Consumer Privacy: Reasons for Optimism As Well As ConcernACLU's Jon Callas Briefs RSA Conference on Evolution of Privacy Discussion
When it comes to notions of privacy and consumer data protection, Jon Callas wants everyone to know that attitudes are not as bad as some would believe. Still, there is plenty of room for improvement.
At the start of RSA Conference 2019 in San Francisco on Monday, Callas, a security expert and software engineer who now holds the title of technology fellow at the American Civil Liberties Union, told an audience that arguments over privacy, which have grown more vocal, will likely continue over the next 30 to 40 years as we come to grips with an ever-expanding array of technologies, especially internet of things devices.
Certain developments are concerning, he says, especially what he calls "surveillance capitalism," where tech companies offer free services to consumers and then collect behavioral data on them, often without them knowing. Nevertheless, there's reason for optimism as well, especially as consumers demand greater protection and security around the data that fuels much of the digital economy.
"We moaned about it in times past and we said, 'People don't care about privacy.' ... Now people care about it," Callas told a gathering of the Cloud Security Alliance. "Now they are worrying about it, and when they see these awful news stories, it helps fuel the change."
Callas points to four recent developments that are changing broader consumer attitudes toward privacy and forcing companies and governments to make changes:
- The European Union's General Data Privacy Regulation, with some companies starting to adopt the rules for all countries, not only Europe;
- The recently passed California Consumer Privacy Act, which goes into effect in 2020;
- The Illinois Biometric Privacy Law, which the state's Supreme Court recently upheld;
- A series of court decisions that strengthened protection of mobile devices and their data, including the U.S. Supreme Court's recent decision in Carpenter v. United States, which strengthened Fourth Amendment protections.
Privacy advocates can hail these victories and point to others, such as greater use of TLS and encryption turned on as a default.
But in addition to surveillance capitalism, Callas pointed to what he called government overreach in countries such as the United States and Australia, as well as growing concerns about government agencies in China, Russia, India, the United Arab Emirates and Brazil demanding encrypted data from companies and their users.
"There is a dichotomy in that we have a design for security, or we design for surveillance," Callas said. "There is a gray area between them, but the more that you collect data, the more you are designing for surveillance, and these decisions can turn out to be awful ones by surprise, and they can smack you in the head."
Callas added that consumer advocates such as the ACLU and governments continue to argue over issues, such as how much information a warrant allows the police to collect and whether health records are subject to search. "We will bounce the ideas back-and-forth in the future," he said.
A Balancing Act
Callas left the audience with a thought about balancing the good and the bad when it comes to privacy:
"The good news is that the privacy situation has gotten so bad that people want to change it. That means in the next five, 10, 15 years, we will see the pendulum swing back the other way and you will see new regulations inspired by GDPR and the California law. There will be actions done on behalf of consumers and all sorts of regulatory actions. ... There are still things going the wrong way. Surveillance capitalism is a problem where you have companies [whose] entire business model is selling data back and forth to each other. That's a problem for us all, and we should legislate that and figure out what it's good for and what it is not."