The big problem with privacy is that once you relinquish some of it, you never get it back. What makes it worse is when those who are supposed to protect your rights choose to undermine them. When they do so, they eat away at the thin protections we should all enjoy in the digital age.
US agencies’ illegal use of smartphone data
These are some of the reasons to be so concerned to learn from a newly released US Department of Homeland Security report that multiple US government agencies illegally used smartphone location data, breaching privacy regulations as they did. To do this, they purchased smartphone location data, including Advertising Identifiers (AdIDs) from data brokers that had been harvested from a wide range of apps.
(There’s a useful article explaining how to disable AdID on Android and iOS devices at the EFF.org.)
The agencies that have indulged in this include:
- US Secret Service
- US Customs and Border Protection (CPB)
- US Immigration and Customs Enforcement (ICE)
This is the story
As noted by 9to5Mac, Homeland Security has made available a redacted version of a previously classified report that reveals three separate US agencies broke the law in this way. It finds that the three agencies did not adhere to protections laid down in the E-Government Act of 2002 and the Homeland Security Act of 2002.
The report says the agencies:
“Did not have sufficient internal controls to ensure compliance with DHS privacy policies, and because the DHS Privacy Office did not follow or enforce its own privacy policies and guidance. Without a PIA in place, privacy risks may not be identified and mitigated.”
We don’t know precisely how the agencies then used this information, as much of the document that has been made available is redacted.
One use that is referred to, however, is combining the location data with other information to match an AdID to a specific person. This kind of information opens a person’s digital existence like a book, as Apple so well explained.
No remediation as yet
The initial report made eight specific recommendations it required the agencies to take to help prevent such disregard of privacy in the future. The redacted report confirms that three have not yet been met.
The report implies at least one agency continues to use commercial telemetry data even though privacy impacts have not been completed.
But the other two recommendations that the report confirms have not been enacted are worse, as they point to a culture in which privacy considerations are ignored:
- “We recommend that the Director, U.S. Immigration and Customs Enforcement develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
- “We recommend that the Chief Privacy Officer, DHS Privacy Office include a statement on approved Privacy Threshold Analyses that use of the project, program, or system determined to be privacy sensitive is not authorized for operational use until approval of the required Privacy Impact Assessment.”
The thing about all this is that it is simply not OK.
While I’m certain the agencies concerned will say the end justifies the means, the fact that they indulged in these acts undermines the privacy that every individual and business should be able to rely on.
Their disrespect for privacy laws serves to shave another sliver of liberty from us all, eroding digital business stability in one fallacious sweep.
Say hello, wave goodbye
What makes this even more egregious is that we can see that governments everywhere are seeking to undermine digital privacy. Whether that’s weird Israeli firms selling surveillance as a service, or legitimate bodies within democratic governments, or scary nation-state attacks by hostile nations or criminal entities, makes no difference at all.
The issue is that if an agency — any agency — can ignore the laws surrounding privacy, then the only way to preserve privacy is to ensure the data doesn’t exist in the first place.
We know Apple tries to do something akin to this — and the existence of the Privacy Reports it now provides across its systems makes even more sense in this context. We also know that rogue governments, including that of the UK, continue to seek to undermine privacy on a platform basis.
This is bad for individuals and for business users. If governments feel they can ignore their own laws, then no one can be certain their data or information is safe. That’s bad for the bad guys, of course, but worse for everyone else, especially against a framework of increased international tension and nation-state backed industrial espionage.
To me, this is once again a reason, if reason was ever needed, to argue against the imposition of any security back doors on any platform, as the actions these agencies have already taken exposes the very thin line between “normalized” surveillance and the protections of privacy law.
It’s also a very good argument for users on any platform to put their devices and the apps they carry on a privacy diet.
For example, an iPhone user may want to open Settings > Content & Privacy Restrictions > Location Services and disable access to location data for all but their most regularly used apps.
Apple earlier this year hosted a series of events across its retail stores to mark Data Privacy Week, sharing multiple tips to protect users on its platforms.
What’s at stake?
Think about it this way. Each time privacy protection is stripped away — for whatever reason — just a little bit, then everyone is impacted. That’s bad for individuals and bad for business. And when you consider the sheer quantity of information held about you on your digital devices, and the insight it can provide into you and your life, then it is pretty clear, as Apple CEO Tim Cook once said:
“There’s probably more information about you on your phone than there is in your house.. Our smartphones are loaded with our intimate conversations, our financial data, our health records. They’re also loaded with the location of our kids in many cases.”
Let’s keep it to ourselves.
Copyright © 2023 IDG Communications, Inc.