Where Data Privacy Is Concerned, There's a Lot to Consider

As technology advances, privacy and cybersecurity have become more closely linked. Privacy experts took to some of the core issues around data protection at the Washington Digital Government Summit Nov. 8.

OLYMPIA, WASH. — As technology continues to develop, so do the privacy and security issues around it. Advances in biometrics, data analysis and machine learning offer seemingly limitless applications to improve government and the lives of customers and citizens. But the experts warn those benefits come with inherent risks that cannot be ignored.

During a panel discussion at the Washington Digital Government Summit* on Nov. 8, privacy experts took aim at the issues surrounding our growing reliance on technology and the problems that relationship brings.

Alex Alben, Washington state's chief privacy officer, moderated the conversation with technology transactions associate Tiffany Georgievski and Washington’s Military Department Chief Information Security and Privacy Officer Beth Hutchens. While the trio agreed there are benefits to be had from data sharing in many regards, those benefits often come with costs — some obvious, some unseen. 

They weighed in on the need for data control, citing recent California legislation and enactment of the European Union’s General Data Protection Regulation (GDPR) as examples of policy efforts being made in the space.

Prior to going into effect, GDPR created a flurry of activity in the private sector as companies rushed to meet stringent new requirements. While Georgievski said her clients were very concerned about the potential for fines, Alben and Hutchens said government remained largely unaffected.  

“State agencies have reached out to me, as the chief privacy officer, and said, ‘Do we need to worry about GDPR,’ and my answer is generally, ‘No, you do not need to worry about compliance with GDPR,’” Alben said. “By its terms, the European law can apply to anything, any state or local entity, if you are keeping the data of European citizens. But by and large, it is not going to monitor the kind of functions that a state government does.”

In her work providing legal advice for the private sector, Georgievski said the new rule quickly got the attention of companies concerned about the financial implications of non-compliance — fines of as much as 4 percent of global revenue.   

“From the private sector, it definitely hit a wave. From the consumer side, you’ve probably all noticed an influx of ‘We’ve updated our privacy policy. We’ve updated our privacy policy,’” she said.

Hutchens has seen benefits from the privacy regulations when it comes to vendors working with the government, if they've done the leg work to comply with the European rules.

“I’ve seen some vendors just say, ‘You know what, we are not even going to try to have two sets of books because it is too much of a pain in the neck.’ So they are applying GDPR protections across the board, which makes my life as a security and privacy officer much easier because I do security and privacy reviews of, for example, software applications …,” Hutchens said. “If it’s going to pass muster under GDPR, it’s going to pass muster in any state or federal law that we can think of.”

She cautions, however, that some vendors are willing to keep two sets of books, one GDPR-compliant and one for use everywhere else.

The conversation shifted away from compliance and policy and turned toward potential threats emerging in the privacy and data space. Asked what keeps her up at night, Hutchens said education of personnel continues to be a concern at a time when phishing attacks are only growing in number.

Fileless malware, she explained, is making protecting data even more difficult because it doesn’t require personnel to open anything — only to follow what look like official IT administrator prompts. 

“My pain point is fileless malware,” she said. “What we are starting to see, and these are making the rounds, is that before we’d have a phishing email that would say, ‘Hey, you have an invoice here. Click this.’ Now they’ll take an Office product logo, like SharePoint, Outlook or Word even, and say, ‘You have three unread messages due to a server upgrade from your IT division. Click here to reset your password.’”

For Georgievski, the proliferation of facial recognition technologies is cause for concern. While she jokes that the technology used to apply bunny ears to videos is not the problem, the tools being developed and data being collected by larger tech companies is.

Who has access to or can purchase that data leads to larger questions around digital surveillance and companies and governments being able to literally pick you out of a crowd and study your habits. 

“You think about just taking your camera out at a protest, collecting that video stream and starting to ping those faces and see where they pop up in other places. That type of technology that can so easily go out to an end user, a teenager who knows how to code a little bit, and then not have any controls about how it’s used, kind of freaks me out,” she said.

Asked whether smartphone biometrics were a concern, Georgievski said users should first establish whether that data is the product or meant to enhance a product and its security features. She used the example of Facebook and Apple. Where Facebook makes its billions off of data collection and sales, Apple sells a product and has a history of being very privacy-focused.

Hutchens put it simply when it comes to any tool or service that requires data from the user.

“I always tell my end users and anybody who will listen, 'If it’s free, you’re not the customer, you’re the product,'” she said.

*Digital Government Summits are organized by the Center for Digital Government, which is part of Government Technology's parent company, e.Republic.

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.