Janie Slaven: LEFT TO MY OWN DEVICES: Finally, a federal law protecting privacy in America

Janie Slaven, The Times-Tribune, Corbin, Ky.
·5 min read

Aug. 31—There continually exists a debate about whether Americans enjoy a right to privacy. Of course, you won't find it expressly put forth in the U.S. Constitution. That's unusual when compared to well over 100 other national constitutions that do include overt nods to one's privacy and its protection. In the States, we have court cases, inferential readings of the U.S. Constitution, such as its Fourth Amendment, lofty law review articles, and a slew of states' laws protecting your personal privacy. Yet, that one, clear-cut, express, federally scoped law that explains that we have a right to privacy does not exist.

With decades of evolution influencing the Internet Age and its commercial practices of data gathering, we need this as much as anyone. The vast and indescribable amount of personal, private information about you, your family, your work and belongings that's now part of the databases of Amazon, Facebook/Meta, Twitter, Google, and those level of players is only the starting point. Your banks and healthcare providers, also subject to the big tech data vacuums, add complexity and vulnerabilities. Every non-cash transaction. Government interactions. Traveling. What functions of modern-day living do not result in sharing your information?

When I lament this state we've arrived at, sometimes I find comfort in the practical realities of it all. One, I'm a relative nobody, worth relatively nothing to the bad actors. Most of us, despite our proclivity to over-self-value ourselves or our merits in society are actually in that same category. Our egotism likely considers us riskier than where our actual beings and values might place us in aspiring criminals' priorities. The phrase "random acts of violence" while not having much to do with cybersecurity risks might apply, however. That could turn said comfort found in our honest self-evaluation back to being on guard. Just because I'm not a worthy individual target for a cybercriminal doesn't mean I won't get swept up in some scheme. I mean, truly, as I've shared in this column and otherwise, I have in fact been victimized through online scams, debit and credit card fraud, and other nuisance examples.

There's nonetheless some relief in knowing that I'm not the phish that most bait is trying to lure. Another factor that gives me some ease, and takes me off the ledge of utter insecurity of data in the face of modern collection and security practices, is that there is simply so much information. The likelihood of my pittance of a digital footprint being compromised is slight. This is simple math, such that when the denominator of the risk percentage represents decades of digital information about six or seven billion people, the odds calculated with my scant numerator's weight seems to keep me safe(r). Car wrecks happen every minute, and I've endured some through the years. Though with 276 million vehicles on America's roadways, you and I feel pretty safe heading out every morning.

Risk analysis, in a very basic understanding, considers both the likelihood of the risky event happening and its potential damage. So, if my private information is one of the digital universe's tiny, cosmic particles, it's unlikely that a hacker will target me. Add to that the fact that because I have so little to lose, and that in most cases my bank will make me whole (I won't get into the indirect costs, fees, and all that, resulting), I would analyze my risk as being rather slim.

It's only a partial analysis, though. That's because of a couple factors that bring me back closer to the edge. First, the aforementioned randomness might catch me in a hacking dragnet where even if the criminal would never risk their freedom on Ed's vast coffers, I'd get snared in a bigger plot. Secondly, I write it all the time: All the reports and information about security incidents only account for those that victims are willing to share, and certainly don't account for the best of the baddest actors who are so crafty in their criminal trade as to not only never get caught, but in many cases leave the damages as being unknown for a while or forever. Third, we're still in an evolutionary point of all this that we cannot predict how big and bad it could get. Could be that suddenly we're all devastatingly affected. Economies fail. Infrastructure systems collapse. I'm talking truly big-picture results.

On balance, then, this notion of a right to personal privacy should remain important to you. It is to me, for sure. I am heartened, therefore, about the American Data and Privacy Protection Act, which is still undergoing negotiations in Congress, and thusly still needs to pass both its chambers before getting signed into law.

The importance of the ADPPA is that it would introduce the first federal privacy law to American society and our functions, commercial and otherwise. The phrase that pays, or perhaps that saves, is "data minimization." If you're a stockholder in the FAANG enterprises, credit reporting firms, retailers, etc., etc., this should concern you. If you're a sensible human being who cares about your privacy, this should inspire high-fives.

Amongst the myriad reasons that companies currently collect your private information, beginning with their own enrichment, only 17 distinct functions of data collection survive in the current iteration of the ADPPA. If a company needs to authenticate you in order to conduct a transaction you want to engage in, that's still good-to-go. Collecting information to avoid fraud? Same. All good. The hundreds of other marketing reasons, profiling users, collecting data willy and or nilly? Nope. Ain't gonna happen any more.

We're going to see many changes to the ADPPA's current language, but there is real hope, and privacy advocates agree. Things might get a little safer for us, or at minimum a little more challenging for the digital criminals out there.

Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.