Data & Privacy in the Age of Surveillance Capitalism

Protecting data privacy and security at a time when both are under attack is an incredible responsibility. In the context of the commercial use of data in the 21st century, data itself can be viewed as a capital asset of value. Harvard Business School’s Dr. Shoshana Zuboff noted that “the collection and selling of user data have created a new form of ‘surveillance capitalism,’ in which users’ quotidian behavior is commodified.” Former Google CEO and Executive Chairman Eric Schmidt also noted that “there is a creepy line [in respect to surveillance capitalism], and the goal is to get right to the line without crossing it.”

Holding data is an open invitation to attack, one that data privacy and cybersecurity professionals must deal with every day. For example, the January 6th Committee inadvertently released the Social Security Numbers of over 2,000 individuals, and T-Mobile recently had its eighth data breach in less than five years. The attack on privacy is not only an attack on databases, however, but also an attack on the individuals affected. The challenge faced in government and the private sector is to determine the “creepy line,” how we choose what it is, and what our responsibilities are. Data is the “gateway drug” for other privacy abuses. Everything begins with privacy, and data attacks are easy and rewarding for bad actors.

Federal agencies find themselves in the middle of the explosion and exploitation of data. There is an exponential responsibility to protect data and how it is handled. The first electronic network led to the telephone, which led to the internet, and now leads to the Metaverse. Technology drives social and economic upheaval, and the winners are those that engage in the change. Public policy is problematic in changing times, particularly when they change as fast as they do today. Simply put, you cannot use yesterday’s conclusions for today’s challenges.

This challenge results in the past making itself present in the future, and policymakers must live with statutes written for yesterday’s realities. Congress defines tomorrow in terms of yesterday. For example, the Fair Information Practice Principles (FIPPs), developed in 1973, are still being used 50 years later. Ask how the digital revolution differs from the industrial revolution; the answer will drive the response to today’s world. In the past, assets were exhaustible. When using data, however, assets are inexhaustible.

The history of dealing with digital technology is one where policy is constantly playing catch up. This leads us to ask two key questions: 

  • Who is going to meet this challenge?

  • How do we establish oversight and acceptable behavior, and who enforces them? 

In government, our dilemma is that we are in a world where the status quo is secure, but we live in a world where the status quo is dangerous. How can we move from a world of micro-management to risk management? In a world where industrial thinking, statutes, and procedures prevail, we exist in a new era that has created a new reality, one in which we can no longer be satisfied with what we knew yesterday. The failure to reflect that reality has real consequences. New technologies create new responsibilities.

Safeguarding Data While Minimizing Risk: Leveraging Memorandums of Agreement (MOAs)

Memorandums of Agreement (MOAs) play an important role in safeguarding the exchange of data with less risk, empowering collaboration, fiscal efficiency, and safe data utilization. There are three categories of data: public data; personally identifiable information (PII) sensitive data; and statistical and demographic data. While public data is information that can be freely used, reused, and redistributed by anyone, PII sensitive data is protected by the Privacy Act and cannot be released. Statistical and demographic data, by contrast, is handled internally through an internal memo process.

An umbrella MOA with appendices is a strategic approach to adapt to multiple data assets without re-working the process. This approach is particularly effective for MOAs that require high-level signatories. The language of the MOA is the most important aspect, and the specific name of the agreement is not as critical. It is important to work out the details up front to avoid future hurdles when using the data.

The National Vetting Center (NVC) has its own version of an MOA, the Vetting Information Sharing and Technical Agreement (VISTA). It is very detailed and lays out the legal authorities for sharing information, access controls, and other important considerations such as training, redress procedures, auditing, metric capabilities, and processes for coordinating third-party requests for information. There are various MOA builder and toolbox resources available, such as HotDocs, Legito, Contract Express, and ProDoc. These resources can help ensure that MOAs are comprehensive and effective in protecting sensitive data.

With MOAs serving as an essential tool in safeguarding the exchange of data and reducing risks, there are several key questions to consider when drafting such agreements:

  • It is essential to determine the extent to which the receiving entity can further share the data or information.

  • Understanding whether the recipient can use the information or re-identify individuals is necessary.

  • It is essential to consider whether other sharing involves an MOA and if the sharing agency wants to be involved with those negotiations.

Additionally, it is crucial to outline the user or recipient's allowed and prohibited actions regarding the data. There should be language in the MOA to notify partners if there is a data breach so that the sharing agency can coordinate the response. The recipient should also notify the sharing agency if the data is inadvertently shared in a way that was not anticipated. The MOA should also clearly state the disposition of the data, including whether its use is indefinite.

Creating an effective MOA that safeguards data requires careful consideration of several key questions and provisions to minimize risk and protect data exchange. By taking the time to consider these questions and outlining explicit requirements in the MOA, the sharing agency and the recipient can thus ensure the safe and secure handling of sensitive information.
