to non-adversarial countries for storage, processing, or offshoring customer support services. The EO states: 

The national security restrictions established in this order are specific, carefully calibrated actions to minimize the risks associated with access to bulk sensitive personal data and United States Government-related data by countries of concern while minimizing disruption to commercial activity.

Progress or privacy signaling?

Jeff Reich, Executive Director at the non-profit Identity Defined Security Alliance (IDSA), is hopeful that the EO will expand the scope of what is considered sensitive data to include protections for genomic, biometric, personal health, geolocation, financial data, and certain kinds of personal identifiers:  

It is good to see that we are beginning to think of identity as more than name, date of birth, and social security number. These are steps in the right direction, so much will be determined by what the resulting regulations will be and their effectiveness. I expect the effects of this latest EO to be felt in months or years, not now.

Jennifer DeTrani, General Counsel/EVP, Corporate Secretary and Head of Culture at Nisos, a vendor of tools for unmasking adversaries, is hopeful about the recent progress. She argues the EO shows the US will not stand by and allow US persons and businesses to fall prey to foreign adversaries.

It’s difficult for the average citizen to fend off targeted attacks when their data is compromised or sold off as a commodity to threat actors or predatory companies. However, it's too early to determine if the EO has a net effect on promoting collaboration across government agencies to protect cross-border data flows. She says:

It’s clear that this approach is meant to reinstate confidence in the US with respect to data privacy protections. We’ve known for a while that the patchwork approach to state data privacy laws was going to need to align with a more orchestrated federal approach, and this just might be a step in the right direction.

The new EO raises numerous questions about industry pushback and effectiveness. Steve Moore, Vice President, Chief Security Strategist & Co-Founder of TEN18 at Exabeam, said that although the EO includes some key points, it's largely ineffective. The EO offers a recommended deadline for next year, so what happens if the current administration loses the election? It's also unclear whether raising the privacy stakes under the umbrella of national security will be enough to overcome data broker lobbying efforts. 

Data flow like water

However, many experts are also concerned about the extensive data broker market for selling third-party data and finding the right balance between increased protection and industry usage. Caroline Carruthers, Chief Executive of data consultancy Caruthers and Jackson. Said that unlike the UK, the US has lacked specific laws addressing data scraping until this EO. This order appears to address gaps to bring the US more in line with UK and EU standards regarding the legality of data brokerage activities. But the devil is in the details. She explains:

The focus should be on the practical implementation of these measures. Data behaves just like water—it flows everywhere, often leaking where it shouldn't. Instead of merely aiming for a watertight solution where data is not used at all, it’s crucial to strike a balance between safeguarding data and using it effectively. It's essential to find a solution that is both comprehensive and adaptable, aiming to prevent misuse while allowing for legitimate use cases. Going forward, striking this delicate balance between protection and usage will be key.

It will also be difficult to apply controls to the extensive mass of sensitive data now in the wild. Wade Barisof, Director of Product Data Protection at Fortra, says:

The reality of the EO is how do you put the toothpaste back into the tube, as we have already lived through decades of sharing private data which once sold, can be resold to any interested party regardless of need or country. That is the true loss of control. Foreign adversaries already have US citizens' public data, and if there was a magical way to cut it off today, the existing data would be relevant for years to come, which there is no magical way to cut it off.

He believes the EO is purely a play on trying to stop feeding the models used against US citizens to sway elections, manipulate public opinion based on profiles and inject instability, which is topical in a presidential election year. But it is only a step towards taking privacy and sovereignty seriously, which will require new laws with stiff penalties to be effective. Barisof argues: 

Until there is a penalty that is material to US companies, EOs are ineffective other than hopefully giving companies pause when monetizing citizen data.

Irina Tsukerman, president of Scarab Rising, a boutique security and privacy consultancy, is concerned that foreign nationals of relevant backgrounds work in research projects and companies that create and use sensitive data. There is no surefire way of preventing industrial espionage until business practices improve. Negligence by these companies is an obvious obstacle to protecting data. She argues: 

So, at most, this EO will motivate some companies that directly deal with data sharing from turning over everything they have to those governments, but unless they are also held responsible for negligent sharing of data in general (strict liability imposition), they can just as easily sell it to shell companies and false flag operations from those countries with the same impact as if they were selling directly.

Step in the right direction

Anthony Cammarano, VP of Security, Privacy & Strategy, Protegrity, sees the EO as a small step in the right direction. It’s a start to recognize that we must consider and regulate US citizen PII more broadly. Either the US’s existing frameworks haven’t gone far enough, or more likely, industries that have not been regulated haven’t had to think about it other than in terms of revenue. A probable outcome is that this will enforce existing regulations on non-regulated industries.

But it also raises interesting questions about who owns the data collected on citizens. Cammarano explains:

The US government is tackling the challenge as a national security issue, which isn’t incorrect. Businesses in the US believe customers’ data is their property, and those businesses can use it for just about any purpose they choose. One side is thinking about national security, and the other side is thinking about profits in this mix. If history serves as a lesson, businesses will find ways to skirt the laws for profits. The US approach stands in stark contrast to measures like the GDPR that affords the citizens the rights to control their data and requires businesses to be good stewards of that data.

Davi Ottenheimer, VP of Trust and Digital Ethics at Inrupt, which is developing a trusted data management platform, believes that executive orders are meant to establish the tone and direction, and the recent one focusing on safeguarding sensitive data is a notable stride. It underscores the significance of data protection at the highest levels that could ignite innovation within the market.

It is also significant that the recent EO outlines steps to map out links in the data supply chain, such as ownership and control of submarine fiber optic cables connecting the US to other countries. This builds on previous efforts like The Clean Network initiative launched by the Trump Administration to remove Huawei and other Chinese companies from phone and computer network infrastructure. Ottenheimer believes this kind of mapping and analysis could lay the foundations for broader privacy protections in the future:

 While actions like cataloging lines of communication may appear minor, they represent vital initial steps, akin to the early stages of scaling a mountain. For instance, those acquainted with the history of spycraft and hacking, such as the infamous Zimmerman telegram of 1917, understand the value of inventorying physical and logical egress points. Collaboration across sectors and nations is essential in combating sophisticated threats to data privacy within interconnected systems, making such an executive order instrumental because it fosters necessary co-operation and investment.

My take

Election hacking is an explosive topic in American politics and linking it to foreign adversaries will ignite discussions about data privacy until the November 5th elections. Then, it will quietly fade to the backburner against pushback from data brokers and their enterprise customers. 

Data broker KYC will be argued as too complex, expensive, and a burden on innovation and American competitiveness. As a side effect, the data brokering and processing industry will fuel more sophisticated social engineering attacks on businesses, consumers, and government organizations from foreign adversaries and native hackers. Other “non-adversarial” actors will continue to combine bulk sensitive data and AI innovations to drive “engagement” and sell us things we don’t need to exacerbate the mental health crises at great profit. 

Meaningful change will only come when innovators discover ways to grow faster than privacy laggards by treating sensitive personal data as a valuable tool to #acceleratetrust rather than something to be mined.