Where President Biden’s EO on digital privacy falls short


In the realm of digital privacy, the seminal Cypherpunk Manifesto by Eric Hughes offers an important lens through which to assess the Biden administration’s February 28 executive order (EO). While the EO aims to protect sensitive information from exploitation by foreign adversaries, a closer examination reveals a myopic approach that falls short of the Cypherpunk’s vision of privacy empowerment.

The definition of privacy by Hughes emphasizes the power to selectively reveal oneself to the entire world — foreign nationals and U.S. citizens alike. Hughes highlights the importance of individual agency in controlling personal information. Privacy, in his view, is not merely about keeping secrets, but about having the autonomy to choose what information to share and with whom, whether they are advertisers, data brokers, foreign hackers, or representatives of U.S. law enforcement.

For Hughes, the Biden administration’s EO would likely appear half-hearted in scope, focusing exclusively on safeguarding data against foreign or external threats, while neglecting to address the much broader issue of empowering individuals to protect sensitive data that they choose to share with others.

The EO highlights the need to govern personally identifiable information (PII) shared with international organizations. It states: “Unrestricted transfers of Americans’ bulk sensitive personal data and United States Government-related data to such countries of concern may therefore enable them to exploit such data for a variety of nefarious purposes, including to engage in malicious cyber-enabled activities.”

While that’s all well and good, it’s a pretty low bar to set for protecting individual privacy. The idea that we should prevent bulk datasets of PII from being shared freely with parties in countries of concern goes without saying. We need a more nuanced view of individual privacy and the ability to have agency and autonomy over our sensitive data, wherever it might travel — whether it’s to “countries of concern” or within our own borders, or even to our own government.

While it’s important to have protection from foreign actors, true security and privacy require more than just defense against external threats from nation-state actors and countries of concern — they require a special type of offense. This necessitates proactive measures and granular policy controls to empower individuals (and commercial enterprises) to govern massive amounts of sensitive data that’s intentionally shared, yet still requires close protection.

The EO’s failure to address domestic privacy concerns stands as a significant oversight. By focusing solely on protecting data from foreign exploitation, the order ignores the reality that bad actors can also compromise privacy within the United States. Hughes would likely argue that true privacy protection must encompass all potential threats, whether they originate from abroad or within one’s own country — even one’s own network of contacts.

In line with the Hughes vision, true privacy empowerment requires individuals (and organizations) to take two steps:

  • Play defense by protecting sensitive data that they possess from theft by malicious actors.
  • Play offense by having agency and control over data that they choose to share with others.

Enhancing privacy is not only about implementing defensive, reactive measures against external threats; it’s also about showing initiative and having the agency to implement offensive, proactive tools to maximize control over data that we voluntarily share.

When we raise the bar of personal privacy, we also reap the benefits: In addition to giving our data the proper respect, we also maximize the value and utility we gain from our data, because we are confident in its integrity. When we have control of our own data destiny — the ability to protect our information with cryptographic controls, securely share it with the people and entities we so choose, and retain the ability to revoke it if we change our minds about who can access it — we’ll be better off as stewards of U.S. citizens’ private data.

While the Biden administration’s EO on digital privacy represents a step in the right direction, it falls far short of the Cypherpunk’s vision of privacy empowerment. Like so much of conventional cyber wisdom, the Biden administration’s EO myopically focuses on playing defense against external threats, and it completely misses the point with respect to playing better offense by proactively applying granular policy controls on data that we all choose to share.

John Ackerly, co-founder and CEO, Virtru
