Turmoil in the online world has been drawing headlines lately, whether it’s a Twitter shakeup or ongoing efforts to ban TikTok from US government systems.
As a security practitioner, I know that a crisis should never be allowed to go to waste. We can use these heightened data privacy concerns to motivate us to take action that will have a much more lasting and comprehensive effect than just banning one particular app.
Today’s digital world is a modern wonder of convenience, information and entertainment. Algorithms enable each of us to easily navigate this large and sometimes chaotic ecosystem. At best, these algorithms are extremely useful. At worst, they are weapons of mass manipulation, causing significant damage to us, our families and our society. But good or bad, we cannot avoid them and we deserve to know how they work and how they are used.
These algorithms do not produce immediate, noticeable changes. Rather, they fuel relentless micromanipulation that fundamentally changes our society, politics, and opinions over time. It doesn’t matter if you can resist manipulation or opt out of apps powered by these algorithms. If enough of your neighbors and friends make these almost imperceptible changes in attitudes and behavior, your world will change – not for your benefit, but for the benefit of those who own and control the platforms.
Finally, movement on data privacy
Data privacy activists have been raising the alarm about these algorithms for years, but have had little success in making significant changes. But now there’s finally a chance to do something about the problem – a federal bill that the House Energy and Commerce Committee sent to the full House for a vote in the last Congress.
The bill, known as the American Data Privacy and Protection Act (ADPPA), would for the first time start holding the creators of these algorithms accountable – and require them to show that their formulas of engagement do not harm the public.
I like to think of it as comparable to the generally accepted accounting principles that the SEC requires of publicly traded companies. In this case, the enforcement authority would be the Federal Trade Commission.
Unfortunately, the vote on ADPPA did not take place before the recess of the last Congress. And it is not known whether the new chamber, now under a new party's control, will be willing to take it up. But citizens of all political persuasions who care about data privacy should urge their lawmakers to reinvigorate the legislation or draft a new version that takes into account what some critics saw as its shortcomings.
As a former FBI cybersecurity special agent now working for a cybersecurity company, I urge every cyber citizen to pay attention to this issue – and I beg lawmakers to take action.
Why you should worry
A typical example of the algorithms I’m talking about are those that create “you might like” suggestions on sites like Amazon or Netflix. They seem harmless enough, but they’re designed to get us to buy more stuff or engage in more binge-watching, which I guess is fine if you have the time or money to burn.
But other algorithms are pernicious, such as those used by some online financial institutions that have been accused of encoding racism or other biases in the loan application process, and those that drive algorithmic radicalization by feeding users increasingly radicalized content with extremist views on topics from politics to healthcare.
Then there’s TikTok, a “free” social media app used by 80 million Americans. It is so addictive that some critics call it “digital fentanyl”. The revelations about TikTok’s data collection and storage have also raised serious concerns. It’s unclear whether the Chinese government is privy to the data TikTok collects about its users, but national security leaders say they don’t want to wait to find out.
Controlling Data Collection
These concerns led the U.S. Senate to unanimously approve a bill banning the app from all federally issued devices, and at least 11 states followed suit by mandating similar bans on state-owned devices.
FBI Director Chris Wray also testified in November before the House Homeland Security Committee that China could potentially use the app as a weapon to influence or control users and their devices – creating a virtually infinite flow of information from which attackers could launch campaigns like phishing or social manipulation targeting US users.
But with strong and clear regulation and enforcement of data privacy, Americans could use social media apps like TikTok with much less fear. If we were able to better control what information is collected, where it is stored, with whom it is shared, and we could verify these facts, such concerns would be greatly mitigated.
More importantly, if we could gain insight into the algorithms used to influence users, we could set rules on what we would allow and even give users the option to opt out of these manipulative systems.
A key step towards data privacy
ADPPA is far from perfect, but for the first time in decades, the federal government has made a serious effort to protect consumer data privacy. Some states, most notably California, already have stricter data privacy laws, and ADPPA critics want the law changed so it doesn’t prevent states from enacting stricter safeguards.
But Internet data does not respect national borders. And even if ADPPA is just the first step on behalf of the nation’s cyber citizens, it would be a significant step. We need a federal legal framework that protects everyone and avoids the pitfalls of a patchwork of unequal laws across states.
The bill is a reminder to all of us: don’t let the perfect be the enemy of the good. I would like to see the FTC’s rulemaking powers increased and the agency given a larger budget to carry out the tasks set out in the Act. In addition, we need more detail and clarity on the “private right of action” to directly take legal action against companies for data privacy violations.
Data collection is a sophisticated science; also destructive
Having said that, one of the most valuable parts of ADPPA is that it highlights how the sophisticated science of data collection can be turned into something dangerous and destructive. Right now, we rely on companies to do the right thing. Many don’t.
ADPPA would eventually create a mechanism that requires companies to certify that private data will not be misused. This would give every consumer the right to opt out of being tracked and having their data shared with third parties.
In the business-to-business world where I work now, everyone sees the value of data. So they take all kinds of measures, including legally binding contracts, to stop other companies from using it to their advantage.
Today, consumers have little say in how their equally valuable personal information is used – and by whom – for another person’s gain. ADPPA will provide consumers with remedies, which in some cases include the right to sue companies for data abuse. Additionally, consumers have little insight into the powerful algorithms that underlie our current use of the internet.
A bill like ADPPA would provide a process to understand how these algorithms work, allowing consumers to influence how they work and how they are used.
We humans must hold algorithm developers and data collectors accountable. ADPPA would create a much needed foundation upon which we could build a much safer and more transparent online world for all of us.
Former FBI Cyber Special Agent Adam Marrè is the CISO at Arctic Wolf.