How the US government woke up to data privacy

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.

This month:

• A whistleblower says Canadian bank Manulife hasn’t protected customers’ highly sensitive information “for years”.
• Tech lobbyists are playing states against each other to secure watered-down privacy regulations.
• And Putin's cyber warfare strategy is laid bare.

But first: new challenges force the US government to take privacy seriously.

‍

If you only read one thing

The US government wakes up

It’s been a little while since we checked in on the state of US privacy regulation, and data privacy in the country in general. When last we discussed the issue, we looked at the potential for a federal privacy law, the ADPPA, and suggested businesses should get their house in order before it passed. While this regulation appears to be bubbling away in the background, it’s not a law yet.

In the meantime, the government, like others worldwide, has faced privacy challenges requiring a more rapid response. Two stand out:  

• The rapid growth in the adoption and capability of advanced AI models.  
• And the potential for a ban on TikTok.  

Let’s look at what these issues can tell us about how the government is approaching data privacy.

Generating Generative AI regulation  

The technology industry is quickly reshaping itself around AI, in particular large language models like OpenAI’s ChatGPT, building new features, new platforms and new businesses that are based on data—our data--scraped from the web.

It was only a matter of time before governments and regulators worldwide took an interest. Canada’s privacy watchdog has opened an investigation in ChatGPT. Meanwhile, Italy has blocked access to ChatGPT over data privacy concerns, with other European governments considering similar actions. OpenAI has promised unspecified remedies in response.

The United States government is also keeping close watch on the technology, clearly focused on learning the lessons from its the failure to properly regulate social media and other technologies over the last decade.

The National Institute of Standards & Technology (NIST) issued Version 1.0 of its Artificial Intelligence Risk Management Framework (AI RMF) in January. Meant to complement the Biden administration’s AI ‘Bill of Rights’, issued in October, the two documents aim to protect individuals and society from AI-related risks, including data privacy risks.

Such an approach is important. Like social media platforms in the past, these companies won’t regulate themselves.

The clock stops for TikTok?

TikTok, the highly popular Chinese video-based social network, is under fire. Lawmakers worldwide are concerned about the company's connection to the Chinese government and the accompanying national security and data privacy risks.

The app has been blocked from the phones of government employees in the US, Australia, and elsewhere. Now the US government is looking at banning the app from the country. This has become a uniquely bipartisan issue. Disagreements seem to focus on how to restrict the app, not whether to block it in the first place.

In response, the company has spent more than US $1.5 billion on data security efforts under “Project Texas”, a plan to relocate all US user data to data centers outside China, through a partnership with Texas-based Oracle.

And last month, the company’s chief executive Shou Zi Crew testified before a US House committee, with lawmakers grilling him for five hours. This performance did little to reassure them. US House of Representatives speaker Kevin McCarthy says lawmakers will move forward with legislation to “protect Americans from the technological tentacles of the Chinese Communist party.”

There are real concerns here. The Department of Justice is investigating ByteDance’s use of TikTok to spy on journalists. In 2019, the company was fined for violating childrens’ privacy. But would a blanket ban of the app improve US citizens’ data privacy?

TikTok’s argument is that banning the app would allow the government to move on without addressing the many examples of Americans’ data privacy being put at risk by a lack of regulation. It’s a self-serving argument but it’s also true that a ban on TikTok would do nothing to address issues like a Colorado Catholic group buying data on priests who used hookup app Grindr, then sending the “evidence” to bishops.

If the Chinese government accessing US data is the concern, there are other solutions. For example, banning data brokers. There is currently nothing to stop the Chinese government simply buying the data on US citizens if TikTok is banned.  

So, while banning TikTok would be a chance for lawmakers to appear tough on China, arguably the victory would be a symbolic one.

Nonetheless, it’s clear the government is starting to understand that data privacy is a real issue that impacts people over the long run. The question is whether the government can move beyond piecemeal approaches to a comprehensive vision of what it takes to improve citizens’ data privacy.  

🤫 Privacy and governance

Tech lobbyists are watering down US state privacy legislation, to make them more friendly to businesses, and preventing consumers from suing. If they succeed in one state, they can then hold that as a model for future states. Another downside from the country’s current patchwork approach to privacy regulation.

Tesla workers have routinely shared images from in-car cameras, some showing “scenes of intimacy”. Employees have easy access to the output of the cameras and share it freely, according to nine former employees. Location data can also be obtained and linked to the recordings.

A whistleblower says Canadian bank Manulife hasn’t protected customers’ highly sensitive information “for years”, with a database of personal details accessed by 100 employees and an unknown number of others. The bank disputes this account, saying the database meets or exceeds regulatory privacy requirements.

A new study suggests fertility apps are collecting unnecessary personal data and could sell it to third parties. Data collected or inferred includes financial situation, housing, safety and education level, as well as location, even sexual history. In many cases, the apps have no policy over when the data might be deleted.

🔐 Security

Microsoft launched a GPT-4powered “Security Copilot”, designed to help security professionals identify breaches and sort through massive amounts of signals and data.

Meanwhile, Europol is warning criminals are already using ChatGPT to commit crimes. So, to summarize: the security folks are using GPT to guard against the crimes being committed by criminals using GPT. OpenAI has an opportunity here to save everyone a bit of time and money.

A great visualization of recent Australian data breaches shows both the enormous scale of the problem but also a frustrating number of gaps in our knowledge. This is thanks to data breach disclosure laws which place discretion in the hands of the companies which have been breached. As a result, a lot of breaches go unreported.

“By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organisations will have successfully weaponised privacy as a competitive advantage.” Gartner’s top eight cybersecurity predictions for 2023-2024 are out, and aside from the above there is a focus on human-centric design for cybersecurity programs, and a growing emphasis on zero-trust programs.

A massive leak of the so-called “Vulkan Files” reveals Russia’s cyberwarfare tactics, list of targets, and previous operations.

‍

📣 The latest from RecordPoint

ChatGPT and large language models are everywhere at the moment, even this very newsletter! If you’re wondering how they can impact the records management industry, our Engineering Team Lead and Data Scientist Jason Franks has a compelling, lucid report on what the technology, what it is good at, what it isn’t, and how that may streamline records management tasks.

That’s all for this month’s edition. We hope you found the newsletter stimulating. If you did, ask ChatGPT to write you a script for a TikTok!