Inadequate data protection: A threat to economic and national security
The world is awash with personal data. As people increasingly rely on new data-driven services and products, from iPhones to exercise apps, almost every aspect of our daily activities has become a data collection opportunity.
In the US, home to the largest data companies in the Western world, individuals, citizens and firms have become increasingly dependent on data-driven services such as artificial intelligence and apps. Yet their personal data are not adequately protected at the national level. As a result, they have also become more vulnerable to theft, hacking, and misuse. Meanwhile, defence and national security officials have also become more dependent on data-driven services; from drones to tanks, data are now at the heart of national security. These officials collect personal data from citizens and soldiers to inform decisions, connect machines and people, and to recruit and train soldiers. As with personal information, these specialised datasets are also vulnerable to theft, hacking, and misuse.
Moreover, although much of our individual data are anonymised when they are used in large datasets, several studies have shown that anonymised data can easily be re-identified when researchers cross-evaluate multiple datasets (Ohm 2010). Since nation states are comprised of people, nation states are also vulnerable to the misuse of personal data (The New York Times 2019a).
The US failure to adequately protect personal data is rooted in the economics of data themselves. As the scholar Shoshana Zuboff has shown, the designers of web applications such as browsers, apps, and social networks decided not to directly charge ‘netizens’ for innovative services. They instead developed a business model where if netizens provided personal data, they could receive innovative free services (The Guardian 2019). Firms would then utilise and monetise those data to better understand customers, solve problems, and create new goods and services.
But the market for personal data is opaque; we know little about the supply and demand, the prices, the buyers, or the sellers. Moreover, the market is global and difficult to regulate (Aaronson 2019). As a result, countries (including the US) have struggled to devise a comprehensive approach to this problem. US policymakers have yet to develop a solution that effectively facilitates data-based innovation, whilst adequately protecting personal data from misuse (especially through apps or third-party reuse).
How does social science explain the evolution of this issue?
The American public claim that they care about privacy, but many people do not consistently act on that belief (Pew Research Center 2014). They do not vote with their feet and abandon firms that inadequately protect their personal data, nor do they seem to favour firms that embed personal data protection by deliberate design (TLS 2019). Furthermore, they have not made personal data protection a political priority (EPIC 2019). Until recently, the data giants such as Facebook, Amazon, Google, Apple and Microsoft did not push for national privacy legislation. As a result, some 20 years after the US announced that online privacy is essential to e-commerce, the US still does not have a national privacy law. This policy failure resonates globally.
Although defence officials acknowledged that their dependency on data-driven services could cause national security problems as early as 2013 (Vice 2013), personal data protection (as opposed to proprietary data protection) was not seen as a policy priority. Despite funding several projects, defence officials have not yet found an effective technical solution to ensuring privacy and effective anonymisation (DARPA 2015).
The US failure to adequately govern how firms use and monetise data affects national security in many ways. Threats posed by inadequate data protection can be direct or indirect, immediate or gradual, and they can be presented by insiders (domestic citizens or firms) or outsiders (foreign firms or adversaries). For example, some US firms such as Facebook continue to misuse data and present few restrictions on third-party use and the monetisation of those data (NBC News 2018). In doing so, they are undermining trust and jeopardising privacy and legitimate democratic debate (The Guardian 2019). Foreign firms linked to governments can also take advantage of inadequate governance of personal data. They can create appealing apps that monitor users, such as ToTok (The New York Times 2019b), or share data without intent, as in the case of the Strava heatmap of global users (Wired 2018). These firms could also combine these data with other datasets or use such data to threaten other governments or citizens. There are emerging concerns that the apps Grindr and TikTok, if under ownership by Chinese parent companies, may be required to share their user data with the Chinese government, although such claims are allegations (The Verge 2019, vox.com 2019).
Table 1 An overview of cases discussed
How I analysed the issue
In a recent study, I performed a historical analysis of primary and secondary sources to understand how US government entities viewed and responded to the use/misuse of personal data. I then examined five different cases from 2017 to 2019. The case studies included social networks and apps which present either alleged or verified threats to security in the US and internationally. I next examined US and EU responses to the issue of inadequate data governance. By relying on these different cases, I was able to present a more complete picture of the overall issue.
How have the US and the EU responded to the problem of inadequate personal data governance?
Both the US and the EU have responded to these concerns about inadequate data governance with protectionist policies. The US response is both nationalistic and slightly paranoid. The US Congress tasked an arm of the US Treasury with carefully reviewing foreign investments in companies producing and using data. The Treasury told the Chinese company that it must sell the LGBTQ dating site, Grindr (Wiley 2019, The Washington Post 2019). The Trump Administration also proposed new regulations for the data supply chain, noting that “the unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States”.
Meanwhile, the EU already has strong data protection rules with international force. But in October 2019, Germany announced its plan (Bundesministerium für Wirtschaft und Energie) to create its own cloud infrastructure (the cloud can be defined as computing as a service). The Gaia-X project “aims at setting up a secure and trustworthy data infrastructure for Europe.” The project is not only designed to encourage European cloud self-sufficiency. With more European firms using its cloud, European states would have greater control over data markets. They plan Gaia-X to require ‘open standards’, ensuring that businesses and consumers could move their data around freely, and share and reuse data at their individual discretion. According to Fortune Magazine, a spokesperson for Germany’s Ministry of Economics said that, in principle, the Gaia-X initiative will not exclude any company because it is not based in Europe. Participating companies must however abide by European rules around data protection and ‘sovereignty’. The spokesman noted that because the project is at an early stage, the data governance rules are still to be defined (Fortune 2019).
Here is why you should care about this issue
Data are important to economic growth, and they are essential to national defence – from understanding and countering adversaries, to solving complex problems, to managing domestic personnel (The Washington Post 2017). How data are effectively governed will determine if the US can control both the data of its people and its government, as well as its own destiny. If loose lips can sink ships, inadequate data protection can move ships in the wrong direction.
Author’s note: This is a shorter version of a policy brief and article prepared for the Canadian think tank Centre for International Governance Innovation.
Aaronson, S (2018), “Data is Different”, Centre for International Governance Innovation, Waterloo, Canada.
Aaronson, S (2019a), “Data is a Development Issue”, Centre for International Governance Innovation, Waterloo, Canada.
Aaronson, S (2019b), “Data is different, and that’s why the world needs a new approach to governing cross-border data flows”, Digital Policy, Regulation and Governance 21(5): 441-460.