A free and open Internet is the cornerstone of net neutrality, advocated by civil liberties groups and the US government alike. A wide range of actors have taken this concept to the extreme by publicly releasing very private information and pictures. This reflects a laissez-faire approach to the Internet, completely removing government intervention from the equation. Simultaneously, authoritarian regimes have implemented policies and approaches aimed at Internet censorship, reflecting a protectionist view, with the government determining exactly what information will be accessible to its citizens. But many democratic states are testing the waters with a third approach: Minimal intervention in the name of privacy and protecting citizens. Similar to Keynesian economics, where some government intervention is necessary to optimize economic stability, this third way may serve as a harbinger for the future of cyber security—especially as the public now very clearly understands just how fragile their private data is on the Internet.
Too Little: Laissez-Faire Data Freedom
Continuing the economics analogy, a laissez-faire approach to data freedom argues that data wishes to be free, and government intervention to prevent disclosures is anathema to that principle. The release of private information is already becoming a cottage industry from which blackmailers hope to reap financial benefits. One example is the Wikileaks compilation and aggregated release of the emails of Sony employees following last December’s attack. Similarly, last month’s Ashley Madison hack went a step further, publishing information that not only has the potential to ruin the personal and professional lives of its customers, but also their families.
Personally identifiable information (PII) is also a key target of disclosures and has implications both for personal as well as national security. The Islamic State of Iraq and Syria (ISIS) recently released email addresses, phone numbers, passwords and names of US military personnel, calling for attacks against the service members and their families. Other recent cases of PII theft include the Anthem and OPM breaches. Most of these were instigated by nation-states and criminal groups who have yet to publicly release the data, but who nevertheless now have access to a vast trove of PII. And it’s not just adversarial groups who are releasing PII, but also data brokers, which are poorly regulated and have released billions of customer records. For instance, in 2013 Experian accidentally sold the PII of close to two-thirds of Americans to a criminal group in Vietnam.
Finally, with the omnipresence of smart phones, very private pictures also are released online without personal consent. This ranges from celebrities’ hacked iPhones, to photos used as a component of cyber bullying or revenge porn.
In each of these broad categories, the argument that data demands to be free often prevails, leading to victim blaming instead of facing the larger issue that, given the slow pace of the legal system, perpetrators currently face few, if any, repercussions for the theft and posting of personal information.
Too Much: Government Intervention & Information Control
Many authoritarian regimes operate at the opposite end of the spectrum when it comes to information freedom. For example, as the Chinese stock market plunged at the end of last month, impacting markets across the globe, the major Chinese newspapers either barely referenced the largest drop in eight years, or failed to mention it at all. The search engine Baidu and the micro-blogging site Weibo blocked much of the content related to information about the crash. Similarly, after promising not to censor the Internet a few years ago, the Malaysian government blocked the Sarawak Report, a UK-based news website, following its publication of an article alleging a bank transfer from a state investment fund into the Malaysian Prime Minister’s personal account. Russia was also busy with censorship last week, removing Russian Wikipedia following similar censorship of Reddit earlier this month.
This behavior is not just limited to authoritarian regimes; democracies are also increasingly censoring material. The Mexican government continues to control the narrative surrounding the students who disappeared en route to a protest last year, recently releasing Twitter bots to squash anti-government activists’ online activity. South Korea seems to be borrowing from this playbook, recently censoring LGBT apps as part of a larger censorship campaign, blocking or deleting almost 100,000 sites in 2013 alone. As these examples illustrate, too much government intervention in authoritarian and democratic regimes alike can lead to extreme infringements on civil liberties.
Just Right?
Complete information freedom is not the panacea many imagined, thanks to malicious actors and profiteers who benefit from the release of private information. At the same time, the rise of censorship, generally a tool of governments hoping to control the flow of information to their citizens, is a serious concern. Is there a middle ground that can support the freedom of information that promotes development and democracy, while also protecting privacy?
Attaining this middle ground will require creativity and innovation both from the security community and the legal system. For instance, there was some discussion that the Intimate Privacy Protection Act would be introduced this summer, but it continues to be stalled while other countries have successfully passed legislation focusing on protecting individual privacy. The UK passed a new law criminalizing revenge porn and has sentenced perpetrators under it. The European Court of Justice ruled in favor of the “right to be forgotten” and has increasingly required compliance by the major search engines. Most of these laws focus on non-complicit posting of private data, and reveal legislation that addresses the growing concerns over privacy protection. Nevertheless, as we’ve seen with the Ashley Madison hack, because the legal system lags behind technological change, prosecutors may seek more creative solutions to protect personal privacy. For example, the Canadian government may rely upon recent cyber-bullying legislation to prosecute perpetrators of this behavior.
These examples demonstrate the emerging trend of patchwork legislation focused on protecting private data. However, this kind of legislation often encounters opposition from free-speech groups, many of which worry about a slippery slope toward censorship, as well as concerns about third-party sites being legally liable. If nothing else, the hacks ranging from OPM to Ashley Madison prove just how insecure private information can be on the Internet. Until the legal system catches up to the pace of technology, there will continue to be a greater need for security solutions. With the watershed hacks of the past year, there will be a greater demand to more actively defend against the range of adversaries and better protect not only personal information but intellectual property as well. It’s unfortunate that we’re increasingly talking about the millions of people affected. Groups and individuals on both sides of this argument must get more comfortable with a middle ground approach that integrates minimal government intervention to protect personal privacy while safeguarding information freedom. An incremental approach based on information sharing legislation is not enough. We should move towards greater protection of privacy, including the ability to prosecute for the theft and non-consensual disclosure of digital data. But until the legal system catches up, technical security solutions remain the main (yet imperfect) safeguard for information protection. This combination of more active security as well as modernized legislation is exactly what is needed to tip the balance back in favor of citizens and privacy protection.
Read more blog posts by Andrea Little Limbago.