details, and numerous other data points. Enough information is often collected that even 2

Transcription

1 Big Data Study Office of Science and Technology Policy Eisenhower Executive Office Building 650 Pennsylvania Avenue, NW Washington, D.C. 050 VIA E MAIL bigdata@ostp.gov March, 04 Re: Big Data Study, Document Number Dear Ms. Wong, Thank you for the opportunity to provide public comment in response to your comprehensive review of big data and its implications for privacy, the economy, and public policy. Access ( is a global organization dedicated to defending and extending the digital rights of users at risk around the world. Access works through its Policy, Technology, and Advocacy teams to achieve this mission. Access provides thought leadership and policy recommendations to the public and private sectors to ensure the internet s continued openness and universality and wields an action focused global community of nearly half a million users from more than 85 countries. Access also operates a 4/7 digital security helpline that provides real time direct technical assistance to users around the world. I. The Challenges of "Big Data" The growth in large scale collection, retention, transfer, and analysis of personal data places everyone s privacy at risk. All types of organizations consumer facing companies, third party data brokers, government agencies, and others develop comprehensive profiles at times containing identifying information, such as names, addresses, and phone numbers, as well as buying habits, personal interests, ethnic identities, political affiliations, marital status, credit card details, and numerous other data points. Enough information is often collected that even anonymous information can be re identified easily. In one high profile case, reporters were able to identify several anonymous users based solely on their AOL search history, which had been publicly released. Information in one user's records provided detailed information on her medical history and love life. There has been an exponential increase in the amount of data collected and stored by private companies in recent years. Facebook announced in 0 that its data center had grown 500x big data does and doesnt know about me professor re identifies anonymous volunteers indna study/

2 4 since 008. By 0, Facebook was collecting about 80 petabytes of data per year. For reference, one petabyte is the equivalent of 0 million 4 drawer filing cabinets filled with text. Retailers, whether focused at online markets or off, also track customers. It is estimated that in one hour Wal Mart processes about million customer transactions containing.5 petabytes of data. "Free services offered by companies are often possible because these practices are part of a business model that relies on interpreting high quality data about their users in order to serve revenue generating targeted advertising. And over the years, many of these same internet companies have simplified their privacy policies by eliminating granular user controls while increasing the capacity to track each and every online action. 5 Data collection practices have been connected to specific practices that negatively impact internet users. For example, in 0, it was discovered that some online travel booking companies, including Orbitz Worldwide Inc., were charging customers using Apple products 6 close to 0% more for flights and hotels than visitors using Windows. Such digital market 7 manipulation leads to economic and privacy harms. A recent breach of Target s systems is 8 estimated to have affected up to one third of all Americans. Ensuring that citizens have adequate knowledge and control over their data would greatly reduce the privacy and other human rights risks associated with big data. Currently, comprehensive standandards apply to medical and financial data, but not other types of sensitive information. It is not only private entities where data collection has skyrocketed. Recent revelations have shown that US government intelligence agencies have been implementing programs to collect personal information and communications of users around the world at unprecedented levels. Some of these programs are implemented through legal processes, which compel companies to produce user information that the companies have otherwise collected for their own purposes. These collection programs are overseen by the secret FISA Court, which issues orders requiring production while preventing companies from publicly revealing that the collection has occurred. Under other programs, often authorized under Section 70 of the FISA Amendments Act and Executive Order, the US is tapping fiber optic cables directly (BLARNEY, OAKSTAR, 4 engineering/under the hood scheduling mapreduce jobs more effi ciently with corona/ privacy/ 6 wsj&ur l=http%a%f%fonline.wsj.com%farticle%fsb html breach affected 70 million customers.html

3 9 STORMBREW, FAIRVIEW), breaking into the private links between corporate data centers 0 (e.g., MUSCULAR), or collecting the content of a whole country s phone calls (e.g., MYSTIC/RETRO). Given the preponderance of attacks on the US Government, these mass surveillance places a tremendous amount of users and user data at risk. II. The Problem of Unauthorized Access Once collected, bad data security practices have led to the unauthorized access to and use of personal information, compromising users around the world. Data breaches are increasing in frequency. Last year saw the highest total records breached, according to a report by Risk Based Security. In one incident, attackers obtained records with addresses and passwords from around 5 million Adobe accounts. In another breach, approximately 0 4 million Target accounts, about a third of the US, were affected by a data breach. While the Adobe and Target breaches are two of the largest known breaches to date, data continues to be compromised with such great frequency that these incidents account for only a small portion of the total data that is known to have been exposed in 0. Indeed, last year there were,64 incidents of data breaches with 8 millions records exposed reported worldwide. Attacks against US entities accounted for nearly half of all breaches globally. 5 Unauthorized access to user data is not a new problem. For the past years, identity theft has 6 been the biggest source of complaints to the Federal Trade Commission, which underlines that the identity and finances of citizens are consistently at risk due to needless collection practices and insufficient security practices employed by companies online. The economic impact of data breaches, and the accompanying reputational and legal fallout, is undoubtedly huge. Target spent $6 million in breach related costs in the first three months after the breach, which experts 7 estimate may grow to as high as $ billion. Target s data breach is expected to be so 8 expensive, in part, because it revealed data placing credit at risk. That might be good for credit monitoring agencies, but it can create everyday challenges for victims when they try to get a mortgage, get a credit card, or buy a car. Data breaches are also particularly expensive in the US for the companies who lost or had records stolen. In 0, companies paid on average $88 per lost or stolen record. That equated to about $5.4 million in loss for each entity with a data 9 nsa slide you havent seen/0/07/0/8046 e8 e6 e aa9f c0a7ed4_story.html 0 hacks internet company data centers bulk collection is out of control DataBreachQuickView.pdf adobe cyberattack idusbre9a6d breach affected 70 million customers.html 5 DataBreachQuickView.pdf 6 events/press releases/0/0/ftc releases top complaint categories target results idusbreap0wc target data theft victims become a credit agencygoldmine

