December 20, 2017 | By Holly Dragoo
Tough cybersecurity policy issues cropped up in 2017, and the response could bring new privacy laws in 2018 with wide-reaching, cross-border effects. Highlights from the past year included how to respond to allegations of Russian election tampering, the great FCC/net neutrality debate, and mandatory clauses in the Chinese Cybersecurity Law (CCL). Yet arguably the most important privacy story of 2017 is still unresolved and likely will be among the most thunderous in 2018: Carpenter vs. United States (more below). Also, looking ahead to 2018, another big story for cybersecurity policy will be the European Union’s enforcement of the new General Data Privacy Regulations (GDPR), which affect how private information may or may not flow among global businesses.
Guarding the Privacy of Cell Phone Data
The Supreme Court recently heard arguments for Carpenter vs. United States, a case about cell phone locational data privacy. At stake is whether the government may track a cell phone user without a warrant, using the cell-site locational data that the cell network needs to relay calls and billing information. Both liberal and conservative judges made statements indicating their interpretations will favor citizen privacy, citing concerns that if the government were allowed to track citizen movements without a warrant, it would be similar to the general warrants of the 18th century that contributed to the first sparks of the Revolutionary War. If those remarks are any sign of things to come, before the close of 2018 we may see law enforcement having more hoops to jump through when pursuing locational data as evidence. A reading of the final verdict has yet to be assigned a date, but it’s sure to be noteworthy.
- The Atlantic: https://www.theatlantic.com/politics/archive/2017/11/bipartisanship-supreme-court/547124/
- Supreme Court Oral Argument Transcripts: https://www.supremecourt.gov/oral_arguments/argument_transcripts/2017/16-402_3f14.pdf
- Carpenter vs United States: http://www.scotusblog.com/case-files/cases/carpenter-v-united-states-2/
Guarding the Privacy of Europeans
Promulgation of the new General Data Privacy Regulations (GDPR) by the European Union will have extraterritorial effects, meaning non-EU citizens doing business with EU citizens, regardless of either party’s location, will have to comply or risk steep penalties. For example, an American company selling widgets online (to customers who include European citizens) soon will have to employ a privacy advocate staff member and provide opportunities for customers both to have their data removed and to access their data to verify its accuracy. Many established commercial networks are not configured to allow for this (plus an extensive list of additional GDPR specifications), so the costs to transform business networks toward compliance will not be insignificant. Small-scale industries may turn away from EU clientele if the costs are prohibitive, but my guess is that will be short-lived. The EU is too great a market to leave behind, and the investment is a one-time sunk cost. Depending on how strong the lobby is for delaying the May 25, 2018 enforcement date, I predict we will see a prolonged and perhaps costly adjustment phase as companies adopt the regulations into their infrastructures, but the majority of businesses will comply.
- Understanding GDPR: https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
- Preparations for Businesses: https://www.ntsc.org/resources/ntsc-blog/u.s.-businesses-need-to-prepare-now-to-align-with-eu-privacy-law.html
Holly Dragoo is a research associate with the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. Her previous work with the U.S. Department of Defense and Federal Bureau of Investigation gives her a unique understanding of intelligence community requirements. Dragoo’s research interests include cybersecurity policy issues, threat attribution, metadata analysis, and adversarial network reconstruction.