Cyber Privacy: Who Has Your Data and Why You Should Care
Book written by April Falcon Doss
Book review by Ben Smith
If you are interested in the topic, this is a good book to read; however, I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
We all live in an increasingly busy world, full of projects, obligations and distractions. And oh yes, technology as well - technology that ostensibly seeks to assist us, as well as to create new monetization opportunities for the many vendors whose products we purchase. For those of us who routinely fail to read and consider those too-long and sometimes incomprehensible terms and conditions when installing this week's must-have app, or answering last week's popular online survey, and even more importantly, those of us who don't realize the danger of data aggregation and how it impacts our privacy today, "Cyber Privacy: Who Has Your Data and Why You Should Care" should serve as a wake-up call.
Make no mistake, this is a policy book. But it's a book informed by two decades of "big picture" privacy-oriented experience from both a policy and operational perspective: the author has been not just a practicing attorney but the leader of Georgetown's Institute for Technology Law & Policy, along with key legal leadership roles supporting the Senate Select Committee on Intelligence as well as the National Security Agency, where at the time of this review she serves as General Counsel.
There is a lot of ground covered in this book, and there were more than a few areas which spoke to me clearly. The author takes the time to walk the reader through categories of data, including brief histories of biometric data: fingerprints, gait analysis, facial recognition, medical wearables, and genetic sequencing.
As a hobbyist who has spent years in the genetic genealogy field as a family historian, I was not surprised to see DNA mentioned as a privacy risk. It's an especially interesting risk, in that one individual's decision to take a DNA test with a direct-to-consumer lab produces information not just about that individual, but the extended family of that individual. This view into the extended family is the whole point: genealogists leverage these tests to find "new" cousins.
But the privacy and ethical questions related to this technology - what data protections do the test labs provide, especially in light of how law enforcement increasingly is leveraging this data - are far from being answered to everyone's satisfaction. This is just one of many examples of how unexpected applications of new technology can outstrip older laws and norms of the past.
Elsewhere in the book, there are brief and clear reviews of other key topics including surveillance in totalitarian societies, the "social credit" concept and how it is implemented, the fact that privacy rights were once associated with property ownership, and how governments and consumers should pay more attention to the expert deployment of behavioral manipulation across the most popular platforms and apps today. This last point reminds us that these "dark patterns" are a fundamental ingredient in many of the services we encounter on a daily basis.
The author isn't afraid to tee up some facts that might not be obvious: despite the attention to and activity around the EU's General Data Protection Regulation (GDPR), it turns out that the US and its different legal framework arguably has better privacy protections than the EU, especially it comes to wiretaps and other government-originated surveillance requests.
Perhaps the most intriguing idea appears towards the end of book, where the author proposes a parts-per-million model as a way to quantify the effects of privacy intrusion, a model used by the US Environmental Protection Agency (EPA) when measuring the impact of toxins and pollutants. The EPA acknowledges that absent an exorbitant cost, it's often impossible to completely remove many toxins completely, so there is a certain level of (acceptable) risk that society realizes is present: a balancing of those risks and costs. If we agree that some level of risk to our privacy exists in exchange for the products and services we consume, can we find a way to measure and enforce that trade-off?
Like most books, there are a handful of nits to pick. A (properly attributed!) 34-word quote from a research paper relating to corporate surveillance is repeated in successive chapters; I'm guessing the author treated each chapter as its own project, and an editor may have later missed this repetition. There are short breakout sections throughout the book where additional details are added, directly in-line with the main text and not off to the side. These breakouts are delineated by a slightly darker background and a different typeface, subtle changes that for this reader were not always easy to see in the physical book, leading to confusion when a turned page seemed to drop abruptly into another storyline. And finally, given this published-in-2020 book's topic, it is surprising not to see "Snowden" mentioned anywhere in the text.
Interested in getting deeper into this area? If the world of privacy is a current or future career track for you, take a look at the resources available from the International Association of Privacy Professionals (IAPP). This book's author holds the CIPP-US designation (focusing on data privacy laws and regulations) from the IAPP; I hold the CIPT (focusing on privacy and technology) from the same organization. These and the other global certifications offered by the IAPP are designed to arm privacy-focused practitioners with the insight needed to add more value to their businesses and missions.
For more reading in this area, there is a virtual forest of privacy and surveillance books available to us within the information security industry, including several reviewed elsewhere right here in the Cybersecurity Canon: Breached! Why Data Security Law Fails and How to Improve It,
Habeas Data: Privacy vs. the Rise of Surveillance Tech, and one of our Hall of Fame winners, American Spies: Modern Surveillance, Why You Should Care, and What to Do About It.
Also recommended: the academics Daniel Solove, Woodrow Hartzog, Susan Landau, Neil Richards, and Christopher Slobogin, each of whom has published more than one dense but rich book on this topic. But before you go to any of these alternatives, if you are an information security and risk management leader who has recently picked up privacy responsibilities, this readable book will give you a solid, current foundation and deserves a spot on your bookshelf.