4 breach. 9 Governments also take advantage of insecure data. While the surveillance programs discussed above often operate under a system of compelled production, others skip official channels and, instead, use back doors. One such program is the "Upstream" programs alluded to in slides released in June 0, and later confirmed by government officials. Upstream collection takes data right off the "backbone" of the internet the wires over which information is transmitted from computer to computer. Further revelations have brought to light backbone collection by US 0 and other governments of remotely activated webcam feeds, e mail contact lists, and information on internal company networks. It has also been revealed that the government has acted to preserve these collection programs by undermining data security standards. Unauthorized access or use of information by governments, as well as private actors, fundamentally threatens the internet as we know it. The world s largest internet companies build their business models around user trust in the networks that transmit and entities that store their personal data. Google s public Chief Legal Officer David Drummond, has said, Our business depends on the trust of our customers." More acutely at risk, U.S. based cloud computing firms spoke out after losing business following last summer s NSA revelations, and fear losing up to $5 billion in worldwide contracts as European regulators look to tighten restrictions on the cloud. Trust is also eroded when the NSA shares data with government agencies not dealing with foreign intelligence. For example, the NSA has provided evidence to the DEA, which then uses parallel construction, whereby agents find alternative grounds to justify arrests and skirt 4 legal challenges. Rule of law is threatened when legal limitations fail to protect even the narrow existing privacy protections. III. The Role of Data Security As data are transferred from entity to entity, they become increasingly vulnerable, with more points at which unauthorized parties may be able to gain access to those data and use them for unintended purposes. Bad actors may compromise the financial or physical safety of users, and governments could use personal information to target dissidents, stifle speech, or influence Cost of a Data Brea ch Report_daiNA_cta78.pdf 0 us spies hacked webcams millions yahoo users/ security/nsa collects millions of e mail address books globall y/0/0/4/8e58b5be 4f9 e 80c6 7e6dd8dd8f_story.html security/nsa infiltrates links to yahoo google data centers wo rldwide snowden documents say/0/0/0/e5d66e 466 e 8b74 d89d74ca4dd_story.html backdoored and stole keys/ 4 switch/wp/0/08/05/the nsa is giving your phone records to thedea and the dea is covering it up/ 4

5 political outcomes. Access has attempted to move the global conversation on security of big data forward. In March 5 04, Access released the Data Security Action Plan. In creating the Data Security Action Plan, Access considered what common sense practices were needed to mitigate the extreme risk posed by the increasing amounts of data stored online. The Action Plan consists of seven steps that companies should take to protect their users. The seven steps are:. Implement strict encryption measures on all network traffic;. Executive verifiable practices to effectively store user data stored at rest;. Maintain the security of credentials and provide robust authentication safeguards; 4. Promptly address known, exploitable vulnerabilities; 5. Use algorithms that follow security best practices; 6. Enable or support the use of client to client encryption; and 7. Provide user education tools on the importance of digital security hygiene. All entities should support the implementation of these security measures on all relevant data and networks under their control. Widespread adoption would benefit all internet users around the world, and would raise the floor on minimally acceptable data security practices. If we fail to consider data security in the debate on big data public policy, we are standardizing unacceptable risks for users, companies, and the public at large. IV. Conclusion To mitigate the harms of data breach and misuse and to build user trust, the White House should consider what steps are necessary to protect user data. Companies should take proactive steps to protect user data. Specifically, this means adopting privacy centered approaches to the collection and processing of user data, including: data minimization to limit collection of data where possible; ensuring that data is collected and stored for strictly defined purposes, and not used in a way that is incompatible with those purposes; and applying appropriate security measures to data both in transit and at rest. Accordingly, Access calls on the government to bolster data protection standards, promote data security, and continue to foster a robust discussion on best practices. Thank you for the opportunity to provide comment as part of this Big Data Study. For more information, please visit or contact the authors of this comment, Amie Stepanovich and Drew Mitnick, at amie@accessnow.org and drew@accessnow.org respectively. 5 More information is available at 5